Re: Dovecot GSSAPI Authentication problem

2021-08-06 Thread Lucas Castro



On 8/6/21 9:56 AM, Aki Tuomi wrote:

On 04/08/2021 19:47 Lucas Castro  wrote:

  
Hello,

I'm having a problem setting up Dovecot IMAP/POP service authentication
through Kerberos.

Already read https://wiki.dovecot.org/Authentication/Kerberos.

My guess is that Kerberos is working but something goes wrong afterwards.


Hi!

This looks like a bug indeed. Do things start working if you add

passdb {
   driver = static
   args = password=pass
}

Aki


Thanks for reply.


Another question: how can I map a Kerberos principal to mail users?

How can I access us...@domain1.zw.local with user0@ZW.LOCAL?


When I set the user to user0 in the mail client, it works fine, but if I set
the user to u...@domain1.zw.local


dovecot returns

"User not authorized to log in as user0"

And I can't figure out how to map the Kerberos principal to the mail account.

Right now, I keep the user information in LDAP.

--
Lucas Castro



Re: Dovecot GSSAPI Authentication problem

2021-08-06 Thread Aki Tuomi


> On 04/08/2021 19:47 Lucas Castro  wrote:
> 
>  
> Hello,
> I'm having a problem setting up Dovecot IMAP/POP service authentication
> through Kerberos.
> 
> Already read https://wiki.dovecot.org/Authentication/Kerberos.
> 
> My guess is that Kerberos is working but something goes wrong afterwards.
> 

Hi!

This looks like a bug indeed. Do things start working if you add

passdb {
  driver = static
  args = password=pass
}

Aki


Dovecot GSSAPI Authentication problem

2021-08-04 Thread Lucas Castro

Hello,
I'm having a problem setting up Dovecot IMAP/POP service authentication
through Kerberos.


Already read https://wiki.dovecot.org/Authentication/Kerberos.

My guess is that Kerberos is working but something goes wrong afterwards.

The keytab and ticket (for the LDAP userdb lookup):

-rw--- 1 dovecot dovecot  498 ago  3 20:20 /etc/dovecot/imap.keytab
-rw--- 1 dovecot root    1503 ago  4 11:40 /etc/dovecot/imap.ticket

dovecot --version
2.3.13 (89f716dc2)

The Dovecot settings:

# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 11.0
# Hostname: postfix10.zw.local
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_username_translation = /@
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab

mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,): Using all keytab entries
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,): security context state completed.
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsoco75BA/W0B9tS+UmJnunUg6vIcO5wr0fzZ7iGmCpsz0K2vL/qniGISDIwF9hDXXxs79bljbZE8Yx4dujqVuTPGMtewfhDtNfRNgYGNk/z28sDz7fs/dpIMKF2FAA1m9pFjBupQ1VkGbzMYc77U

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,): Negotiated security layer
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAdf8bQH///86U2L5ErmqfWFYNQA=

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Error: gssapi(us...@domain1.zw.local,172.16.0.44,): All password databases were skipped
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: auth(us...@domain1.zw.local,172.16.0.44,): Auth request finished
Aug  4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=us...@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
Aug  4 13:42:25 postfix10 dovecot: pop3-login: Debug: Ignoring unknown passdb extra field: original_user



Can someone help with this?


--
Lucas Castro
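As an added example (not from the thread or from Dovecot): a small Python parser for auth debug lines in the shape shown above. It undoes the syslog daemon's octal escaping (the `#011` sequences are tabs), splits the auth-client protocol fields, and reports FAIL events where the `user` the passdb resolved differs from the `original_user` the client authenticated as, the symptom seen in the log above. The sample lines and the jdoe addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, in the format of the thread's Dovecot auth debug
# output as rsyslog writes it: tabs arrive octal-escaped as "#011".
SAMPLE_LOG = [
    "Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: "
    "AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs"
    "#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548",
    "Aug  4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,): Using all keytab entries",
    "Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT",
    "Aug  4 13:42:23 postfix10 dovecot: auth: Error: gssapi(jdoe@domain1.zw.local,172.16.0.44,): "
    "All password databases were skipped",
    "Aug  4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: "
    "FAIL#0111#011user=jdoe@domain1.zw.local#011code=temp_fail#011original_user=jdoe@ZW.LOCAL",
]

# Only "client in" / "client passdb out" lines carry the auth-client protocol:
# COMMAND <TAB> request-id <TAB> key=value <TAB> ...
AUTH_LINE = re.compile(r"dovecot: auth: \w+: client (?P<dir>in|passdb out): (?P<payload>.*)$")


def unescape_syslog(text: str) -> str:
    """Turn rsyslog's #NNN octal escapes back into characters (e.g. "#011" -> TAB)."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_auth_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one auth debug line into a dict, or return None for non-protocol lines."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    fields = unescape_syslog(m.group("payload")).split("\t")
    event = {"direction": m.group("dir"), "command": fields[0]}
    if len(fields) > 1:
        event["id"] = fields[1]
    for field in fields[2:]:
        if not field:  # trailing empty field, e.g. "CONT\t1\t"
            continue
        key, sep, value = field.partition("=")
        event[key] = value if sep else ""  # bare tokens (the mechanism name) get ""
    return event


def find_identity_mismatches(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return FAIL events whose resolved user differs from the authenticated name."""
    hits = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev["command"] == "FAIL":
            user, orig = ev.get("user"), ev.get("original_user")
            if orig is not None and user != orig:
                hits.append({"id": ev.get("id"), "user": user,
                             "original_user": orig, "code": ev.get("code")})
    return hits
```

Pipe the auth debug log through `find_identity_mismatches` to surface requests that reached a passdb under a different name than the one the client authenticated with.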