[Dovecot] [Solved] Kerberos GSSAPI - proper item name in keytab

Stanislav Klinkov klinkov at yandex.ru
Thu Sep 1 16:53:36 EEST 2011


OK, gentlemen.

I have found the source of the problem. It appears to be very unexpected.

My testing stand was deployed on an OpenVZ-based virtual machine with
a Venet interface on board. Here are references to OpenVZ documentation:
http://wiki.openvz.org/Virtual_network_device
http://wiki.openvz.org/Differences_between_venet_and_veth

By design, the venet interface corresponds to a loopback interface with one
or more aliases and very foxy routing rules. For example, in Debian it
looks like this:

************** ifconfig output  ****************
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:134666 (131.5 KiB)  TX bytes:134666 (131.5 KiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:160164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:155480098 (148.2 MiB)  TX bytes:17449831 (16.6 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.9.36  P-t-P:192.168.9.36  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
************************************************

In the config file it looks like this:

*********** /etc/network/interfaces *********
# Auto generated lo interface
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
        up ifconfig venet0 up
        up ifconfig venet0 0
        up route add default dev venet0
        down route del default dev venet0
        down ifconfig venet0 down


iface venet0 inet6 manual

auto venet0:0
iface venet0:0 inet static
        address 192.168.9.36
        netmask 255.255.255.255
*********************************************


In most cases this type of emulation works fine. But this time either
the krb5 libs, or dovecot, or someone else could not correctly define
the hostname. So, one of them (I believe that the krb5 libs) was unable to
compare the proper IP with the proper stanza in the keytab. And neither the explicit
"listen" nor the "auth_gssapi_hostname" directives became helpful.

So, I changed the equipped emulated interface from "Venet" to the more "brute"
Veth, and everything flies up.

Thank you all very much for such an interesting discussion. I shall
describe this situation in my howto's and known issues archive, for others.

In other words, my trouble is totally OpenVZ-specific. So, I may pretend
to be the first who bumped into it.

And then, there is a second question.

Can there be a way to continue using this crafty venet interface, but
force the krb5 libs to look up the desired IP?

Respectfully,
Stanislav Klinkov.


