Dirk Heinrichs
2010-Sep-05 17:02 UTC
[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
Hi,

I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want to integrate it into an already working kerberos5 setup, but I can't get it to work.

I've created host/, smtp/ and imap/ service principals with random key for the test machine and added them to its keytab.

I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:

# kinit heini
Password for heini at ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini at ALTUM.DE

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE at ALTUM.DE
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.

This is in the logs:

Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for imap at rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure.  Minor code may provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured

My configuration:

# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%u
  driver = static
}

And here's the content of the kerberos keytab:

# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/oldbox.altum.de at ALTUM.DE
   2    3 host/oldbox.altum.de at ALTUM.DE
   3    3 host/oldbox.altum.de at ALTUM.DE
   4    3 host/oldbox.altum.de at ALTUM.DE
   5    3 imap/oldbox.altum.de at ALTUM.DE
   6    3 imap/oldbox.altum.de at ALTUM.DE
   7    3 imap/oldbox.altum.de at ALTUM.DE
   8    3 imap/oldbox.altum.de at ALTUM.DE
   9    3 smtp/oldbox.altum.de at ALTUM.DE
  10    3 smtp/oldbox.altum.de at ALTUM.DE
  11    3 smtp/oldbox.altum.de at ALTUM.DE
  12    3 smtp/oldbox.altum.de at ALTUM.DE

I also don't see any connection attempt in the KDC's log file.

Any idea what could be wrong?

Thanks...
Dirk
Andre
2010-Sep-06 06:53 UTC
[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
On 05 Sep 2010, at 19:02, Dirk Heinrichs wrote:

> Hi,
>
> I'm trying to setup dovecot 2.0.1 on a debian squeeze test box. I want
> to integrate it into an already working kerberos5 setup, but I don't get
> it to work.
>
> I've added created host/ smtp/ and imap/ service principals with random
> key for the test machine and added them to its keytab.

As I see below, the principals are for oldbox.altum.de (is this the FQDN of the server?)

> I can also obtain user credentials using kinit, but when I try to telnet
> to port 143, I only get the following:
>
> # kinit heini
> Password for heini at ALTUM.DE:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: heini at ALTUM.DE
>
> Valid starting     Expires            Service principal
> 09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/ALTUM.DE at ALTUM.DE
>         renew until 09/06/10 18:56:27
> # telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost (127.0.0.1).
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> AUTH=GSSAPI] Dovecot ready.
> a authenticate GSSAPI
> a NO [UNAVAILABLE] Temporary authentication failure.
> ^]
> telnet> Connection closed.
>
> This is in the logs:
>
> Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected
> (pid=27684)
> Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
> Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1):
> Obtaining credentials for imap at rohan
> Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Unspecified GSS failure.  Minor code may
> provide more information
> Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Permission denied
> Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
> Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1
> attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
>
> My configuration:
>
> # doveconf -n
> # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
> auth_debug = yes
> auth_gssapi_hostname = rohan
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Line above should be "auth_gssapi_hostname = oldbox.altum.de"

> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = gssapi
> auth_verbose = yes
> disable_plaintext_auth = no
> listen = *
> mail_location = maildir:~/mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = comparator-i;octet
> comparator-i;ascii-casemap fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex
> imap4flags copy include variables body enotify environment mailbox date
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> protocols = imap
> ssl = no
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_key = </etc/ssl/private/dovecot.pem
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%u
>   driver = static
> }
>
> And here's the content of the kerberos keytab:
>
> # ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 host/oldbox.altum.de at ALTUM.DE
>    2    3 host/oldbox.altum.de at ALTUM.DE
>    3    3 host/oldbox.altum.de at ALTUM.DE
>    4    3 host/oldbox.altum.de at ALTUM.DE
>    5    3 imap/oldbox.altum.de at ALTUM.DE
>    6    3 imap/oldbox.altum.de at ALTUM.DE
>    7    3 imap/oldbox.altum.de at ALTUM.DE
>    8    3 imap/oldbox.altum.de at ALTUM.DE
>    9    3 smtp/oldbox.altum.de at ALTUM.DE
>   10    3 smtp/oldbox.altum.de at ALTUM.DE
>   11    3 smtp/oldbox.altum.de at ALTUM.DE
>   12    3 smtp/oldbox.altum.de at ALTUM.DE
>
> I also don't see any connection attempt in the KDC's log file.
>
> Any idea what could be wrong?

Read between the lines :)

It is sufficient that you create the principal "imap/fullyqualifieddomainname" for IMAP auth. The host/ principal is necessary if you want to telnet/ssh to the host using KRB auth; smtp/ is necessary if you want to send mail authenticating via KRB, but your SMTP server should support it.

It is VERY VERY important that you use the FQDN (the one you obtain doing a reverse resolution - host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app), in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL" to your configuration.

A.
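The mismatch Andre points at (Dovecot asking for imap@rohan while the keytab only holds imap/oldbox.altum.de) can be caught before a client ever connects by comparing `doveconf -n` against the keytab listing. The script below is an added example, not code from the thread or from Dovecot; the sample inputs are constructed from the output posted above, and the `$ALL` handling follows Andre's description of that setting.

```python
"""Check the mismatch from this thread: Dovecot's auth_gssapi_hostname must
name a <service>/<host> principal present in the keytab. Added example; the
sample texts are constructed (the list archive renders '@' as ' at ')."""
import re

# Constructed: the poster's GSSAPI-related doveconf -n lines, and the fixed form.
DOVECONF_BROKEN = """auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
"""
DOVECONF_FIXED = DOVECONF_BROKEN.replace("rohan", "oldbox.altum.de")
# Constructed: ktutil 'list' output for /etc/krb5.keytab, one slot per key.
KTUTIL_LIST = """slot KVNO Principal
---- ---- -------------------------------------------------------------
   1    3 host/oldbox.altum.de@ALTUM.DE
   5    3 imap/oldbox.altum.de@ALTUM.DE
   9    3 smtp/oldbox.altum.de@ALTUM.DE
"""

def parse_doveconf(text):
    """Top-level 'key = value' settings from doveconf -n output."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def parse_ktutil(text):
    """Principal names (realm stripped) from a ktutil 'list' listing."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+\d+\s+(\S+)@\S+\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals

def check_gssapi_setup(doveconf_text, ktutil_text, service="imap"):
    """Return (ok, message). Dovecot acquires credentials for
    <service>/<auth_gssapi_hostname>, so that exact name must be in the
    keytab; '$ALL' makes Dovecot accept any matching service principal."""
    conf = parse_doveconf(doveconf_text)
    if "gssapi" not in conf.get("auth_mechanisms", "").split():
        return False, "gssapi not listed in auth_mechanisms"
    host = conf.get("auth_gssapi_hostname", "")
    keytab = parse_ktutil(ktutil_text)
    available = sorted(p for p in keytab if p.startswith(service + "/"))
    if host == "$ALL":
        return bool(available), f"$ALL accepts any of: {available}"
    wanted = f"{service}/{host}"
    if wanted in keytab:
        return True, f"{wanted} present in keytab"
    return False, f"{wanted} missing from keytab; available: {available}"
```

On a real server, feed it the output of `doveconf -n` and of `ktutil` reading the keytab named in auth_krb5_keytab; a "missing from keytab" result is the same condition that produced the "Permission denied" line in the logs above.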