Trever L. Adams
2010-Oct-16 03:50 UTC
[Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
Thanks to Timo, I have solved all but one of my problems. For background, I am using Samba4 as an AD. I have the userdb working from LDAP just fine and kerberos authentication for dovecot's IMAP server working fine. The problem is using dovecot's SASL with postfix. I also have plain/login working in imap and smtp. Both use pam_krb5 through pam to authenticate clients that don't have kerberos, and for now smtp. When trying to do smtp kerberos, I get the following:

postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer than 2048: AUTH GSSAPI ...
dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for smtp at MAILSERVER_FQDN
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Invalid message type
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0111

# klist -k /etc/dovecot/krb5.keytab
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/MAILSERVER_FQDN at DOMAIN_REALM
   2 smtp/MAILSERVER_FQDN at DOMAIN_REALM

The client is Thunderbird.

Any help would be greatly appreciated. I have made sure that the file has proper permissions. I have regenerated the smtp cert making sure the password is accurate. I have done everything I know to try. The only thing that I guess remains is something broken with Thunderbird's kerberos setup for smtp.

Thank you very much,
Trever
Trever L. Adams
2010-Oct-19 12:16 UTC
[Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
On 10/15/2010 09:50 PM, Trever L. Adams wrote:
> Thanks to Timo, I have solved all but one of my problems. For background, I am using Samba4 as an AD. I have the userdb working from LDAP just fine and kerberos authentication for dovecot's IMAP server working fine. The problem is using dovecot's SASL with postfix. I also have plain/login working in imap and smtp. Both use pam_krb5 through pam to authenticate clients that don't have kerberos, and for now smtp. When trying to do smtp kerberos, I get the following:
>
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer than 2048: AUTH GSSAPI ...
> dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
> dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for smtp at MAILSERVER_FQDN
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Invalid message type
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI authentication failed:
> dovecot: auth: Debug: client out: FAIL#0111
>
> # klist -k /etc/dovecot/krb5.keytab
> Keytab name: WRFILE:/etc/dovecot/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 imap/MAILSERVER_FQDN at DOMAIN_REALM
>    2 smtp/MAILSERVER_FQDN at DOMAIN_REALM
>
> The client is Thunderbird.
>
> Any help would be greatly appreciated. I have made sure that the file has proper permissions. I have regenerated the smtp cert making sure the password is accurate. I have done everything I know to try. The only thing that I guess remains is something broken with Thunderbird's kerberos setup for smtp.
>
> Thank you very much,
> Trever

Samba4 doesn't automatically set the userPrincipalName to imap/f.q.d.n at REALM or smtp/f.q.d.n at REALM when setting up an SPN. This was the problem. For some reason it works fine for imap but not smtp. I have reported this as a possible bug to Samba4. I am documenting it here in case someone else has problems.

Trever

--
"The amount of time between slipping on the peel and landing on the pavement is precisely 1 bananosecond." -- Unknown
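The resolution above (an SPN registered, but no matching userPrincipalName for the smtp principal) can be checked before users hit the GSSAPI failure. The following is an added example written for this thread, not code from Dovecot, Postfix or Samba: it parses `klist -k` output and an LDIF dump of the service account, both constructed here so it runs offline, and reports keytab principals that have no matching UPN. The host, realm and account name are placeholders.

```python
import re

# Constructed `klist -k /etc/dovecot/krb5.keytab` output mirroring the thread
# (the list archive shows " at " where the real output has "@").
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.example.test@EXAMPLE.TEST
   2 smtp/mail.example.test@EXAMPLE.TEST
"""

# Constructed LDIF for the service account: SPNs registered for both services,
# but a userPrincipalName only for imap, which is the state the thread describes.
LDIF_OUTPUT = """\
dn: CN=mail-svc,CN=Users,DC=example,DC=test
servicePrincipalName: imap/mail.example.test
servicePrincipalName: smtp/mail.example.test
userPrincipalName: imap/mail.example.test@EXAMPLE.TEST
"""

def keytab_principals(klist_text):
    """Principals listed by klist -k, in file order (KVNO column dropped)."""
    return [m.group(1) for m in
            (re.match(r"\s*\d+\s+(\S+@\S+)$", line)
             for line in klist_text.splitlines()) if m]

def ldif_values(ldif_text, attribute):
    """All values of one attribute in a single LDIF entry (attribute names are case-insensitive)."""
    prefix = attribute.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines() if line.lower().startswith(prefix)]

def missing_upns(klist_text, ldif_text):
    """Keytab principals with no matching userPrincipalName, each paired with
    whether at least an SPN exists. Per the thread, an SPN alone is not enough."""
    upns = {u.lower() for u in ldif_values(ldif_text, "userPrincipalName")}
    spns = {s.lower() for s in ldif_values(ldif_text, "servicePrincipalName")}
    return [(p, p.split("@", 1)[0].lower() in spns)
            for p in keytab_principals(klist_text) if p.lower() not in upns]

if __name__ == "__main__":
    for princ, has_spn in missing_upns(KLIST_OUTPUT, LDIF_OUTPUT):
        print(princ, "SPN present, UPN missing" if has_spn else "no SPN and no UPN")
```

Against a live system, feed it the real `klist -k` output and an `ldapsearch` dump of the mail service account; an empty result means every keytab principal has its UPN.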