On 2016-10-11 10:00, Aki Tuomi wrote:
On 11.10.2016 10:43, Juha Koho wrote:
On 2016-10-11 09:18, Aki Tuomi wrote:
On 11.10.2016 10:13, Juha Koho wrote:
Hello,
I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to set up GSSAPI Kerberos authentication with the LDAP server but with little success. It seems no matter what I try I end up with the following error message:
dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example....@example.com)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))
I have set import_environment in dovecot.conf:
import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
And these in LDAP configuration:
dn = imap/host.example....@example.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example....@example.com
I have tried different values in dn and sasl_authz_id and also leaving them out completely, but I always end up with the error message above. Using simple bind without GSSAPI works just fine.
The credentials cache file exists and is valid for the principal imap/host.example....@example.com. The file is owned by the dovecot user, so it shouldn't be a permission problem either.
GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the connection attempt never reaches the LDAP server due to the error. I also have a similar setup for Postfix and it works fine.
Any ideas what to try next?
Best regards,
Juha
Can you provide klist output for the cache file? Also, it should be readable by the dovenull user, or whatever is configured as default_login_user.
Here's the klist output of the cache file:
--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com
Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/example....@example.com
        renew until 10/12/2016 09:26:25
---
I didn't know that dovenull also must have access to the cache, but I also tried setting 0644 permissions on the cache file, with no luck. So permissions shouldn't be the issue...
Juha
Your ccache has no ticket for imap/host.example....@example.com. Please use kinit to acquire one.
Now I'm confused. The cache file is created by kinit using the command:
sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com
After that:
$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com
Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47
Also, I can use the cache file with ldapsearch just fine by running the following:
sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com
After the ldapsearch has succeeded, the klist output is the following:
$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com
Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example....@example.com
        renew until 10/12/2016 10:47:47
Which is what I expected. Isn't this basically what Dovecot does (or should do), or did I miss something?
Juha
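An added example, not from this thread and not Dovecot's own tooling: a small POSIX shell script that checks the preconditions the thread is circling around before a dedicated credential cache is handed to a daemon through import_environment. It pulls the KRB5CCNAME value out of a Dovecot-style config line, verifies that the cache file exists, is owned by the expected account, and is readable by that account only, and wraps the kinit-from-keytab command the poster used with a chmod 0600 afterwards. The caveat it encodes is one the 0644 experiment above glosses over: a ccache in /tmp with mode 0644 lets every local account copy the service principal's TGT. All paths, the sample config and the user names are constructed for the demo; refresh_ccache needs a real KDC, keytab and sudo, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project). Sanity checks for
# a dedicated Kerberos ccache such as FILE:/tmp/dovecot.krb5.ccache.
# Sample config, paths and user names below are constructed for illustration.

# Print the KRB5CCNAME value from a Dovecot-style "import_environment = ..."
# line (KEY=VALUE token form, as in the thread). Prints nothing if unset.
krb5ccname_from_conf() {
    conf=$1
    sed -n 's/^[[:space:]]*import_environment[[:space:]]*=//p' "$conf" |
        tr ' \t' '\n\n' | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Strip the "FILE:" prefix so the value can be used as a path.
ccache_path() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Numeric owner uid of a file (ls -n is POSIX; GNU stat is not everywhere).
file_owner_uid() {
    ls -lnd "$1" | awk '{ print $3 }'
}

# 0 if the cache is a regular file with neither group- nor world-read bits,
# 1 otherwise. find prints the path when one of those bits is set.
ccache_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    bad=$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)
    [ -z "$bad" ]
}

# Full check: the cache named in the config exists, is owned by $2 (a user
# name or numeric uid) and is readable by that owner only.
check_ccache_for_user() {
    conf=$1 user=$2
    name=$(krb5ccname_from_conf "$conf")
    [ -n "$name" ] || { echo "no KRB5CCNAME in import_environment" >&2; return 1; }
    f=$(ccache_path "$name")
    ccache_mode_ok "$f" || { echo "$f: missing or readable by others" >&2; return 1; }
    want_uid=$(id -u "$user" 2>/dev/null) || want_uid=$user
    [ "$(file_owner_uid "$f")" = "$want_uid" ] || { echo "$f: not owned by $user" >&2; return 1; }
    echo "$f: ok for $user"
}

# Re-acquire the TGT from a keytab into the dedicated cache, then lock it down.
# Same kinit invocation shape as in the thread, plus chmod 0600. Needs a KDC,
# a keytab and sudo, so the offline demo below does not run it.
# $1 = service user, $2 = keytab path, $3 = principal, $4 = cache path (assumed)
refresh_ccache() {
    svc_user=$1 keytab=$2 principal=$3 cache=$4
    sudo -u "$svc_user" kinit -c "FILE:$cache" -k -t "$keytab" "$principal" &&
        chmod 0600 "$cache"
}

# Offline demo: throwaway config and empty cache file, checked in both modes.
demo() {
    dir=$(mktemp -d)
    cache=$dir/dovecot.krb5.ccache
    printf 'import_environment = TZ LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:%s\n' "$cache" \
        > "$dir/dovecot.conf"
    : > "$cache"
    chmod 0644 "$cache"      # the world-readable experiment from the thread
    if check_ccache_for_user "$dir/dovecot.conf" "$(id -u)"; then
        echo "unexpected: world-readable cache accepted"
    else
        echo "0644 cache rejected, as it should be"
    fi
    chmod 0600 "$cache"
    check_ccache_for_user "$dir/dovecot.conf" "$(id -u)"
    rm -rf "$dir"
}
```

Run `demo` to see the two outcomes; in production you would call refresh_ccache from a cron job or timer as the account that runs the Dovecot auth process, then point import_environment's KRB5CCNAME at that cache and keep the 0600 mode rather than loosening it to debug.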