[Dovecot] Kerberos GSSAPI - proper item name in keytab

Stanislav Klinkov klinkov at yandex.ru
Mon Aug 29 16:39:14 EEST 2011 

Hello, ALL.

I am trying to organize a transparent single sign-on concept for my
Active Directory users into Dovecot via IMAP. On the user's desktop I
use Thunderbird 6.0 as a mail client (MUA), Windows XP as an operating
system. Domain is controlled by Windows 2008 Server SP2 with Active
Directory.

I have installed on my Mail server Debian GNU/Linux 6.0.2 (Squeeze) and
Dovecot 2.0.13 from official "wheezy" repositories of it with all
dependencies.

I ran into in a problem with generating proper "/etc/krb5.keytab" file
for successful kerberos authentication against AD controller. I has
performed all the steps described in official dovecot wiki here:
http://wiki2.dovecot.org/Authentication/Kerberos

I have generated a service ticket with name
"imap/efim.test.local at MYORG.LAN" exactly as described in wiki.
("MYORG.LAN" is my kerberos realm.) But this does not work. I see in
debug logs something like this:

******** main service logs ********
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing
incoming data: Unspecified GSS failure.  Minor code may provide more
information
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing
incoming data: Wrong principal in request
*************************************
******** auth debug logs *********
Aug 29 16:05:14 auth: Debug: gssapi(?,192.168.4.12): Obtaining
credentials for imap at efim.test.local
Aug 29 16:05:14 auth: Debug: client out: CONT   1
Aug 29 16:05:14 auth: Debug: client in: CONT<hidden>
Aug 29 16:05:16 auth: Debug: client out: FAIL   1
*************************************

But (!). If I define << auth_gssapi_hostname = "$ALL" >> instead of <<
auth_gssapi_hostname = efim.test.local >> then everything works fine. I
decided to find out where is the problem, so I dig into source code of
gssapi module, "mech-gssapi.c". For versions 2.0.13 and 2.0.14 of
dovecot I see there the following:

********* mech-gssapi.c *********
static OM_uint32
obtain_service_credentials(struct auth_request *request, gss_cred_id_t
*ret_r)
/* blah-blah-blah */
    principal_name = t_str_new(128);
    str_append(principal_name, service_name);
    str_append_c(principal_name, '@');
    str_append(principal_name, request->set->gssapi_hostname);

    auth_request_log_debug(request, "gssapi",
        "Obtaining credentials for %s", str_c(principal_name));

    inbuf.length = str_len(principal_name);
    inbuf.value = str_c_modifiable(principal_name);

    major_status = gss_import_name(&minor_status, &inbuf,
                       GSS_C_NT_HOSTBASED_SERVICE,
                       &gss_principal);
*********************************

So, according to source code, Dovecot tries to find in krb5.keytab a
principal named "imap at hostname". However wiki says to create the
principal named "imap/hostname at REALM".

Please, clarify where is the error: in source code, in wiki, or I have
misunderstood something.

Respectfully,
Stanislav Klinkov.

More information about the dovecot mailing list