On 11.10.2016 11:56, Juha Koho wrote: > > On 2016-10-11 10:00, Aki Tuomi wrote: >> On 11.10.2016 10:43, Juha Koho wrote: >>> >>> On 2016-10-11 09:18, Aki Tuomi wrote: >>>> On 11.10.2016 10:13, Juha Koho wrote: >>>>> Hello, >>>>> >>>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was >>>>> trying to >>>>> set up a GSSAPI Kerberos authentication with the LDAP server but with >>>>> little success. Seems no matter what I try I end up with the >>>>> following >>>>> error message: >>>>> >>>>> dovecot: auth: Error: LDAP: binding failed (dn >>>>> (imap/[email protected])): Local error, SASL(-1): generic >>>>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may >>>>> provide more information (No Kerberos credentials available (default >>>>> cache: FILE:/tmp/dovecot.krb5.ccache)) >>>>> >>>>> I have set the import_environment in dovecot.conf: >>>>> >>>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID >>>>> LISTEN_FDS >>>>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache >>>>> >>>>> And these in LDAP configuration: >>>>> >>>>> dn = imap/[email protected] >>>>> sasl_bind = yes >>>>> sasl_mech = gssapi >>>>> sasl_realm = EXAMPLE.COM >>>>> sasl_authz_id = imap/[email protected] >>>>> >>>>> I have tried with different values in dn and sasl_authz_id and also >>>>> leaving them out completely but I always end up with the error >>>>> message >>>>> above. Using simple bind without GSSAPI works just fine. >>>>> >>>>> The credentials cache file exists and is valid for the principal >>>>> imap/[email protected]. The file is owned by dovecot user >>>>> so it shouldn't be a permission problem either. >>>>> >>>>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since >>>>> the >>>>> connection attempt never reaches the LDAP server due to the error. I >>>>> also have similar setup for Postfix and it works fine. >>>>> >>>>> Any ideas what to try next? >>>>> >>>>> Best regards, >>>>> Juha >>>> >>>> Can you provide klist output for the cache file? Also, it should be >>>> readable by dovenull user, or whatever is configured as >>>> default_login_user. >>> >>> >>> Here's the klist output of the cache file: >>> -- >>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache >>> Default principal: imap/[email protected] >>> >>> Valid starting Expires Service principal >>> 10/11/2016 09:26:25 10/11/2016 21:26:25 >>> krbtgt/[email protected] >>> renew until 10/12/2016 09:26:25 >>> --- >>> >>> That I didn't know that also dovenull must have access to the cache >>> but I tried also setting 0644 permissions to the cache file with no >>> luck. So permissions shouldn't be the issue... >>> >>> Juha >> >> Your ccache has no ticket for imap/[email protected] >> >> please use kinit to acquire one. > > > Now I'm confused. The cache file is created by kinit using the command: > > sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t > /path/to/keytab imap/host.example.com > > After that: > > $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache > Ticket cache: FILE:/tmp/dovecot.krb5.ccache > Default principal: imap/[email protected] > > Valid starting Expires Service principal > 10/11/2016 10:47:47 10/11/2016 22:47:47 krbtgt/[email protected] > renew until 10/12/2016 10:47:47 > > Also, I can use the cache file with ldapsearch just fine by running > the following: > > sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch > -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com > > After the ldapsearch has succeeded the klist output is the following: > > $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache > Ticket cache: FILE:/tmp/dovecot.krb5.ccache > Default principal: imap/[email protected] > > Valid starting Expires Service principal > 10/11/2016 10:47:47 10/11/2016 22:47:47 krbtgt/[email protected] > renew until 10/12/2016 10:47:47 > 10/11/2016 10:49:32 10/11/2016 22:47:47 > ldap/[email protected] > renew until 10/12/2016 10:47:47 > > > Which is what I expected. Isn't this basically what dovecot does (or > should do) or did I miss something? > > Juha
Dovecot won't acquire service tickets for you. It requires that you have ticket for imap/[email protected] in the cache or keytab. The default principal is used when *CONNECTING* to a service, but you are *ACCEPTING* a service, so you need a service principal. Aki
