[Dovecot] GSSAPI Authentication in v1.2.1

Angel Marin anmar at anmar.eu.org
Mon Aug 10 11:36:39 EEST 2009


Phillip Macey wrote:
> 
> In the release notes for v1.2.2, Timo said:
>> Found and fixed several v1.2-specific bugs. Hopefully it's now stable
>> for most people's usage.
>>
>>     * GSSAPI: More changes to authentication. Hopefully good now.
>>   
> What were the GSSAPI changes? I am having problems with _some_ of my
> users using GSSAPI auth. I am using version 1.2.1. The client 
> (thunderbird) reports that the server does not support 'secure 
> authentication'. When I switch on auth_debug in dovecot, I see errors 
> such as these in the logs:
> 
> Aug  3 16:45:57 fury dovecot: auth(default): client in: AUTH    1
> GSSAPI  service=imap    lip=10.1.0.20 rip=10.8.5.72   lport=143
> rport=4027
> Aug  3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using
> all keytab entries
> Aug  3 16:45:57 fury dovecot: auth(default): client out: CONT   1
> Aug  3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer
> full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
> 
> 
> Other users work perfectly (eg. all of the user accounts I tested
> against). Would this have been a bug that was fixed in 1.2.2 or is it
> something else? If it is most likely something else, I will post
> `dovecot -n`.

Same here (1.2.3), it's been working fine adding all possible principals 
to the keytab and setting:

auth_gssapi_hostname = $ALL

There are all sorts of resolvers out there that seem to mess with 
principal name selection on the clients all the time. Weird thing is 
this particular one didn't happen with 1.1.x.

-- 
Angel Marin
http://anmar.eu.org/
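
A check for the workaround described in the message above, as an added example that is not part of the original post or of Dovecot: it reads `klist -k` output and lists the `imap/<host>@<REALM>` principals the keytab still lacks for each name clients may resolve the server to. The keytab path, the `example.org` names and the `EXAMPLE.ORG` realm are constructed; the `imap/` service name follows `service=imap` in the quoted log.

```shell
#!/bin/sh
# Added example: find IMAP service principals missing from a keytab.
# On a real server (keytab path is an assumption):
#   klist -k /etc/dovecot/krb5.keytab | missing_principals EXAMPLE.ORG mail.example.org

# missing_principals REALM HOST...
# Reads `klist -k` output on stdin and prints one missing principal per line.
# Comparison is exact: Kerberos principal names are case-sensitive.
missing_principals() {
    realm=$1; shift
    # Data rows start with a numeric KVNO; column 2 is the principal.
    # With `klist -ke` a principal repeats once per enctype, so de-duplicate.
    have=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for host in "$@"; do
        want="imap/$host@$realm"
        # -F: fixed string, -x: whole line, so "fury" does not match "fury.example.org"
        printf '%s\n' "$have" | grep -Fxq "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample of `klist -k` output (not taken from the thread).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/fury.example.org@EXAMPLE.ORG
   2 imap/mail.example.org@EXAMPLE.ORG
   2 host/fury.example.org@EXAMPLE.ORG
EOF
}

# Names a client might derive for the server: FQDN, alias, short name.
sample_klist | missing_principals EXAMPLE.ORG \
    fury.example.org mail.example.org imap.example.org fury
```

The quoted log line "Using all keytab entries" means every principal in the keytab is acceptable to the auth process, so the same listing is worth reviewing for entries that should not be there.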


