I'm setting up dovecot on a new box; and once again I find myself
banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on
another box. ?I've done my best to ape the configuration of that box;
but it's been some years since I set it up and somewhere along the line
I have failed.
My dovecot.conf has:
auth_mechanism = plain gssapi
passdb {
? driver = pam
}
userdb {
? driver = ldap
??args = /etc/dovecot/dovecot-ldap.conf.ext
}
where /etc/dovecot/dovecot-ldap.conf.ext is:
hosts = ldap
dn = cn=Manager,dc=endoframe,dc=net
dnpass = XXXXXXXX
ldap_version = 3
base = ou=people,dc=endoframe,dc=net
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
I've diff'd the contents of /etc/dovecot on the working vs. non-working
servers, and I can see nothing of pertinence (just a few lines about
loading the sieve plug-in).
Now, logging in with the kerberos password via PAM *is* working.
?/etc/pam.d/dovecot:
#%PAM-1.0
auth???????sufficient???pam_krb5.so
account????sufficient???pam_krb5.so
But GSSAPI authentication is not:
[ root at hinge ~]# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
[hinge.endoframe.net:2016-04-16 21:33:32]
^]
telnet> close
Connection closed.
Oh... The kerberos server does have an IMAP service key for hinge; and
that service key appears in hinge's /etc/krb5.keytab, as well.
Any pointers on where I should be looking at this point would be very
much appreciated.
--
Braden McDaniel <braden at endoframe.com>
> On April 17, 2016 at 12:41 AM Braden McDaniel <braden at endoframe.com> wrote: > > > I'm setting up dovecot on a new box; and once again I find myself > banging my head against GSSAPI authentication. > > The particularly irritating thing is that I have this working on > another box. ?I've done my best to ape the configuration of that box; > but it's been some years since I set it up and somewhere along the line > I have failed. > > My dovecot.conf has: > > auth_mechanism = plain gssapi > > passdb { > ? driver = pam > } > > userdb { > ? driver = ldap > ??args = /etc/dovecot/dovecot-ldap.conf.ext > } > > where /etc/dovecot/dovecot-ldap.conf.ext is: > > hosts = ldap > dn = cn=Manager,dc=endoframe,dc=net > dnpass = XXXXXXXX > ldap_version = 3 > base = ou=people,dc=endoframe,dc=net > deref = never > scope = subtree > user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid > user_filter = (&(objectClass=posixAccount)(uid=%u)) > > I've diff'd the contents of /etc/dovecot on the working vs. non-working > servers, and I can see nothing of pertinence (just a few lines about > loading the sieve plug-in). > > Now, logging in with the kerberos password via PAM *is* working. > ?/etc/pam.d/dovecot: > > #%PAM-1.0 > auth???????sufficient???pam_krb5.so > account????sufficient???pam_krb5.so > > But GSSAPI authentication is not: > > [ root at hinge ~]# telnet localhost 143 > Trying ::1... > Connected to localhost. > Escape character is '^]'. > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE > STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready. > a authenticate GSSAPI > a NO [UNAVAILABLE] Temporary authentication failure. > [hinge.endoframe.net:2016-04-16 21:33:32] > ^] > telnet> close > Connection closed. > > Oh... The kerberos server does have an IMAP service key for hinge; and > that service key appears in hinge's /etc/krb5.keytab, as well. > > Any pointers on where I should be looking at this point would be very > much appreciated. > > -- > Braden McDaniel <braden at endoframe.com>Hi! Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos Also can you provide klist -k on server? --- Aki Tuomi
On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi at dovecot.fi wrote:> > > > Did you check your setup against > http://wiki2.dovecot.org/Authentication/KerberosI did. ?Of course, it's possible I've still managed to overlook something.?> Also can you provide klist -k on server?I assume you mean the kerberos server: [ root at knock ~]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- ???2 host/knock.endoframe.net at ENDOFRAME.NET ???2 host/knock.endoframe.net at ENDOFRAME.NET ???2 host/knock.endoframe.net at ENDOFRAME.NET ???2 host/knock.endoframe.net at ENDOFRAME.NET ???2 host/knock.endoframe.net at ENDOFRAME.NET ???2 host/knock.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???4 host/rail.endoframe.net at ENDOFRAME.NET ???3 nfs/rail.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET ???5 host/hinge.endoframe.net at ENDOFRAME.NET -- Braden McDaniel <braden at endoframe.com>