This is a continuation of a problem I have been having. Samba 4 has recently changed to require binds. I need LDAP to verify users exist. I am using Kerberos (GSSAPI) as the passdb. Samba can handle GSSAPI/Kerberos SASL binds.

I have the following in my dovecot-ldap setup for userdb:

dn = smtp/mailhost.example.org@EXAMPLE.ORG
sasl_bind = yes
sasl_mech = GSSAPI
sasl_realm = EXAMPLE.ORG
sasl_authz_id = smtp/mailhost.example.org@EXAMPLE.ORG

Which gives me the following error:

Debug: ldap(trever): user search: base=dc=example,dc=org scope=subtree filter=(&(objectClass=person)(|(mail=trever)(sAMAccountName=trever)(userPrincipalName=trever))) fields=userPrincipalName
dovecot: auth: Error: LDAP: binding failed (dn smtp/mailhost.example.org@EXAMPLE.ORG): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_97' not found)

Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" set up for the GSSAPI user login. The credential cache should be that file, should it not? If not, how do I go about setting that up so that it will work?

Thank you,
Trever

-- 
"The only true happiness comes from squandering ourselves for a purpose." -- William Cowper
On Wed, 2011-02-02 at 14:29 -0700, Trever L. Adams wrote:
> dn = smtp/mailhost.example.org@EXAMPLE.ORG
> sasl_bind = yes
> sasl_mech = GSSAPI
> sasl_realm = EXAMPLE.ORG
> sasl_authz_id = smtp/mailhost.example.org@EXAMPLE.ORG

LDAP SASL authentication goes through the Cyrus SASL library; nothing Dovecot can do about it, except for me to write my own LDAP library.

> Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" set up
> for the GSSAPI user login.

So this setting is never used. If that's the problem, you could try if you can work around it in a bit kludgy way:

service auth {
  executable = /usr/local/bin/auth-wrapper.sh
}

Which contains:

#!/bin/sh
export KRB5_KTNAME=/etc/dovecot/krb5.keytab
exec /usr/local/libexec/dovecot/auth -k
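The error in the original post is the GSSAPI client side of the LDAP bind looking for a credential cache (a ticket-granting ticket), which is a different thing from a keytab: a keytab holds the service's long-term key, and KRB5_KTNAME alone only tells the Kerberos library where that key lives. The wrapper below is an added example, not code from this thread and not Dovecot's own: it keeps the reply's idea of wrapping the auth executable, but also checks that the keytab is not group- or world-readable, points KRB5CCNAME at a dedicated cache file, and obtains a ticket for the service principal from the keytab with `kinit -k -t` before handing over to the real auth binary. The keytab path, principal, cache path and auth binary path are placeholders taken from or modelled on the thread; the `run` argument (`executable = /usr/local/bin/auth-wrapper.sh run`) is an assumption of this example, as is the `-k` argument, which is copied from the reply's wrapper.

```shell
#!/bin/sh
# Added example (not from the thread, not Dovecot's code): wrapper around
# Dovecot's auth process that gives the Cyrus SASL GSSAPI client a usable
# Kerberos credential cache before it performs the LDAP bind.
#
# Placeholders (assumptions of this example; adjust for your system):
KEYTAB="${KEYTAB:-/etc/dovecot/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-smtp/mailhost.example.org@EXAMPLE.ORG}"
CCACHE="${CCACHE:-/var/run/dovecot/krb5cc_auth}"   # must be writable by the auth user
AUTH_BIN="${AUTH_BIN:-/usr/local/libexec/dovecot/auth}"

# check_keytab PATH: succeed only if PATH is a regular, readable file whose
# group and other permission bits are all cleared. A keytab holds long-term
# keys, so the wrapper refuses a permissive one instead of silently using it.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab $kt: not a regular file" >&2; return 1; }
    [ -r "$kt" ] || { echo "keytab $kt: not readable" >&2; return 1; }
    # Characters 5-10 of `ls -l` output are the group and other rwx bits.
    case "$(ls -l "$kt" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "keytab $kt: must not be group/world accessible" >&2; return 1 ;;
    esac
}

# ccache_uri PATH: the KRB5CCNAME form for a file-based credential cache.
ccache_uri() {
    printf 'FILE:%s' "$1"
}

# When invoked as Dovecot's auth executable with the "run" argument, validate
# the keytab, acquire a TGT for the service principal from it, then exec the
# real auth binary (the "-k" argument is the one used in the reply's wrapper).
if [ "${1:-}" = "run" ]; then
    check_keytab "$KEYTAB" || exit 1
    export KRB5_KTNAME="$KEYTAB"
    KRB5CCNAME="$(ccache_uri "$CCACHE")"
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { echo "kinit failed for $PRINCIPAL" >&2; exit 1; }
    exec "$AUTH_BIN" -k
fi
```

Two practical caveats: the ticket obtained by `kinit` has a finite lifetime, so a long-running auth process needs something (for example a periodic `kinit -k -t` into the same cache file, run as the same user) to refresh it, and the cache file is itself a credential, so it should live in a directory only the auth process user can read.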