[Dovecot] auth_krb5_keytab ignored ?

Leon Meßner l.messner at physik.tu-berlin.de
Fri Jun 8 19:59:02 EEST 2012


Hi list,

I noticed that when doing IMAP GSSAPI authentication with Kerberos,
dovecot (here 2.1.7) always searches /etc/krb5.keytab, although I have
auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf
and doveconf -n also shows this setting. If I combine the keytabs in
krb5.keytab it works. Is there another location where I should put my
configuration regarding GSSAPI/Kerberos?

Thanks,
Leon

logs:
18:48_root at mail3:/root# cat /var/log/dovecot.log | tail -n 8
Jun 08 18:48:16 auth: Debug: client in: AUTH    1       GSSAPI  service=imap    secured session=gexTxPjBZACClTqR        lip=130.149.58.164      rip=130.149.58.145      lport=993 rport=31076
Jun 08 18:48:16 auth: Debug: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): Obtaining credentials for imap at mail3.physik-pool.tu-berlin.de
Jun 08 18:48:16 auth: Debug: client out: CONT   1
Jun 08 18:48:16 auth: Debug: client in: CONT<hidden>
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): While processing incoming data:  Miscellaneous failure (see text)
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>): While processing incoming data: Failed to find imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)
Jun 08 18:48:18 auth: Debug: client out: FAIL   1
Jun 08 18:48:23 imap-login: Info: Aborted login (auth failed, 1 attempts in 7 secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164, TLS, session=<gexTxPjBZACClTqR>


# 2.1.7: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE-p3 amd64
# NOTE(review): this is the reporter's `doveconf -n` output, i.e. only the
# settings that differ from the built-in defaults.
auth_debug = yes
# Principal host part the GSSAPI acceptor uses; matches the
# "imap/mail3.physik-pool.tu-berlin.de" principal named in the log above.
auth_gssapi_hostname = mail3.physik-pool.tu-berlin.de
# Keytab the reporter expects the auth process to use. The log above still
# reports "in keytab FILE:/etc/krb5.keytab", so this value is not reaching
# the GSSAPI acceptor — TODO confirm which Kerberos library (MIT or Heimdal)
# this Dovecot build links against, since the keytab registration path
# differs between them.
auth_krb5_keytab = /etc/mail3.krb5.keytab
# PLAIN and LOGIN carry the password in the clear unless the session is TLS;
# disable_plaintext_auth is not listed here, so presumably at its default — confirm.
auth_mechanisms = gssapi plain login
auth_verbose = yes
auth_worker_max_count = 120
first_valid_gid = 300
first_valid_uid = 200
lda_mailbox_autocreate = yes
# Binds only to this hostname's address rather than all interfaces.
listen = mail3.physik.tu-berlin.de
log_path = /var/log/dovecot.log
# Settings the reporter has chosen for mail storage; the NFS-related ones
# are set together below (mail_nfs_index, mail_nfs_storage, mmap_disable).
mail_fsync = always
mail_location = maildir:~/maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  location = mbox:~/mail
  prefix = mail/
  separator = /
  type = private
}
passdb {
  # failure_show_msg=yes relays PAM's failure text to the client; that text
  # reaches unauthenticated clients, so review what the PAM stack may say.
  args = session=yes failure_show_msg=yes max_requests=100 dovecot
  driver = pam
}
plugin {
  quota = fs
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/.sieve
}
protocols = imap pop3
service auth {
  unix_listener auth-client {
    mode = 0660
  }
  unix_listener auth-master {
    mode = 0600
  }
  # The auth process itself runs as root here; Dovecot's default is its
  # unprivileged internal user, and PAM lookups normally run in the separate
  # auth-worker process — TODO confirm this override is actually required.
  user = root
}
service imap-login {
  # port = 0 disables the non-TLS IMAP listener; only the TLS port remains
  # (the log above shows lport=993).
  inet_listener imap {
    port = 0
  }
  process_limit = 256
  process_min_avail = 6
}
service managesieve-login {
  process_limit = 256
  process_min_avail = 6
}
service pop3-login {
  # Same as for imap: plaintext POP3 listener disabled, TLS port only.
  inet_listener pop3 {
    port = 0
  }
  process_limit = 256
  process_min_avail = 6
}
# Leading '<' reads the file contents at startup; keep the private key
# readable only by the user Dovecot starts as.
ssl_cert = </etc/private/mail3.physik.tu-berlin.de.pem
ssl_key = </etc/private/physik.tu-berlin.de_privatekey.pem
userdb {
  args = blocking=yes
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  info_log_path = /var/log/dovecot-lda.log
  log_path = /var/log/dovecot-lda.log
  mail_plugins = " sieve quota"
}


