On 18.04.2016 14:22, Braden McDaniel wrote: > On Mon, 2016-04-18 at 08:59 +0300, [email protected] wrote: >>> On April 18, 2016 at 8:13 AM Braden McDaniel <[email protected]> >>> wrote: >>> >>> >>> On Sun, 2016-04-17 at 21:49 +0300, [email protected] wrote: >>>>> >>>>> Did you check your setup against >>>> http://wiki2.dovecot.org/Authentication/Kerberos >>> I did. Of course, it's possible I've still managed to overlook >>> something. >>> >>>> Also can you provide klist -k on server? >>> I assume you mean the kerberos server: >>> >>> [ root@knock ~]# >> Apologies, I ment your IMAP server. > [ root@hinge ~]# klist -k > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 3 host/[email protected] > 3 host/[email protected] > 4 host/[email protected] > 2 imap/[email protected] > > There was previous case where gssapi did not work with Thunderbird. It apparently has some problems with GSSAPI usage. Also, did you ensure that your client has all the requisite principals?
Can you try turning on auth_verbose=yes? Remember that kerberos is very DNS oriented, so missing/incorrect reverse records can also cause failures. Aki
