Bug 506782
Summary: | dovecot fails to authenticate user via GSSAPI | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Roman Kisilenko <rkisilenko> | ||||
Component: | dovecot | Assignee: | Michal Hlavinka <mhlavink> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 11 | CC: | mhlavink | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | 1.2.3-1.fc11 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-08-18 21:14:03 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Roman Kisilenko
2009-06-18 16:31:44 UTC
Could you please try to reproduce this with dovecot-1.2-0.rc5 ? You can download unsigned packages here: http://koji.fedoraproject.org/koji/buildinfo?buildID=107028 or wait when they are pushed to updates which should be soon I hope. If the problem is still reproducible with new dovecot, please attach dovecot.conf Thanks Hello, I've installed dovecot-1.2-0.rc5 packages and the problem still persists. Here is my dovecot.conf: protocols = imap mail_location = maildir:/home/virtual/%u/Maildir protocol imap { } auth_krb5_keytab=/etc/dovecot.keytab ssl_cert_file = /etc/pki/dovecot/certs/imap.crt ssl_key_file = /etc/pki/dovecot/private/imap.key ssl_ca_file = /etc/pki/dovecot/certs/ca.crt-crl auth default { mechanisms = gssapi userdb static { args = uid=vmail gid=vmail home=/home/virtual/%u } } Thank you, Roman Were you using gssapi authentication with old dovecot (1.1 series) or this is first time you are trying to set up this? Does authenticating using kinit works for users? Add: auth_debug=yes to dovecot.conf, reproduce this problem and let me know what occurred in /var/log/maillog Test kerberos authentication described on dovecot's wiki: http://wiki.dovecot.org/Authentication/Kerberos What is the result? thanks Created attachment 348710 [details]
maillog with debug_auth=yes
Exactly the same dovecot setup was working just fine with dovecot 1.1 series on fedora 10 (using GSSAPI, of course). The dovecot.conf I've sent you was narrowed down to the smallest essential configuration which still allow to reproduce problem. Yes, authentication using kinit works just fine and kerberos infrastructure is functioning well as I use kerberos auth for other services like apache and ssh successfully. I've followed http://wiki.dovecot.org/Authentication/Kerberos and result with mutt is exactly the same as in initial bug description. Attached is maillog when auth_debug=yes. Unfortunately, I wasn't able to to solve this out. I've asked upstream developer for help. After discussion with upstream I've prepared testing packages, can you verify they fix this problem? Packages can be found here: http://koji.fedoraproject.org/koji/taskinfo?taskID=1434777 Thanks, that solved the problem. ok, thanks for testing... this package has reverted "gssapi: Cross-realm authentication fix.", so it seems this fix was broken. I'll report this upstream and they will probably try to fix cross-realm a different way. I've pushed dovecot 1.2.0 to updates, but unfortunately it still does not contain fix for this issue. Comment from upstream: > If I fix it for you, I break it for someone else. > I'd need to find out what exacly is that patch doing > wrong and how it should be fixed the correct way. Please tell me, if you want prepared 1.2.0 package with the same workaround as in comment #7 finally, upstream created patches that should fix this issue, could you please test if it works? If it does not work, please include log messages (with auth_debug=yes) packages: http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926 Just tested packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926, they work fine for me. ok, thanks for testing, I'll inform upstream dovecot-1.2.1-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/dovecot-1.2.1-1.fc11 dovecot-1.2.1-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dovecot'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7776 dovecot-1.2.2-1.20090728snap.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/dovecot-1.2.2-1.20090728snap.fc11 dovecot-1.2.2-1.20090728snap.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dovecot'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8079 dovecot-1.2.3-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |