[Dovecot] Kerberos GSSAPI - proper item name in keytab
Stanislav Klinkov
klinkov at yandex.ru
Mon Aug 29 16:39:14 EEST 2011
Hello, ALL.
I am trying to organize a transparent single sign-on concept for my
Active Directory users into Dovecot via IMAP. On the user's desktop I
use Thunderbird 6.0 as the mail client (MUA) and Windows XP as the
operating system. The domain is controlled by Windows Server 2008 SP2
with Active Directory.
On my mail server I have installed Debian GNU/Linux 6.0.2 (Squeeze) and
Dovecot 2.0.13 from its official "wheezy" repositories, with all
dependencies.
I ran into a problem generating a proper "/etc/krb5.keytab" file for
successful Kerberos authentication against the AD controller. I have
performed all the steps described in the official Dovecot wiki here:
http://wiki2.dovecot.org/Authentication/Kerberos
I have generated a service ticket with the name
"imap/efim.test.local@MYORG.LAN" exactly as described in the wiki.
("MYORG.LAN" is my Kerberos realm.) But this does not work. I see
something like this in the debug logs:
******** main service logs ********
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing
incoming data: Unspecified GSS failure. Minor code may provide more
information
Aug 29 16:05:14 auth: Info: gssapi(?,192.168.4.12): While processing
incoming data: Wrong principal in request
*************************************
******** auth debug logs *********
Aug 29 16:05:14 auth: Debug: gssapi(?,192.168.4.12): Obtaining
credentials for imap@efim.test.local
Aug 29 16:05:14 auth: Debug: client out: CONT 1
Aug 29 16:05:14 auth: Debug: client in: CONT<hidden>
Aug 29 16:05:16 auth: Debug: client out: FAIL 1
*************************************
But (!) if I define << auth_gssapi_hostname = "$ALL" >> instead of <<
auth_gssapi_hostname = efim.test.local >>, then everything works fine. I
decided to find out where the problem is, so I dug into the source code
of the gssapi module, "mech-gssapi.c". For versions 2.0.13 and 2.0.14 of
Dovecot I see the following there:
********* mech-gssapi.c *********
static OM_uint32
obtain_service_credentials(struct auth_request *request, gss_cred_id_t *ret_r)
        /* blah-blah-blah */
        principal_name = t_str_new(128);
        str_append(principal_name, service_name);
        str_append_c(principal_name, '@');
        str_append(principal_name, request->set->gssapi_hostname);
        auth_request_log_debug(request, "gssapi",
                               "Obtaining credentials for %s", str_c(principal_name));
        inbuf.length = str_len(principal_name);
        inbuf.value = str_c_modifiable(principal_name);
        major_status = gss_import_name(&minor_status, &inbuf,
                                       GSS_C_NT_HOSTBASED_SERVICE,
                                       &gss_principal);
*********************************
So, according to the source code, Dovecot tries to find a principal
named "imap@hostname" in krb5.keytab. However, the wiki says to create
a principal named "imap/hostname@REALM".
Please clarify where the error is: in the source code, in the wiki, or
have I misunderstood something?
Respectfully,
Stanislav Klinkov.
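Editor's note with an added example (not part of the original post, and not Dovecot's own code). The two spellings in the post are the same principal in two notations: "imap@efim.test.local" is the GSS_C_NT_HOSTBASED_SERVICE form that gss_import_name() takes, and the Kerberos mechanism resolves it to the keytab principal "imap/efim.test.local@MYORG.LAN". So the wiki and the code agree. "Wrong principal in request" means the ticket the client presented was for a different service principal than the one the acceptor acquired credentials for, and "$ALL" only hides that mismatch by letting any service key in the keytab accept the ticket. The script below, which assumes a constructed "klist -k" listing and the realm MYORG.LAN, shows the name mapping and checks whether the principal Dovecot will ask for is actually in the keytab:

```python
# Added example (not from the original post or from Dovecot): given the
# auth_gssapi_hostname value, the Kerberos realm and the output of
# "klist -k /etc/krb5.keytab", work out which keytab entry Dovecot's
# obtain_service_credentials() will look for and whether it is present.
import re
from typing import Dict, List, Tuple

# Constructed sample of "klist -k" output; not captured from a real host.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/efim.test.local@MYORG.LAN
   3 host/efim.test.local@MYORG.LAN
"""


def hostbased_to_principal(hostbased: str, realm: str) -> str:
    """Map a GSS_C_NT_HOSTBASED_SERVICE name ("service@host") to the Kerberos
    principal the krb5 mechanism resolves it to ("service/host@REALM").

    Assumption: the host is used as given (lowercased). With
    dns_canonicalize_hostname or rdns enabled, libkrb5 may first rewrite
    the host via DNS; that step is not modelled here.
    """
    service, sep, host = hostbased.partition("@")
    if not sep or not service or not host:
        raise ValueError("expected service@hostname, got %r" % hostbased)
    return "%s/%s@%s" % (service, host.lower(), realm.upper())


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from "klist -k" output."""
    entries = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_acceptor(gssapi_hostname: str, realm: str, klist_output: str,
                   service: str = "imap") -> Dict[str, object]:
    """Report which principal Dovecot will acquire credentials for and
    whether the keytab holds a key for it.

    "$ALL" is the Dovecot setting that skips the explicit name: any service
    key in the keytab can then accept the client's ticket, which is why it
    hides a hostname mismatch instead of fixing it.
    """
    principals = {p for _, p in parse_klist(klist_output)}
    service_keys = sorted(p for p in principals if p.startswith(service + "/"))
    if gssapi_hostname == "$ALL":
        return {"mode": "any", "wanted": None,
                "present": bool(service_keys), "candidates": service_keys}
    wanted = hostbased_to_principal("%s@%s" % (service, gssapi_hostname), realm)
    # Kerberos principal comparison is exact and case-sensitive.
    return {"mode": "single", "wanted": wanted,
            "present": wanted in principals, "candidates": service_keys}


if __name__ == "__main__":
    for host in ("efim.test.local", "mail.test.local", "$ALL"):
        r = check_acceptor(host, "MYORG.LAN", SAMPLE_KLIST)
        status = "ok" if r["present"] else "MISSING"
        print("auth_gssapi_hostname = %-16s -> %s [%s]; keytab has: %s"
              % (host, r["wanted"] or "(any)", status, ", ".join(r["candidates"])))
```

When the "wanted" principal is missing, the "candidates" list shows which imap/ names the keytab does hold; the fix is to make auth_gssapi_hostname match the fully qualified name the client connects to (and that the AD SPN was registered for), not to fall back to "$ALL".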