Hi list,
I noticed that when doing IMAP GSSAPI authentication with Kerberos,
Dovecot (here 2.1.7) always searches /etc/krb5.keytab although I have
auth_krb5_keytab = /etc/mail3.krb5.keytab in my etc/dovecot/dovecot.conf,
and doveconf -n also shows this setting. If I combine the keytabs in
krb5.keytab it works. Is there another location where I should put my
configuration regarding GSSAPI/Kerberos?
Thanks,
Leon
logs:
18:48_root at mail3:/root# cat /var/log/dovecot.log | tail -n 8
Jun 08 18:48:16 auth: Debug: client in: AUTH 1 GSSAPI service=imap
secured session=gexTxPjBZACClTqR lip=130.149.58.164
rip=130.149.58.145 lport=993 rport=31076
Jun 08 18:48:16 auth: Debug: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>):
Obtaining credentials for imap at mail3.physik-pool.tu-berlin.de
Jun 08 18:48:16 auth: Debug: client out: CONT 1
Jun 08 18:48:16 auth: Debug: client in: CONT<hidden>
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>):
While processing incoming data: Miscellaneous failure (see text)
Jun 08 18:48:16 auth: Info: gssapi(?,130.149.58.145,<gexTxPjBZACClTqR>):
While processing incoming data: Failed to find
imap/mail3.physik-pool.tu-berlin.de at PCPOOL.PHYSIK.TU-BERLIN.DE(kvno 1) in
keytab FILE:/etc/krb5.keytab (des3-cbc-sha1)
Jun 08 18:48:18 auth: Debug: client out: FAIL 1
Jun 08 18:48:23 imap-login: Info: Aborted login (auth failed, 1 attempts in 7
secs): user=<>, method=GSSAPI, rip=130.149.58.145, lip=130.149.58.164,
TLS, session=<gexTxPjBZACClTqR>
# 2.1.7: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.2-RELEASE-p3 amd64
# doveconf -n output: only settings that differ from the built-in defaults are
# listed, so anything absent here (e.g. ssl, disable_plaintext_auth) is
# presumably at its default — confirm with `doveconf -a` if in doubt.
auth_debug = yes
# Host part of the GSSAPI acceptor principal; the log in this thread shows the
# lookup as imap/mail3.physik-pool.tu-berlin.de.
auth_gssapi_hostname = mail3.physik-pool.tu-berlin.de
# NOTE(review): the failure logged in this thread names keytab
# FILE:/etc/krb5.keytab, i.e. the library default, not this path. Whether this
# setting reaches the GSSAPI library depends on how Dovecot was built against it
# (Heimdal vs MIT) — verify, e.g. by checking the auth process environment for
# KRB5_KTNAME. The auth service runs as root (see service auth below), so read
# permissions on the keytab are unlikely to be the cause.
auth_krb5_keytab = /etc/mail3.krb5.keytab
# plain/login send credentials in the clear unless the session is TLS-protected;
# the logged attempt was "secured" (TLS) and disable_plaintext_auth is not
# overridden here, so presumably the default protection applies — confirm.
auth_mechanisms = gssapi plain login
auth_verbose = yes
auth_worker_max_count = 120
first_valid_gid = 300
first_valid_uid = 200
lda_mailbox_autocreate = yes
listen = mail3.physik.tu-berlin.de
log_path = /var/log/dovecot.log
mail_fsync = always
mail_location = maildir:~/maildir
# NFS-hosted mail: NFS-safe index/storage handling, with mmap disabled below.
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
managesieve_notify_capability = mailto
# NOTE(review): the next value was wrapped across three lines in transit;
# in the real file it is presumably a single line.
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date ihave
mmap_disable = yes
# INBOX namespace.
namespace {
inbox = yes
# NOTE(review): this line looks like three settings with empty values
# (location =, prefix =, separator = /) collapsed by the paste — confirm
# against the real file.
location prefix separator = /
type = private
}
# Secondary mbox namespace under the "mail/" prefix.
namespace {
location = mbox:~/mail
prefix = mail/
separator = /
type = private
}
# Password database via PAM; the trailing "dovecot" in args is presumably the
# PAM service name.
passdb {
args = session=yes failure_show_msg=yes max_requests=100 dovecot
driver = pam
}
plugin {
quota = fs
sieve = ~/.dovecot.sieve
sieve_dir = ~/.sieve
}
protocols = imap pop3
# The auth service runs as root (user = root below); it is the process that
# reads the keytab. The client socket is group-accessible (0660), the master
# socket owner-only (0600).
service auth {
unix_listener auth-client {
mode = 0660
}
unix_listener auth-master {
mode = 0600
}
user = root
}
# port = 0 disables the plaintext imap listener; the imaps listener is left at
# its default (the log shows the client on lport=993).
service imap-login {
inet_listener imap {
port = 0
}
process_limit = 256
process_min_avail = 6
}
service managesieve-login {
process_limit = 256
process_min_avail = 6
}
# Same pattern as imap: plaintext pop3 listener disabled, pop3s at default.
service pop3-login {
inet_listener pop3 {
port = 0
}
process_limit = 256
process_min_avail = 6
}
# The leading "<" makes Dovecot read the file contents; cert and private key
# are kept under /etc/private.
ssl_cert = </etc/private/mail3.physik.tu-berlin.de.pem
ssl_key = </etc/private/physik.tu-berlin.de_privatekey.pem
userdb {
args = blocking=yes
driver = passwd
}
verbose_proctitle = yes
# LDA-specific overrides: separate log files and the sieve/quota plugins.
protocol lda {
info_log_path = /var/log/dovecot-lda.log
log_path = /var/log/dovecot-lda.log
mail_plugins = " sieve quota"
}