On 2016-10-11 10:00, Aki Tuomi wrote:
On 11.10.2016 10:43, Juha Koho wrote:


On 2016-10-11 09:18, Aki Tuomi wrote:
On 11.10.2016 10:13, Juha Koho wrote:
Hello,

I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to set up a GSSAPI Kerberos authentication with the LDAP server but with little success. Seems no matter what I try I end up with the following
error message:

dovecot: auth: Error: LDAP: binding failed (dn
(imap/host.example....@example.com)): Local error, SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (No Kerberos credentials available (default
cache: FILE:/tmp/dovecot.krb5.ccache))

I have set the import_environment in dovecot.conf:

import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache

And these in LDAP configuration:

dn = imap/host.example....@example.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example....@example.com

I have tried with different values in dn and sasl_authz_id and also
leaving them out completely but I always end up with the error message
above. Using simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal
imap/host.example....@example.com. The file is owned by dovecot user
so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
connection attempt never reaches the LDAP server due to the error. I
also have similar setup for Postfix and it works fine.

Any ideas what to try next?

Best regards,
Juha

Can you provide klist output for the cache file? Also, it should be
readable by dovenull user, or whatever is configured as
default_login_user.


Here's the klist output of the cache file:
--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 09:26:25 10/11/2016 21:26:25 krbtgt/example....@example.com
        renew until 10/12/2016 09:26:25
---

That I didn't know that also dovenull must have access to the cache
but I tried also setting 0644 permissions to the cache file with no
luck. So permissions shouldn't be the issue...

Juha

Your ccache has no ticket for imap/host.example....@example.com

please use kinit to acquire one.


Now I'm confused. The cache file is created by kinit using the command:

sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com

After that:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47

Also, I can use the cache file with ldapsearch just fine by running the following:

sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com

After the ldapsearch has succeeded the klist output is the following:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47
10/11/2016 10:49:32 10/11/2016 22:47:47 ldap/ldap.example....@example.com
        renew until 10/12/2016 10:47:47


Which is what I expected. Isn't this basically what dovecot does (or should do) or did I miss something?

Juha

Reply via email to