GSSAPI authentication setup

Aki Tuomi aki.tuomi at dovecot.fi
Mon Apr 18 11:49:17 UTC 2016



On 18.04.2016 14:22, Braden McDaniel wrote:
> On Mon, 2016-04-18 at 08:59 +0300, aki.tuomi at dovecot.fi wrote:
>>> On April 18, 2016 at 8:13 AM Braden McDaniel <braden at endoframe.com>
>>> wrote:
>>>
>>>
>>> On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi at dovecot.fi wrote:
>>>>>
>>>>> Did you check your setup against
>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>> I did.  Of course, it's possible I've still managed to overlook
>>> something. 
>>>
>>>> Also can you provide klist -k on server?
>>> I assume you mean the kerberos server:
>>>
>>>     [    root at knock     ~]# 
>> Apologies, I ment your IMAP server.
>     [    root at hinge     ~]# klist -k
>     Keytab name: FILE:/etc/krb5.keytab
>     KVNO Principal
>     ---- --------------------------------------------------------------------------
>        3     host/hinge.endoframe.net at ENDOFRAME.NET
>    3 host/hinge.endoframe.net at ENDOFRAME.NET
>    4 host/hinge.endoframe.net at ENDOFRAME.NET
>    2 imap/hinge.endoframe.net at ENDOFRAME.NET
>
>
There was previous case where gssapi did not work with Thunderbird. It
apparently has some problems with GSSAPI usage. Also, did you ensure
that your client has all the requisite principals?

Can you try turning on auth_verbose=yes?

Remember that kerberos is very DNS oriented, so missing/incorrect
reverse records can also cause failures.

Aki


More information about the dovecot mailing list