[Dovecot] auth_krb5_keytab ignored ?

Leon Meßner l.messner at physik.tu-berlin.de
Mon Jun 11 17:43:45 EEST 2012


On Mon, Jun 11, 2012 at 03:16:16PM +0300, Timo Sirainen wrote:
> On Fri, 2012-06-08 at 18:59 +0200, Leon Meßner wrote:
> > Hi list,
> > 
> > I noticed that when doing imap gssapi authentication with kerberos,
> > dovecot (here 2.1.7) always searches /etc/krb5.keytab although I have
> > auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf
> > and doveconf -n also shows this setting. If I combine the keytabs in
> > krb5.keytab it works. Is there another location where I should put my
> > configuration regarding gssapi/kerberos?
> 
> Try if this works:
> 
> import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME 
> 
> Then start Dovecot with:
> 
> KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> 
> I'm wondering if the code in mech-gssapi.c that sets KRB5_KTNAME
> environment is being called too late.

It's still looking inside the default krb5.keytab.

/var/log/dovecot.log:
Jun 11 16:26:55 master: Info: Dovecot v2.1.7 starting up
Jun 11 16:26:55 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82646)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82648)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82647)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82649)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82651)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82653)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82655)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82652)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82656)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82657)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82650)
Jun 11 16:26:55 auth: Debug: auth client connected (pid=82654)
Jun 11 16:27:05 auth: Debug: auth client connected (pid=82669)
Jun 11 16:27:06 auth: Debug: client in: AUTH    1       GSSAPI  service=imap    secured session=DLX+JDPCLwCClTqR        lip=130.149.58.164      rip=130.149.58.145      lport=993       rport=29743
Jun 11 16:27:06 auth: Debug: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): Obtaining credentials for imap at mail3.physik-pool.tu-berlin.de
Jun 11 16:27:06 auth: Debug: client out: CONT   1
Jun 11 16:27:06 auth: Debug: client in: CONT<hidden>
Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data:  Miscellaneous failure (see text)
Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): While processing incoming data: Failed to find imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)
Jun 11 16:27:08 auth: Debug: client out: FAIL   1
Jun 11 16:27:18 auth: Debug: auth client connected (pid=82673)
Jun 11 16:27:18 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<Vy6wJTPCAgCClTqV>
Jun 11 16:27:22 imap-login: Info: Aborted login (auth failed, 1 attempts in 16 secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164, TLS, session=<DLX+JDPCLwCClTqR>
Jun 11 16:27:38 auth: Debug: auth client connected (pid=82681)
Jun 11 16:27:38 pop3-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=130.149.58.149, lip=130.149.58.164, TLS, session=<lhjfJjPCWwCClTqV>
Jun 11 16:27:45 master: Warning: Killed with signal 15 (by pid=82684 uid=0 code=kill)
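
Added example, not part of the original message and not Dovecot code: a small log check that extracts the keytab the Kerberos library actually searched from the "Failed to find ... in keytab" line and compares it with the configured auth_krb5_keytab value. The function names are hypothetical, and the sample input is taken from the log above, including the " at " that the list archive substitutes for "@".

```python
import re

# Matches the GSSAPI failure line Dovecot's auth process logs when the
# service principal is missing from the keytab the Kerberos library opened.
# Accepts "@" as well as the " at " that list archives substitute for it.
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<principal>\S+?)(?:@| at )(?P<realm>[\w.-]+)"
    r"\(kvno (?P<kvno>\d+)\) in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)

def keytab_path(name):
    """Strip a keytab type prefix such as FILE: or WRFILE: to get the path."""
    kind, sep, rest = name.partition(":")
    return rest if sep and kind.isalpha() and kind.isupper() else name

def find_keytab_mismatches(log_lines, configured_keytab):
    """Return one dict per lookup failure, flagging whether the keytab that
    was searched differs from the configured auth_krb5_keytab value."""
    findings = []
    for line in log_lines:
        m = KEYTAB_MISS.search(line)
        if not m:
            continue
        hit = m.groupdict()
        hit["kvno"] = int(hit["kvno"])
        hit["searched"] = keytab_path(hit.pop("keytab"))
        hit["setting_ignored"] = hit["searched"] != keytab_path(configured_keytab)
        findings.append(hit)
    return findings

# Sample input: two lines taken from the log in the message above.
SAMPLE_LOG = [
    "Jun 11 16:27:06 auth: Debug: client out: CONT   1",
    "Jun 11 16:27:06 auth: Info: gssapi(?,130.149.58.145,<DLX+JDPCLwCClTqR>): "
    "While processing incoming data: Failed to find "
    "imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) "
    "in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)",
]

if __name__ == "__main__":
    for f in find_keytab_mismatches(SAMPLE_LOG, "/etc/mail3.krb5.keytab"):
        state = "IGNORED" if f["setting_ignored"] else "honoured"
        print(f"{f['principal']}@{f['realm']} kvno={f['kvno']} {f['enctype']}: "
              f"searched {f['searched']}, auth_krb5_keytab {state}")
```
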


