[Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)

Trever L. Adams trever.adams at gmail.com
Tue Oct 19 15:16:46 EEST 2010


 On 10/15/2010 09:50 PM, Trever L. Adams wrote:
> Thanks to Timo, I have solved all but one of my problems. For
> background, I am using Samba4 as an AD. I have the userdb working from LDAP
> just fine and kerberos authentication for dovecot's IMAP server working
> fine. The problem is using dovecot's SASL with postfix. I also have
> plain/login working in imap and smtp. Both use pam_krb5 through pam to
> authenticate clients that don't have kerberos, and for now smtp. When
> trying to do smtp kerberos, I get the following:
>
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer
> than 2048: AUTH GSSAPI ...
> dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
> dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for
> smtp at MAILSERVER_FQDN
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Unspecified GSS failure.  Minor code may provide more information
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Invalid message type
>  postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI
> authentication failed:
>  dovecot: auth: Debug: client out: FAIL#0111
>
> # klist -k /etc/dovecot/krb5.keytab
> Keytab name: WRFILE:/etc/dovecot/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    2 imap/MAILSERVER_FQDN at DOMAIN_REALM
>    2 smtp/MAILSERVER_FQDN at DOMAIN_REALM
>
> The client is Thunderbird.
>
> Any help would be greatly appreciated. I have made sure that the file
> has proper permissions. I have regenerated the smtp cert making sure the
> password is accurate. I have done everything I know to try. The only
> thing that I guess remains is something is broken with Thunderbird's
> kerberos setup for smtp.
>
> Thank you very much,
> Trever
>
Samba4 doesn't automatically set the userPrincipalName to
imap/f.q.d.n at REALM or smtp/f.q.d.n at REALM when setting up an SPN. This
was the problem. For some reason it works fine for imap but not smtp.

I have reported this as a possible bug to Samba4. I am documenting it
here in case someone else has problems.

Trever
-- 
"The amount of time between slipping on the peel and landing on the
pavement is precisely 1 bananosecond." -- Unknown
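As an added diagnostic, not code from the original thread, the script below parses the output of `klist -k` together with an LDIF dump of the AD account that holds the mail server's SPNs, and flags each keytab principal whose servicePrincipalName is registered but whose userPrincipalName is not the full svc/host@REALM form that the follow-up identifies as the missing piece. The hostname, realm, account name and both sample outputs are constructed placeholders.

```python
import re

# Constructed sample of `klist -k /etc/dovecot/krb5.keytab` (placeholder host/realm).
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.example.test@EXAMPLE.TEST
   2 smtp/mail.example.test@EXAMPLE.TEST
"""

# Constructed LDIF for the AD object owning the SPNs: only the imap UPN was set,
# mirroring the situation described in the follow-up post.
LDIF_OUTPUT = """\
dn: CN=mail,CN=Users,DC=example,DC=test
sAMAccountName: mail
servicePrincipalName: imap/mail.example.test
servicePrincipalName: smtp/mail.example.test
userPrincipalName: imap/mail.example.test@EXAMPLE.TEST
"""

def keytab_principals(klist_text):
    """Return the 'svc/host@REALM' principals from `klist -k` output as a set."""
    pat = re.compile(r"^\s*\d+\s+(\S+/\S+@\S+)\s*$", re.M)
    return {m.group(1) for m in pat.finditer(klist_text)}

def ldif_entries(ldif_text):
    """Parse a simple LDIF dump into a list of {attribute: [values]} dicts."""
    entries, cur = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():            # blank line separates entries
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def find_upn_gaps(klist_text, ldif_text):
    """Map each keytab principal to 'ok', 'no-spn' (no object registers the SPN)
    or 'upn-mismatch' (SPN registered, but userPrincipalName is not svc/host@REALM)."""
    report, entries = {}, ldif_entries(ldif_text)
    for princ in sorted(keytab_principals(klist_text)):
        spn = princ.split("@", 1)[0]    # strip the realm to get the SPN form
        owner = next((e for e in entries if spn in e.get("servicePrincipalName", [])), None)
        if owner is None:
            report[princ] = "no-spn"
        else:
            report[princ] = "ok" if princ in owner.get("userPrincipalName", []) else "upn-mismatch"
    return report
```

Feed it the real `klist -k` output and an `ldapsearch` LDIF of the mail account to see which service principal still needs its userPrincipalName set.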
