Package: dovecot-gssapi
Version: 1:2.0.12-1
Severity: important

From /etc/dovecot/conf.d/10-auth.conf:

  # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
  # default (usually /etc/krb5.keytab) if not specified.

This is not true. The system default keytab is generally root-owned and 600 [0]. Dovecot's new authentication mechanism cannot read this file and therefore all GSSAPI authentication fails. The IMAP server responds:

  A01 NO [UNAVAILABLE] Temporary authentication failure.

and the logs say:

  May 1 22:11:54 castro dovecot: auth: Debug: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): Obtaining credentials for i...@castro.crustytoothpaste.net
  May 1 22:11:54 castro dovecot: auth: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
  May 1 22:11:54 castro dovecot: auth: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): While acquiring service credentials: Permission denied

If I create a special keytab for dovecot that is owned by the dovecot user, it works. This workaround is the only reason this bug is important and not grave.

If this is the intended course of action, this needs to be clearly documented, including a README.Debian that clearly outlines the procedures necessary to create this keytab. In that case, the text of the configuration file should not imply that it can use the system keytab, and the configuration option should not have a default, since there is no sane default.

Personally, I see this as a major regression: dovecot should acquire access to the keytab when it starts up, just like every normal service does with root-owned files.

[0] Mine happens to be 640 root:smmsp, but this is not the default behavior and does not affect this bug.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
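A check for the condition this report describes, written as an added example rather than anything from the bug report or from Dovecot itself: it decides whether a keytab is readable by the account the auth process runs as (the report says a keytab owned by the dovecot user works, so `dovecot` is used in the usage line), using only the file's owner, group and mode bits. It assumes GNU stat(1) as shipped in Debian coreutils; the function names `read_permitted` and `keytab_readable_by` are this example's own. The permission decision is kept in a pure function so it can be exercised with the report's own cases (root:root 600, root:smmsp 640, a dovecot-owned keytab) without touching real files.

```shell
#!/bin/sh
# Added example, not from the bug report or from Dovecot: decide whether the
# configured Kerberos keytab is readable by the account Dovecot's auth
# process runs as, so the "Permission denied" failure above can be caught
# before the service is restarted. Assumes GNU stat(1) (Debian coreutils).

# Pure permission decision, testable without real files or users.
#   $1 file owner   $2 file group   $3 octal mode (e.g. 600 or 0640)
#   $4 user to test $5 space-separated groups that user belongs to
# Returns 0 if classic Unix mode bits permit a read, 1 otherwise.
read_permitted() {
    f_owner="$1"; f_group="$2"; f_mode="$3"; user="$4"; user_groups="$5"

    # root bypasses DAC (CAP_DAC_READ_SEARCH); this is why a root-owned
    # system keytab works for services that open it before dropping privileges.
    [ "$user" = "root" ] && return 0

    # accept only octal digits; keep the low three digits (rwx triplets)
    case "$f_mode" in ''|*[!0-7]*) return 1 ;; esac
    perm=$(printf '000%s' "$f_mode" | sed 's/.*\(...\)$/\1/')
    owner_bits=$(printf '%s' "$perm" | cut -c1)
    group_bits=$(printf '%s' "$perm" | cut -c2)
    other_bits=$(printf '%s' "$perm" | cut -c3)

    # Unix consults exactly one class: owner first, then group, then other.
    if [ "$user" = "$f_owner" ]; then
        [ $((owner_bits & 4)) -ne 0 ] && return 0 || return 1
    fi
    for g in $user_groups; do
        if [ "$g" = "$f_group" ]; then
            [ $((group_bits & 4)) -ne 0 ] && return 0 || return 1
        fi
    done
    [ $((other_bits & 4)) -ne 0 ] && return 0 || return 1
}

# Wrapper for a real keytab on this host: keytab_readable_by PATH USER
keytab_readable_by() {
    keytab="$1"; user="$2"
    if [ ! -f "$keytab" ]; then
        echo "missing: $keytab"
        return 1
    fi
    f_owner=$(stat -c '%U' "$keytab")
    f_group=$(stat -c '%G' "$keytab")
    f_mode=$(stat -c '%a' "$keytab")
    if ! user_groups=$(id -Gn "$user" 2>/dev/null); then
        echo "no such user: $user"
        return 1
    fi
    if read_permitted "$f_owner" "$f_group" "$f_mode" "$user" "$user_groups"; then
        echo "ok: $keytab ($f_owner:$f_group $f_mode) is readable by $user"
    else
        echo "DENIED: $keytab ($f_owner:$f_group $f_mode) is not readable by $user;" \
             "GSSAPI logins will fail with 'Permission denied' until it is"
        return 1
    fi
}

# Invocation matching the report's setup (auth process running as 'dovecot'):
#   keytab_readable_by /etc/krb5.keytab dovecot
```

Run `keytab_readable_by /etc/krb5.keytab dovecot` on the affected host; a DENIED verdict on the system keytab reproduces the report's failure mode, and re-running it against the dedicated dovecot-owned keytab confirms the workaround before any restart. Because the decision is made from mode bits alone, a DENIED result on a file that is nevertheless readable means an ACL or a privileged open is in play, which is worth knowing in its own right.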