The distinction is that Kerberos principals are in the form <service>/<hostname>@<REALM>.
The hostname part *must* match the host you are connecting to, exactly and verbatim. It can differ in case, I guess. The service is what service you are connecting to. These have special meanings and can be case sensitive (e.g. http won't always work, it has to be HTTP). host/ is always needed in at least the system keytab. Not sure if it's needed now in the service keytab. But I suspect that you need to have IMAP and not imap. Also make sure and double-check that the hostname is correct.

Once you've done the keytab you'll want to grab a cup of coffee and the local newspaper or something and read it through before trying, because it might take some time for it to work.

Also, your client *and* host need to be able to access the KDC (all of them) on 88/tcp.

Aki

On 01.07.2016 09:42, Mark Foley wrote:
> My keytab now has:
>
> ktutil: read_kt /etc/dovecot/dovecot.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 smtp/mail.hprs.local@HPRS.LOCAL
>    2    1 imap/mail.hprs.local@HPRS.LOCAL
>
> I added these in ktutil with:
>
> addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> Aki wrote:
>
>> I think the problem still is that your keytab file has no entry
>> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>> you also have no host/hostname@DOMAIN
>
> Not sure how to interpret your template. Are you suggesting I should ...
>
> addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
>
> (one IMAP uppercase and one lowercase?)
>
> I don't get your distinction between host and hostname in your 3rd example:
> host/hostname@DOMAIN
>
> Meanwhile ...
>
> Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi
> is enabled in my dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`,
> but if I only enable gssapi authentication, I get "No authenticators available" (mail client).
> How can I verify gssapi is really available? dovecot --build-options shows:
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL drivers:
> Passdb: checkpassword passwd passwd-file shadow
> Userdb: checkpassword nss passwd prefetch passwd-file
>
> should I see authentication methods there?
>
> --Mark
>
> -----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Thu, 30 Jun 2016 09:58:14 +0300
>
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
>
> you also have no host/hostname@DOMAIN
>
> Aki
>
> On 29.06.2016 18:40, Mark Foley wrote:
>> Yes, I think that's exactly correct. I just made a similar reply to Edgar
>> Pettijohn about that.
>> The Thunderbird message is:
>>
>> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server
>> m...@ohprs.org. Please check
>> that you are logged in to the Kerberos/GSSAPI realm."
>>
>> I made further comments in that message that I won't clutter the list by
>> repeating here. Check out that message and see what you think could be wrong.
>>
>> Thanks for your help! I'm sure this is solvable!
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>> From: brendan kearney <bpk...@gmail.com>
>>> To: Mark Foley <mfo...@ohprs.org>
>>> Cc: dovecot@dovecot.org
>>>
>>> The last log line shows "user=<>". This indicates no credentials were
>>> presented. If the rip field matches the client ip you tested from, I would
>>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>>> pulled for the authentication.
>>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
>> [deleted]
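The checks Aki walks through above (the service part of the principal must match in case, the hostname part must be the verbatim FQDN the client connects to, a host/ entry should exist, and every KDC must answer on 88/tcp) can be turned into a small audit over the text that `ktutil list` prints. The script below is an added example written for this thread, not code from the thread or from Dovecot; the hostname `mail.example.test`, the realm `EXAMPLE.TEST` and both keytab listings are constructed sample data, and the `services` default of `("imap", "host")` is an assumption about what the IMAP server should carry, not a statement of what Dovecot requires.

```python
"""Audit a `ktutil list` listing for the principals a GSSAPI IMAP server needs.

Added example for the thread above (not Dovecot code). Hostnames, realm and the
sample listings are constructed; adjust `expected_fqdn`, `realm` and `services`
to the names your own server advertises.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass

# <service>/<hostname>@<REALM>, the form Aki describes.
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split a service principal into its three parts; raise on anything else."""
    m = PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a service principal: {text!r}")
    return Principal(m["service"], m["host"], m["realm"])


def parse_ktutil_list(output: str) -> list[Principal]:
    """Pull principals out of `ktutil list` output (slot, KVNO, principal columns).

    Header and separator lines are skipped because their first two fields are not numeric.
    """
    principals = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            principals.append(parse_principal(parts[2]))
    return principals


def audit_keytab(output: str, expected_fqdn: str, realm: str,
                 services: tuple[str, ...] = ("imap", "host")) -> list[str]:
    """Return human-readable findings; an empty list means every expected principal is present.

    An exact (case-sensitive) match on all three parts counts as present. Otherwise the
    entries whose service matches ignoring case are reported as near misses, because a
    service-name case mismatch or a short hostname is exactly the mistake that is hard
    to spot by eye in a keytab listing.
    """
    entries = parse_ktutil_list(output)
    present = {(p.service, p.host, p.realm) for p in entries}
    findings: list[str] = []
    for svc in services:
        if (svc, expected_fqdn, realm) in present:
            continue
        near = [p for p in entries if p.service.lower() == svc.lower()]
        if not near:
            findings.append(f"missing {svc}/{expected_fqdn}@{realm}")
            continue
        for p in near:
            if p.service != svc:
                findings.append(f"{p}: service name '{p.service}' differs in case from expected '{svc}'")
            if p.host != expected_fqdn:
                findings.append(f"{p}: hostname '{p.host}' is not the FQDN '{expected_fqdn}'")
            if p.realm != realm:
                findings.append(f"{p}: realm '{p.realm}' is not '{realm}'")
    return findings


def kdc_reachable(kdc: str, port: int = 88, timeout: float = 2.0) -> bool:
    """True if a TCP connection to the KDC's Kerberos port can be opened from this machine.

    Run this from both the client and the mail host, since both need to reach every KDC.
    """
    try:
        with socket.create_connection((kdc, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: FQDN entries for smtp and imap, but no host/ entry.
SAMPLE_KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.example.test@EXAMPLE.TEST
   2    1 imap/mail.example.test@EXAMPLE.TEST
"""

# Constructed sample: upper-case service and a short hostname instead of the FQDN.
SAMPLE_SHORT_HOST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 IMAP/mail@EXAMPLE.TEST
"""

if __name__ == "__main__":
    for name, listing in (("fqdn keytab", SAMPLE_KTUTIL_LIST), ("short-host keytab", SAMPLE_SHORT_HOST)):
        print(f"== {name} ==")
        for finding in audit_keytab(listing, "mail.example.test", "EXAMPLE.TEST") or ["ok"]:
            print(" ", finding)
```

Feed it the output of `ktutil list` (or `klist -k` after adjusting the column parsing) for the real keytab, and call `kdc_reachable()` against each KDC from the client and from the mail host separately; a keytab that passes the audit on the server does nothing for a client that cannot reach a KDC on 88/tcp.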