My keytab now has:

ktutil:  read_kt /etc/dovecot/dovecot.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1          smtp/mail.hprs.local@HPRS.LOCAL
   2    1          imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my
dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only
enable gssapi authentication, I get "No authenticators available" (mail client).

How can I verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

Should I see authentication methods there?

--Mark

-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar
> Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server
> m...@ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by
> repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>". This indicates no credentials were
>> presented. If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]
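
Added example, not part of the thread and not Dovecot's own tooling: a shell check that reads a `ktutil list` listing and reports which of the principal forms named in Aki's reply are absent, plus any entries that use a short host name instead of the imap/host.domain.tld@REALM form. It assumes the template means service/FQDN@REALM with "host" as a literal service name; the function names are hypothetical and the sample listing is the one from the message above.

```shell
#!/bin/sh
# Added example: audit a `ktutil list` listing for the service principals
# discussed in the thread. All function names here are hypothetical.

# principals_in_listing: read `ktutil: list` output on stdin and print one
# principal per line. Data rows look like "<slot> <kvno> <principal>".
principals_in_listing() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /@/ { print $3 }'
}

# missing_principals FQDN REALM: read a listing on stdin and print every
# expected principal that is absent. Matching is exact and case-sensitive,
# because Kerberos treats imap/ and IMAP/ as different names.
missing_principals() {
    fqdn=$1 realm=$2
    have=$(principals_in_listing)
    for svc in imap IMAP host; do
        want="$svc/$fqdn@$realm"
        printf '%s\n' "$have" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
}

# short_host_principals: print entries whose host part has no dot, such as
# imap/mail@HPRS.LOCAL, which would not match a ticket requested for the
# fully qualified imap/host.domain.tld@REALM name.
short_host_principals() {
    principals_in_listing | awk -F'[/@]' 'NF == 3 && $2 !~ /\./ { print }'
}

# Listing copied from the message above.
sample_listing() {
    cat <<'EOF'
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1          smtp/mail.hprs.local@HPRS.LOCAL
   2    1          imap/mail.hprs.local@HPRS.LOCAL
EOF
}

sample_listing | missing_principals mail.hprs.local HPRS.LOCAL
```

Against a live keytab, the same functions can be fed the output of a ktutil session like the one shown in the message.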