Michal Hlavinka
2009-Jun-24 13:38 UTC
[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI
Hi,

we're facing problem where dovecot 1.2rc5 is not able to authenticate user via gssapi. (I'm forwarding information from red hat's bugzilla)

Steps to reproduce:
1. Install dovecot with kerberos support, create mailboxes for the client
2. Get initial credentials on client side
3. Attempt to log in via dovecot using gssapi -> login failed

Client side
1. Email client displays: "[AUTHENTICATIONFAILED] Authentication failed."
2. klist before login shows:

    Valid starting     Expires            Service principal
    06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm at realm

3. klist after login attempt shows:

    Valid starting     Expires            Service principal
    06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm at realm
    06/18/09 20:01:28  06/19/09 20:01:01  imap/mail.domain at realm

Server side
1. /var/log/maillog:

    dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
    dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS

----------------

It is possible for the same user to login via other mechanisms. The issue reproduced with different email clients. Evolution and a custom java-based client were attempted.

example of dovecot.conf:

    protocols = imap
    mail_location = maildir:/home/virtual/%u/Maildir
    protocol imap {
    }
    auth_krb5_keytab=/etc/dovecot.keytab
    auth default {
      mechanisms = gssapi
      userdb static {
        args = uid=vmail gid=vmail home=/home/virtual/%u
      }
    }

-------------------------

Exactly the same dovecot setup was working just fine with dovecot 1.1 series. Authentication using kinit works just fine and kerberos infrastructure is functioning well as I use kerberos auth for other services like apache and ssh successfully.

/var/log/maillog with using auth_debug=yes can be found here:
https://bugzilla.redhat.com/attachment.cgi?id=348710

Regards,
Michal Hlavinka
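One way to triage the two maillog lines quoted in the message above, as an added example that is not part of the original thread or of Dovecot: it pairs each imap-login "Aborted login" line with the auth-process line for the same user, remote IP and mechanism, and labels the stage at which the login failed. Treating "not authorized" as an authorization-stage failure is an assumption drawn from the wording of the log message; the timestamps, hostname and the third log line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines follow the maillog excerpt in the post
# (timestamp and hostname are made up); the third line is hypothetical.
SAMPLE_LOG = """\
Jun 18 20:01:28 mail dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
Jun 18 20:01:28 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS
Jun 18 20:05:02 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<other>, method=PLAIN, rip=192.168.0.7, lip=192.168.0.2, TLS
"""

# auth process line: mechanism(user,remote-ip): reason
AUTH_RE = re.compile(
    r"dovecot: auth\(\w+\): (?P<mech>[\w-]+)\((?P<user>[^,)]*),(?P<rip>[^)]+)\): (?P<reason>.+)$")
# login process line: user=<...>, method=..., rip=...
ABORT_RE = re.compile(
    r"dovecot: imap-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), rip=(?P<rip>[^,]+),")


def triage(log_text):
    """Return one finding per aborted login, with the stage it failed at."""
    reasons = defaultdict(list)   # (user, rip, MECH) -> reasons seen so far
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            reasons[(m["user"], m["rip"], m["mech"].upper())].append(m["reason"])
            continue
        m = ABORT_RE.search(line)
        if not m:
            continue
        why = reasons.pop((m["user"], m["rip"], m["method"].upper()), [])
        if any("not authorized" in r for r in why):
            stage = "authorization"    # assumption: rejected after the mechanism ran
        elif why:
            stage = "authentication"
        else:
            stage = "unknown"          # no auth-process line; auth_debug=yes would add one
        findings.append({"user": m["user"], "rip": m["rip"],
                         "method": m["method"], "stage": stage, "reasons": why})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
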
Timo Sirainen
2009-Jun-24 15:15 UTC
[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI
On Jun 24, 2009, at 9:38 AM, Michal Hlavinka wrote:

> we're facing problem where dovecot 1.2rc5 is not able to authenticate user via
> gssapi. (I'm forwarding information from red hat's bugzilla)

I guess it has to be because of these patches:

http://hg.dovecot.org/dovecot-1.2/rev/ff6378d7b209
http://hg.dovecot.org/dovecot-1.2/rev/601e0382b442

Could you try reverting them and see if it helps?
Timo Sirainen
2009-Jul-08 00:20 UTC
[Dovecot] dovecot 1.2rc5 fails to authenticate user via GSSAPI
On Wed, 2009-06-24 at 15:38 +0200, Michal Hlavinka wrote:

> dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized

Can you try what it says with these patches:

http://hg.dovecot.org/dovecot-1.2/rev/4172004c1958
http://hg.dovecot.org/dovecot-1.2/rev/a5c5a912769e