Hi,

I'm trying to set up dovecot 2.0.1 on a debian squeeze test box. I want to integrate it into an already working kerberos5 setup, but I can't get it to work.

I've created host/, smtp/ and imap/ service principals with random keys for the test machine and added them to its keytab. I can also obtain user credentials using kinit, but when I try to telnet to port 143, I only get the following:

# kinit heini
Password for he...@altum.de:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: he...@altum.de

Valid starting     Expires            Service principal
09/05/10 18:56:30  09/06/10 04:56:30  krbtgt/altum...@altum.de
        renew until 09/06/10 18:56:27
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=GSSAPI] Dovecot ready.
a authenticate GSSAPI
a NO [UNAVAILABLE] Temporary authentication failure.
^]
telnet> Connection closed.

This is in the logs:

Sep 5 18:56:47 oldbox dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Sep 5 18:56:47 oldbox dovecot: auth: Debug: auth client connected (pid=27684)
Sep 5 18:56:58 oldbox dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=33753
Sep 5 18:56:58 oldbox dovecot: auth: Debug: gssapi(?,127.0.0.1): Obtaining credentials for i...@rohan
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
Sep 5 18:56:58 oldbox dovecot: auth: gssapi(?,127.0.0.1): While acquiring service credentials: Permission denied
Sep 5 18:57:00 oldbox dovecot: auth: Debug: client out: FAIL#0111#011temp
Sep 5 18:57:05 oldbox dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=GSSAPI, rip=127.0.0.1, lip=127.0.0.1, mpid=0, secured

My configuration:

# doveconf -n
# 2.0.1 (a05834588ffb): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-486 i586 Debian squeeze/sid
auth_debug = yes
auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = comparator-i;octet comparator-i;ascii-casemap fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap
ssl = no
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%u
  driver = static
}

And here's the content of the kerberos keytab:

# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/oldbox.altum...@altum.de
   2    3 host/oldbox.altum...@altum.de
   3    3 host/oldbox.altum...@altum.de
   4    3 host/oldbox.altum...@altum.de
   5    3 imap/oldbox.altum...@altum.de
   6    3 imap/oldbox.altum...@altum.de
   7    3 imap/oldbox.altum...@altum.de
   8    3 imap/oldbox.altum...@altum.de
   9    3 smtp/oldbox.altum...@altum.de
  10    3 smtp/oldbox.altum...@altum.de
  11    3 smtp/oldbox.altum...@altum.de
  12    3 smtp/oldbox.altum...@altum.de

I also don't see any connection attempt in the KDC's log file. Any idea what could be wrong?

Thanks...

Dirk
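Added example, not part of the original post and not Dovecot code: a small Python cross-check of the two things the output above puts side by side, the configured auth_gssapi_hostname against the imap/ entries in the keytab listing, and whether the keytab's file mode lets the auth process's user read it (the log reports "Permission denied"). The FQDN, realm, file mode and uid are constructed placeholders, since the post's own values are elided; only "rohan" is taken from the post.

```python
import re

# Constructed sample input: the post's own values are elided, so the FQDN, realm,
# file mode and uid used here are placeholders. Only "rohan" comes from the post.
SAMPLE_CONF = """auth_gssapi_hostname = rohan
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
"""
SAMPLE_KEYTAB = """slot KVNO Principal
---- ---- ----------------------------------------
   1    3 host/oldbox.example.test@EXAMPLE.TEST
   2    3 imap/oldbox.example.test@EXAMPLE.TEST
   3    3 imap/oldbox.example.test@EXAMPLE.TEST
"""

def conf_value(conf, key):
    """Value of `key = value` in `doveconf -n` output, or None."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def keytab_hosts(listing, service):
    """Host parts of service/host@REALM rows in a `ktutil l` listing."""
    rows = re.findall(r"^\s*\d+\s+\d+\s+(\S+)\s*$", listing, re.M)
    return {p.split("/", 1)[1].split("@", 1)[0]
            for p in rows if p.startswith(service + "/")}

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission check (ignores ACLs and capabilities)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & 0o400)
    if owner_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def findings(conf, listing, keytab_stat, uid, gids, service="imap"):
    """keytab_stat is (mode, owner_uid, owner_gid), e.g. taken from os.stat()."""
    out = []
    host, hosts = conf_value(conf, "auth_gssapi_hostname"), keytab_hosts(listing, service)
    if not hosts:
        out.append(f"no {service}/ principal in keytab")
    elif host and host not in hosts:
        # String comparison only: the Kerberos library may canonicalize the
        # host name before the keytab lookup, so this is a pointer, not proof.
        out.append(f"auth_gssapi_hostname={host}, keytab has {service}/{sorted(hosts)}")
    if not can_read(*keytab_stat, uid, gids):
        out.append(f"keytab mode {keytab_stat[0]:o} unreadable for uid {uid}")
    return out

if __name__ == "__main__":
    print(findings(SAMPLE_CONF, SAMPLE_KEYTAB, (0o600, 0, 0), 110, {110}))
```

On a real host, feed it the output of `doveconf -n` and the keytab listing, and pass the uid and groups of whatever user the auth process actually runs as.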