search for: k5princip

Displaying 7 results from an estimated 7 matches for "k5princip".

2019 Nov 24
2
Proxy GSSAPI + PLAIN authentication
...uthentication. When authenticating with Kerberos, Dovecot uses master user and password to authenticate to backends (backends can be Cyrus or Exchange servers too). When authenticating with PLAIN passwords, Dovecot sends user's login and password to the backend. For GSSAPI, I use extrafields: k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend For PLAIN, I use a static driver: passdb { driver = static args = proxy=y host=cyrus password=%w } I can authenticate fine with Kerberos tickets and login/password on the backend. Trouble is...
2019 Nov 24
0
Proxy GSSAPI + PLAIN authentication
...cating with PLAIN passwords, Dovecot sends user's login and password to the backend. For GSSAPI, I use extrafields: k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend For PLAIN, I use a static driver: ...
2020 Aug 12
0
auth debug log entry incorrect
...ant attrs: --- mailAddress: sn.gn@example.com mailDeliveryAddress: 123456@example.com uid: u123456 krbPrincipalName: u123456@REALM krbPrincipalName: user123456@REALM krbPrincipalName: alias@REALM --- with pass_attrs = =user=%{ldap:mailDeliveryAddress},=password=%{ldap:userPassword},=k5principals=%{ldap:krbPrincipalName} I can see incorrectly logged ldap search result for krbPrincipalName attr as it is written 3 times with the same value -- number is correct, values should differ. All is working ok as expected, but was a bit confusing while tuning /etc/krb5.conf on non-working remote cl...
2012 Mar 05
1
[PATCH] GSSAPI authorization and virtual users
The attached patch makes it possible for Kerberos principals to be associated with a password database entry by adding a new "k5principals" passdb setting. A client that successfully authenticates using GSSAPI will be able to log in as any user who has been associated with the client's Kerberos principal. This means that users can now use their Kerberos identities to access virtual mail accounts. The patch definitely need...
2020 Jan 25
0
Lookup master userdb used with GSSAPI causes auth-worker to report "Error: BUG: PASSL had invalid passdb ID"
...ot stuck on configuring master user authentication. I use GSSAPI authentication in parallel with PLAIN/LOGIN (pam backend that authenticates against my Active Directory domain) and this works as intended. I then tried adding simple static master passdb that simply returns nopassword='y' and k5principals=... for test and it also works OK. Sadly, using any other backend (I've tried lua and sql) for master passdb instead of static in combination with GSSAPI client causes auth-worker to report "Error: BUG: PASSL had invalid passdb ID". I took a look at the code and my best guess is t...
2013 May 09
1
Crossrealm Kerberos problems
I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information at the end of the email. I am working on a Kerberos/GSSAPI based setup that requires cross-realm authentication. I have regular GSSAPI working, I can log in using pam_krb5 with password based logins or with the GSSAPI support when using a kerberos ticket in the default realm. However when I attempt to authenticate using
2016 Jul 04
2
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
...ation of these instructions can eventually make it into: http://wiki2.dovecot.org/Authentication/Kerberos What is essentially missing from the wiki is how to set up the proper Service Principal Names and the subsequent creation of a dovecot useable kerberos keytab file. The wiki comment on "k5principals passdb" was not helpful and largely unintelligible to me. Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and Dovecot/IMAP. The transition was completely transparent to my users, except they needed a separate password for email authentication in the abs...