Hello,

I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to set up GSSAPI Kerberos authentication with the LDAP server, but with little success. It seems that no matter what I try, I end up with the following error message:

dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))

I have set import_environment in dovecot.conf:

import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache

And these in the LDAP configuration:

dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM

I have tried different values in dn and sasl_authz_id, and also leaving them out completely, but I always end up with the error message above. Using a simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user, so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the connection attempt never reaches the LDAP server due to the error. I also have a similar setup for Postfix and it works fine.

Any ideas what to try next?

Best regards,
Juha
On 11.10.2016 10:13, Juha Koho wrote:
> Hello,
>
> I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to
> set up GSSAPI Kerberos authentication with the LDAP server, but with
> little success. It seems that no matter what I try, I end up with the
> following error message:
>
> dovecot: auth: Error: LDAP: binding failed (dn
> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (No Kerberos credentials available (default
> cache: FILE:/tmp/dovecot.krb5.ccache))
>
> I have set import_environment in dovecot.conf:
>
> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>
> And these in the LDAP configuration:
>
> dn = imap/host.example.com@EXAMPLE.COM
> sasl_bind = yes
> sasl_mech = gssapi
> sasl_realm = EXAMPLE.COM
> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>
> I have tried different values in dn and sasl_authz_id, and also
> leaving them out completely, but I always end up with the error message
> above. Using a simple bind without GSSAPI works just fine.
>
> The credentials cache file exists and is valid for the principal
> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user,
> so it shouldn't be a permission problem either.
>
> GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the
> connection attempt never reaches the LDAP server due to the error. I
> also have a similar setup for Postfix and it works fine.
>
> Any ideas what to try next?
>
> Best regards,
> Juha

Can you provide klist output for the cache file? Also, it should be readable by the dovenull user, or whatever is configured as default_login_user.

Aki
On 2016-10-11 09:18, Aki Tuomi wrote:
> On 11.10.2016 10:13, Juha Koho wrote:
>> Hello,
>>
>> I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to
>> set up GSSAPI Kerberos authentication with the LDAP server, but with
>> little success. It seems that no matter what I try, I end up with the
>> following error message:
>>
>> dovecot: auth: Error: LDAP: binding failed (dn
>> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (No Kerberos credentials available (default
>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>
>> I have set import_environment in dovecot.conf:
>>
>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>
>> And these in the LDAP configuration:
>>
>> dn = imap/host.example.com@EXAMPLE.COM
>> sasl_bind = yes
>> sasl_mech = gssapi
>> sasl_realm = EXAMPLE.COM
>> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>>
>> I have tried different values in dn and sasl_authz_id, and also
>> leaving them out completely, but I always end up with the error message
>> above. Using a simple bind without GSSAPI works just fine.
>>
>> The credentials cache file exists and is valid for the principal
>> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user,
>> so it shouldn't be a permission problem either.
>>
>> GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the
>> connection attempt never reaches the LDAP server due to the error. I
>> also have a similar setup for Postfix and it works fine.
>>
>> Any ideas what to try next?
>>
>> Best regards,
>> Juha
>
> Can you provide klist output for the cache file? Also, it should be
> readable by the dovenull user, or whatever is configured as
> default_login_user.

Here's the klist output of the cache file:

--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 09:26:25
---

I didn't know that dovenull must also have access to the cache, but I also tried setting 0644 permissions on the cache file, with no luck. So permissions shouldn't be the issue...

Juha
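The thread turns on two questions that can be answered without Dovecot in the loop: whether each user the auth path runs as can really read the ccache (judged from its owner, group and mode bits, which is what the "No Kerberos credentials available" message usually reflects), and whether the same GSSAPI bind works from a plain LDAP client with KRB5CCNAME pointing at that cache. The script below is an added example, not code from the thread or from Dovecot. It assumes GNU coreutils (stat -c), a POSIX shell, and optionally klist and OpenLDAP's ldapwhoami on PATH; the user list in main (dovecot and dovenull, the two names mentioned above) and the LDAP URI are placeholders to adjust.

```shell
#!/bin/sh
# Added check script (not part of the thread or of Dovecot). It verifies that a
# Kerberos credentials cache intended for Dovecot's LDAP GSSAPI bind is readable
# by the users that need it, shows its contents with klist, and then repeats
# the GSSAPI bind outside Dovecot with ldapwhoami. GNU stat -c is assumed.
set -u

# file_readable_by PATH UID GID...
# Return 0 if a process with numeric uid UID and supplementary gids GID... can
# read PATH according to its mode bits, 1 if not, 2 if PATH cannot be stat'ed.
# Mirrors the kernel's DAC order: root, then owner bits, then group bits, then
# "other" bits. The owner bits decide for the owner even if other bits allow.
file_readable_by() {
    local path uid info owner group rest mode g gbit
    path=$1; uid=$2; shift 2
    info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 2
    owner=${info%% *}; rest=${info#* }; group=${rest%% *}; mode=${rest#* }
    mode=${mode#"${mode%???}"}        # keep the last three octal digits only
    [ "$uid" -eq 0 ] && return 0      # root bypasses DAC
    if [ "$uid" -eq "$owner" ]; then
        case ${mode%??} in [4567]) return 0 ;; *) return 1 ;; esac
    fi
    for g in "$@"; do
        if [ "$g" -eq "$group" ]; then
            gbit=${mode#?}
            case ${gbit%?} in [4567]) return 0 ;; *) return 1 ;; esac
        fi
    done
    case ${mode#??} in [4567]) return 0 ;; *) return 1 ;; esac
}

# user_can_read USER PATH: resolve USER with id(1) and apply file_readable_by.
user_can_read() {
    local user path uid gids
    user=$1; path=$2
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    gids=$(id -G "$user")
    # gids is intentionally left unquoted so each gid becomes one argument
    file_readable_by "$path" "$uid" $gids
}

# check_ccache PATH USER...: print one line per user and return the number of
# listed users that cannot read the cache (0 means all of them can).
check_ccache() {
    local path bad u
    path=$1; shift; bad=0
    for u in "$@"; do
        if user_can_read "$u" "$path"; then
            echo "ok:   $u can read $path"
        else
            echo "FAIL: $u cannot read $path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# main CCACHE [LDAP_URI]: show ownership, check the two users named in the
# thread, list the cache, then try the same GSSAPI bind from ldapwhoami.
main() {
    local ccache uri
    ccache=$1; uri=${2:-}
    stat -c 'owner=%U group=%G mode=%a %n' "$ccache" || return 2
    check_ccache "$ccache" dovecot dovenull || echo "some users cannot read $ccache" >&2
    if command -v klist >/dev/null 2>&1; then
        # Shows principal and ticket lifetime. Note that when run as root this
        # succeeds regardless of mode bits, which is why the check above exists.
        klist -c "$ccache" || return 3
    fi
    if [ -n "$uri" ] && command -v ldapwhoami >/dev/null 2>&1; then
        # The bind Dovecot attempts with sasl_mech = gssapi, minus Dovecot. A
        # "Local error" here too means the cache, not the LDAP server, is at fault.
        KRB5CCNAME="FILE:$ccache" ldapwhoami -Y GSSAPI -H "$uri" || return 4
    fi
}

# Runs only when invoked with arguments, e.g.:
#   sudo sh check_ccache.sh /tmp/dovecot.krb5.ccache ldap://ldap.example.com
[ $# -eq 0 ] || main "$@"
```

Run it as root so that id(1) can resolve the service users and stat can reach the cache directory; a FAIL line for a user, or a "Local error" from ldapwhoami even though klist lists a valid TGT, narrows the problem to the cache file and the environment of the process reading it rather than to the LDAP server.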