Problems with GSSAPI and LDAP
Juha Koho
juha.koho at trineco.fi
Wed Oct 12 07:27:47 UTC 2016
On 2016-10-11 12:10, Juha Koho wrote:
> On 2016-10-11 11:03, Aki Tuomi wrote:
>> On 11.10.2016 11:56, Juha Koho wrote:
>>>
>>> On 2016-10-11 10:00, Aki Tuomi wrote:
>>>> On 11.10.2016 10:43, Juha Koho wrote:
>>>>>
>>>>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>>>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
>>>>>>> set up a GSSAPI Kerberos authentication with the LDAP server but with
>>>>>>> little success. Seems no matter what I try I end up with the following
>>>>>>> error message:
>>>>>>>
>>>>>>> dovecot: auth: Error: LDAP: binding failed (dn
>>>>>>> (imap/host.example.com at EXAMPLE.COM)): Local error, SASL(-1): generic
>>>>>>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
>>>>>>> provide more information (No Kerberos credentials available (default
>>>>>>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>>>>>>
>>>>>>> I have set the import_environment in dovecot.conf:
>>>>>>>
>>>>>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>>>>>
>>>>>>> And these in LDAP configuration:
>>>>>>>
>>>>>>> dn = imap/host.example.com at EXAMPLE.COM
>>>>>>> sasl_bind = yes
>>>>>>> sasl_mech = gssapi
>>>>>>> sasl_realm = EXAMPLE.COM
>>>>>>> sasl_authz_id = imap/host.example.com at EXAMPLE.COM
>>>>>>>
>>>>>>> I have tried with different values in dn and sasl_authz_id and also
>>>>>>> leaving them out completely but I always end up with the error message
>>>>>>> above. Using simple bind without GSSAPI works just fine.
>>>>>>>
>>>>>>> The credentials cache file exists and is valid for the principal
>>>>>>> imap/host.example.com at EXAMPLE.COM. The file is owned by dovecot
>>>>>>> user
>>>>>>> so it shouldn't be a permission problem either.
>>>>>>>
>>>>>>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
>>>>>>> connection attempt never reaches the LDAP server due to the error. I
>>>>>>> also have a similar setup for Postfix and it works fine.
>>>>>>>
>>>>>>> Any ideas what to try next?
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Juha
>>>>>>
>>>>>> Can you provide klist output for the cache file? Also, it should be
>>>>>> readable by the dovenull user, or whatever is configured as
>>>>>> default_login_user.
>>>>>
>>>>>
>>>>> Here's the klist output of the cache file:
>>>>> --
>>>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>>>> Default principal: imap/host.example.com at EXAMPLE.COM
>>>>>
>>>>> Valid starting       Expires              Service principal
>>>>> 10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>>         renew until 10/12/2016 09:26:25
>>>>> ---
>>>>>
>>>>> I didn't know that dovenull must also have access to the cache, but
>>>>> I also tried setting 0644 permissions on the cache file with no
>>>>> luck. So permissions shouldn't be the issue...
>>>>>
>>>>> Juha
>>>>
>>>> Your ccache has no ticket for imap/host.example.com at EXAMPLE.COM
>>>>
>>>> please use kinit to acquire one.
>>>
>>>
>>> Now I'm confused. The cache file is created by kinit using the command:
>>>
>>> sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com
>>>
>>> After that:
>>>
>>> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>> Default principal: imap/host.example.com at EXAMPLE.COM
>>>
>>> Valid starting       Expires              Service principal
>>> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>         renew until 10/12/2016 10:47:47
>>>
>>> Also, I can use the cache file with ldapsearch just fine by running
>>> the following:
>>>
>>> sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com
>>>
>>> After the ldapsearch has succeeded the klist output is the following:
>>>
>>> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>> Default principal: imap/host.example.com at EXAMPLE.COM
>>>
>>> Valid starting       Expires              Service principal
>>> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>         renew until 10/12/2016 10:47:47
>>> 10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example.com at EXAMPLE.COM
>>>         renew until 10/12/2016 10:47:47
>>>
>>>
>>> Which is what I expected. Isn't this basically what dovecot does (or
>>> should do) or did I miss something?
>>>
>>> Juha
>>
>> Dovecot won't acquire service tickets for you. It requires that you have
>> a ticket for imap/imap.example.com at EXAMPLE.COM in the cache or keytab.
>>
>> The default principal is used when *CONNECTING* to a service, but you
>> are *ACCEPTING* a service, so you need a service principal.
>>
>> Aki
>
> Sorry, all this Kerberos stuff is quite new to me and I'm still a bit
> confused... :) What I still fail to understand is why would I need the
> service principal in the cache since I'm trying to set dovecot to use
> GSSAPI when connecting to the LDAP back end for passdb and userdb
> lookups.
>
> My imap users can connect to Dovecot using GSSAPI without problems.
> This isn't the issue. Dovecot being the client to the LDAP service is
> the issue.
>
> But anyway, after adding the ticket for
> imap/host.example.com at EXAMPLE.COM in the cache the error still
> remains:
>
> dovecot: auth: Error: LDAP: binding failed (dn
> imap/host.example.com at EXAMPLE.COM): Local error, SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (No Kerberos credentials available (default
> cache: FILE:/tmp/dovecot.krb5.ccache))
>
> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
> Default principal: imap/host.example.com at EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/11/2016 11:00:50  10/11/2016 23:00:50  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>         renew until 10/12/2016 11:00:50
> 10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example.com@
>         renew until 10/12/2016 11:00:50
> 10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example.com at EXAMPLE.COM
>         renew until 10/12/2016 11:00:50
>
> Juha
Just to let anyone interested know: the configuration was correct, but
this turned out to be some sort of library incompatibility or whatever.
I cloned the configuration to a new virtual server and compiled a fresh
copy of Dovecot from source (tried git master and release-2.2.25) and
it worked without problems.

I also noticed that with the freshly compiled version the error message
changed to

dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error,
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (No Kerberos credentials available:
Credentials cache permissions incorrect (filename:
/tmp/dovecot.krb5.ccache))

if the permissions of the cache file were incorrect, instead of the
general error message above. So it seems the issue - whatever it was -
meant that Dovecot (or the underlying libraries) was unable to locate
or open the cache file in the first place.
Juha
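The thread shows how the generic "No Kerberos credentials available" message hides whether the cache was missing, unreadable or simply lacked a ticket. Below is a small pre-flight script, added here and not from the mailing list, that a defender can run as the Dovecot login user to tell those cases apart; the paths, user names and sample klist text are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the credential
# cache that Dovecot's LDAP GSSAPI bind reads. They separate the cases the
# generic "No Kerberos credentials available" error lumps together.
# Paths, user names and the sample klist text are assumptions. Source this
# file, then run e.g.: check_ccache_file /tmp/dovecot.krb5.ccache dovenull

# check_ccache_file CCACHE USER: prints "ok" when USER owns CCACHE and no
# other account can read it; otherwise prints the reason and fails.
check_ccache_file() {
    f=$1; user=$2
    if [ ! -f "$f" ]; then
        echo "missing: $f does not exist or is not a regular file"; return 1
    fi
    # -prune keeps find on the file itself; -user/-perm then test that file
    if [ -z "$(find "$f" -prune -user "$user" -print)" ]; then
        echo "owner: $f is not owned by $user"; return 2
    fi
    # a 0644 cache in /tmp hands the TGT to every local account
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "mode: $f is group- or world-readable; use 0600"; return 3
    fi
    echo ok
}

# check_klist_output KLIST_FILE PRINCIPAL: reads saved klist output and
# confirms the default principal plus a TGT for its realm.
check_klist_output() {
    out=$1; princ=$2
    realm=${princ##*@}
    if ! grep -q "^Default principal: $princ\$" "$out"; then
        echo "principal: default principal is not $princ"; return 1
    fi
    if ! grep -q "krbtgt/$realm@$realm" "$out"; then
        echo "tgt: no krbtgt/$realm ticket in cache"; return 2
    fi
    echo ok
}

# write_sample_klist FILE: constructed klist output modelled on the thread
write_sample_klist() {
    cat > "$1" <<'EOF'
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM
Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 10:47:47
EOF
}
```

Run the file checks as the account named in default_login_user (dovenull in the thread), since that is the identity that has to open the cache.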