GSSAPI authentication setup
braden at endoframe.com
Sat Apr 16 21:41:53 UTC 2016
I'm setting up dovecot on a new box, and once again I find myself
banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on
another box. I've done my best to ape the configuration of that box,
but it's been some years since I set it up and somewhere along the line
I have failed.
My dovecot.conf has:
auth_mechanism = plain gssapi
driver = pam
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
where /etc/dovecot/dovecot-ldap.conf.ext is:
hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
I've diff'd the contents of /etc/dovecot on the working vs. non-working
servers, and I can see nothing of pertinence (just a few lines about
loading the sieve plug-in).
Now, logging in with the Kerberos password via PAM *is* working.
auth sufficient pam_krb5.so
account sufficient pam_krb5.so
But GSSAPI authentication is not:
[ root at hinge ~]# telnet localhost 143
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
Oh... The Kerberos server does have an IMAP service key for hinge; and
that service key appears in hinge's /etc/krb5.keytab, as well.
Any pointers on where I should be looking at this point would be very
Braden McDaniel <braden at endoframe.com>
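The two things worth verifying offline before digging into Dovecot's auth debug logs are (1) that the keytab really holds an imap/<fqdn> principal whose FQDN matches the name clients resolve for the server, and (2) that the keytab is readable by the Dovecot auth process without being world-readable. The script below is an added example written for this thread, not code from the original post or from the Dovecot project; the realm ENDOFRAME.NET and the klist listing it checks are constructed sample data, and `check_host_keytab` is a hypothetical wrapper that runs the same checks against a real keytab via MIT `klist -k`.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post): offline checks that
# mirror what to verify when Dovecot answers AUTHENTICATE GSSAPI with
# "Temporary authentication failure" although the host has a keytab.
#
# Assumptions (labelled): the realm ENDOFRAME.NET and the sample listing below
# are constructed; the real check feeds in `klist -k /etc/krb5.keytab` output.

# Constructed sample of `klist -k` output for the host named in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hinge.endoframe.net@ENDOFRAME.NET
   2 imap/hinge.endoframe.net@ENDOFRAME.NET'

# keytab_has_principal SERVICE FQDN LISTING
# Succeeds (exit 0) when LISTING contains a principal SERVICE/FQDN@<realm>.
# GSSAPI for IMAP needs imap/<fqdn>; host/<fqdn> alone is not enough, and the
# FQDN must be the one the client resolves for the server.
keytab_has_principal() {
    svc=$1
    fqdn=$2
    listing=$3
    printf '%s\n' "$listing" |
        awk -v want="$svc/$fqdn@" 'index($2, want) == 1 { found = 1 }
                                   END { exit found ? 0 : 1 }'
}

# keytab_not_world_readable FILE
# Succeeds when FILE has no "other" permission bits. A keytab should not be
# world-readable; give the Dovecot auth process access some other way
# (group ownership, or auth_krb5_keytab pointing at a copy it can read).
keytab_not_world_readable() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# check_host_keytab KEYTAB FQDN  (hypothetical wrapper; needs MIT klist)
# Runs both checks against a real keytab file.
check_host_keytab() {
    keytab=$1
    fqdn=$2
    [ -r "$keytab" ] || { echo "cannot read $keytab (run as the Dovecot auth user)"; return 1; }
    keytab_not_world_readable "$keytab" || echo "warning: $keytab is world-readable"
    listing=$(klist -k "$keytab") || return 1
    keytab_has_principal imap "$fqdn" "$listing" || { echo "no imap/$fqdn principal in $keytab"; return 1; }
    echo "ok: imap/$fqdn present in $keytab"
}

# Usage against a real keytab:
#   sh keytab_check.sh check /etc/krb5.keytab hinge.endoframe.net
# With no arguments the script only exercises the constructed sample.
if [ "${1:-}" = "check" ]; then
    check_host_keytab "$2" "$3"
else
    keytab_has_principal imap hinge.endoframe.net "$SAMPLE_KLIST" && echo "sample: imap principal present"
fi
```

Run the real check as the user the Dovecot auth process runs as, not as root: root can read any keytab, so a root-only success tells you nothing about the permission half of the problem.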