Re: [Dovecot] v 1.1.13 / GSSAPI / Timeout waiting for handshake from auth server
Timo Sirainen writes: > On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk wrote: >> 1. I am puzzled about the credentials "i...@my.host.name" being obtained; >> shouldn't this be >>something like "imap/my.host.n...@my.realm" ? > > I don't know anything about Kerberos. I suspect the "i...@my.host.name" refers to the subject at the GSSAPI layer. This is certainly the form one would use in gss_import_name() in order to construct the "name" of the peer one might then subsequently use in a call to gss_init_sec_context() or, as in this case, gss_acquire_cred(). If the underlying mechanism in use by the GSSAPI layer is Kerberos then it will be translated to an appropriately named principal, such as "imap/my.host.n...@my.realm", but that name will not in general be exposed above the GSSAPI layer. > This anyway means that dovecot-auth process is hanging for over 30 > seconds. Probably the "obtaining credentials" is taking for a long time. > But why that is, I've no idea. Wild guess: maybe the underlying Kerberos libraries are attempting to canonicalise the host part by doing DNS lookups which are timing out as a result of a non-responsive DNS server?
Re: [Dovecot] v 1.1.13 / GSSAPI / Timeout waiting for handshake from auth server
On Wed, 2009-03-25 at 15:31 +0100, Jahnke-Zumbusch, Dirk wrote: > dovecot: Info: auth(default): gssapi(?,131.169.40.218): Obtaining > credentials for i...@my.host.name > dovecot: Error: imap-login: Timeout waiting for handshake from auth server. > my pid=3918, input bytes=0 > > 1. I am puzzled about the credentials "i...@my.host.name" being obtained; > shouldn't this be >something like "imap/my.host.n...@my.realm" ? I don't know anything about Kerberos. > 2. what does "Timeout waiting for handshake from auth server." mean? Who is > trying to >handshake with whom? This anyway means that dovecot-auth process is hanging for over 30 seconds. Probably the "obtaining credentials" is taking for a long time. But why that is, I've no idea. Although this does remind me that GSSAPI should be handled in auth-worker processes instead of the main dovecot-auth process.. signature.asc Description: This is a digitally signed message part
[Dovecot] v 1.1.13 / GSSAPI / Timeout waiting for handshake from auth server
Dear all, I am trying to setup Dovecot with GSSAPI support. For testing purposes gssapi is the only method allowed for login. As I cannot login to my mailbox, I'vo got two questions about the following log entries: dovecot: Info: auth-worker(default): passwd-file /dovecot/store/db/test-userdb: Read 3 users dovecot: Info: auth(default): new auth connection: pid=3915 dovecot: Info: auth(default): client in: AUTH 1 GSSAPI service=imap lip=131.169.*.* rip=131.169.*.* lport=143 rport=35779 dovecot: Info: auth(default): gssapi(?,131.169.40.218): Obtaining credentials for i...@my.host.name dovecot: Error: imap-login: Timeout waiting for handshake from auth server. my pid=3918, input bytes=0 1. I am puzzled about the credentials "i...@my.host.name" being obtained; shouldn't this be something like "imap/my.host.n...@my.realm" ? 2. what does "Timeout waiting for handshake from auth server." mean? Who is trying to handshake with whom? Any ideas? Best regards, Dirk -- Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY IT Information Fabrics Member of the Helmholtz Association D-22603 HamburgNotkestrasse 85 / 22607 Hamburg T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbu...@desy.de smime.p7s Description: S/MIME cryptographic signature
