On 10/15/2010 09:50 PM, Trever L. Adams wrote:
> Thanks to Timo, I have solved all but one of my problems. For
> background, I am using Samba4 as an AD. I have the userdb working from LDAP
> just fine and kerberos authentication for dovecot's IMAP server working
> fine. The problem is using dovecot's SASL with postfix. I also have
> plain/login working in imap and smtp. Both use pam_krb5 through pam to
> authenticate clients that don't have kerberos, and for now smtp. When
> trying to do smtp kerberos, I get the following:
>
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer
> than 2048: AUTH GSSAPI ...
> dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=<hidden>
> dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for
> s...@mailserver_fqdn
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Unspecified GSS failure. Minor code may provide more information
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Invalid message type
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI
> authentication failed:
> dovecot: auth: Debug: client out: FAIL#0111
>
> # klist -k /etc/dovecot/krb5.keytab
> Keytab name: WRFILE:/etc/dovecot/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 imap/mailserver_f...@domain_realm
>    2 smtp/mailserver_f...@domain_realm
>
> The client is Thunderbird.
>
> Any help would be greatly appreciated. I have made sure that the file
> has proper permissions. I have regenerated the smtp cert making sure the
> password is accurate. I have done everything I know to try. The only
> thing that I am guessing remains is something is broken with Thunderbird's
> kerberos setup for smtp.
>
> Thank you very much,
> Trever
>

Samba4 doesn't automatically set the userPrincipalName to
imap/f.q....@realm or smtp/f.q....@realm when setting up an SPN. This was
the problem. For some reason it works fine for imap but not smtp.

I have reported this as a possible bug to Samba4. I am documenting it
here in case someone else has problems.

Trever
--
"The amount of time between slipping on the peel and landing on the
pavement is precisely 1 bananosecond." -- Unknown