dovecot - Mar 2009 - v 1.1.13 / GSSAPI / Timeout waiting for handshake from auth server

Dear all,

I am trying to setup Dovecot with GSSAPI support. For testing purposes
gssapi is the
only method allowed for login. 

As I cannot login to my mailbox, I'vo got two questions about the following
log entries:

dovecot: Info: auth-worker(default): passwd-file
/dovecot/store/db/test-userdb: Read 3 users
dovecot: Info: auth(default): new auth connection: pid=3915
dovecot: Info: auth(default): 
  client in: AUTH  1  GSSAPI  service=imap lip=131.169.*.*  rip=131.169.*.*
lport=143  rport=35779
dovecot: Info: auth(default): gssapi(?,131.169.40.218): Obtaining
credentials for imap at my.host.name
dovecot: Error: imap-login: Timeout waiting for handshake from auth server.
my pid=3918, input bytes=0

1. I am puzzled about the credentials "imap at my.host.name" being
obtained;
shouldn't this be
   something like "imap/my.host.name at MY.REALM" ?

2. what does "Timeout waiting for handshake from auth server." mean?
Who is
trying to
   handshake with whom? 

Any ideas?

Best regards,
Dirk

--
Dirk Jahnke-Zumbusch              Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics              Member of the Helmholtz Association
D-22603 Hamburg                        Notkestrasse 85  / 22607 Hamburg
T: +49-40-899.81760   F: +49-40-899.41760  dirk.jahnke-zumbusch at desy.de


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5631 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090325/5eb2a039/attachment-0002.bin>

On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk
wrote:
> dovecot: Info: auth(default): gssapi(?,131.169.40.218): Obtaining
> credentials for imap at my.host.name
> dovecot: Error: imap-login: Timeout waiting for handshake from auth server.
> my pid=3918, input bytes=0
> 
> 1. I am puzzled about the credentials "imap at my.host.name"
being obtained;
> shouldn't this be
>    something like "imap/my.host.name at MY.REALM" ?
I don't know anything about Kerberos.
> 2. what does "Timeout waiting for handshake from auth server."
mean? Who is
> trying to
>    handshake with whom? 
This anyway means that dovecot-auth process is hanging for over 30
seconds. Probably the "obtaining credentials" is taking for a long
time.
But why that is, I've no idea.

Although this does remind me that GSSAPI should be handled in
auth-worker processes instead of the main dovecot-auth process..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20090402/e28074d3/attachment-0002.bin>

Timo Sirainen <tss at iki.fi> writes:
> On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk wrote:
>> 1. I am puzzled about the credentials "imap at my.host.name"
being obtained;
>> shouldn't this be
>>    something like "imap/my.host.name at MY.REALM" ?
>
> I don't know anything about Kerberos.
I suspect the "imap at my.host.name" refers to the subject at the
GSSAPI
layer.  This is certainly the form one would use in gss_import_name() in
order to construct the "name" of the peer one might then subsequently
use
in a call to gss_init_sec_context() or, as in this case,
gss_acquire_cred().  If the underlying mechanism in use by the GSSAPI
layer is Kerberos then it will be translated to an appropriately named
principal, such as "imap/my.host.name at MY.REALM", but that name will
not in
general be exposed above the GSSAPI layer.
> This anyway means that dovecot-auth process is hanging for over 30
> seconds. Probably the "obtaining credentials" is taking for a
long time.
> But why that is, I've no idea.
Wild guess: maybe the underlying Kerberos libraries are attempting to
canonicalise the host part by doing DNS lookups which are timing out as a
result of a non-responsive DNS server?