GSSAPI authentication setup

aki.tuomi at dovecot.fi
Sun Apr 17 18:49:38 UTC 2016


> On April 17, 2016 at 12:41 AM Braden McDaniel <braden at endoframe.com> wrote:
> 
> 
> I'm setting up dovecot on a new box; and once again I find myself
> banging my head against GSSAPI authentication.
> 
> The particularly irritating thing is that I have this working on
> another box.  I've done my best to ape the configuration of that box;
> but it's been some years since I set it up and somewhere along the line
> I have failed.
> 
> My dovecot.conf has:
> 
>     auth_mechanisms = plain gssapi
> 
>     passdb {
>       driver = pam
>     }
> 
>     userdb {
>       driver = ldap
>       args = /etc/dovecot/dovecot-ldap.conf.ext
>     }
> 
> where /etc/dovecot/dovecot-ldap.conf.ext is:
> 
>     hosts = ldap
>     dn = cn=Manager,dc=endoframe,dc=net
>     dnpass = XXXXXXXX
>     ldap_version = 3
>     base = ou=people,dc=endoframe,dc=net
>     deref = never
>     scope = subtree
>     user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
>     user_filter = (&(objectClass=posixAccount)(uid=%u))
> 
> I've diff'd the contents of /etc/dovecot on the working vs. non-working 
> servers, and I can see nothing of pertinence (just a few lines about
> loading the sieve plug-in).
> 
> Now, logging in with the Kerberos password via PAM *is* working.
> /etc/pam.d/dovecot:
> 
>     #%PAM-1.0
>     auth       sufficient   pam_krb5.so
>     account    sufficient   pam_krb5.so
> 
> But GSSAPI authentication is not:
> 
>     [root@hinge ~]# telnet localhost 143
>     Trying ::1...
>     Connected to localhost.
>     Escape character is '^]'.
>     * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
>     a authenticate GSSAPI
>     a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
>     ^]
>     telnet> close
>     Connection closed.
> 
> Oh... The Kerberos server does have an IMAP service key for hinge, and
> that service key appears in hinge's /etc/krb5.keytab as well.
> 
> Any pointers on where I should be looking at this point would be very
> much appreciated.
> 
> -- 
> Braden McDaniel <braden at endoframe.com>

Hi!

Did you check your setup against
http://wiki2.dovecot.org/Authentication/Kerberos

Also can you provide klist -k on server?
---
Aki Tuomi
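The two things the wiki page and the `klist -k` request above are really asking about are whether the keytab contains the principal the GSSAPI server side will look up, and whether the unprivileged auth process can read the file it lives in. The helper below is an added example, not code from this thread or from Dovecot: it parses `klist -k` output (a constructed sample in MIT format, using the host name from the thread) and checks a keytab file's permissions for a given user. It assumes the IMAP service principal has the form imap/<fqdn>@REALM, that the realm is ENDOFRAME.NET (the thread never states it), and that the auth process runs as the user `dovecot`; group membership is ignored when judging readability, so a "not readable" verdict is conservative.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the keytab that
# Dovecot's GSSAPI mechanism needs. Assumptions: the IMAP service principal
# has the form imap/<fqdn>@REALM, the auth process runs unprivileged
# (user "dovecot"), and klist -k prints the MIT format shown in SAMPLE_KLIST.

# Principal the server side of GSSAPI will look up for IMAP on this host.
expected_principal() {          # expected_principal FQDN REALM
    printf 'imap/%s@%s\n' "$1" "$2"
}

# Exit 0 if the principal appears in klist -k output (passed as one string).
# Data lines start with a numeric KVNO; the "Keytab name:" and header lines do not.
keytab_has_principal() {        # keytab_has_principal "<klist -k output>" PRINCIPAL
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Highest key version number stored for the principal (empty if absent). A keytab
# that lags behind the KDC's current kvno is another classic way GSSAPI breaks.
keytab_kvno() {                 # keytab_kvno "<klist -k output>" PRINCIPAL
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want && $1 + 0 > max { max = $1 + 0 }
        END { if (max) print max }'
}

# Exit 0 if USER (name or numeric uid) can read FILE via the owner or the
# world read bit. Group membership is deliberately ignored (conservative answer).
keytab_readable_by() {          # keytab_readable_by FILE USER_OR_UID
    [ -f "$1" ] || return 1
    uid=$(id -u "$2" 2>/dev/null || printf '%s' "$2")
    ls -ldn "$1" | awk -v uid="$uid" '{
        if ($3 == uid) ok = (substr($1, 2, 1) == "r")
        else           ok = (substr($1, 8, 1) == "r")
        exit ok ? 0 : 1
    }'
}

# Run both checks, print one diagnosis line each, exit 1 if anything is wrong.
check_gssapi_keytab() {  # check_gssapi_keytab "<klist -k output>" KEYTAB FQDN REALM RUN_AS_USER
    want=$(expected_principal "$3" "$4")
    rc=0
    if keytab_has_principal "$1" "$want"; then
        echo "ok: $want present (kvno $(keytab_kvno "$1" "$want"))"
    else
        echo "problem: $want not in keytab, GSSAPI cannot acquire the service credential"
        rc=1
    fi
    if keytab_readable_by "$2" "$5"; then
        echo "ok: $2 readable by $5"
    else
        echo "problem: $2 not readable by $5; give the auth process a keytab it can read (auth_krb5_keytab)"
        rc=1
    fi
    return $rc
}

# Constructed sample of klist -k output. Host name from the thread; realm and
# key version numbers are assumptions for the example.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hinge.endoframe.net@ENDOFRAME.NET
   2 imap/hinge.endoframe.net@ENDOFRAME.NET
   3 imap/hinge.endoframe.net@ENDOFRAME.NET'

# Stand-alone demo: a scratch keytab created mode 0600 and owned by the caller,
# which is how /etc/krb5.keytab normally looks (root:root 0600).
SCRATCH_KEYTAB="${TMPDIR:-/tmp}/dovecot-keytab-demo.$$"
( umask 077; : > "$SCRATCH_KEYTAB" )
check_gssapi_keytab "$SAMPLE_KLIST" "$SCRATCH_KEYTAB" hinge.endoframe.net ENDOFRAME.NET dovecot || true
rm -f "$SCRATCH_KEYTAB"
```

On a real host, replace the sample with `"$(klist -k)"` and the scratch file with the keytab Dovecot actually uses. If the principal check passes but the permission check fails, the usual fix is a separate keytab holding only the imap/ and pop/ keys, owned by the Dovecot user, referenced with `auth_krb5_keytab`; `auth_debug = yes` makes the auth process log the underlying GSSAPI error instead of the generic "Temporary authentication failure" seen in the quoted session.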

