[Dovecot] auth_krb5_keytab ignored ?

[Leon Meßner]

On Mon, Jun 11, 2012 at 05:51:24PM +0200, Leon Meßner wrote:
> On Mon, Jun 11, 2012 at 06:26:57PM +0300, Timo Sirainen wrote:
> > On 11.6.2012, at 17.43, Leon Meßner wrote:
> > 
> > >> import_environment = TZ GDB DEBUG_SILENT KRB5_KTNAME 
> > >> 
i > >> KRB5_KTNAME=/etc/mail3.krb5.keytab dovecot
> > >> 
> > >> I'm wondering if the code in mech-gssapi.c that sets KRB5_KTNAME
> > >> environment is being called too late.
> > > 
> > > It's still looking inside the default krb5.keytab .
> > 
> > Which Kerberos library are you using? Maybe it doesn't support this way of giving the keytab.
> 
> I'm using the stock FreeBSD 8.2-RELEASE one which is heimdal-1.1.0 .
> I will update the machine to 8.3 (which is the latest release in 8.x),

Updating and recompiling did not help. I don't know where to look for
the problem though. If i use the kerberos utilities with KRB5_KTNAME the
environment variable is beeing picked up ok.

19:22_root at mail3:/usr/ports/mail/dovecot# KRB5_KTNAME=/etc/mail3.krb5.keytab ktutil list
/etc/mail3.krb5.keytab:

Vno  Type           Principal
  1  des-cbc-crc    imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des-cbc-md4    imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des-cbc-md5    imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE
  1  des3-cbc-sha1  imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE

19:34_root at mail3:/usr/ports/mail/dovecot# KRB5_KTNAME=/etc/mail3.krb5.keytab kinit -k imap/mail3.physik-pool.tu-berlin.de
19:39_root at mail3:/usr/ports/mail/dovecot# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE

  Issued           Expires          Principal
Jun 12 19:39:11  Jun 13 05:39:11  krbtgt/PCPOOL.PHYSIK.TU-BERLIN.DE at PCPOOL.PHYSIK.TU-BERLIN.DE