Cannot login with method=GSSAPI

Thu Aug 17 04:43:16 EEST 2017

I solved the problem. The dovecot auth_gssapi_hostname entry did not have
a correct reverse DNS entry.

Example:

mail.example.com had an IP of 192.168.1.3 and the reverse pointer record
for 192.168.1.3 was a different hostname; i.e. orange.example.com.

Kerberos gssapi is strict.

Thank you for your help.

On Tue, Aug 15, 2017 at 11:55 PM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> The disconnect (no auth attempts) means that the client did not see any
> reason to try logging in.
>
> You can use https://wiki.mozilla.org/MailNews:Logging to enable debug
> logging.
>
> Aki
>
>
> On 16.08.2017 09:50, Erik Haller wrote:
> > I am migrating an existing dovecot server to a new server. The existing
> > server uses pam_krb5 and works with the plain and gssapi methods. The new
> > server plain/pam_krb5 normal password authentication works. However, the
> > gssapi (tickets) authentication is producing the following error:
> >
> > === Begin Error ====
> >
> > imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
> > rip=192.168.7.61, lip=192.168.7.97, TLS, session=<SPnD7NhWWtrAqAc9>
> >
> > === End Error ===
> >
> > What is causing the "user=<>"? It should be "user=<erik>".
> >
> > I have been using Thunderbird SSL GSSAPI from a Debian Linux
> testing/buster
> > XFCE desktop to connect to the existing server for years. When I point it
> > to the new server, I receive the above error.
> >
> > ssh kerberos gssapi authentication is working fine on the new server.
> >
> > Most of the doveconf setting between the existing and new servers are the
> > same.
> >
> > The existing server is 32 bit. The new server is 64 bit running in an LXC
> > container. The existing server dovecot version is the same as the new
> > server.
> >
> >
> > Notes:
> >
> > dovecot version: 2.2.31 (65cde28)
> > OS: Debian Linux testing/buster
> > Arch: amd64
> >
> > Client: Mozilla Thunderbird 52.2.1 (latest)
>