> On April 3, 2016 at 10:57 AM Luca Bertoncello <[email protected]> wrote:
>
>
> Hi list!
>
> I'm really puzzled...
> I have a Mailserver with Dovecot 2.2.9 (installed from Ubuntu
> 14.04-Repositories) and it works well with LDAP-Authentication against the
> Active Directory.
>
> Now I want to use GSSAPI to allow the clients (with Thunderbird 38.7.1) to
> read E-Mails without giving a password.
>
> I configured Dovecot using these HowTos:
>
> http://mindref.blogspot.de/2011/02/dovecot-kerberos.html
> http://wiki.dovecot.org/Authentication/Kerberos
>
> But it does not work...
> In mail.log I can just see:
>
> Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Apr 3 09:52:26 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
> Apr 3 09:52:26 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
> Apr 3 09:52:26 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
> Apr 3 09:52:26 mail dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Apr 3 09:52:26 mail dovecot: auth: Debug: auth client connected (pid=2300)
> Apr 3 09:52:26 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.50.54, lip=192.168.50.3, session=<x8Sq5I8vsADAqDI2>
>
> and Thunderbird says that the Ticket was not accepted and I have to check
> if I'm logged into the Kerberos/GSSAPI subsystem.
> I checked with tcpdump and I see that Thunderbird does NOT send at all any
> request.
>
> Could someone help me?
>
> Thanks a lot!
> Luca Bertoncello
> ([email protected])
Make sure you have a keytab entry for IMAP/hostname, and host/hostname. Kerberos is pretty name oriented, so DNS names must match, also reverse entries for optimal performance.

Also make sure your client has acquired some principal such as username@YOURDOMAIN. These are usually checked with the klist command or klist -k, depending on whether you are looking at the credentials cache or the keytab file.

Also, make sure that GSSAPI is provided as a mechanism by dovecot. This is easy to check with telnet hostname 14 and see what LOGIN mechanisms are provided. If it does not list capabilities, use a01 CAPABILITY to list them.

Aki Tuomi
Dovecot Oy
