Problems with GSSAPI and LDAP

Aki Tuomi aki.tuomi at dovecot.fi
Tue Oct 11 09:03:30 UTC 2016



On 11.10.2016 11:56, Juha Koho wrote:
>
> On 2016-10-11 10:00, Aki Tuomi wrote:
>> On 11.10.2016 10:43, Juha Koho wrote:
>>>
>>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>>> Hello,
>>>>>
>>>>> I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying
>>>>> to set up GSSAPI Kerberos authentication with the LDAP server, but with
>>>>> little success. It seems no matter what I try I end up with the
>>>>> following error message:
>>>>>
>>>>> dovecot: auth: Error: LDAP: binding failed (dn
>>>>> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
>>>>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>>>> provide more information (No Kerberos credentials available (default
>>>>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>>>>
>>>>> I have set the import_environment in dovecot.conf:
>>>>>
>>>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>>>
>>>>> And these in LDAP configuration:
>>>>>
>>>>> dn = imap/host.example.com@EXAMPLE.COM
>>>>> sasl_bind = yes
>>>>> sasl_mech = gssapi
>>>>> sasl_realm = EXAMPLE.COM
>>>>> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>>>>>
>>>>> I have tried different values in dn and sasl_authz_id and also
>>>>> leaving them out completely, but I always end up with the error
>>>>> message above. Using simple bind without GSSAPI works just fine.
>>>>>
>>>>> The credentials cache file exists and is valid for the principal
>>>>> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot
>>>>> user so it shouldn't be a permission problem either.
>>>>>
>>>>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
>>>>> connection attempt never reaches the LDAP server due to the error. I
>>>>> also have a similar setup for Postfix and it works fine.
>>>>>
>>>>> Any ideas what to try next?
>>>>>
>>>>> Best regards,
>>>>> Juha
>>>>
>>>> Can you provide klist output for the cache file? Also, it should be
>>>> readable by dovenull user, or whatever is configured as
>>>> default_login_user.
>>>
>>>
>>> Here's the klist output of the cache file:
>>> -- 
>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>> Default principal: imap/host.example.com@EXAMPLE.COM
>>>
>>> Valid starting       Expires              Service principal
>>> 10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>         renew until 10/12/2016 09:26:25
>>> ---
>>>
>>> I didn't know that dovenull must also have access to the cache, but I
>>> tried setting 0644 permissions on the cache file as well, with no
>>> luck. So permissions shouldn't be the issue...
>>>
>>> Juha
>>
>> Your ccache has no ticket for imap/host.example.com@EXAMPLE.COM
>>
>> please use kinit to acquire one.
>
>
> Now I'm confused. The cache file is created by kinit using the command:
>
> sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com
>
> After that:
>
> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
> Default principal: imap/host.example.com@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 10/12/2016 10:47:47
>
> Also, I can use the cache file with ldapsearch just fine by running
> the following:
>
> sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com
>
> After the ldapsearch has succeeded the klist output is the following:
>
> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
> Default principal: imap/host.example.com@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 10/12/2016 10:47:47
> 10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example.com@EXAMPLE.COM
>         renew until 10/12/2016 10:47:47
>
>
> Which is what I expected. Isn't this basically what dovecot does (or
> should do) or did I miss something?
>
> Juha

Dovecot won't acquire service tickets for you. It requires that you have a
ticket for imap/imap.example.com@EXAMPLE.COM in the cache or keytab.

The default principal is used when *CONNECTING* to a service, but you
are *ACCEPTING* a service, so you need a service principal.

Aki
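An added diagnostic for the situation debugged above, not from the thread or from Dovecot: it parses klist output (a constructed sample modelled on Juha's cache, written with "@" where the archive shows "at") and reports which principals the cache holds tickets for, so a cache can be checked for the TGT and for a given service principal before Dovecot is pointed at it. The function names and the `klist -c` invocation in the closing comment are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Kerberos credential cache
# as klist prints it and report which principals it holds tickets for.

# Constructed klist output modelled on the cache shown in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example.com@EXAMPLE.COM
        renew until 10/12/2016 10:47:47'

# default_principal KLIST_OUTPUT: print the cache's default (client) principal.
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# list_tickets KLIST_OUTPUT: print one service principal per ticket line.
# Ticket lines start with a date and have five fields; the column header
# and the "renew until" continuation lines are skipped.
list_tickets() {
    printf '%s\n' "$1" | awk 'NF == 5 && $1 ~ /^[0-9]/ { print $5 }'
}

# has_ticket KLIST_OUTPUT PRINCIPAL: succeed if the cache holds a ticket
# for PRINCIPAL (exact match, realm included).
has_ticket() {
    list_tickets "$1" | grep -qxF -- "$2"
}

# check_ccache KLIST_OUTPUT REALM LDAP_HOST: report whether the cache holds
# a TGT for REALM (what GSSAPI uses to fetch further service tickets) and
# whether a ticket for the LDAP server is already cached. Returns 0 only
# when the TGT is present.
check_ccache() {
    echo "client principal: $(default_principal "$1")"
    if has_ticket "$1" "krbtgt/$2@$2"; then
        echo "TGT for $2: present"
    else
        echo "TGT for $2: MISSING (acquire one with kinit -k -t KEYTAB PRINCIPAL)"
        return 1
    fi
    if has_ticket "$1" "ldap/$3@$2"; then
        echo "service ticket for ldap/$3@$2: cached"
    else
        echo "service ticket for ldap/$3@$2: not cached"
    fi
}

# Against a real cache: check_ccache "$(klist -c FILE:/tmp/dovecot.krb5.ccache)" EXAMPLE.COM ldap.example.com
```

Run it as the user Dovecot's auth process uses (dovenull, or whatever default_login_user is set to) so that a cache file the user cannot read shows up as an empty klist result rather than a missing ticket.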

