Timo Sirainen <t...@iki.fi> writes:

> On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk wrote:
>> 1. I am puzzled about the credentials "i...@my.host.name" being obtained;
>> shouldn't this be
>> something like "imap/my.host.n...@my.realm" ?
>
> I don't know anything about Kerberos.

I suspect the "i...@my.host.name" refers to the subject at the GSSAPI
layer. This is certainly the form one would use in gss_import_name() in
order to construct the "name" of the peer one might then subsequently
use in a call to gss_init_sec_context() or, as in this case,
gss_acquire_cred(). If the underlying mechanism in use by the GSSAPI
layer is Kerberos then it will be translated to an appropriately named
principal, such as "imap/my.host.n...@my.realm", but that name will not
in general be exposed above the GSSAPI layer.

> This anyway means that dovecot-auth process is hanging for over 30
> seconds. Probably the "obtaining credentials" is taking for a long time.
> But why that is, I've no idea.

Wild guess: maybe the underlying Kerberos libraries are attempting to
canonicalise the host part by doing DNS lookups which are timing out as
a result of a non-responsive DNS server?
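
The DNS guess in the message above can be checked by timing the forward and reverse lookups for the host part of the host-based name. This is an added example, not part of the original message or of Dovecot; the sample name and realm are constructed, and it assumes the Kerberos library substitutes the canonical or reverse-resolved host name when building the principal.

```python
import socket
import time

def split_hostbased(name):
    """Split a GSSAPI host-based service name of the form 'service@host'."""
    service, sep, host = name.partition("@")
    if not (sep and service and host):
        raise ValueError(f"not a host-based service name: {name!r}")
    return service, host

def dns_forward(host):
    """Forward lookup: return (canonical name, first address)."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return info[0][3] or host, info[0][4][0]

def dns_reverse(addr):
    """Reverse lookup: return the PTR name, failing if there is none."""
    return socket.getnameinfo((addr, 0), socket.NI_NAMEREQD)[0]

def timed(fn, arg):
    """Run fn(arg); return (result or None on lookup failure, elapsed seconds)."""
    start = time.monotonic()
    try:
        result = fn(arg)
    except OSError:  # gaierror, herror and timeouts are OSError subclasses
        result = None
    return result, time.monotonic() - start

def diagnose(name, realm, forward=dns_forward, reverse=dns_reverse, slow=2.0):
    """Time both lookups and report the principal the results would produce."""
    service, host = split_hostbased(name)
    fwd, t_fwd = timed(forward, host)
    canon, addr = fwd if fwd else (host, None)
    rev, t_rev = timed(reverse, addr) if addr else (None, 0.0)
    # Assumption: the library prefers the reverse name, then the canonical name.
    final = (rev or canon).rstrip(".").lower()
    steps = (("forward", fwd, t_fwd), ("reverse", rev, t_rev))
    return {
        "principal": f"{service}/{final}@{realm}",
        "forward_s": t_fwd,
        "reverse_s": t_rev,
        "slow": [s for s, _, t in steps if t >= slow],
        "unresolved": [s for s, r, _ in steps if r is None],
    }

if __name__ == "__main__":
    # Constructed sample name and realm; substitute the service being debugged.
    print(diagnose("imap@localhost", "EXAMPLE.ORG"))
```

A lookup listed under both "slow" and "unresolved" points at a resolver that is timing out rather than answering negatively, which is the situation the reply speculates about.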