Displaying 7 results from an estimated 7 matches for "k5principals".
2019 Nov 24
2
Proxy GSSAPI + PLAIN authentication
...uthentication.
When authenticating with Kerberos, Dovecot uses master user and password to
authenticate to backends (backends can be Cyrus or Exchange servers too)
When authenticating with PLAIN passwords, Dovecot sends user's login and
password to the backend.
For GSSAPI, I use extrafields :
k5principals=principal@REALM proxy=Y pass=masterpassword
login_user=principal user=masteruser host=backend
For PLAIN, I use a static driver :
passdb {
driver = static
args = proxy=y host=cyrus password=%w
}
I can authenticate fine with Kerberos tickets and login/password on the
backend.
Trouble is tha...
2019 Nov 24
0
Proxy GSSAPI + PLAIN authentication
...cating with PLAIN passwords, Dovecot sends user's login and password to the backend.
For GSSAPI, I use extrafields :
k5principals=principal@REALM proxy=Y pass=masterpassword login_user=principal user=masteruser host=backend
For PLAIN, I use a static driver :
...
2020 Aug 12
0
auth debug log entry incorrect
...ant attrs:
---
mailAddress: sn.gn at example.com
mailDeliveryAddress: 123456 at example.com
uid: u123456
krbPrincipalName: u123456 at REALM
krbPrincipalName: user123456 at REALM
krbPrincipalName: alias at REALM
---
with
pass_attrs = =user=%{ldap:mailDeliveryAddress},=password=%{ldap:userPassword},=k5principals=%{ldap:krbPrincipalName}
I can see incorrectly logged ldap search result for krbPrincipalName attr as it is written 3 times with the same value -- number is correct, values should differ.
All is working ok as expected, but was a bit confusing while tuning /etc/krb5.conf on non-working remote clien...
2012 Mar 05
1
[PATCH] GSSAPI authorization and virtual users
The attached patch makes it possible for Kerberos principals to be
associated with a password database entry by adding a new "k5principals"
passdb setting. A client that successfully authenticates using GSSAPI
will be able to log in as any user who has been associated with the
client's Kerberos principal. This means that users can now use their
Kerberos identities to access virtual mail accounts.
The patch definitely needs r...
2020 Jan 25
0
Lookup master userdb used with GSSAPI causes auth-worker to report "Error: BUG: PASSL had invalid passdb ID"
...ot stuck on configuring master user
authentication. I use GSSAPI authentication in parallel with PLAIN/LOGIN
(pam backend that authenticates against my Active Directory domain) and
this works as intended. I then tried adding simple static master passdb
that simply returns nopassword='y' and k5principals=... for test and it
also works OK.
Sadly, using any other backend (I've tried lua and sql) for master passdb
instead of static in combination with GSSAPI client causes auth-worker to
report "Error: BUG: PASSL had invalid passdb ID". I took a look at the code
and my best guess is that...
2013 May 09
1
Crossrealm Kerberos problems
I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information
at the end of the email.
I am working on a Kerberos/GSSAPI based setup that requires cross-realm
authentication. I have regular GSSAPI working, I can log in using
pam_krb5 with password based logins or with the GSSAPI support when
using a kerberos ticket in the default realm.
However when I attempt to authenticate using
2016 Jul 04
2
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
...ation of these instructions
can eventually make it into:
http://wiki2.dovecot.org/Authentication/Kerberos
What is essentially missing from the wiki is how to set up the proper Service Principal Names
and the subsequent creation of a dovecot useable kerberos keytab file. The wiki comment on
"k5principals passdb" was not helpful and largely unintelligible to me.
Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and
Dovecot/IMAP. The transition was completely transparent to my users, except they needed a
separate password for email authentication in the absenc...