Hi,
I've been having some problems getting GSSAPI authentication going against a
samba (4.2) server and am hoping someone can point me in the right direction.
I've searched through Google and haven't managed to find a solution yet.
I followed the config instructions at
http://wiki2.dovecot.org/Authentication/Kerberos and run through the testing.
Testing from the server with telnet works as expected, i.e. I get the
"+" after I try "a authenticate GSSAPI". However, when I go
to test from Thunderbird while logged in on a Windows PC joined to the domain,
authentication fails and I see the following in mail.log (I'm running Ubuntu
14.04.2 LTS).
Apr 8 11:49:18 server dovecot: auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Apr 8 11:49:18 server dovecot: auth: Debug: Loading modules from directory:
/usr/lib/dovecot/modules/auth
Apr 8 11:49:18 server dovecot: auth: Debug: Module loaded:
/usr/lib/dovecot/modules/auth/libmech_gssapi.so
Apr 8 11:49:18 server dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot/auth-token-secret.dat
Apr 8 11:49:18 server dovecot: auth: Debug: auth client connected (pid=17667)
Apr 8 11:49:18 server dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011session=e8xMvSwTQgDAqCpl#011lip=192.168.1.1#011rip=192.168.1.101#011lport=143#011rport=49986
Apr 8 11:49:18 server dovecot: auth: Debug:
gssapi(?,192.168.42.101,<e8xMvSwTQgDAqCpl>): Obtaining credentials for
imap at server.corp.mydomain.com
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(me at
corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): security context
state completed.
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out:
CONT#0111#011YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrkGiOLsky4fbzWGzpxgW4mjmpjvNsiCqH8MnsUKviP9v1oVLPXSVkqFzFUiCLAd130ldnf742o/inz9Dx6e0aETwDKnnZu9OUD2nCGg/f5zA20IXGWR1zXVJi3hEB8nmrLgaENhyX0JMiE6g
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Debug: gssapi(me at
corp.mydomain.com,192.168.1.101,<e8xMvSwTQgDAqCpl>): Negotiated security
layer
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out:
CONT#0111#011BQQF/wAMAAAAAAAAIvajggH////ubQhCZGfeuWGZQ7w
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Panic: file auth-request.c: line 716
(auth_request_is_disabled_master_user): assertion failed:
(request->requested_login_user != NULL)
Apr 8 11:49:18 server dovecot: auth: Error: Raw backtrace:
/usr/lib/dovecot/libdovecot.so.0(+0x5e271) [0x7f524a7da271] ->
/usr/lib/dovecot/libdovecot.so.0(+0x5e34e) [0x7f524a7da34e] ->
/usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f524a795a9e] ->
dovecot/auth(+0x15162) [0x7f524ac7e162] ->
dovecot/auth(auth_request_lookup_credentials+0x22) [0x7f524ac7f8d2] ->
/usr/lib/dovecot/modules/auth/libmech_gssapi.so(+0x20d4) [0x7f52499450d4] ->
dovecot/auth(auth_request_handler_auth_continue+0xd1) [0x7f524ac81391] ->
dovecot/auth(+0x1052a) [0x7f524ac7952a] ->
/usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f524a7ea247] ->
/usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0xd7) [0x7f524a7eafd7]
-> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f524a7e9de8] ->
/usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f524a79ac93] ->
dovecot/auth(main+0x38c) [0x7f524ac7750c] ->
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f5249d8dec5] ->
dovecot/auth(+0xe6d9) [0x7f524ac776d9]
Apr 8 11:49:18 server dovecot: auth: Fatal: master: service(auth): child 17668
killed with signal 6 (core dumps disabled)
Apr 8 11:49:18 server dovecot: imap-login: Warning: Auth connection closed with
1 pending requests (max 0 secs, pid=17667, EOF)
Apr 8 11:49:19 server dovecot: imap-login: Disconnected (auth process
communication failure): user=<>, method=GSSAPI, rip=192.168.1.101,
lip=192.168.1.1, TLS, session=<e8xMvSwTQgDAqCpl>
Relevant parts of my config:
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_debug = yes
auth_debug_passwords = no
auth_default_realm = CORP.MYDOMAIN.COM
auth_failure_delay = 2 secs
auth_gssapi_hostname = server.corp.mydomain.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_master_user_separator =
auth_mechanisms = gssapi
auth_proxy_self =
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_username_translation =
auth_verbose = yes
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
userdb {
  args = uid=dovecot gid=dovecot home=/var/vmail/%u
  default_fields =
  driver = static
  override_fields =
}
Any help greatly appreciated.
Cheers,
Justin.
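A small log-triage script, added here as an example and not part of Justin's post or of Dovecot itself. It does what a reader of the excerpt above has to do by hand: undo the syslog escaping of control characters (rsyslog writes a TAB as `#011`, so `AUTH#0111#011GSSAPI` is really `AUTH<TAB>1<TAB>GSSAPI`), split the tab-separated auth protocol lines into fields, and, when the auth process panics and is killed, report which mechanism, remote IP and session were in flight at that moment. The sample log lines are constructed, modelled on the excerpt above; the `#NNN` octal escaping is rsyslog's default behaviour and is the only assumption about the log format.

```python
import re

# rsyslog replaces control characters with '#' + three octal digits ('#011' == TAB).
SYSLOG_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")

# Generic Dovecot syslog line: "<ts> <host> dovecot: <process>: <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<proc>[\w-]+): (?P<level>Debug|Info|Warning|Error|Panic|Fatal): (?P<msg>.*)$"
)
PANIC_RE = re.compile(
    r"file (?P<file>\S+): line (?P<line>\d+) \((?P<func>\w+)\): "
    r"assertion failed: \((?P<assert>.*)\)$"
)
SIGNAL_RE = re.compile(r"child (?P<pid>\d+) killed with signal (?P<signal>\d+)")

# Constructed sample, modelled on the mail.log excerpt in the post above.
SAMPLE_LOG = """\
Apr 8 11:49:18 server dovecot: auth: Debug: auth client connected (pid=17667)
Apr 8 11:49:18 server dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011session=e8xMvSwTQgDAqCpl#011lip=192.168.1.1#011rip=192.168.1.101#011lport=143#011rport=49986
Apr 8 11:49:18 server dovecot: auth: Debug: client passdb out: CONT#0111#011
Apr 8 11:49:18 server dovecot: auth: Debug: client in: CONT<hidden>
Apr 8 11:49:18 server dovecot: auth: Panic: file auth-request.c: line 716 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Apr 8 11:49:18 server dovecot: auth: Fatal: master: service(auth): child 17668 killed with signal 6 (core dumps disabled)
Apr 8 11:49:19 server dovecot: imap-login: Disconnected (auth process communication failure): user=<>, method=GSSAPI, rip=192.168.1.101, lip=192.168.1.1, TLS, session=<e8xMvSwTQgDAqCpl>
"""


def unescape_syslog(text: str) -> str:
    """Turn '#011' and friends back into the control characters they encode."""
    return SYSLOG_OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_line(raw: str):
    """Split one syslog line into timestamp/host/process/level/message, or None."""
    m = LINE_RE.match(raw.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = unescape_syslog(rec["msg"])
    return rec


def parse_auth_request(msg: str):
    """Parse 'client in: AUTH<TAB>id<TAB>mech<TAB>key=value|flag...' into a dict."""
    if not msg.startswith("client in: AUTH\t"):
        return None
    fields = msg[len("client in: "):].split("\t")
    req = {"id": fields[1], "mech": fields[2]}
    for field in fields[3:]:
        key, sep, value = field.partition("=")
        req[key] = value if sep else True   # bare words like 'secured' are flags
    return req


def find_auth_crashes(log_text: str):
    """Return one record per auth-process panic, with the requests in flight at that time."""
    in_flight = {}      # request id -> parsed AUTH request not yet answered with OK/FAIL
    crashes, current = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "auth":
            continue
        msg = rec["msg"]
        req = parse_auth_request(msg)
        if req:
            in_flight[req["id"]] = req
        elif msg.startswith("client passdb out: "):
            parts = msg[len("client passdb out: "):].split("\t")
            if parts[0] in ("OK", "FAIL") and len(parts) > 1:
                in_flight.pop(parts[1], None)          # request finished normally
        elif rec["level"] == "Panic":
            m = PANIC_RE.search(msg)
            current = {
                "ts": rec["ts"],
                "function": m.group("func") if m else None,
                "assertion": m.group("assert") if m else msg,
                "signal": None,
                "requests": list(in_flight.values()),  # what the process was handling
            }
            crashes.append(current)
            in_flight = {}
        elif rec["level"] == "Fatal" and current is not None:
            m = SIGNAL_RE.search(msg)
            if m:
                current["signal"] = int(m.group("signal"))
                current["pid"] = int(m.group("pid"))
            current = None
    return crashes


def summarize(crash) -> str:
    reqs = ", ".join(
        f"{r['mech']} from {r.get('rip', '?')} session={r.get('session', '?')}"
        for r in crash["requests"]
    ) or "no in-flight request"
    return (f"{crash['ts']}: auth process died in {crash['function']} "
            f"(signal {crash['signal']}) while handling {reqs}")


if __name__ == "__main__":
    for crash in find_auth_crashes(SAMPLE_LOG):
        print(summarize(crash))
```

Run against a real mail.log with `auth_debug = yes` it links each `Panic`/`Fatal` pair to the `AUTH` request that was open, which is what you need to tell a crash triggered by one client's GSSAPI exchange apart from an unrelated auth problem, and to see how often the auth service is being restarted.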