On 12.10.2016 10:27, Juha Koho wrote:
>
> On 2016-10-11 12:10, Juha Koho wrote:
>> On 2016-10-11 11:03, Aki Tuomi wrote:
>>> On 11.10.2016 11:56, Juha Koho wrote:
>>>>
>>>> On 2016-10-11 10:00, Aki Tuomi wrote:
>>>>> On 11.10.2016 10:43, Juha Koho wrote:
>>>>>>
>>>>>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>>>>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was
>>>>>>>> trying to set up GSSAPI Kerberos authentication with the LDAP
>>>>>>>> server but with little success. Seems no matter what I try I end
>>>>>>>> up with the following error message:
>>>>>>>>
>>>>>>>> dovecot: auth: Error: LDAP: binding failed (dn
>>>>>>>> (imap/host.example....@example.com)): Local error, SASL(-1):
>>>>>>>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor
>>>>>>>> code may provide more information (No Kerberos credentials
>>>>>>>> available (default cache: FILE:/tmp/dovecot.krb5.ccache))
>>>>>>>>
>>>>>>>> I have set the import_environment in dovecot.conf:
>>>>>>>>
>>>>>>>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>>>>>>>>
>>>>>>>> And these in the LDAP configuration:
>>>>>>>>
>>>>>>>> dn = imap/host.example....@example.com
>>>>>>>> sasl_bind = yes
>>>>>>>> sasl_mech = gssapi
>>>>>>>> sasl_realm = EXAMPLE.COM
>>>>>>>> sasl_authz_id = imap/host.example....@example.com
>>>>>>>>
>>>>>>>> I have tried different values in dn and sasl_authz_id and also
>>>>>>>> leaving them out completely, but I always end up with the error
>>>>>>>> message above. Using simple bind without GSSAPI works just fine.
>>>>>>>>
>>>>>>>> The credentials cache file exists and is valid for the principal
>>>>>>>> imap/host.example....@example.com. The file is owned by the
>>>>>>>> dovecot user, so it shouldn't be a permission problem either.
>>>>>>>>
>>>>>>>> GSSAPI in OpenLDAP works, but I suppose it is irrelevant here
>>>>>>>> since the connection attempt never reaches the LDAP server due
>>>>>>>> to the error. I also have a similar setup for Postfix and it
>>>>>>>> works fine.
>>>>>>>>
>>>>>>>> Any ideas what to try next?
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Juha
>>>>>>>
>>>>>>> Can you provide klist output for the cache file? Also, it should
>>>>>>> be readable by the dovenull user, or whatever is configured as
>>>>>>> default_login_user.
>>>>>>
>>>>>>
>>>>>> Here's the klist output of the cache file:
>>>>>> --
>>>>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>>>>> Default principal: imap/host.example....@example.com
>>>>>>
>>>>>> Valid starting       Expires              Service principal
>>>>>> 10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/example....@example.com
>>>>>>         renew until 10/12/2016 09:26:25
>>>>>> ---
>>>>>>
>>>>>> I didn't know that dovenull must also have access to the cache,
>>>>>> but I also tried setting 0644 permissions on the cache file with
>>>>>> no luck. So permissions shouldn't be the issue...
>>>>>>
>>>>>> Juha
>>>>>
>>>>> Your ccache has no ticket for imap/host.example....@example.com
>>>>>
>>>>> please use kinit to acquire one.
>>>>
>>>>
>>>> Now I'm confused. The cache file is created by kinit using the
>>>> command:
>>>>
>>>> sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com
>>>>
>>>> After that:
>>>>
>>>> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
>>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>>> Default principal: imap/host.example....@example.com
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
>>>>         renew until 10/12/2016 10:47:47
>>>>
>>>> Also, I can use the cache file with ldapsearch just fine by running
>>>> the following:
>>>>
>>>> sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com
>>>>
>>>> After the ldapsearch has succeeded the klist output is the following:
>>>>
>>>> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
>>>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>>>> Default principal: imap/host.example....@example.com
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
>>>>         renew until 10/12/2016 10:47:47
>>>> 10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example....@example.com
>>>>         renew until 10/12/2016 10:47:47
>>>>
>>>>
>>>> Which is what I expected. Isn't this basically what dovecot does
>>>> (or should do), or did I miss something?
>>>>
>>>> Juha
>>>
>>> Dovecot won't acquire service tickets for you. It requires that you
>>> have a ticket for imap/imap.example....@example.com in the cache or
>>> keytab.
>>>
>>> The default principal is used when *CONNECTING* to a service, but
>>> you are *ACCEPTING* a service, so you need a service principal.
>>>
>>> Aki
>>
>> Sorry, all this Kerberos stuff is quite new to me and I'm still a bit
>> confused... :) What I still fail to understand is why I would need the
>> service principal in the cache, since I'm trying to set dovecot to use
>> GSSAPI when connecting to the LDAP back end for passdb and userdb
>> lookups.
>>
>> My imap users can connect to Dovecot using GSSAPI without problems.
>> This isn't the issue. Dovecot being the client to the LDAP service is
>> the issue.
>>
>> But anyway, after adding the ticket for
>> imap/host.example....@example.com in the cache the error still
>> remains:
>>
>> dovecot: auth: Error: LDAP: binding failed (dn
>> imap/host.example....@example.com): Local error, SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
>> provide more information (No Kerberos credentials available (default
>> cache: FILE:/tmp/dovecot.krb5.ccache))
>>
>> $ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
>> Ticket cache: FILE:/tmp/dovecot.krb5.ccache
>> Default principal: imap/host.example....@example.com
>>
>> Valid starting       Expires              Service principal
>> 10/11/2016 11:00:50  10/11/2016 23:00:50  krbtgt/example....@example.com
>>         renew until 10/12/2016 11:00:50
>> 10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example.com@
>>         renew until 10/12/2016 11:00:50
>> 10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example....@example.com
>>         renew until 10/12/2016 11:00:50
>>
>> Juha
>
> Just to let anyone interested know, the configuration was correct but
> this turned out to be some sort of library incompatibility or whatever.
>
> I cloned the configuration to a new virtual server and compiled a
> fresh copy of Dovecot from source (tried git master and
> release-2.2.25) and it worked without problems.
>
> I also noticed that with the freshly compiled version the error
> message changed to
>
> dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error,
> SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available: Credentials cache permissions incorrect (filename:
> /tmp/dovecot.krb5.ccache))
>
> if the permissions of the cache file were incorrect, instead of the
> general error message above. So it seems like the issue - whatever it
> was - caused Dovecot (or the underlying libraries) to be unable to
> locate or open the cache file in the first place.
>
> Juha

I think it requires that the file is readable only by the user, so
setting it 0644 was probably a mistake.

Aki
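The two things the thread keeps circling back to are whether the credentials cache holds what a client bind needs (the intended default principal and a TGT for the realm) and whether the user the lookup runs as can actually read the cache file. The following is an added diagnostic, not code from the thread or from Dovecot; the klist text is constructed in the layout shown above with placeholder principal names, and the expected principal, realm and the "other uid" standing in for dovenull are assumptions.

```python
import os, re, stat, tempfile

# Constructed klist output in the layout the thread shows (placeholder names).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example.com@EXAMPLE.COM
        renew until 10/12/2016 10:47:47
"""
# A ticket line: two "date time" columns, then the service principal.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$")
def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    default, services = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif TICKET_RE.match(line):
            services.append(TICKET_RE.match(line).group(1))
    return default, services

def cache_problems(klist_text, expected_principal, realm):
    """Missing pieces for a client bind: the bind identity and a TGT for the realm."""
    default, services = parse_klist(klist_text)
    problems = []
    if default != expected_principal:
        problems.append(f"default principal {default} != {expected_principal}")
    if f"krbtgt/{realm}@{realm}" not in services:
        problems.append(f"no TGT for {realm}")
    return problems

def readable_by(path, uid, gids):
    """Mode-bit check only (POSIX ACLs and root's override are not modelled)."""
    st = os.stat(path)
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH
    return bool(st.st_mode & bit)
def demo_modes():
    """Throwaway file at 0600 then 0644, read as owner and as another uid (dovenull)."""
    fd, path = tempfile.mkstemp(prefix="ccache-demo-")
    os.close(fd)
    me, other = os.getuid(), os.getuid() + 1  # assumed: 'other' stands in for dovenull
    os.chmod(path, 0o600)
    strict = (readable_by(path, me, []), readable_by(path, other, []))
    os.chmod(path, 0o644)
    loose = (readable_by(path, me, []), readable_by(path, other, []))
    os.unlink(path)
    return strict + loose  # (True, False, True, True)
```

Run `cache_problems` against the real `klist` output and `readable_by` against the real cache path with the uid of `default_login_user` to reproduce the checks Aki asked for, without guessing at the GSS error text.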