Dovecot GSSAPI Authentication problem
Lucas Castro
lucas at gnuabordo.com.br
Wed Aug 4 19:47:10 EEST 2021
Hello,
I'm having a problem setting up dovecot imap/pop service authentication through Kerberos.
Already read https://wiki.dovecot.org/Authentication/Kerberos.
My guess is that Kerberos is working but something goes wrong afterwards.
The keytab and ticket (for the ldap userdb lookup):
-rw------- 1 dovecot dovecot 498 ago 3 20:20 /etc/dovecot/imap.keytab
-rw------- 1 dovecot root 1503 ago 4 11:40 /etc/dovecot/imap.ticket
dovecot --version
2.3.13 (89f716dc2)
The dovecot settings:
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 11.0
# Hostname: postfix10.zw.local
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_username_translation = /@
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  postmaster_address = postmaster at zw.local
}
When I launch Thunderbird, the mail log raises this:
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Using all keytab entries
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0 at zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): security context state completed.
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsoco75BA/W0B9tS+UmJnunUg6vIcO5wr0fzZ7iGmCpsz0K2vL/qniGISDIwF9hDXXxs79bljbZE8Yx4dujqVuTPGMtewfhDtNfRNgYGNk/z28sDz7fs/dpIMKF2FAA1m9pFjBupQ1VkGbzMYc77U
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0 at zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Negotiated security layer
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAAAAAAAAAdf8bQH///86U2L5ErmqfWFYNQA=
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT<hidden>
Aug 4 13:42:23 postfix10 dovecot: auth: Error: gssapi(user0 at domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): All password databases were skipped
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: auth(user0 at domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Auth request finished
Aug 4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user0 at domain1.zw.local#011code=temp_fail#011original_user=user0 at ZW.LOCAL
Aug 4 13:42:25 postfix10 dovecot: pop3-login: Debug: Ignoring unknown passdb extra field: original_user
Can someone help with this?
--
Lucas Castro
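Reading a session like the one in the post by hand is awkward because syslog writes the auth protocol's tab separators as #011 and the username changes between lines. The following Python script is an added example, not from the post or from Dovecot: it decodes the escapes, groups lines by session id, and reports the mechanism, every username seen, any auth error and the final passdb verdict; the sample lines are constructed after the post's output.

```python
import re

# Constructed sample lines modelled on the auth debug output quoted in the post
# (not copied verbatim; the archive's " at " obfuscation is written as "@").
SAMPLE_LOG = """\
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,<Q3GdfL7IvLmsEAAs>): Using all keytab entries
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): security context state completed.
Aug  4 13:42:23 postfix10 dovecot: auth: Error: gssapi(user0@domain1.zw.local,172.16.0.44,<Q3GdfL7IvLmsEAAs>): All password databases were skipped
Aug  4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user0@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
"""

# "<mech>(<user>,<remote ip>,<session>): <message>" lines, and the tab-separated auth protocol lines
MECH_RE = re.compile(r"auth: (Debug|Error): (\w+)\(([^,]*),([^,]*),<([^>]+)>\): (.*)$")
CLIENT_RE = re.compile(r"auth: Debug: client (in|passdb out): (.*)$")

def unescape_syslog(text):
    """syslog stores control characters as '#ooo' octal escapes; '#011' is the field-separating tab."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def parse_fields(payload):
    """'FAIL\\t1\\tuser=x\\tcode=y' -> ('FAIL', '1', [], {'user': 'x', 'code': 'y'})."""
    parts = unescape_syslog(payload).split("\t")
    kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    positional = [p for p in parts[2:] if "=" not in p]
    return parts[0], (parts[1] if len(parts) > 1 else None), positional, kv

def triage(log_text):
    """Per session: mechanism, service, every username seen, errors and the final passdb verdict."""
    sessions, req_to_sid = {}, {}  # auth request ids are per auth process; fine for one capture
    for line in log_text.splitlines():
        if m := MECH_RE.search(line):
            level, _mech, user, _rip, sid, msg = m.groups()
            s = sessions.setdefault(sid, {"users": [], "errors": []})
            if user != "?" and user not in s["users"]:
                s["users"].append(user)  # shows the username being rewritten before the passdb lookup
            if level == "Error":
                s["errors"].append(msg)
        elif m := CLIENT_RE.search(line):
            cmd, req_id, positional, kv = parse_fields(m.group(2))
            if cmd == "AUTH":
                sid = req_to_sid[req_id] = kv.get("session")
                s = sessions.setdefault(sid, {"users": [], "errors": []})
                s["mechanism"], s["service"], s["rip"] = positional[0], kv.get("service"), kv.get("rip")
            elif cmd in ("OK", "FAIL") and req_id in req_to_sid:
                sessions[req_to_sid[req_id]].update(result=cmd, fail_code=kv.get("code"),
                    final_user=kv.get("user"), original_user=kv.get("original_user"))
    return sessions
```

Run `triage(open("/var/log/mail.log").read())` over a real capture to see, per session, which username reached the passdb and with what verdict.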