Bug 506782

Summary: dovecot fails to authenticate user via GSSAPI
Product: Fedora
Reporter: Roman Kisilenko <rkisilenko>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: mhlavink
Hardware: All
OS: Linux
Fixed In Version: 1.2.3-1.fc11
Doc Type: Bug Fix
Last Closed: 2009-08-18 21:14:03 UTC

Attachments:
maillog with debug_auth=yes (flags: none)

Description Roman Kisilenko 2009-06-18 16:31:44 UTC
Description of problem: There is a permanent login failure when trying to login via dovecot to imap or smtp using GSSAPI. 

Version-Release number of selected component (if applicable): 
dovecot-1.2-0.rc3.1.fc11.x86_64.rpm
dovecot-gssapi-1.2-0.rc3.1.fc11.x86_64.rpm

How reproducible: always

Steps to Reproduce:
1. Install dovecot with kerberos support, create mailboxes for the client
2. Get initial credentials on client side
3. Attempt to log in via dovecot using gssapi
  
Actual results: login failed

Client side
1. Email client displays: "[AUTHENTICATIONFAILED] Authentication failed."
2. klist before login shows: 
Valid starting     Expires            Service principal
06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm
3. klist after login attempt shows:
Valid starting     Expires            Service principal
06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm
06/18/09 20:01:28  06/19/09 20:01:01  imap/mail.domain@realm

Server side
1. /var/log/maillog: 
dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS

Expected results: login successful

Additional info: 
1. It is possible for the same user to login via other mechanisms.
2. The issue reproduced with different email clients. Evolution and a custom java-based client were attempted.

Please let me know if any other information can be of any help
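
The two maillog lines above are the whole diagnostic signal in this report: the client already holds a valid imap/ service ticket, so Kerberos itself succeeded, and the refusal comes from the authorization step ("authn_name not authorized") rather than from bad credentials. The following is an added example, not part of the report or of Dovecot, that triages such lines so that GSSAPI authorization mismatches are separated from ordinary credential failures. The sample log is constructed from the report's two line formats plus two invented lines (users bob and alice, their addresses); the regexes are written against the line formats shown above.

```python
"""Added example (not Dovecot's code): triage Dovecot login failures in
/var/log/maillog, tagging a GSSAPI failure as an authorization mismatch when
it is paired with an "authn_name not authorized" line for the same user
and remote IP.  The sample lines below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two lines from the report plus two invented ones.
SAMPLE_MAILLOG = """\
dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS
dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=192.168.0.7, lip=192.168.0.2, TLS
dovecot: imap-login: Login: user=<alice>, method=GSSAPI, rip=192.168.0.9, lip=192.168.0.2, TLS
"""

# "auth(default): gssapi(<user>,<rip>): authn_name not authorized"
AUTHZ_RE = re.compile(
    r"auth\([^)]*\): gssapi\((?P<user>[^,]*),(?P<rip>[^)]*)\): authn_name not authorized"
)
# "imap-login: Aborted login (auth failed, N attempts): user=<u>, method=M, rip=R, ..."
ABORTED_RE = re.compile(
    r"imap-login: Aborted login \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[A-Za-z0-9-]+), rip=(?P<rip>[^,\s]+)"
)


def triage_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one record per aborted login, tagged with the likely reason.

    reason is "authz_mismatch" when the GSSAPI exchange completed but the
    server refused the requested identity, and "credential_failure"
    otherwise.
    """
    authz_mismatch: Set[Tuple[str, str]] = set()
    aborted: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            authz_mismatch.add((m["user"], m["rip"]))
            continue
        m = ABORTED_RE.search(line)
        if m:
            aborted.append({
                "user": m["user"],
                "method": m["method"],
                "rip": m["rip"],
                "attempts": int(m["attempts"]),
            })
    for rec in aborted:
        key = (rec["user"], rec["rip"])
        if rec["method"] == "GSSAPI" and key in authz_mismatch:
            rec["reason"] = "authz_mismatch"
        else:
            rec["reason"] = "credential_failure"
    return aborted


if __name__ == "__main__":
    for rec in triage_failures(SAMPLE_MAILLOG):
        print(rec)
```

Pairing on (user, rip) is deliberate: the auth process and the login process log separately, and the pair is the only key both lines share without auth_debug=yes.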

Comment 1 Michal Hlavinka 2009-06-19 10:40:51 UTC
Could you please try to reproduce this with dovecot-1.2-0.rc5? You can download unsigned packages here:

http://koji.fedoraproject.org/koji/buildinfo?buildID=107028

or wait until they are pushed to updates, which should be soon, I hope.

If the problem is still reproducible with the new dovecot, please attach dovecot.conf.

Thanks

Comment 2 Roman Kisilenko 2009-06-19 11:34:48 UTC
Hello,

I've installed dovecot-1.2-0.rc5 packages and the problem still persists.

Here is my dovecot.conf:

protocols = imap
mail_location = maildir:/home/virtual/%u/Maildir
protocol imap {
}
auth_krb5_keytab = /etc/dovecot.keytab
ssl_cert_file = /etc/pki/dovecot/certs/imap.crt
ssl_key_file = /etc/pki/dovecot/private/imap.key
ssl_ca_file = /etc/pki/dovecot/certs/ca.crt-crl
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/home/virtual/%u
  }
}

Thank you,
Roman

Comment 3 Michal Hlavinka 2009-06-19 14:03:57 UTC
Were you using GSSAPI authentication with the old dovecot (1.1 series), or is this the first time you are trying to set this up?

Does authenticating using kinit work for users?

Add:

auth_debug=yes

to dovecot.conf, reproduce this problem and let me know what occurred in /var/log/maillog.

Test Kerberos authentication as described on Dovecot's wiki:
http://wiki.dovecot.org/Authentication/Kerberos
What is the result?

thanks

Comment 4 Roman Kisilenko 2009-06-19 20:45:20 UTC
Created attachment 348710 [details]
maillog with debug_auth=yes

Comment 5 Roman Kisilenko 2009-06-19 20:45:32 UTC
Exactly the same dovecot setup was working just fine with the dovecot 1.1 series on Fedora 10 (using GSSAPI, of course). The dovecot.conf I've sent you was narrowed down to the smallest essential configuration which still allows the problem to be reproduced.

Yes, authentication using kinit works just fine, and the Kerberos infrastructure is functioning well, as I successfully use Kerberos auth for other services like Apache and SSH.

I've followed http://wiki.dovecot.org/Authentication/Kerberos and the result with mutt is exactly the same as in the initial bug description.

Attached is maillog when auth_debug=yes.

Comment 6 Michal Hlavinka 2009-06-24 13:39:11 UTC
Unfortunately, I wasn't able to solve this. I've asked the upstream developer for help.

Comment 7 Michal Hlavinka 2009-06-25 05:52:22 UTC
After discussion with upstream I've prepared testing packages; can you verify that they fix this problem?

Packages can be found here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1434777

Comment 8 Roman Kisilenko 2009-06-25 08:13:12 UTC
Thanks, that solved the problem.

Comment 9 Michal Hlavinka 2009-06-25 08:59:36 UTC
OK, thanks for testing... this package reverts "gssapi: Cross-realm authentication fix.", so it seems that fix was broken. I'll report this upstream, and they will probably try to fix cross-realm authentication a different way.

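The reverted change above is about the step that produced "authn_name not authorized": once the GSSAPI context is established, the server holds the authenticated Kerberos principal (the authn name) and must decide whether it may act as the mail user the client asked for (the SASL authorization identity). The realm comparison is where cross-realm handling gets delicate, because simply discarding a foreign realm would let user@OTHER.ORG log in as the local user. The following is an added illustration of that decision, written for this page and not Dovecot's code or the upstream patch; DEFAULT_REALM (EXAMPLE.COM), the sample principals and the cross-realm mapping table are assumptions.

```python
"""Added example (not Dovecot's code): the authorization decision a GSSAPI
server makes between the authenticated principal (authn_name) and the
requested login identity (authz_name).  DEFAULT_REALM, the principals and
the mapping table are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumed: the realm the server's keytab belongs to


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Split 'name@REALM' on the last unescaped '@'.

    Kerberos allows a literal '@' inside the name component when escaped as
    '\\@', so a plain rsplit('@') would mis-parse such names.
    """
    split_at = -1
    i = 0
    while i < len(text):
        if text[i] == "\\":      # skip the escaped character
            i += 2
            continue
        if text[i] == "@":
            split_at = i
        i += 1
    if split_at == -1:           # no realm given: assume the local one
        return Principal(text, default_realm)
    name, realm = text[:split_at], text[split_at + 1:]
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, realm)


def authorize(authn_name: str, authz_name: str,
              default_realm: str = DEFAULT_REALM,
              cross_realm_map: Optional[Dict[str, str]] = None) -> bool:
    """Return True if the authenticated principal may act as authz_name.

    authz_name is either a bare local user ("user") or a full principal
    ("user@EXAMPLE.COM").  Comparisons are exact and case-sensitive, as
    Kerberos principal names are.
    """
    authn = parse_principal(authn_name, default_realm)
    authz = parse_principal(authz_name, default_realm)

    if authn.realm == default_realm:
        # Local principal: it may only act as itself.
        return authn == authz

    # Foreign realm: only an explicit, exact mapping grants a local identity.
    # Stripping the realm here would let user@OTHER.ORG impersonate user.
    mapped = (cross_realm_map or {}).get(f"{authn.name}@{authn.realm}")
    if mapped is None:
        return False
    return Principal(mapped, default_realm) == authz


if __name__ == "__main__":
    # The report's case, with the realm written as EXAMPLE.COM.
    print(authorize("user@EXAMPLE.COM", "user"))   # True
    print(authorize("user@OTHER.ORG", "user"))     # False: foreign realm, no mapping
```

The mapping table stands in for whatever policy a real deployment uses (an auth_name_format-style rewrite, a userdb lookup, or a krb5 .k5login-like list); the point is that a foreign-realm principal is never equated with a local user by name alone.
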
Comment 10 Michal Hlavinka 2009-07-07 11:23:24 UTC
I've pushed dovecot 1.2.0 to updates, but unfortunately it still does not contain a fix for this issue. Comment from upstream:

> If I fix it for you, I break it for someone else.
> I'd need to find out what exactly that patch is doing
> wrong and how it should be fixed the correct way.

Please tell me if you want a 1.2.0 package prepared with the same workaround as in comment #7.

Comment 11 Michal Hlavinka 2009-07-08 07:56:52 UTC
Finally, upstream has created patches that should fix this issue; could you please test whether they work? If they do not work, please include the log messages (with auth_debug=yes).

packages:
http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926

Comment 12 Roman Kisilenko 2009-07-08 11:20:52 UTC
Just tested packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926, they work fine for me.

Comment 13 Michal Hlavinka 2009-07-08 11:42:51 UTC
OK, thanks for testing; I'll inform upstream.

Comment 14 Fedora Update System 2009-07-13 08:03:28 UTC
dovecot-1.2.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/dovecot-1.2.1-1.fc11

Comment 15 Fedora Update System 2009-07-19 10:30:22 UTC
dovecot-1.2.1-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dovecot'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7776

Comment 16 Fedora Update System 2009-07-29 08:04:43 UTC
dovecot-1.2.2-1.20090728snap.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/dovecot-1.2.2-1.20090728snap.fc11

Comment 17 Fedora Update System 2009-07-29 21:28:10 UTC
dovecot-1.2.2-1.20090728snap.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dovecot'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8079

Comment 18 Fedora Update System 2009-08-18 21:13:57 UTC
dovecot-1.2.3-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.