gssapi without passdb

David Wells dwells at alfavinil.com
Fri Nov 8 22:13:44 EET 2019


Good afternoon.


I'm configuring Dovecot to authenticate users against a Samba server 
running as an Active Directory domain controller. I followed the 
instructions on the page 
https://wiki.dovecot.org/Authentication/Kerberos and, considering the 
sentence that states "[...] The Kerberos authentication mechanism doesn't 
require having a passdb, but you do need a userdb [...]", I produced a 
configuration file that looked like this:

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }

When I ran with these settings I would get an error that read:

> Nov  8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
> Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>

After trying many things I finally modified my config to this:

> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = gssapi
> auth_username_format = %u
> mail_location = maildir:~/Maildir:INDEX=/var/lib/dovecot/%d/%n:CONTROL=/var/lib/dovecot/%d/%n:UTF-8
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   sieve = file:~/sieve;active=~/.dovecot.sieve
> }
> protocols = imap
> ssl_ca = /etc/ssl/certs/cacertificate.crt
> ssl_cert = </etc/ssl/certs/certificate.crt
> ssl_key = # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
>   driver = static
> }

The dovecot-ldap.conf.ext file looks like this:

> hosts = dc1:3268
> tls = yes
> auth_bind = yes
> auth_bind_userdn = %u
> base =

With this configuration I can authenticate to the IMAP server, sending 
user@KERBEROSPRINCIPAL as my username and without setting a password, so 
I'm wondering whether the wiki page needs to be updated or whether there is 
something wrong with my first setup.


Thanks in advance.

Best regards,

David Wells.
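The two log lines quoted in the message are the auth process's view and imap-login's view of the same attempt, tied together by the session id in angle brackets. As an added example (not code from the original post or from the Dovecot project), the Python script below parses both line shapes and correlates them by session, so that a configuration-level failure such as "All password databases were skipped" is reported separately from a client that simply failed to authenticate. The sample log is constructed from the lines quoted above; the extra sessions for alice and bob, the "Login:" line and the "auth failed" line are assumptions added for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post; not a real capture.
# The alice/bob sessions and their outcomes are assumptions added for illustration.
SAMPLE_LOG = """\
Nov  8 17:00:00 mail dovecot: auth: Error: gssapi(user@KERBEROSPRINCIPAL,192.168.182.137,<IQMcOtuWI+3AqLaJ>): All password databases were skipped
Nov  8 17:00:02 mail dovecot: imap-login: Disconnected (auth service reported temporary failure): user=<user@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.137, lip=192.168.182.4, TLS, session=<IQMcOtuWI+3AqLaJ>
Nov  8 17:01:10 mail dovecot: imap-login: Login: user=<alice@KERBEROSPRINCIPAL>, method=GSSAPI, rip=192.168.182.140, lip=192.168.182.4, TLS, session=<aBcD1234EfGh5678>
Nov  8 17:02:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob@KERBEROSPRINCIPAL>, method=GSSAPI, rip=10.0.0.9, lip=192.168.182.4, TLS, session=<ZzYy9876XxWw5432>
"""

# auth process line: "auth: Error: <mech>(<user>,<rip>,<session>): <reason>"
AUTH_ERROR = re.compile(
    r"dovecot: auth: Error: (?P<mech>[\w-]+)\((?P<user>[^,]*),(?P<rip>[^,]*),"
    r"<(?P<session>[^>]*)>\): (?P<reason>.*)$"
)
# imap-login line: "imap-login: Login: ..." or "imap-login: Disconnected (<detail>): ..."
LOGIN_EVENT = re.compile(
    r"dovecot: imap-login: (?P<event>Login|Disconnected)(?: \((?P<detail>[^)]*)\))?: (?P<fields>.*)$"
)


def parse_fields(fields):
    """Turn 'user=<x>, method=GSSAPI, rip=1.2.3.4, TLS, session=<s>' into a dict.
    Bare tokens such as TLS are collected under 'flags'."""
    out = {"flags": []}
    for part in fields.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value.strip("<>")
        else:
            out["flags"].append(part)
    return out


def correlate(log_text):
    """Group auth-process errors and imap-login events by Dovecot session id."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = AUTH_ERROR.search(line)
        if m:
            sessions[m["session"]].update(
                user=m["user"], rip=m["rip"], mech=m["mech"].upper(), auth_error=m["reason"]
            )
            continue
        m = LOGIN_EVENT.search(line)
        if m:
            f = parse_fields(m["fields"])
            sessions[f.get("session", "?")].update(
                user=f.get("user"), rip=f.get("rip"), mech=f.get("method"),
                event=m["event"], detail=m["detail"],
            )
    return dict(sessions)


def classify(session):
    """Reduce one correlated session to a single outcome label."""
    if session.get("event") == "Login":
        return "success"
    detail = session.get("detail") or ""
    if "temporary failure" in detail:
        # imap-login reports a temporary failure when the auth process could not
        # complete the request; the reason the auth process logged (here
        # "All password databases were skipped") is what to act on, and it points
        # at server-side configuration rather than at the client's credential.
        return "temporary_failure"
    if detail.startswith("auth failed"):
        return "auth_failed"
    return "unknown"


def summarize(log_text):
    """Map session id -> (outcome, user, rip, auth_error or None)."""
    return {
        sid: (classify(s), s.get("user"), s.get("rip"), s.get("auth_error"))
        for sid, s in correlate(log_text).items()
    }


if __name__ == "__main__":
    for sid, (outcome, user, rip, err) in summarize(SAMPLE_LOG).items():
        print(f"{sid}: {outcome} user={user} rip={rip} auth_error={err}")
```

Run it against /var/log/mail.log (or wherever Dovecot logs) by passing the file's text to summarize(); the point of keying on the session id is that the auth process's reason and imap-login's disconnect land on separate lines, seconds apart, and only the session id ties them to one client attempt.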



