Hi Everyone, I'm running an IPA server on CentOS 7 successfully and now I want to change my Dovecot setup to use GSSAPI for IMAP authentication instead of a flat "userdb" file. I've already joined the Dovecot box to the IPA domain - ssh and ipa policies and all that are working properly. I read a number of articles on how to configure Dovecot for GSSAPI auth and they all said the same thing (even Red Hat's official how to on it agreed). But, when I set up Evolution on my Fedora 22 system to use GSSAPI, Dovecot's log records this: Sep 8 13:49:55 mailman02 dovecot: auth: Panic: file auth-request.c: line 733 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL) Sep 8 13:49:55 mailman02 dovecot: auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x6a02e) [0x7f27af22202e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x6a10e) [0x7f27af22210e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f27af1da52c] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x15922) [0x7f27af6c7922] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_lookup_credentials+0x32) [0x7f27af6c9332] -> /usr/lib64/dovecot/auth/libmech_gssapi.so(+0x2134) [0x7f27ad615134] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_handler_auth_continue+0xe5) [0x7f27af6caf15] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x109da) [0x7f27af6c29da] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f27af232a47] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xff) [0x7f27af2338cf] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f27af232598] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f27af1df9e3] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](main+0x391) [0x7f27af6c07f1] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27ae7ceaf5] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0xe9e1) [0x7f27af6c09e1] Sep 8 13:49:55 mailman02 dovecot: auth: Fatal: master: service(auth): child 23185 killed with signal 6 (core dumps disabled) I've already asked on the Dovecot list about my GSSAPI auth problems and was told that this is a bug in Dovecot which does not exist in the latest release (I don't know when the problem was actually fixed). My question is simply this: does anyone else have dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA server? IPA is also running on CentOS 7.1.1503. Regards, Ranbir -- Kanwar R.S. Sandhu
You could try rebuilding this src.rpm - http://awel.domblogger.net/7/libre/src/repoview/dovecot.html That's what I use for Dovecot on CentOS 7 but I build it against LibreSSL so you probably don't want my binary RPM but the src.rpm will build against stock CentOS OpenSSL just fine w/o modification. I don't know if it will fix your issue but it is latest release that the dovecot list claims has the issue fixed. On 09/08/2015 12:00 PM, Kanwar Ranbir Sandhu wrote:> Hi Everyone, > > I'm running an IPA server on CentOS 7 successfully and now I want to > change my Dovecot setup to use GSSAPI for IMAP authentication instead > of a flat "userdb" file. I've already joined the Dovecot box to the IPA > domain - ssh and ipa policies and all that are working properly. > > I read a number of articles on how to configure Dovecot for GSSAPI auth > and they all said the same thing (even Red Hat's official how to on it > agreed). But, when I set up Evolution on my Fedora 22 system to use > GSSAPI, Dovecot's log records this: > > Sep 8 13:49:55 mailman02 dovecot: auth: Panic: file auth-request.c: > line 733 (auth_request_is_disabled_master_user): assertion failed: > (request->requested_login_user != NULL) > Sep 8 13:49:55 mailman02 dovecot: auth: Error: Raw backtrace: > /usr/lib64/dovecot/libdovecot.so.0(+0x6a02e) [0x7f27af22202e] -> > /usr/lib64/dovecot/libdovecot.so.0(+0x6a10e) [0x7f27af22210e] -> > /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f27af1da52c] -> > dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x15922) [0x7f27af6c7922] -> > dovecot/auth [1 wait, 0 passdb, 0 > userdb](auth_request_lookup_credentials+0x32) [0x7f27af6c9332] -> > /usr/lib64/dovecot/auth/libmech_gssapi.so(+0x2134) [0x7f27ad615134] -> > dovecot/auth [1 wait, 0 passdb, 0 > userdb](auth_request_handler_auth_continue+0xe5) [0x7f27af6caf15] -> > dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x109da) [0x7f27af6c29da] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x27) > [0x7f27af232a47] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xff) > [0x7f27af2338cf] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f27af232598] > -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) > [0x7f27af1df9e3] -> dovecot/auth [1 wait, 0 passdb, 0 > userdb](main+0x391) [0x7f27af6c07f1] -> > /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27ae7ceaf5] -> > dovecot/auth [1 wait, 0 passdb, 0 userdb](+0xe9e1) [0x7f27af6c09e1] > Sep 8 13:49:55 mailman02 dovecot: auth: Fatal: master: service(auth): > child 23185 killed with signal 6 (core dumps disabled) > > I've already asked on the Dovecot list about my GSSAPI auth problems > and was told that this is a bug in Dovecot which does not exist in the > latest release (I don't know when the problem was actually fixed). > > My question is simply this: does anyone else have > dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA > server? IPA is also running on CentOS 7.1.1503. > > Regards, > > Ranbir >
On Tue, 2015-09-08 at 13:53 -0700, Alice Wonder wrote:> You could try rebuilding this src.rpm - > > http://awel.domblogger.net/7/libre/src/repoview/dovecot.html > > That's what I use for Dovecot on CentOS 7 but I build it against > LibreSSL so you probably don't want my binary RPM but the src.rpm > will > build against stock CentOS OpenSSL just fine w/o modification. > > I don't know if it will fix your issue but it is latest release that > the > dovecot list claims has the issue fixed.Thanks for the offer, but I need to know if anyone else has encountered the problem I'm having. I'm having a hard time believing no one else has run into this. Is there a point in creating a bug report about this in the CentOS tracker since we'd have to wait for someone to report it to Red Hat (and for them to fix it) first? Ranbir -- Kanwar R.S. Sandhu
On Tue, 8 Sep 2015, Kanwar Ranbir Sandhu wrote:> Hi Everyone, ><snip>> > My question is simply this: does anyone else have > dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA > server? IPA is also running on CentOS 7.1.1503.Yep, I have it working. It's been almost 6 months since I set it up so don't recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine. -- Mike
On 2015-09-09 14:21, Mike wrote:> Yep, I have it working. It's been almost 6 months since I set it up so > don't recall many details other than it was NOT trivial :). Have only > used alpine and thunderbird clients, both work fine.I wonder if that means Evolution is broken. In any case, could you tell me the changes you made to 10-auth.conf and any other files for GSSAPI auth to work? I would like to compare your setup to mine and to what I've read online. Thanks! Ranbir -- Kanwar R.S. Sandhu