Bug 146198 - leaves files in /tmp from expired kerberos tickets
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Dennis
Blocks: 171119
Reported: 2005-01-25 22:15 UTC by John Dennis
Modified: 2014-01-21 22:51 UTC (History)

Last Closed: 2005-07-22 15:56:35 UTC

Description John Dennis 2005-01-25 22:15:19 UTC
Dovecot is littering /tmp with files from expired Kerberos tickets.
It fails to properly close out the Kerberos session, or at least that's
the theory. We had the same problem with UW imap and applied a fix for
that; we probably need to pull in a similar patch for dovecot.

Comment 1 John Dennis 2005-01-25 22:19:41 UTC
Notting believes the fix in uw imap was calling
pam_setcred(hdl, PAM_DELETE_CRED) after the pam auth succeeded. I'll
investigate and see if this is in our latest version. We did just do an
update to 0.99.13, not sure what's running on devserv.

Comment 2 John Dennis 2005-02-02 22:16:36 UTC
Bill: I built a new version of dovecot that hopefully fixes the
kerberos ticket problem. It's checked into "devel" and here is a binary
I built on my own FC3 box; I don't want to build in rawhide yet. Do
you want to test it?

ftp://people.redhat.com/jdennis/dovecot-0.99.13-4.devel.i386.rpm

I did some minimal testing with pam and it seems to work fine, but pam
on my test system is not using kerberos so it's not a sufficient test.

After a discussion with Nalin, it was suggested that dovecot not
call PAM_ESTABLISH_CRED in the first place; he thought this was a
better fix than trying to locate all the places to call
PAM_DELETE_CRED. The reasoning is fully explained in
dovecot-pam-setcred.patch. In essence, there is no need to create the
on-disk copy of the ticket with PAM_ESTABLISH_CRED if the session is
not held open and pam_end is called immediately after validating the
login, which is what dovecot does.

Comment 3 Bill Nottingham 2005-02-02 22:37:43 UTC
Currently testing on the server here (had to do a local build). Seems
to solve the issue.

Comment 6 Jarkko 2005-11-01 22:09:25 UTC
Was the new build ok? If yes, please release it because I'm having this problem
here...

Comment 7 John Dennis 2005-11-01 22:25:50 UTC
The FC4 dovecot rpm has the fix.

Comment 8 Jarkko 2005-11-01 22:41:22 UTC
And apparently FC3 updates-testing too. Just upgraded dovecot to it. Seems to
work ok. Problem solved.
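
A way to check a mail server for the symptom reported in this bug, before and after installing the fixed package. This is an added example, not part of the bug report or of dovecot-pam-setcred.patch. It assumes the leftover files use the MIT Kerberos `krb5cc_` file naming and that tickets live at most 24 hours; neither detail is stated in the report.

```python
import os
import stat
import sys
import time
from collections import defaultdict

# Assumptions (not from the bug report): credential caches in /tmp are named
# krb5cc_<uid>[_<random>] and the maximum ticket lifetime is 24 hours.
CCACHE_PREFIX = "krb5cc_"
MAX_TICKET_LIFETIME_S = 24 * 3600


def stale_ccaches(tmp_dir="/tmp", max_age_s=MAX_TICKET_LIFETIME_S, now=None):
    """Return {owner_uid: [(path, age_seconds), ...]} for leftover caches.

    Heuristic: a cache not modified for longer than the maximum ticket
    lifetime holds only expired tickets and should already have been deleted.
    """
    now = time.time() if now is None else now
    stale = defaultdict(list)
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not entry.name.startswith(CCACHE_PREFIX):
                continue
            try:
                # lstat semantics: /tmp is world-writable, so never follow a
                # symlink that merely looks like a credential cache.
                st = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                continue  # removed between directory listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue
            age = now - st.st_mtime
            if age > max_age_s:
                stale[st.st_uid].append((entry.path, int(age)))
    return {uid: sorted(files) for uid, files in stale.items()}


if __name__ == "__main__":
    report = stale_ccaches(sys.argv[1] if len(sys.argv) > 1 else "/tmp")
    for uid, files in sorted(report.items()):
        print(f"uid {uid}: {len(files)} stale credential cache(s)")
        for path, age in files:
            print(f"  {path}  ({age // 3600} h old)")
    sys.exit(1 if report else 0)
```

A per-uid count that keeps growing with each mail login points to caches being established and never deleted; with the fixed build the count should stop growing.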

