It's a test system so I'm not worried if the keys become public (which
they now are). On my test box dovecot runs as root (something I'm
going to change, but it's out of the scope for this problem).
I know I should have the keytab in /etc/dovecot but I don't think it
makes any difference right now, seeing how GSSAPI for imap using
dovecot works.

I'm using Thunderbird 59.9.1 on Windows 7 and Samba 4.8.3 as an AD DC/KDC.

# ls -la /etc/dovecot/dovecot.keytab
-rw-rw-rw-. 1 root root 762 Aug 22 16:44 /etc/dovecot/dovecot.keytab

I have the permission set so broad just to rule out any permission problems.

I retested it all and added more enctypes. Same result. It's puzzling
though why IMAP works via GSSAPI but SMTP refuses to.

# klist -ek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
   2 smtp/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
   2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)
   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)
   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)
   2 imap/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
   2 imap/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
   2 imap/srv.mydomain.t...@mydomain.test (arcfour-hmac)
   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-md5)
   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-crc)

On Wed, Aug 22, 2018 at 6:50 PM Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>
> On Wed, Aug 22, 2018 at 06:41:31PM +0200, Kacper wrote:
>
> > On Wed, Aug 22, 2018 at 6:30 PM Viktor Dukhovni
> > <postfix-us...@dukhovni.org> wrote:
> > > Why are you looking in the dovecot logs?  This is a dovecot IMAP error,
> > > not a Postfix smtpd(8) error...
> >
> > Because you said that you had GSSAPI working using dovecot sasl, so I
> > configured postfix to use dovecot instead of cyrus and got the same
> > kerberos error. dovecot.log had more in depth logging of sasl errors
> > than mailog.
>
> I see.  What keytab file was dovecot using?  That keytab file needs
> to include service principals (under the same names as used by
> clients) for both smtp and imap.  Dovecot reads its keytab file as
> the "dovecot" user (at least on my system), and it needs to have
> appropriate ownership and permissions.
>
> What client software are you testing with?  Is the client sending
> an appropriate KRB5 mechanism GSS token?  What do you see in the
> client's credential cache?  List sufficient detail to show the
> service principal name, kvno and enctype.  No need to post session
> keys (nor keys from keytab files, just the enctypes are enough).
>
> --
>         Viktor.

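A keytab sanity check along the lines of what the reply above asks for, added here as an example and not code from the thread or from Postfix/Dovecot: it reads a klist -ek listing, confirms both smtp/ and imap/ principals exist with an AES key, reports single-DES/RC4 entries, and checks the keytab file mode. The function names, the sample listing (placeholder host and realm) and GNU stat are assumptions.

```bash
#!/bin/bash
# Added example: audit a keytab listing for the service principals a
# Postfix (smtp/) + Dovecot (imap/) GSSAPI setup needs, flag legacy
# enctypes, and check the keytab file's mode. Helper names are hypothetical.

# Constructed listing in `klist -ek` format (host and realm are placeholders).
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 smtp/srv.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 smtp/srv.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 imap/srv.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 imap/srv.example.test@EXAMPLE.TEST (des-cbc-md5)'

REQUIRED_SERVICES="smtp imap"

# Reads a klist -ek listing on stdin; prints one finding per line.
# Returns 0 only when every required service has an AES key.
check_keytab_listing() {
    local listing rc=0 svc
    listing=$(cat)
    for svc in $REQUIRED_SERVICES; do
        if ! printf '%s\n' "$listing" | grep -Eq "^ *[0-9]+ +$svc/"; then
            echo "MISSING: no $svc/ principal in keytab"; rc=1
        elif ! printf '%s\n' "$listing" | grep -Eq "^ *[0-9]+ +$svc/.*\(aes(128|256)-cts-hmac-sha1-96\)"; then
            echo "WEAK: $svc/ principal has no AES key"; rc=1
        fi
    done
    # Single-DES and RC4 keys are reported, not failed: drop them once
    # every client negotiates AES.
    printf '%s\n' "$listing" | awk '/\((des-cbc-|arcfour-hmac)/ { print "LEGACY: " $2 " " $3 }'
    return $rc
}

# Fails unless the keytab is unreadable by "other" and not group-writable.
# A keytab read by the dovecot user needs owner/group read, nothing wider.
check_keytab_mode() {
    local mode grp oth
    mode=$(stat -c '%a' "$1") || return 2     # GNU stat assumed
    mode=$(printf '%04d' "$mode")              # e.g. 666 -> 0666
    grp=${mode:2:1}; oth=${mode:3:1}
    [ "$oth" = 0 ] || { echo "MODE: $1 is world-accessible ($mode)"; return 1; }
    [ $((grp & 2)) -eq 0 ] || { echo "MODE: $1 is group-writable ($mode)"; return 1; }
    return 0
}

# Demo on the constructed listing (run check_keytab_mode on the real file).
printf '%s\n' "$SAMPLE_LISTING" | check_keytab_listing
```

On the listing posted above this would pass the principal check but report the des-cbc-* and arcfour-hmac entries, and the 0666 mode on the keytab would fail the mode check.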