On Mon, 2016-04-18 at 08:59 +0300, aki.tuomi at dovecot.fi wrote:
> > On April 18, 2016 at 8:13 AM Braden McDaniel <braden at endoframe.com>
> > wrote:
> >
> > On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi at dovecot.fi wrote:
> > > Did you check your setup against
> > > http://wiki2.dovecot.org/Authentication/Kerberos
> > I did. Of course, it's possible I've still managed to overlook
> > something.
> >
> > > Also can you provide klist -k on server?
> > I assume you mean the kerberos server:
> >
> > [root at knock ~]#
>
> Apologies, I meant your IMAP server.

[root at hinge ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   3 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   4 host/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET
   2 imap/hinge.endoframe.net at ENDOFRAME.NET

-- 
Braden McDaniel <braden at endoframe.com>

On 18.04.2016 14:22, Braden McDaniel wrote:
> On Mon, 2016-04-18 at 08:59 +0300, aki.tuomi at dovecot.fi wrote:
>>> On April 18, 2016 at 8:13 AM Braden McDaniel <braden at endoframe.com>
>>> wrote:
>>>
>>> On Sun, 2016-04-17 at 21:49 +0300, aki.tuomi at dovecot.fi wrote:
>>>> Did you check your setup against
>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>> I did. Of course, it's possible I've still managed to overlook
>>> something.
>>>
>>>> Also can you provide klist -k on server?
>>> I assume you mean the kerberos server:
>>>
>>> [root at knock ~]#
>> Apologies, I meant your IMAP server.
> [root at hinge ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/hinge.endoframe.net at ENDOFRAME.NET
>    3 host/hinge.endoframe.net at ENDOFRAME.NET
>    4 host/hinge.endoframe.net at ENDOFRAME.NET
>    2 imap/hinge.endoframe.net at ENDOFRAME.NET
>

There was a previous case where gssapi did not work with Thunderbird. It apparently has some problems with GSSAPI usage.

Also, did you ensure that your client has all the requisite principals? Can you try turning on auth_verbose=yes? Remember that kerberos is very DNS oriented, so missing/incorrect reverse records can also cause failures.

Aki

On Mon, 2016-04-18 at 14:49 +0300, Aki Tuomi wrote:
> There was a previous case where gssapi did not work with Thunderbird. It
> apparently has some problems with GSSAPI usage.

I'm using Evolution; but note the telnet session. I'll beat mail clients into submission later.

I found the problem: I had not made the keytab file on the mail server readable by the dovecot process. (Yes, I'm well aware the wiki mentions this; and I probably read that sentence at least a half dozen times without it really registering with me. Ahem.)

Thank you for your assistance.

-- 
Braden McDaniel <braden at endoframe.com>
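
The cause found in the last message, a keytab the Dovecot process could not read, can be checked together with the presence of the imap/ principal. The script below is an added example, not code from the thread or from Dovecot; the function names, the sample klist output and the example.net host and realm are constructed, and the account to test is whichever user the Dovecot auth process runs as on your system.

```sh
#!/bin/sh
# Added example, not from the thread. Names and sample values are constructed.

# Constructed `klist -k` output (real output uses service/host@REALM).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/mail.example.net@EXAMPLE.NET
   2 imap/mail.example.net@EXAMPLE.NET'

# mode_allows_read OWNER_UID OWNER_GID OCTAL_MODE UID "GID ..."
# POSIX picks exactly one permission class: owner bits if UID owns the file,
# else group bits if any GID matches, else other bits. uid 0 always reads.
mode_allows_read() {
    o_uid=$1; o_gid=$2; mode=$(( 0$3 )); uid=$4; gids=$5
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$o_uid" ]; then
        [ $(( mode & 0400 )) -ne 0 ]; return
    fi
    for g in $gids; do
        if [ "$g" -eq "$o_gid" ]; then
            [ $(( mode & 0040 )) -ne 0 ]; return
        fi
    done
    [ $(( mode & 0004 )) -ne 0 ]
}

# has_principal KLIST_OUTPUT PRINCIPAL: exact match on "<kvno> <principal>" rows.
has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { ok = 1 } END { exit !ok }'
}

# check_keytab KEYTAB USER PRINCIPAL: run as root on the IMAP server.
# Mode bits only: ACLs, SELinux and directory traversal are not examined.
check_keytab() {
    kt=$1; user=$2; princ=$3
    st=$(stat -c '%u %g %a' "$kt") || return 2      # GNU coreutils stat
    u=$(id -u "$user") && gs=$(id -G "$user") || return 2
    set -- $st
    mode_allows_read "$1" "$2" "$3" "$u" "$gs" ||
        { echo "FAIL: $user cannot read $kt (mode $3)"; return 1; }
    has_principal "$(klist -k "$kt")" "$princ" ||
        { echo "FAIL: $princ not found in $kt"; return 1; }
    echo "OK: $user can read $kt, which holds $princ"
}
```

A root-owned keytab with mode 600 fails the first check for any non-root service account, which is the situation the thread ended on; granting read access through a dedicated group keeps the file closed to other users.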