Dirk Heinrichs
2010-Sep-05 17:02 UTC
[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
Hi,
I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want
to integrate it into an already working kerberos5 setup, but I can't get
it to work.
I've created host/, smtp/ and imap/ service principals with random
keys for the test machine and added them to its keytab.
I can also obtain user credentials using kinit, but when I try to telnet
to port 143, I only get the following:
# kinit heini
Password for heini at ALTUM.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heini at ALTUM.DE
Valid starting Expires Service principal
09/05/10 18:56:30 09/06/10 04:56:30 krbtgt/ALTUM.DE at ALTUM.DE
renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.
This is in the logs:
Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected
(pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1):
Obtaining credentials for imap at rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
acquiring service credentials: Unspecified GSS failure. Minor code may
provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1
attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
My configuration:
# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet
comparator-i;ascii-casemap fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex
imap4flags copy include variables body enotify environment mailbox date
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
args = uid=vmail gid=vmail home=/var/vmail/%u
driver = static
}
And here's the content of the kerberos keytab:
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 3 host/oldbox.altum.de at ALTUM.DE
2 3 host/oldbox.altum.de at ALTUM.DE
3 3 host/oldbox.altum.de at ALTUM.DE
4 3 host/oldbox.altum.de at ALTUM.DE
5 3 imap/oldbox.altum.de at ALTUM.DE
6 3 imap/oldbox.altum.de at ALTUM.DE
7 3 imap/oldbox.altum.de at ALTUM.DE
8 3 imap/oldbox.altum.de at ALTUM.DE
9 3 smtp/oldbox.altum.de at ALTUM.DE
10 3 smtp/oldbox.altum.de at ALTUM.DE
11 3 smtp/oldbox.altum.de at ALTUM.DE
12 3 smtp/oldbox.altum.de at ALTUM.DE
I also don't see any connection attempt in the KDC's log file.
Any idea what could be wrong?
Thanks...
Dirk
Andre
2010-Sep-06 06:53 UTC
[Dovecot] Problems setting up dovecot 2.0.1 with kerberos auth
On 05/Sep/2010, at 19:02, Dirk Heinrichs wrote:

> Hi,
>
> I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want
> to integrate it into an already working kerberos5 setup, but I can't get
> it to work.
>
> I've created host/, smtp/ and imap/ service principals with random
> keys for the test machine and added them to its keytab.

As I see below the principals are for oldbox.altum.de (is this the FQDN of the server?)

>
> I can also obtain user credentials using kinit, but when I try to telnet
> to port 143, I only get the following:
>
> # kinit heini
> Password for heini at ALTUM.DE:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: heini at ALTUM.DE
>
> Valid starting Expires Service principal
> 09/05/10 18:56:30 09/06/10 04:56:30 krbtgt/ALTUM.DE at ALTUM.DE
> renew until 09/06/10 18:56:27
> # telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost (127.0.0.1).
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> AUTH=GSSAPI] Dovecot ready.
> a authenticate GSSAPI
> a NO [UNAVAILABLE] Temporary authentication failure.
> ^]
> telnet> Connection closed.
>
> This is in the logs:
>
> Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected
> (pid=27684)
> Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
> Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1):
> Obtaining credentials for imap at rohan
> Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Unspecified GSS failure. Minor code may
> provide more information
> Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While
> acquiring service credentials: Permission denied
> Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
> Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1
> attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured
>
> My configuration:
>
> # doveconf -n
> # 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
> auth_debug = yes
> auth_gssapi_hostname = rohan
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Line above should be "auth_gssapi_hostname = oldbox.altum.de"

> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = gssapi
> auth_verbose = yes
> disable_plaintext_auth = no
> listen = *
> mail_location = maildir:~/mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = comparator-i;octet
> comparator-i;ascii-casemap fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex
> imap4flags copy include variables body enotify environment mailbox date
> plugin {
> sieve = ~/.dovecot.sieve
> sieve_dir = ~/sieve
> }
> protocols = imap
> ssl = no
> ssl_cert = </etc/ssl/certs/dovecot.pem
> ssl_key = </etc/ssl/private/dovecot.pem
> userdb {
> args = uid=vmail gid=vmail home=/var/vmail/%u
> driver = static
> }
>
> And here's the content of the kerberos keytab:
>
> # ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 3 host/oldbox.altum.de at ALTUM.DE
> 2 3 host/oldbox.altum.de at ALTUM.DE
> 3 3 host/oldbox.altum.de at ALTUM.DE
> 4 3 host/oldbox.altum.de at ALTUM.DE
> 5 3 imap/oldbox.altum.de at ALTUM.DE
> 6 3 imap/oldbox.altum.de at ALTUM.DE
> 7 3 imap/oldbox.altum.de at ALTUM.DE
> 8 3 imap/oldbox.altum.de at ALTUM.DE
> 9 3 smtp/oldbox.altum.de at ALTUM.DE
> 10 3 smtp/oldbox.altum.de at ALTUM.DE
> 11 3 smtp/oldbox.altum.de at ALTUM.DE
> 12 3 smtp/oldbox.altum.de at ALTUM.DE
>
>
> I also don't see any connection attempt in the KDC's log file.
>
> Any idea what could be wrong?

Read between the lines :) It is sufficient that you create principal "imap/fullyqualifieddomainname" for IMAP auth. host/ principal is necessary if you want to telnet/ssh to the host using KRB auth, smtp/ is necessary if you want to send mails authenticating via KRB, but your SMTP server should support it.

It is VERY VERY important that you use the FQDN (the one you obtain doing a reverse resolution - host -t ptr IP.of.the.server) of the imap server, unless you use a buggy client (read Apple Mail.app) in which case it should be necessary to create a principal for "imap/alias.of.server" and you MUST add auth_gssapi_hostname = "$ALL" to your configuration.

A.
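The mismatch Andre points at is visible in the log line "Obtaining credentials for imap at rohan": Dovecot asks GSSAPI for an acceptor credential named imap@<auth_gssapi_hostname>, and the keytab only holds imap/oldbox.altum.de, so the acquire step fails before any KDC traffic happens (which is why the KDC log stays empty). The following Python script is an added example, not code from the thread or from Dovecot; it parses `doveconf -n` style output and a `ktutil` listing and reports whether the configured acceptor name has a matching keytab entry. The sample inputs are constructed from the values in the thread, the parser accepts both "@" and the archive's " at " spelling, and the handling of "$ALL" (any keytab entry for the service is acceptable) is taken from Andre's description.

```python
import re

# Constructed sample inputs modelled on the thread (not captured from a real system).
DOVECONF_SAMPLE = """\
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
protocols = imap
"""

KTUTIL_SAMPLE = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/oldbox.altum.de@ALTUM.DE
   5    3 imap/oldbox.altum.de at ALTUM.DE
   9    3 smtp/oldbox.altum.de@ALTUM.DE
"""

# One ktutil "l" row: slot, kvno, service/host@REALM (or "service/host at REALM").
KEYTAB_LINE = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+"
    r"(?P<service>[^/\s]+)/(?P<host>\S+?)(?:@| at )(?P<realm>\S+)\s*$"
)


def parse_doveconf(text):
    """Read `key = value` lines into a dict; comments and block braces are skipped,
    members of nested blocks are read as plain keys (enough for the auth_* settings)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_keytab_listing(text):
    """Extract (service, host, realm, kvno) tuples from a ktutil listing."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((m["service"], m["host"], m["realm"], int(m["kvno"])))
    return entries


def check_gssapi_hostname(settings, entries, service="imap"):
    """Report whether the acceptor name Dovecot will request (service@hostname)
    is backed by a keytab entry service/hostname@REALM."""
    mechs = settings.get("auth_mechanisms", "").lower().split()
    if "gssapi" not in mechs:
        return {"status": "skip", "reason": "gssapi not in auth_mechanisms"}

    hostname = settings.get("auth_gssapi_hostname", "")
    service_hosts = sorted({h for s, h, _, _ in entries if s == service})
    if not service_hosts:
        return {"status": "missing", "available": [],
                "reason": "no %s/ principal in keytab at all" % service}

    # "$ALL" lets the GSSAPI acceptor use any keytab entry for the service.
    if hostname == "$ALL":
        return {"status": "ok", "wanted": "%s@$ALL" % service, "available": service_hosts}

    # Unset: Dovecot falls back to the system hostname, which this offline check
    # cannot see; report that rather than guess.
    if not hostname:
        return {"status": "unknown", "available": service_hosts,
                "reason": "auth_gssapi_hostname unset; system hostname is used"}

    wanted = "%s@%s" % (service, hostname)
    if hostname.lower() in (h.lower() for h in service_hosts):
        return {"status": "ok", "wanted": wanted, "available": service_hosts}
    return {"status": "mismatch", "wanted": wanted, "available": service_hosts,
            "reason": "auth_gssapi_hostname matches no %s/ principal host" % service}


if __name__ == "__main__":
    result = check_gssapi_hostname(parse_doveconf(DOVECONF_SAMPLE),
                                   parse_keytab_listing(KTUTIL_SAMPLE))
    print(result)
```

In real use, feed the script the actual `doveconf -n` and `ktutil` (or `klist -k`) output and compare the reported hosts against the FQDN from the server's PTR record, as Andre recommends; a "mismatch" result is exactly the condition behind the "While acquiring service credentials" error in the thread.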