Problems with GSSAPI and LDAP

Aki Tuomi aki.tuomi at dovecot.fi
Tue Oct 11 08:00:44 UTC 2016



On 11.10.2016 10:43, Juha Koho wrote:
>
> On 2016-10-11 09:18, Aki Tuomi wrote:
>> On 11.10.2016 10:13, Juha Koho wrote:
>>> Hello,
>>>
>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
>>> set up a GSSAPI Kerberos authentication with the LDAP server but with
>>> little success. Seems no matter what I try I end up with the following
>>> error message:
>>>
>>> dovecot: auth: Error: LDAP: binding failed (dn
>>> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
>>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>> provide more information (No Kerberos credentials available (default
>>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>>
>>> I have set the import_environment in dovecot.conf:
>>>
>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
>>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>
>>> And these in LDAP configuration:
>>>
>>> dn = imap/host.example.com@EXAMPLE.COM
>>> sasl_bind = yes
>>> sasl_mech = gssapi
>>> sasl_realm = EXAMPLE.COM
>>> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>>>
>>> I have tried with different values in dn and sasl_authz_id and also
>>> leaving them out completely but I always end up with the error message
>>> above. Using simple bind without GSSAPI works just fine.
>>>
>>> The credentials cache file exists and is valid for the principal
>>> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user,
>>> so it shouldn't be a permission problem either.
>>>
>>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
>>> connection attempt never reaches the LDAP server due to the error. I
>>> also have similar setup for Postfix and it works fine.
>>>
>>> Any ideas what to try next?
>>>
>>> Best regards,
>>> Juha
>>
>> Can you provide klist output for the cache file? Also, it should be
>> readable by dovenull user, or whatever is configured as
>> default_login_user.
>
>
> Here's the klist output of the cache file:
> -- 
> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
> Default principal: imap/host.example.com@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 10/12/2016 09:26:25
> ---
>
> I didn't know that dovenull must also have access to the cache,
> but I also tried setting 0644 permissions on the cache file with no
> luck. So permissions shouldn't be the issue...
>
> Juha

Your ccache has no ticket for imap/host.example.com@EXAMPLE.COM.

Please use kinit to acquire one.

Aki
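The thread boils down to three things an operator checks before Dovecot attempts a GSSAPI bind: the credential cache named in `import_environment` contains the principal given as `dn` in the LDAP config, that principal holds an unexpired TGT for `sasl_realm`, and the cache file is readable by the user that runs the auth process. The following pre-flight script is an added example and is not code from the thread or from the Dovecot project; it parses `klist` output and the relevant `dovecot-ldap.conf` keys, using constructed samples that mirror the values posted above. The `ccache_readable_by` helper is an assumption about how one might check the file mode and is not taken from the thread.

```python
"""Pre-flight check for a Dovecot LDAP GSSAPI bind (added example).

Compares a Kerberos credential cache (as printed by `klist -c <ccache>`)
against the dn / sasl_realm settings in dovecot-ldap.conf and reports
why the bind would fail before Dovecot is even restarted.
"""
import os
import re
import stat
from datetime import datetime

# Constructed sample: the klist output posted in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 09:26:25
"""

# Constructed sample: the dovecot-ldap.conf keys posted in the thread.
SAMPLE_LDAP_CONF = """dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM
"""

KLIST_TIME = "%m/%d/%Y %H:%M:%S"
# One ticket line: "<start>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return (default_principal, [(start, expires, service), ...])."""
    principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:  # "renew until" and header lines do not match
            tickets.append((datetime.strptime(m.group(1), KLIST_TIME),
                            datetime.strptime(m.group(2), KLIST_TIME),
                            m.group(3)))
    return principal, tickets


def parse_ldap_conf(text):
    """Minimal `key = value` parser for the dovecot-ldap.conf keys used here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_ccache(klist_text, conf_text, now_str):
    """Return a list of problems; an empty list means the cache looks usable.

    now_str uses the same timestamp format klist prints, e.g. "10/11/2016 10:00:00".
    """
    now = datetime.strptime(now_str, KLIST_TIME)
    problems = []
    principal, tickets = parse_klist(klist_text)
    conf = parse_ldap_conf(conf_text)

    if conf.get("sasl_bind") != "yes" or conf.get("sasl_mech", "").lower() != "gssapi":
        problems.append("sasl_bind/sasl_mech do not select a GSSAPI bind")
    if principal is None:
        problems.append("ccache has no default principal")
    elif conf.get("dn") and conf["dn"] != principal:
        problems.append(f"dn {conf['dn']} differs from ccache principal {principal}")

    realm = conf.get("sasl_realm", "")
    tgt = [t for t in tickets if t[2] == f"krbtgt/{realm}@{realm}"]
    if not tgt:
        problems.append(f"no TGT for realm {realm} in ccache; run kinit for the service principal")
    elif not (tgt[0][0] <= now < tgt[0][1]):
        problems.append(f"TGT for {realm} is not valid at {now_str}; renew or re-kinit")
    return problems


def ccache_readable_by(path, uid, gid):
    """Assumed helper: True if the cache file's mode lets uid/gid read it.

    Dovecot's auth workers run as the user named by default_login_user (dovenull
    by default, per the thread), so check that user, not root.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for p in check_ccache(SAMPLE_KLIST, SAMPLE_LDAP_CONF, "10/11/2016 10:00:00") or ["ccache OK"]:
        print(p)
```

In production, feed `check_ccache` the output of `klist -c FILE:/tmp/dovecot.krb5.ccache` and the current time; the same cache that passes this check must also pass `ccache_readable_by` for the `default_login_user` uid, otherwise the auth process sees "No Kerberos credentials available" even though root can read the file.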

