Problems with GSSAPI and LDAP

Juha Koho juha.koho at trineco.fi
Tue Oct 11 08:56:24 UTC 2016


On 2016-10-11 10:00, Aki Tuomi wrote:
> On 11.10.2016 10:43, Juha Koho wrote:
>> 
>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>> Hello,
>>>> 
>>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying 
>>>> to
>>>> set up a GSSAPI Kerberos authentication with the LDAP server but 
>>>> with
>>>> little success. Seems no matter what I try I end up with the 
>>>> following
>>>> error message:
>>>> 
>>>> dovecot: auth: Error: LDAP: binding failed (dn
>>>> (imap/host.example.com at EXAMPLE.COM)): Local error, SASL(-1): generic
>>>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>>> provide more information (No Kerberos credentials available (default
>>>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>>> 
>>>> I have set the import_environment in dovecot.conf:
>>>> 
>>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID 
>>>> LISTEN_FDS
>>>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>> 
>>>> And these in LDAP configuration:
>>>> 
>>>> dn = imap/host.example.com at EXAMPLE.COM
>>>> sasl_bind = yes
>>>> sasl_mech = gssapi
>>>> sasl_realm = EXAMPLE.COM
>>>> sasl_authz_id = imap/host.example.com at EXAMPLE.COM
>>>> 
>>>> I have tried with different values in dn and sasl_authz_id and also
>>>> leaving them out completely but I always end up with the error 
>>>> message
>>>> above. Using simple bind without GSSAPI works just fine.
>>>> 
>>>> The credentials cache file exists and is valid for the principal
>>>> imap/host.example.com at EXAMPLE.COM. The file is owned by dovecot user
>>>> so it shouldn't be a permission problem either.
>>>> 
>>>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since 
>>>> the
>>>> connection attempt never reaches the LDAP server due to the error. I
>>>> also have similar setup for Postfix and it works fine.
>>>> 
>>>> Any ideas what to try next?
>>>> 
>>>> Best regards,
>>>> Juha
>>> 
>>> Can you provide klist output for the cache file? Also, it should be
>>> readable by dovenull user, or whatever is configured as
>>> default_login_user.
>> 
>> 
>> Here's the klist output of the cache file:
>> --
>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>> Default principal: imap/host.example.com at EXAMPLE.COM
>> 
>> Valid starting       Expires              Service principal
>> 10/11/2016 09:26:25  10/11/2016 21:26:25  
>> krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>         renew until 10/12/2016 09:26:25
>> ---
>> 
>> That I didn't know that also dovenull must have access to the cache
>> but I tried also setting 0644 permissions to the cache file with no
>> luck. So permissions shouldn't be the issue...
>> 
>> Juha
> 
> Your ccache has no ticket for imap/host.example.com at EXAMPLE.COM
> 
> please use kinit to acquire one.


Now I'm confused. The cache file is created by kinit using the command:

sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t 
/path/to/keytab imap/host.example.com

After that:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com at EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM at EXAMPLE.COM
         renew until 10/12/2016 10:47:47

Also, I can use the cache file with ldapsearch just fine by running the 
following:

sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y 
GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com

After the ldapsearch has succeeded the klist output is the following:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com at EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM at EXAMPLE.COM
         renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  
ldap/ldap.example.com at EXAMPLE.COM
         renew until 10/12/2016 10:47:47


Which is what I expected. Isn't this basically what dovecot does (or 
should do) or did I miss something?

Juha


More information about the dovecot mailing list