Description of problem:
There is a permanent login failure when trying to log in via dovecot to imap or smtp using GSSAPI.

Version-Release number of selected component (if applicable):
dovecot-1.2-0.rc3.1.fc11.x86_64.rpm
dovecot-gssapi-1.2-0.rc3.1.fc11.x86_64.rpm

How reproducible:
always

Steps to Reproduce:
1. Install dovecot with kerberos support, create mailboxes for the client
2. Get initial credentials on client side
3. Attempt to log in via dovecot using gssapi

Actual results:
login failed

Client side
1. Email client displays: "[AUTHENTICATIONFAILED] Authentication failed."
2. klist before login shows:
   Valid starting     Expires            Service principal
   06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm
3. klist after login attempt shows:
   Valid starting     Expires            Service principal
   06/18/09 20:01:01  06/19/09 20:01:01  krbtgt/realm@realm
   06/18/09 20:01:28  06/19/09 20:01:01  imap/mail.domain@realm

Server side
1. /var/log/maillog:
   dovecot: auth(default): gssapi(user,192.168.0.1): authn_name not authorized
   dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user>, method=GSSAPI, rip=192.168.0.1, lip=192.168.0.2, TLS

Expected results:
login successful

Additional info:
1. It is possible for the same user to log in via other mechanisms.
2. The issue reproduced with different email clients. Evolution and a custom java-based client were attempted.

Please let me know if any other information can be of any help.

Could you please try to reproduce this with dovecot-1.2-0.rc5? You can download unsigned packages here: http://koji.fedoraproject.org/koji/buildinfo?buildID=107028 or wait until they are pushed to updates, which should be soon I hope. If the problem is still reproducible with the new dovecot, please attach dovecot.conf. Thanks
Hello, I've installed dovecot-1.2-0.rc5 packages and the problem still persists. Here is my dovecot.conf:

protocols = imap
mail_location = maildir:/home/virtual/%u/Maildir
protocol imap {
}
auth_krb5_keytab=/etc/dovecot.keytab
ssl_cert_file = /etc/pki/dovecot/certs/imap.crt
ssl_key_file = /etc/pki/dovecot/private/imap.key
ssl_ca_file = /etc/pki/dovecot/certs/ca.crt-crl
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/home/virtual/%u
  }
}

Thank you, Roman

Were you using gssapi authentication with the old dovecot (1.1 series), or is this the first time you are trying to set this up? Does authenticating using kinit work for users? Add: auth_debug=yes to dovecot.conf, reproduce this problem and let me know what occurred in /var/log/maillog. Test kerberos authentication as described on dovecot's wiki: http://wiki.dovecot.org/Authentication/Kerberos What is the result? Thanks
Created attachment 348710: maillog with debug_auth=yes
Exactly the same dovecot setup was working just fine with the dovecot 1.1 series on Fedora 10 (using GSSAPI, of course). The dovecot.conf I've sent you was narrowed down to the smallest essential configuration which still allows the problem to be reproduced. Yes, authentication using kinit works just fine and the kerberos infrastructure is functioning well, as I use kerberos auth for other services like apache and ssh successfully. I've followed http://wiki.dovecot.org/Authentication/Kerberos and the result with mutt is exactly the same as in the initial bug description. Attached is the maillog with auth_debug=yes.
Unfortunately, I wasn't able to sort this out. I've asked the upstream developer for help.
After discussion with upstream I've prepared testing packages, can you verify they fix this problem? Packages can be found here: http://koji.fedoraproject.org/koji/taskinfo?taskID=1434777
Thanks, that solved the problem.
OK, thanks for testing... This package has reverted "gssapi: Cross-realm authentication fix.", so it seems this fix was broken. I'll report this upstream and they will probably try to fix cross-realm a different way.
I've pushed dovecot 1.2.0 to updates, but unfortunately it still does not contain a fix for this issue. Comment from upstream:

> If I fix it for you, I break it for someone else.
> I'd need to find out what exactly is that patch doing
> wrong and how it should be fixed the correct way.

Please tell me if you want me to prepare a 1.2.0 package with the same workaround as in comment #7.

Finally, upstream created patches that should fix this issue. Could you please test if it works? If it does not work, please include log messages (with auth_debug=yes). Packages: http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926
Just tested packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=1460926, they work fine for me.
ok, thanks for testing, I'll inform upstream
dovecot-1.2.1-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/dovecot-1.2.1-1.fc11
dovecot-1.2.1-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dovecot'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7776
dovecot-1.2.2-1.20090728snap.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/dovecot-1.2.2-1.20090728snap.fc11
dovecot-1.2.2-1.20090728snap.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dovecot'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8079
dovecot-1.2.3-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.