Your message dated Tue, 12 Sep 2017 23:38:23 +0300
with message-id <[email protected]>
and subject line Re: Bug#624837: dovecot-gssapi: no longer reads /etc/krb5.keytab
has caused the Debian Bug report #624837,
regarding dovecot-gssapi: no longer reads /etc/krb5.keytab
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
624837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624837
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dovecot-gssapi
Version: 1:2.0.12-1
Severity: important

From /etc/dovecot/conf.d/10-auth.conf:

    # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
    # default (usually /etc/krb5.keytab) if not specified.

This is not true. The system default keytab is generally root-owned and
600 [0]. Dovecot's new authentication mechanism cannot read this file
and therefore all GSSAPI authentication fails. The IMAP server
responds:

    A01 NO [UNAVAILABLE] Temporary authentication failure.

and the logs say:

    May 1 22:11:54 castro dovecot: auth: Debug: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): Obtaining credentials for [email protected]
    May 1 22:11:54 castro dovecot: auth: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): While acquiring service credentials: Unspecified GSS failure. Minor code may provide more information
    May 1 22:11:54 castro dovecot: auth: gssapi(?,2001:470:1f05:79:216:d3ff:feb3:801e): While acquiring service credentials: Permission denied

If I create a special keytab for dovecot that is owned by the dovecot
user, it works. This workaround is the only reason this bug is
important and not grave.

If this is the intended course of action, this needs to be clearly
documented, including a README.Debian that clearly outlines the
procedures necessary to create this keytab. In that case, the text of
the configuration file should not imply that it can use the system
keytab and the configuration option should not have a default, since
there is no sane default.

Personally, I see this as a major regression: dovecot should acquire
access to the keytab when it starts up, just like every normal service
does with root-owned files.

[0] Mine happens to be 640 root:smmsp, but this is not the default
behavior and does not affect this bug.
-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: dovecot
Version: 1:2.0.13-1

On 16:29 Wed 11 May, Timo Sirainen wrote:
> On Sun, 2011-05-01 at 23:19 +0000, brian m. carlson wrote:
> > From /etc/dovecot/conf.d/10-auth.conf:
> >
> > # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
> > # default (usually /etc/krb5.keytab) if not specified.
> >
> > This is not true. The system default keytab is generally root-owned and
> > 600 [0]. Dovecot's new authentication mechanism cannot read this file
> > and therefore all GSSAPI authentication fails. The IMAP server
> > responds:
>
> Updated the comment to:
>
> # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
> # default (usually /etc/krb5.keytab) if not specified. You may need to change
> # the auth service to run as root to be able to read this file.
>
> Meaning, you can do:
>
> service auth {
>   user = root
> }

The updated comment has been included since 2.0.13. Closing this since
there's nothing more to do.

Regards,
Apollon
--- End Message ---
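The thread names two ways out of the "Permission denied" failure: Timo's `service auth { user = root }`, which gives the auth process read access to the root-owned 0600 /etc/krb5.keytab, and brian's workaround of a separate keytab owned by the dovecot user, which keeps the auth service unprivileged. Both come down to one question an administrator can answer before enabling GSSAPI: can the user the auth service runs as actually read the configured keytab? The script below is an added example, not part of the bug report or of Dovecot. It assumes GNU coreutils `stat -c` and `id` are available, that the auth service user is named `dovecot` (the Debian package default), and that the keytab path would otherwise be set with Dovecot's `auth_gssapi_krb5_keytab` setting (the option that the quoted 10-auth.conf comment sits above; the setting name is from Dovecot's configuration, not from the thread). The mode/owner/group values in the tests are constructed to match the report (0600 root:root, and the reporter's 640 root:smmsp).

```sh
#!/bin/sh
# Added example (not from the bug report or the Dovecot project): a pre-flight
# check for the failure in this thread, where the Dovecot auth service runs as
# an unprivileged user and /etc/krb5.keytab is root:root 0600.

# keytab_readable MODE OWNER GROUP USER GROUPS
#   Pure permission-bit check: can USER (a member of the space-separated
#   GROUPS) read a file whose octal mode is MODE and that is owned by
#   OWNER:GROUP?  Returns 0 (yes) or 1 (no).  Root is handled by the caller.
keytab_readable() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # Keep the last three octal digits (drops a leading setuid/setgid/sticky digit).
    perms=$(printf '%s' "$mode" | tail -c 3)
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    # Unix applies exactly one class: owner if the uid matches, else group if
    # any of the user's groups matches, else other.  A 0604 root:dovecot file
    # is therefore NOT readable by dovecot even though "other" can read it.
    if [ "$user" = "$owner" ]; then
        if [ $((u & 4)) -ne 0 ]; then return 0; else return 1; fi
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ]; then
            if [ $((g & 4)) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    if [ $((o & 4)) -ne 0 ]; then return 0; else return 1; fi
}

# check_keytab KEYTAB USER
#   Reads the real mode/owner/group from the filesystem (GNU stat assumed) and
#   USER's groups (id), then reports whether an auth service running as USER
#   could open KEYTAB.  Exit 0 readable, 1 not readable, 2 missing file/user.
check_keytab() {
    keytab=$1 user=$2
    if [ ! -e "$keytab" ]; then
        echo "$keytab: no such file"
        return 2
    fi
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "$user: no such user"
        return 2
    fi
    if [ "$(id -u "$user")" = 0 ]; then
        echo "$keytab: $user is uid 0, always readable ('service auth { user = root }' remedy)"
        return 0
    fi
    set -- $(stat -c '%a %U %G' "$keytab")
    if keytab_readable "$1" "$2" "$3" "$user" "$(id -Gn "$user")"; then
        echo "$keytab: mode $1, owner $2:$3, readable by $user"
        return 0
    fi
    echo "$keytab: mode $1, owner $2:$3, NOT readable by $user"
    echo "  GSSAPI auth will log 'While acquiring service credentials: Permission denied'."
    echo "  Either point auth_gssapi_krb5_keytab at a keytab owned by $user, or run service auth as root."
    return 1
}

# Usage: sh keytab_check.sh /etc/krb5.keytab dovecot
if [ $# -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

Run it against the keytab and the user from your `service auth` block before restarting Dovecot; a non-zero exit reproduces, without touching Kerberos, the condition that produced the "Temporary authentication failure" in the report. Of the two remedies, the dedicated keytab keeps the auth service unprivileged, which is why the check treats uid 0 as a special case rather than as the default answer.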