On 2016-10-12 12:02, Aki Tuomi wrote:
On 12.10.2016 10:27, Juha Koho wrote:


On 2016-10-11 12:10, Juha Koho wrote:
On 2016-10-11 11:03, Aki Tuomi wrote:
On 11.10.2016 11:56, Juha Koho wrote:

On 2016-10-11 10:00, Aki Tuomi wrote:
On 11.10.2016 10:43, Juha Koho wrote:

On 2016-10-11 09:18, Aki Tuomi wrote:
On 11.10.2016 10:13, Juha Koho wrote:
Hello,

I have a Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to set up GSSAPI Kerberos authentication with the LDAP server but with little success. It seems no matter what I try I end up with the following error message:

dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example....@example.com)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))

I have set the import_environment in dovecot.conf:

import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache

And these in LDAP configuration:

dn = imap/host.example....@example.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example....@example.com

I have tried with different values in dn and sasl_authz_id and also leaving them out completely, but I always end up with the error message above. Using simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal imap/host.example....@example.com. The file is owned by the dovecot user, so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the connection attempt never reaches the LDAP server due to the error. I also have a similar setup for Postfix and it works fine.

Any ideas what to try next?

Best regards,
Juha

Can you provide klist output for the cache file? Also, it should be readable by the dovenull user, or whatever is configured as default_login_user.


Here's the klist output of the cache file:
--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/example....@example.com
        renew until 10/12/2016 09:26:25
---

I didn't know that dovenull must also have access to the cache, but I also tried setting 0644 permissions on the cache file, with no luck. So permissions shouldn't be the issue...

Juha

Your ccache has no ticket for imap/host.example....@example.com

please use kinit to acquire one.


Now I'm confused. The cache file is created by kinit using the command:

sudo -u dovenull kinit -c FILE:/tmp/dovecot.krb5.ccache -k -t /path/to/keytab imap/host.example.com

After that:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47

Also, I can use the cache file with ldapsearch just fine by running the following:

sudo -u dovenull KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache ldapsearch -Y GSSAPI -ZZ -H ldap://ldap.example.com/ -b dc=example,dc=com

After the ldapsearch has succeeded the klist output is the following:

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 10:47:47  10/11/2016 22:47:47  krbtgt/example....@example.com
        renew until 10/12/2016 10:47:47
10/11/2016 10:49:32  10/11/2016 22:47:47  ldap/ldap.example....@example.com
        renew until 10/12/2016 10:47:47


Which is what I expected. Isn't this basically what dovecot does (or should do), or did I miss something?

Juha

Dovecot won't acquire service tickets for you. It requires that you have a ticket for imap/imap.example....@example.com in the cache or keytab.

The default principal is used when *CONNECTING* to a service, but you are *ACCEPTING* a service, so you need a service principal.

Aki

Sorry, all this Kerberos stuff is quite new to me and I'm still a bit confused... :) What I still fail to understand is why I would need the service principal in the cache, since I'm trying to set Dovecot to use GSSAPI when connecting to the LDAP back end for passdb and userdb lookups.

My IMAP users can connect to Dovecot using GSSAPI without problems. This isn't the issue. Dovecot being the client to the LDAP service is the issue.

But anyway, after adding the ticket for imap/host.example....@example.com to the cache the error still remains:

dovecot: auth: Error: LDAP: binding failed (dn imap/host.example....@example.com): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))

$ sudo -u dovenull klist /tmp/dovecot.krb5.ccache
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 11:00:50 10/11/2016 23:00:50 krbtgt/example....@example.com
        renew until 10/12/2016 11:00:50
10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example.com@
        renew until 10/12/2016 11:00:50
10/11/2016 11:19:09  10/11/2016 23:00:50  imap/host.example....@example.com
        renew until 10/12/2016 11:00:50

Juha

Just to let anyone interested know: the configuration was correct, but this turned out to be some sort of library incompatibility or whatever.

I cloned the configuration to a new virtual server and compiled a fresh copy of Dovecot from source (tried git master and release-2.2.25) and it worked without problems.

I also noticed that with the freshly compiled version the error message changed to

dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available: Credentials cache permissions incorrect (filename: /tmp/dovecot.krb5.ccache))

if the permissions of the cache file were incorrect, instead of the general error message above. So it seems like the issue, whatever it was, caused Dovecot (or the underlying libraries) to be unable to locate or open the cache file in the first place.

Juha

I think it requires that the file is readable only by the user, so setting it to 0644 was probably a mistake.

Aki

No, this isn't the case. In the new test environment where things work it doesn't care about the cache file permissions as long as it can read the file.

I just noticed the error when I mistakenly had created the cache file as root and therefore it wasn't readable by Dovecot.

Juha
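As an added example (not part of this thread, and not Dovecot's own code): a POSIX shell helper that checks a Kerberos credential cache the way a practitioner would before pointing Dovecot's KRB5CCNAME at it, covering the two failure modes the thread runs into (a cache the auth process cannot open, and a cache created as the wrong user), plus a refresh wrapper around kinit -k -t of the kind Juha used. The cache path, the dovenull user, the keytab path and the principal in the usage lines are assumptions. The group/other readability check is a hardening choice of this example, stricter than what Dovecot itself requires according to Juha's last message: a readable ccache file is a reusable TGT, so it should be 0600 and owned by the process that uses it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot.
#
# check_ccache FILE USER
#   0: FILE is a regular file, owned by USER, readable by the caller,
#      and not readable by group or others
#   1: missing or not a regular file
#   2: not owned by USER
#   3: readable by group or others (a ccache holds a reusable TGT)
#   4: not readable by the current user
check_ccache() {
    f=$1
    u=$2
    if [ ! -f "$f" ]; then
        echo "ccache $f: missing or not a regular file" >&2
        return 1
    fi
    # POSIX find with -prune tests the named file itself instead of descending
    if [ -z "$(find "$f" -prune -user "$u" -print 2>/dev/null)" ]; then
        echo "ccache $f: not owned by $u" >&2
        return 2
    fi
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "ccache $f: readable by group or others; chmod 0600 it" >&2
        return 3
    fi
    if [ ! -r "$f" ]; then
        echo "ccache $f: not readable by $(id -un)" >&2
        return 4
    fi
    return 0
}

# refresh_ccache FILE USER KEYTAB PRINCIPAL
#   Acquire a fresh TGT from KEYTAB into FILE as USER, lock the file down,
#   and verify it. Needs MIT krb5 kinit/klist and sudo; not run offline.
refresh_ccache() {
    f=$1; u=$2; kt=$3; princ=$4
    sudo -u "$u" kinit -k -t "$kt" -c "FILE:$f" "$princ" || return 1
    chmod 0600 "$f" || return 1
    # klist -s prints nothing and exits non-zero if the cache has no valid TGT
    sudo -u "$u" klist -s "FILE:$f" || return 1
    check_ccache "$f" "$u"
}

# Usage with assumed paths and names:
#   refresh_ccache /tmp/dovecot.krb5.ccache dovenull \
#       /etc/dovecot/dovecot.keytab imap/host.example.com
#   check_ccache /tmp/dovecot.krb5.ccache dovenull && echo "ccache ok"
```

Run check_ccache as the user Dovecot's auth process uses for the LDAP bind (dovenull or whatever default_login_user is set to), since the readability test in step 4 only says something about the caller. The cache Juha created as root would fail at step 2, which is the condition the freshly built Dovecot reported as "Credentials cache permissions incorrect".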
