search for: authn_name

Displaying 7 results from an estimated 7 matches for "authn_name".

2009 Jul 29
1
authn_name and authz_name differ: not supported
Hello, I'm trying to authenticate using GSSAPI, but I'm getting this in dovecot.log: "authn_name and authz_name differ: not supported". What is it actually trying to tell me? I remember encountering this problem once, but it went away silently. I'm using Mozilla Thunderbird 3 beta 3 and Dovecot 1.0.15
2009 Mar 03
2
GSSAPI cross-realm fixed
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name. If I create a .k5login listing...
2011 Mar 10
1
Dovecot+Kerberos
...ticated to Kerberos v5 KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME TESTING: imtest srv-mail ERROR: Mar 10 08:27:23 srv-mail dovecot: auth(default): auth(?,10.0.0.5): Invalid username: host/srv-mail.cn.energy at CN.ENERGY Mar 10 08:27:23 srv-mail dovecot: auth(default): gssapi(?,10.0.0.5): authn_name: Username contains disallowed character: 0x2f Why username "host/srv-mail.cn.energy at CN.ENERGY" ??? imtest -m GSSAPI -u ross -a ross -r cn.energy srv-mail ERROR: Mar 10 08:31:55 srv-mail dovecot: auth(default): auth(?,10.0.0.5): Invalid username: host/srv-mail.cn.energy at CN.ENERGY M...
2009 Mar 03
0
GSSAPI cross-realm still broken
I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at: http://dovecot.org/pipermail/dovecot/2005-October/009615.html While everything within that message is true, as things stand, Dovecot is unusable in a cross-realm environment. When cross-realm tickets are u...
2009 Jun 24
2
dovecot 1.2rc5 fails to authenticate user via GSSAPI
.... klist after login attempt shows: Valid starting Expires Service principal 06/18/09 20:01:01 06/19/09 20:01:01 krbtgt/realm at realm 06/18/09 20:01:28 06/19/09 20:01:01 imap/mail.domain at realm Server side 1. /var/log/maillog: dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS ---------------- It is possible for the same user to login via other mechanisms. The issue reproduced with different email clients. Evolution and a c...
2005 Oct 19
2
[PATCH] Support for GSSAPI SASL Mechanism
Hi, Attached is a patch against current CVS that adds support for the GSSAPI SASL mechanism. It was written from scratch, after reading the patch from Colin Walters against a much older version of dovecot. Other than support for the 'GSSAPI' mechanism, it contains the following changes: - Added 'auth_krb5_keytab' option for
2007 Feb 03
1
GSSAPI authentication behind HA servers
Hi all, We have 2 mail servers sitting behind linux-HA machines. The mail servers are currently running dovecot 1.0rc2. Looking to enable GSSAPI authentication, I exported krb keytabs for imap/node01.domain at REALM and imap/node02.domain at REALM for both mail servers. However, clients are connecting to mail.domain.com, which results in a mismatch as far as the keytab is concerned (and rightly