Authentication with Samba using Kerberos fails

Justin Clacherty justin at redfish.com.au
Wed Apr 8 03:27:48 UTC 2015 

Hi,

I've been having some problems getting GSSAPI authentication going against a samba (4.2) server and am hoping someone can point me in the right direction. I've searched through Google and haven't managed to find a solution yet.

I followed the config instructions at http://wiki2.dovecot.org/Authentication/Kerberos and run through the testing. Testing from the server with telnet does as expected i.e. I get the "+" after I try "a authenticate GSSAPI". However, when I go to test from Thunderbird on while logged in on a Windows PC joined to the domain authentication fails and I see the following in mail.log (I'm running Ubuntu 14.04.2 LTS).

Apr  8 11:49:18 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr  8 11:49:18 server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr  8 11:49:18 server dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
Apr  8 11:49:18 server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr  8 11:49:18 server dovecot: auth: Debug: auth client connected (pid=17667)
Apr  8 11:49:18 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=e8xMvSwTQgDAqCpl#011lip=192.168.1.1#011rip=192.168.1.101#011lport=143#011rport=49986
Apr  8 11:49:18 server dovecot: auth: Debug: gssapi(?,192.168.42.101,<e8xMvSwTQgDAqCpl>): Obtaining credentials for imap at server.corp.mydomain.com
Apr  8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011
Apr  8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr  8 11:49:18 server dovecot: auth: Debug: gssapi(me at corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): security context state completed.
Apr  8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrkGiOLsky4fbzWGzpxgW4mjmpjvNsiCqH8MnsUKviP9v1oVLPXSVkqFzFUiCLAd130ldnf742o/inz9Dx6e0aETwDKnnZu9OUD2nCGg/f5zA20IXGWR1zXVJi3hEB8nmrLgaENhyX0JMiE6g=
Apr  8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr  8 11:49:18 server dovecot: auth: Debug: gssapi(me at corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): Negotiated security layer
Apr  8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAIvajggH////ubQhCZGfeuWGZQ7w=
Apr  8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr  8 11:49:18 server dovecot: auth: Panic: file auth-request.c: line 716 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Apr  8 11:49:18 server dovecot: auth: Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x5e271) [0x7f524a7da271] -> /usr/lib/dovecot/libdovecot.so.0(+0x5e34e) [0x7f524a7da34e] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f524a795a9e] -> dovecot/auth(+0x15162) [0x7f524ac7e162] -> dovecot/auth(auth_request_lookup_credentials+0x22) [0x7f524ac7f8d2] -> /usr/lib/dovecot/modules/auth/libmech_gssapi.so(+0x20d4) [0x7f52499450d4] -> dovecot/auth(auth_request_handler_auth_continue+0xd1) [0x7f524ac81391] -> dovecot/auth(+0x1052a) [0x7f524ac7952a] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f524a7ea247] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0xd7) [0x7f524a7eafd7] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f524a7e9de8] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f524a79ac93] -> dovecot/auth(main+0x38c) [0x7f524ac7750c] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f5249d8dec5] -> dovecot/auth(+0xe6d9) [0x7f524ac776d9]
Apr  8 11:49:18 server dovecot: auth: Fatal: master: service(auth): child 17668 killed with signal 6 (core dumps disabled)
Apr  8 11:49:18 server dovecot: imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=17667, EOF)
Apr  8 11:49:19 server dovecot: imap-login: Disconnected (auth process communication failure): user=<>, method=GSSAPI, rip=192.168.1.101, lip=192.168.1.1, TLS, session=<e8xMvSwTQgDAqCpl>

Relevant parts of my config:

auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_debug = yes
auth_debug_passwords = no
auth_default_realm = CORP.MYDOMAIN.COM
auth_failure_delay = 2 secs
auth_gssapi_hostname = server.corp.mydomain.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_master_user_separator =
auth_mechanisms = gssapi
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = yes
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
userdb {
  args = uid=dovecot gid=dovecot home=/var/vmail/%u
  default_fields =
  driver = static
  override_fields =
}

Any help greatly appreciated.

Cheers,
Justin.

More information about the dovecot mailing list