I'm setting up dovecot on a new box; and once again I find myself banging my head against GSSAPI authentication.

The particularly irritating thing is that I have this working on another box. I've done my best to ape the configuration of that box; but it's been some years since I set it up and somewhere along the line I have failed.

My dovecot.conf has:

auth_mechanism = plain gssapi

passdb {
  driver = pam
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

where /etc/dovecot/dovecot-ldap.conf.ext is:

hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))

I've diff'd the contents of /etc/dovecot on the working vs. non-working servers, and I can see nothing of pertinence (just a few lines about loading the sieve plug-in).

Now, logging in with the kerberos password via PAM *is* working. /etc/pam.d/dovecot:

#%PAM-1.0
auth       sufficient   pam_krb5.so
account    sufficient   pam_krb5.so

But GSSAPI authentication is not:

[ root at hinge ~]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
^]
telnet> close
Connection closed.

Oh... The kerberos server does have an IMAP service key for hinge; and that service key appears in hinge's /etc/krb5.keytab, as well.

Any pointers on where I should be looking at this point would be very much appreciated.

-- 
Braden McDaniel <braden at endoframe.com>
> On April 17, 2016 at 12:41 AM Braden McDaniel <braden at endoframe.com> wrote:
>
> I'm setting up dovecot on a new box; and once again I find myself
> banging my head against GSSAPI authentication.
>
> The particularly irritating thing is that I have this working on
> another box. I've done my best to ape the configuration of that box;
> but it's been some years since I set it up and somewhere along the line
> I have failed.
>
> My dovecot.conf has:
>
> auth_mechanism = plain gssapi
>
> passdb {
>   driver = pam
> }
>
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
>
> where /etc/dovecot/dovecot-ldap.conf.ext is:
>
> hosts = ldap
> dn = cn=Manager,dc=endoframe,dc=net
> dnpass = XXXXXXXX
> ldap_version = 3
> base = ou=people,dc=endoframe,dc=net
> deref = never
> scope = subtree
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
>
> I've diff'd the contents of /etc/dovecot on the working vs. non-working
> servers, and I can see nothing of pertinence (just a few lines about
> loading the sieve plug-in).
>
> Now, logging in with the kerberos password via PAM *is* working.
> /etc/pam.d/dovecot:
>
> #%PAM-1.0
> auth       sufficient   pam_krb5.so
> account    sufficient   pam_krb5.so
>
> But GSSAPI authentication is not:
>
> [ root at hinge ~]# telnet localhost 143
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
> a authenticate GSSAPI
> a NO [UNAVAILABLE] Temporary authentication failure.
> [hinge.endoframe.net:2016-04-16 21:33:32]
> ^]
> telnet> close
> Connection closed.
>
> Oh... The kerberos server does have an IMAP service key for hinge; and
> that service key appears in hinge's /etc/krb5.keytab, as well.
>
> Any pointers on where I should be looking at this point would be very
> much appreciated.
>
> -- 
> Braden McDaniel <braden at endoframe.com>

Hi!

Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos

Also can you provide klist -k on server?

---
Aki Tuomi
On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi at dovecot.fi wrote:
> Did you check your setup against
> http://wiki2.dovecot.org/Authentication/Kerberos

I did. Of course, it's possible I've still managed to overlook something.

> Also can you provide klist -k on server?

I assume you mean the kerberos server:

[ root at knock ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/knock.endoframe.net at ENDOFRAME.NET
   2 host/knock.endoframe.net at ENDOFRAME.NET
   2 host/knock.endoframe.net at ENDOFRAME.NET
   2 host/knock.endoframe.net at ENDOFRAME.NET
   2 host/knock.endoframe.net at ENDOFRAME.NET
   2 host/knock.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   4 host/rail.endoframe.net at ENDOFRAME.NET
   3 nfs/rail.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET
   5 host/hinge.endoframe.net at ENDOFRAME.NET

-- 
Braden McDaniel <braden at endoframe.com>
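The klist -k question above is about the keytab the IMAP host's Dovecot auth process will actually open, so a practical check is to confirm that keytab holds the IMAP service principal and that the auth process user can read it. The script below is an added example, not from the thread or from Dovecot; it assumes the principal is imap/hinge.endoframe.net@ENDOFRAME.NET and that the Dovecot auth process runs as the dovecot user, and it parses constructed klist -k output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a `klist -k` listing for the
# IMAP service principal and its key version, and checks that the keytab is
# readable by the user Dovecot's auth process runs as (assumed: dovecot).

# Constructed sample of `klist -k` output for the IMAP server's keytab;
# the three header lines match real MIT klist output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/hinge.endoframe.net@ENDOFRAME.NET
   5 host/hinge.endoframe.net@ENDOFRAME.NET
   3 imap/hinge.endoframe.net@ENDOFRAME.NET'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Exit 0 if PRINCIPAL appears in the Principal column (exact match), else 1.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 3 && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# highest_kvno KLIST_OUTPUT PRINCIPAL
# Prints the highest KVNO stored for PRINCIPAL (0 if absent). Compare it with
# the KVNO the KDC reports: a stale keytab KVNO makes GSSAPI fail on the server.
highest_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 3 && $2 == want && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# keytab_readable_by KEYTAB USER
# Exit 0 if USER can read KEYTAB. Needs root to switch user; otherwise it
# falls back to testing the current user's access.
keytab_readable_by() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$2" -c "test -r '$1'"
    else
        test -r "$1"
    fi
}

# Typical use on the IMAP host (assumed principal and user):
#   keytab_has_principal "$(klist -k)" imap/hinge.endoframe.net@ENDOFRAME.NET
#   keytab_readable_by /etc/krb5.keytab dovecot
```

A keytab that lists the principal but is not readable by the auth process user fails in the same way as a missing key, so run both checks.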