I'm setting up dovecot on a new box; and once again I find myself banging my head against GSSAPI authentication.
The particularly irritating thing is that I have this working on another box. I've done my best to ape the configuration of that box; but it's been some years since I set it up and somewhere along the line I have failed.

My dovecot.conf has:

    auth_mechanism = plain gssapi
    passdb {
      driver = pam
    }
    userdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
    }

where /etc/dovecot/dovecot-ldap.conf.ext is:

    hosts = ldap
    dn = cn=Manager,dc=endoframe,dc=net
    dnpass = XXXXXXXX
    ldap_version = 3
    base = ou=people,dc=endoframe,dc=net
    deref = never
    scope = subtree
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
    user_filter = (&(objectClass=posixAccount)(uid=%u))

I've diff'd the contents of /etc/dovecot on the working vs. non-working servers, and I can see nothing of pertinence (just a few lines about loading the sieve plug-in).

Now, logging in with the kerberos password via PAM *is* working.

/etc/pam.d/dovecot:

    #%PAM-1.0
    auth sufficient pam_krb5.so
    account sufficient pam_krb5.so

But GSSAPI authentication is not:

    [ root@hinge ~]# telnet localhost 143
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
    a authenticate GSSAPI
    a NO [UNAVAILABLE] Temporary authentication failure. [hinge.endoframe.net:2016-04-16 21:33:32]
    ^]
    telnet> close
    Connection closed.

Oh... The kerberos server does have an IMAP service key for hinge; and that service key appears in hinge's /etc/krb5.keytab, as well.

Any pointers on where I should be looking at this point would be very much appreciated.

-- 
Braden McDaniel <bra...@endoframe.com>