On 2016-10-11 09:18, Aki Tuomi wrote:
> On 11.10.2016 10:13, Juha Koho wrote:
>> Hello,
>>
>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
>> set up a GSSAPI Kerberos authentication with the LDAP server but with
>> little success. Seems no matter what I try I end up with the following
>> error message:
>>
>> dovecot: auth: Error: LDAP: binding failed (dn
>> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
>> provide more information (No Kerberos credentials available (default
>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>
>> I have set the import_environment in dovecot.conf:
>>
>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>
>> And these in LDAP configuration:
>>
>> dn = imap/host.example.com@EXAMPLE.COM
>> sasl_bind = yes
>> sasl_mech = gssapi
>> sasl_realm = EXAMPLE.COM
>> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>>
>> I have tried with different values in dn and sasl_authz_id and also
>> leaving them out completely but I always end up with the error message
>> above. Using simple bind without GSSAPI works just fine.
>>
>> The credentials cache file exists and is valid for the principal
>> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user
>> so it shouldn't be a permission problem either.
>>
>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
>> connection attempt never reaches the LDAP server due to the error. I
>> also have a similar setup for Postfix and it works fine.
>>
>> Any ideas what to try next?
>>
>> Best regards,
>> Juha
>
> Can you provide klist output for the cache file? Also, it should be
> readable by dovenull user, or whatever is configured as
> default_login_user.

Here's the klist output of the cache file:
--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/12/2016 09:26:25
---

I didn't know that dovenull must also have access to the cache,
but I tried also setting 0644 permissions on the cache file with no
luck. So permissions shouldn't be the issue...

Juha
On 11.10.2016 10:43, Juha Koho wrote:
> On 2016-10-11 09:18, Aki Tuomi wrote:
>> On 11.10.2016 10:13, Juha Koho wrote:
>>> [...]
>>
>> Can you provide klist output for the cache file? Also, it should be
>> readable by dovenull user, or whatever is configured as
>> default_login_user.
>
> Here's the klist output of the cache file:
> --
> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
> Default principal: imap/host.example.com@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> 	renew until 10/12/2016 09:26:25
> ---
>
> I didn't know that dovenull must also have access to the cache,
> but I tried also setting 0644 permissions on the cache file with no
> luck. So permissions shouldn't be the issue...
>
> Juha

Your ccache has no ticket for imap/host.example.com@EXAMPLE.COM

please use kinit to acquire one.

Aki
On 2016-10-11 10:00, Aki Tuomi wrote:
> On 11.10.2016 10:43, Juha Koho wrote:
>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>> [...]
>>>
>>> Can you provide klist output for the cache file? Also, it should be
>>> readable by dovenull user, or whatever is configured as
>>> default_login_user.
>>
>> Here's the klist output of the cache file:
>> [...]
>> Juha
>
> Your ccache has no ticket for imap/host.example.com@EXAMPLE.COM
>
> please use kinit to acquire one.

Now I'm confused. The cache file is created by kinit using the command:

sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com

After that:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/12/2016 10:47:47

Also, I can use the cache file with ldapsearch just fine by running the following:

sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com

After the ldapsearch has succeeded the klist output is the following:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example.com@EXAMPLE.COM
	renew until 10/12/2016 10:47:47

Which is what I expected.

Isn't this basically what dovecot does (or should do), or did I miss something?

Juha
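The thread turns on three checks that are easy to get wrong by hand: whether dovecot.conf actually exports KRB5CCNAME through import_environment, whether the cache file is readable by the user Aki names (dovenull, or whatever default_login_user is set to), and whether klist shows the expected default principal with a TGT that has not expired. The script below is an added example, not Dovecot's code or anything posted in the thread; it runs those checks offline against a klist transcript and a config line constructed from the messages above. The principal, realm, file path and the "now" timestamps are taken from the thread; the helper names are this example's own. It also flags the 0644 mode Juha tried, since a world-readable cache lets every local account act as the service principal even though it makes the bind succeed.

```python
"""Pre-flight checks for the credential cache used by Dovecot's LDAP GSSAPI bind.

Added example, not Dovecot's own code. The klist text and the
import_environment line are constructed from the mailing-list thread.
"""
import os
import pwd
import re
import stat
import tempfile
from datetime import datetime

KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"  # timestamp format in the thread's klist output
EXPECTED_PRINCIPAL = "imap/host.example.com@EXAMPLE.COM"
REALM = "EXAMPLE.COM"

# Constructed sample: the klist output posted in the thread after kinit.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/12/2016 10:47:47
"""

# Constructed sample: the import_environment line from the thread's dovecot.conf.
SAMPLE_IMPORT_ENV = ("import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID "
                     "LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache")

# A ticket line has two timestamps and a service name; 'renew until' lines have one.
TICKET_RE = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)")


def ccache_from_import_environment(line):
    """Return the KRB5CCNAME value from an import_environment line, or None if absent."""
    _, _, value = line.partition("=")          # drop the 'import_environment' key
    for item in value.split():
        key, sep, val = item.partition("=")
        if sep and key == "KRB5CCNAME":
            return val
    return None


def ccache_path(krb5ccname):
    """Return the filesystem path of a FILE: cache; None for cache types without one."""
    cctype, sep, rest = krb5ccname.partition(":")
    if not sep:
        return krb5ccname                       # a bare path means FILE:
    return rest if cctype == "FILE" else None


def parse_klist(output):
    """Parse klist text into (default principal, list of ticket dicts)."""
    principal, tickets = None, []
    for line in output.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"starts": datetime.strptime(m.group(1), KLIST_TIME_FMT),
                            "expires": datetime.strptime(m.group(2), KLIST_TIME_FMT),
                            "service": m.group(3)})
    return principal, tickets


def check_ccache_contents(output, expected_principal, realm, now):
    """Return a list of problems with the cache contents; 'now' is in klist format."""
    problems = []
    now = datetime.strptime(now, KLIST_TIME_FMT)
    principal, tickets = parse_klist(output)
    if principal != expected_principal:
        problems.append(f"default principal is {principal!r}, expected {expected_principal!r}")
    tgt_name = f"krbtgt/{realm}@{realm}"
    tgts = [t for t in tickets if t["service"] == tgt_name]
    if not tgts:
        problems.append(f"no TGT ({tgt_name}) in cache; acquire one with kinit -k -t <keytab>")
    elif tgts[0]["expires"] <= now:
        problems.append(f"TGT expired at {tgts[0]['expires']:%Y-%m-%d %H:%M:%S}; renew the cache")
    return problems


def check_ccache_file(path, uid, gid):
    """Return problems with the cache file for a non-root user with this uid/gid.

    Root bypasses mode bits, so this models the unprivileged auth user;
    supplementary groups are ignored for simplicity.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid == gid:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    problems = []
    if not readable:
        problems.append(f"{path} (owner uid {st.st_uid}, mode {mode:04o}) is not readable by uid {uid}")
    if mode & stat.S_IROTH:   # 0644 makes the bind work but exposes the ticket to every local account
        problems.append(f"warning: {path} (mode {mode:04o}) is world-readable; consider 0640 with the auth user's group")
    return problems


def auth_user_ids(name):
    """Look up (uid, gid) of the auth user, e.g. 'dovenull' as named in the thread."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def demo_file_check(mode):
    """Check a throwaway constructed cache file with the given mode, as the current user."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dovecot.krb5.ccache")
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real credential cache\n")
        os.chmod(path, mode)
        return check_ccache_file(path, os.geteuid(), os.getegid())


if __name__ == "__main__":
    ccname = ccache_from_import_environment(SAMPLE_IMPORT_ENV)
    print("KRB5CCNAME from import_environment:", ccname, "->", ccache_path(ccname))
    print("contents at 10/11/2016 12:00:00:",
          check_ccache_contents(SAMPLE_KLIST, EXPECTED_PRINCIPAL, REALM, "10/11/2016 12:00:00") or "OK")
    print("contents a day later:",
          check_ccache_contents(SAMPLE_KLIST, EXPECTED_PRINCIPAL, REALM, "10/12/2016 12:00:00"))
    print("file mode 0600:", demo_file_check(0o600) or "OK")
    print("file mode 0644:", demo_file_check(0o644))
```

On a real host, feed `check_ccache_contents` the output of `klist <path>` run as the auth user and `check_ccache_file` the path from `ccache_path(...)` with `auth_user_ids("dovenull")`; the expiry check is the one that bites later, since the thread's TGT is valid for twelve hours and the cache has to be renewed before then for the bind to keep working.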