Problem with GSSAPI

aki.tuomi at dovecot.fi aki.tuomi at dovecot.fi
Sun Apr 3 10:54:41 UTC 2016


> On April 3, 2016 at 10:57 AM Luca Bertoncello <lucabert at lucabert.de> wrote:
> 
> 
> Hi list!
> 
> I'm really puzzled...
> I have a Mailserver with Dovecot 2.2.9 (installed from Ubuntu
> 14.04-Repositories) and it works well with LDAP-Authentication against the
> Active Directory.
> 
> Now I want to use GSSAPI to allow the clients (with Thunderbird 38.7.1) to
> read E-Mails without giving a password.
> 
> I configured Dovecot using these HowTos:
> 
> http://mindref.blogspot.de/2011/02/dovecot-kerberos.html
> http://wiki.dovecot.org/Authentication/Kerberos
> 
> But it does not work...
> In mail.log I can just see:
> 
> Apr  3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Apr  3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Apr  3 09:52:26 mail dovecot: auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> Apr  3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Apr  3 09:52:26 mail dovecot: auth: Debug: Module loaded:
> /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Apr  3 09:52:26 mail dovecot: auth: Debug: Read auth token secret from
> /var/run/dovecot/auth-token-secret.dat
> Apr  3 09:52:26 mail dovecot: auth: Debug: auth client connected (pid=2300)
> Apr  3 09:52:26 mail dovecot: imap-login: Disconnected (no auth attempts in 0
> secs): user=<>, rip=192.168.50.54, lip=192.168.50.3,
> session=<x8Sq5I8vsADAqDI2>
> 
> and Thunderbird says that the Ticket was not accepted and I have to check
> if I'm logged into the Kerberos/GSSAPI subsystem.
> I checked with tcpdump and I see that Thunderbird does NOT send at all any
> request.
> 
> Could someone help me?
> 
> Thanks a lot!
> Luca Bertoncello
> (lucabert at lucabert.de)

Make sure you have a keytab entry for IMAP/hostname, and host/hostname. Kerberos
is pretty name oriented, so DNS names must match, also reverse entries for
optimal performance.

Also make sure your client has acquired some principal such as
username at YOURDOMAIN.

These are usually checked with the klist command or klist -k, depending on whether
you are looking at the credentials cache or the keytab file.

Also, make sure that GSSAPI is provided as a mechanism by dovecot; this is easy to
check with

telnet hostname 14

and see what LOGIN mechanisms are provided. If it does not list capabilities,
use

a01 CAPABILITY

to list them.

Aki Tuomi
Dovecot Oy
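The three checks from the reply (keytab service principals, advertised AUTH mechanisms, and what the quoted imap-login line tells you), as an added offline example that is not part of the thread. The `klist -k` listing and the IMAP greeting are constructed samples; mail.example.com and EXAMPLE.COM are placeholders for your own host and realm.

```shell
#!/bin/sh
# Added example, not from the thread: offline versions of the three checks in
# the reply. Sample data is constructed; host and realm are placeholders.

# Constructed `klist -k` listing with both service principals present.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
   3 imap/mail.example.com@EXAMPLE.COM
   3 host/mail.example.com@EXAMPLE.COM'
# Constructed IMAP greeting as sent over a plain IMAP connection with GSSAPI enabled.
SAMPLE_CAPS='* OK [CAPABILITY IMAP4rev1 SASL-IR IDLE AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.'
# The imap-login line quoted in the original question.
SAMPLE_LOG='Apr  3 09:52:26 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.50.54, lip=192.168.50.3, session=<x8Sq5I8vsADAqDI2>'
# keytab_has_principals HOST REALM KLIST_OUTPUT: succeeds only if both
# imap/HOST@REALM and host/HOST@REALM are listed; names each missing one on stderr.
keytab_has_principals() {
    host="$1"; realm="$2"; listing="$3"; missing=0
    for svc in imap host; do
        if ! printf '%s\n' "$listing" | grep -q "^ *[0-9][0-9]* *$svc/$host@$realm *\$"; then
            echo "missing keytab entry: $svc/$host@$realm" >&2
            missing=1
        fi
    done
    return $missing
}

# capability_offers_gssapi LINE: succeeds if the greeting or CAPABILITY
# response advertises AUTH=GSSAPI (brackets stripped so word matching is exact).
capability_offers_gssapi() {
    caps=$(printf '%s' "$1" | sed 's/[][]/ /g')
    case " $caps " in
        *" AUTH=GSSAPI "*) return 0 ;;
        *) return 1 ;;
    esac
}

# log_shows_no_auth_attempt LINE: succeeds when imap-login closed the session
# with zero auth attempts, i.e. the client never offered a ticket, so the
# client credential cache (klist) is the first thing to check, not the keytab.
log_shows_no_auth_attempt() {
    case "$1" in
        *"imap-login: Disconnected (no auth attempts"*) return 0 ;;
        *) return 1 ;;
    esac
}

keytab_has_principals mail.example.com EXAMPLE.COM "$SAMPLE_KEYTAB" && echo "keytab: both service principals present"
capability_offers_gssapi "$SAMPLE_CAPS" && echo "server: AUTH=GSSAPI advertised"
log_shows_no_auth_attempt "$SAMPLE_LOG" && echo "log: client sent no AUTH, check klist on the client"
```

To use it against a real server, feed the functions the output of `klist -k` and the greeting line from your own IMAP connection.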