> On April 17, 2016 at 12:41 AM Braden McDaniel <[email protected]> wrote:
>
> I'm setting up dovecot on a new box; and once again I find myself
> banging my head against GSSAPI authentication.
>
> The particularly irritating thing is that I have this working on
> another box. I've done my best to ape the configuration of that box;
> but it's been some years since I set it up and somewhere along the line
> I have failed.
>
> My dovecot.conf has:
>
> auth_mechanism = plain gssapi
>
> passdb {
>   driver = pam
> }
>
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
> }
>
> where /etc/dovecot/dovecot-ldap.conf.ext is:
>
> hosts = ldap
> dn = cn=Manager,dc=endoframe,dc=net
> dnpass = XXXXXXXX
> ldap_version = 3
> base = ou=people,dc=endoframe,dc=net
> deref = never
> scope = subtree
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
>
> I've diff'd the contents of /etc/dovecot on the working vs. non-working
> servers, and I can see nothing of pertinence (just a few lines about
> loading the sieve plug-in).
>
> Now, logging in with the Kerberos password via PAM *is* working.
> /etc/pam.d/dovecot:
>
> #%PAM-1.0
> auth sufficient pam_krb5.so
> account sufficient pam_krb5.so
>
> But GSSAPI authentication is not:
>
> [root@hinge ~]# telnet localhost 143
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
> a authenticate GSSAPI
> a NO [UNAVAILABLE] Temporary authentication failure.
> [hinge.endoframe.net:2016-04-16 21:33:32]
> ^]
> telnet> close
> Connection closed.
>
> Oh... The Kerberos server does have an IMAP service key for hinge; and
> that service key appears in hinge's /etc/krb5.keytab, as well.
>
> Any pointers on where I should be looking at this point would be very
> much appreciated.
>
> --
> Braden McDaniel <[email protected]>
Hi!

Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos ?

Also, can you provide klist -k on the server?

---
Aki Tuomi
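The reply above asks for the keytab listing, because Dovecot's GSSAPI mechanism needs an imap/<fqdn>@REALM key that it can find in the keytab it reads. The script below is an added example (not from this thread or from the Dovecot project) that takes a klist -k listing and reports whether the expected service principal is present and which key versions (KVNOs) it carries. The listing embedded here is constructed for the example: the hostname hinge.endoframe.net comes from the thread, while the realm EXAMPLE.NET and the KVNO values are made up. In real use, feed it the output of `klist -k` (or `klist -k <path>` for a dedicated Dovecot keytab) on the server.

```shell
#!/bin/sh
# Added example: check a keytab listing for the service principal that
# Dovecot's GSSAPI mechanism needs (imap/<fqdn>@REALM).

# Constructed sample in the format `klist -k` prints. The realm and
# KVNO numbers are made up; only the hostname is from the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hinge.endoframe.net@EXAMPLE.NET
   3 host/hinge.endoframe.net@EXAMPLE.NET
   2 imap/hinge.endoframe.net@EXAMPLE.NET
   2 imap/hinge.endoframe.net@EXAMPLE.NET'

# keytab_has_service LISTING SERVICE FQDN
# Prints each matching principal (one per keytab entry) and returns 0 if at
# least one SERVICE/FQDN@... entry exists in the listing, 1 otherwise.
keytab_has_service() {
    listing=$1; service=$2; fqdn=$3
    printf '%s\n' "$listing" | awk -v want="$service/$fqdn@" '
        index($2, want) == 1 { found = 1; print $2 }
        END { exit found ? 0 : 1 }'
}

# keytab_service_kvnos LISTING SERVICE FQDN
# Prints the distinct KVNOs stored for SERVICE/FQDN, sorted. More than one
# KVNO usually means stale keys from an earlier extraction are still present.
keytab_service_kvnos() {
    listing=$1; service=$2; fqdn=$3
    printf '%s\n' "$listing" | awk -v want="$service/$fqdn@" '
        index($2, want) == 1 { print $1 }' | sort -n -u
}

# check_imap_keytab LISTING FQDN
# Convenience wrapper: 0 if an imap/FQDN key is present, 1 if it is missing.
check_imap_keytab() {
    if keytab_has_service "$1" imap "$2" >/dev/null; then
        echo "ok: imap/$2 present, KVNO(s): $(keytab_service_kvnos "$1" imap "$2" | tr '\n' ' ')"
        return 0
    fi
    echo "missing: no imap/$2 entry in keytab listing" >&2
    return 1
}

# Stand-alone run against the constructed sample.
check_imap_keytab "$SAMPLE_KLIST" hinge.endoframe.net
```

If the principal is absent from the listing, the keytab Dovecot reads is not the one holding the key the KDC issued; if it is present but GSSAPI still fails, the next things to compare against the wiki page are the hostname the client uses (it must resolve to the name in the principal) and whether the Dovecot auth process can actually read that keytab file.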
