gssapi without passdb

[David Wells]

Good afternoon.


I'm configuring dovecot to authenticate users against a samba server 
running as an active directory domain controller. I followed the 
instructions as stated in the page 
https://wiki.dovecot.org/Authentication/Kerberos and considering the 
sentence that states [...]The Kerberos authentication mechanism doesn't 
require having a passdb, but you do need a userdb[...] I produced a 
configuration file that looked like this

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location = 
> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }

When I ran these settings I would get an error that read

> Nov  8 17:00:00 mail dovecot: auth: Error: 
> gssapi(user at KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All 
> password databases were skipped
> Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service 
> reported temporary failure): user=<user at KERBEROSPRINCIPAL>, 
> method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, 
> session=<IQMcOtuWI+3AqLaJ>

After Trying many things I finally modified my config

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location = 
> maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }
The dovecot-ldap.conf.ext file looks like this

> hosts = dc1:3268
> tls = yes
> auth_bind = yes
> auth_bind_userdn = %u
> base =

With this configuration I can authenticate to the imap server sending 
user at KERBEROSPRINCIPAL as my username and without setting a password so 
I'm wondering if the wiki page needs to be updated or if there is 
something wrong with my first setup.


Thanks in advance.

Best regards,

David Wells.