Phillip Macey wrote:
In the release notes for v1.2.2, Timo said:
Found and fixes several v1.2-specific bugs. Hopefully it's now stable
for most people's usage.
* GSSAPI: More changes to authentication. Hopefully good now.
What were the GSSAPI changes? I am having problems with _some_ of my
users using GSSAPI auth. I am using version 1.2.1. The client
(thunderbird) reports that the server does not support 'secure
authentication'. When I switch on auth_debug in dovecot, I see errors
such as these in the logs:
Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH 1
GSSAPI service=imap lip=10.1.0.20 rip=10.8.5.72 lport=143
rport=4027
Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using
all keytab entries
Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1
Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer
full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20
Other users work perfectly (eg. all of the user accounts I tested
against). Would this have been a bug that was fixed in 1.2.2 or is it
something else? If it is most likely something else, I will post
`dovecot -n`.
Same here (1.2.3), it's been working fine adding all possible principals
to the keytab and setting:
auth_gssapi_hostname = $ALL
There are all sorts of resolvers out there that seem to mess with
principal name selection on the clients all the time. Weird thing is
this particular one didn't happen with 1.1.x
--
Angel Marin
http://anmar.eu.org/
