Hi Everyone,
I'm running an IPA server on CentOS 7 successfully and now I want to change my Dovecot setup to use GSSAPI for IMAP authentication instead of a flat "userdb" file. I've already joined the Dovecot box to the IPA domain - ssh and ipa policies and all that are working properly.
I read a number of articles on how to configure Dovecot for GSSAPI auth and they all said the same thing (even Red Hat's official how to on it agreed). But, when I set up Evolution on my Fedora 22 system to use GSSAPI, Dovecot's log records this:
Sep 8 13:49:55 mailman02 dovecot: auth: Panic: file auth-request.c: line 733 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Sep 8 13:49:55 mailman02 dovecot: auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x6a02e) [0x7f27af22202e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x6a10e) [0x7f27af22210e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f27af1da52c] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x15922) [0x7f27af6c7922] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_lookup_credentials+0x32) [0x7f27af6c9332] -> /usr/lib64/dovecot/auth/libmech_gssapi.so(+0x2134) [0x7f27ad615134] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_handler_auth_continue+0xe5) [0x7f27af6caf15] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x109da) [0x7f27af6c29da] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f27af232a47] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xff) [0x7f27af2338cf] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f27af232598] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f27af1df9e3] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](main+0x391) [0x7f27af6c07f1] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27ae7ceaf5] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0xe9e1) [0x7f27af6c09e1]
Sep 8 13:49:55 mailman02 dovecot: auth: Fatal: master: service(auth): child 23185 killed with signal 6 (core dumps disabled)
I've already asked on the Dovecot list about my GSSAPI auth problems and was told that this is a bug in Dovecot which does not exist in the latest release (I don't know when the problem was actually fixed).
My question is simply this: does anyone else have dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA server? IPA is also running on CentOS 7.1.1503.
Regards,
Ranbir
You could try rebuilding this src.rpm -
http://awel.domblogger.net/7/libre/src/repoview/dovecot.html
That's what I use for Dovecot on CentOS 7 but I build it against LibreSSL so you probably don't want my binary RPM but the src.rpm will build against stock CentOS OpenSSL just fine w/o modification.
I don't know if it will fix your issue but it is the latest release that the dovecot list claims has the issue fixed.
On 09/08/2015 12:00 PM, Kanwar Ranbir Sandhu wrote:
> Hi Everyone,
> I'm running an IPA server on CentOS 7 successfully and now I want to change my Dovecot setup to use GSSAPI for IMAP authentication instead of a flat "userdb" file. I've already joined the Dovecot box to the IPA domain - ssh and ipa policies and all that are working properly.
> I read a number of articles on how to configure Dovecot for GSSAPI auth and they all said the same thing (even Red Hat's official how to on it agreed). But, when I set up Evolution on my Fedora 22 system to use GSSAPI, Dovecot's log records this:
> Sep 8 13:49:55 mailman02 dovecot: auth: Panic: file auth-request.c: line 733 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
> Sep 8 13:49:55 mailman02 dovecot: auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x6a02e) [0x7f27af22202e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x6a10e) [0x7f27af22210e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f27af1da52c] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x15922) [0x7f27af6c7922] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_lookup_credentials+0x32) [0x7f27af6c9332] -> /usr/lib64/dovecot/auth/libmech_gssapi.so(+0x2134) [0x7f27ad615134] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_handler_auth_continue+0xe5) [0x7f27af6caf15] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x109da) [0x7f27af6c29da] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f27af232a47] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xff) [0x7f27af2338cf] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f27af232598] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f27af1df9e3] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](main+0x391) [0x7f27af6c07f1] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27ae7ceaf5] -> dovecot/auth [1 wait, 0 passdb, 0 userdb](+0xe9e1) [0x7f27af6c09e1]
> Sep 8 13:49:55 mailman02 dovecot: auth: Fatal: master: service(auth): child 23185 killed with signal 6 (core dumps disabled)
> I've already asked on the Dovecot list about my GSSAPI auth problems and was told that this is a bug in Dovecot which does not exist in the latest release (I don't know when the problem was actually fixed).
> My question is simply this: does anyone else have dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA server? IPA is also running on CentOS 7.1.1503.
> Regards,
> Ranbir
On Tue, 2015-09-08 at 13:53 -0700, Alice Wonder wrote:
> You could try rebuilding this src.rpm -
> http://awel.domblogger.net/7/libre/src/repoview/dovecot.html
> That's what I use for Dovecot on CentOS 7 but I build it against LibreSSL so you probably don't want my binary RPM but the src.rpm will build against stock CentOS OpenSSL just fine w/o modification.
> I don't know if it will fix your issue but it is the latest release that the dovecot list claims has the issue fixed.
Thanks for the offer, but I need to know if anyone else has encountered the problem I'm having. I'm having a hard time believing no one else has run into this.
Is there a point in creating a bug report about this in the CentOS tracker since we'd have to wait for someone to report it to Red Hat (and for them to fix it) first?
Ranbir
On Tue, 8 Sep 2015, Kanwar Ranbir Sandhu wrote:
> Hi Everyone,
> <snip>
> My question is simply this: does anyone else have dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA server? IPA is also running on CentOS 7.1.1503.
Yep, I have it working. It's been almost 6 months since I set it up so don't recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine.
-- Mike
On 2015-09-09 14:21, Mike wrote:
> Yep, I have it working. It's been almost 6 months since I set it up so don't recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine.
I wonder if that means Evolution is broken. In any case, could you tell me the changes you made to 10-auth.conf and any other files for GSSAPI auth to work? I would like to compare your setup to mine and to what I've read online.
Thanks!
Ranbir
On 09/10/2015 10:24 AM, Kanwar Ranbir Sandhu wrote:
> On 2015-09-09 14:21, Mike wrote:
>> Yep, I have it working. It's been almost 6 months since I set it up so don't recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine.
> I wonder if that means Evolution is broken.
I wouldn't be surprised, I stopped using evolution because it seemed to frequently experience a database corruption causing it to rebuild itself, re-downloading all the headers.
That went on for me for months, it was most prominent on my laptop but it also happened on my desktop.
It happened in CentOS and it happened in Fedora.
So I said to hell with it, I don't want to use broken software.
That didn't involve GSSAPI though, but I wouldn't be surprised if evolution is the problem.
On Thu, 10 Sep 2015, Kanwar Ranbir Sandhu wrote:
> On 2015-09-09 14:21, Mike wrote:
>> Yep, I have it working. It's been almost 6 months since I set it up so don't recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine.
> I wonder if that means Evolution is broken. In any case, could you tell me the changes you made to 10-auth.conf and any other files for GSSAPI auth to work? I would like to compare your setup to mine and to what I've read online.
> Thanks!
> Ranbir
In looking at my notes I think it was LDAP integration that gave me the most headaches, GSSAPI was pretty straightforward. In any case for GSSAPI/SSO I'm pretty sure this is what I used primarily (noting that it was written with RHEL 6.2 as a target): http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Sin...
And I believe these are the primary changes that I made to the dovecot config.
# diff ~/etc_dovecot_orig/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf 10a11
disable_plaintext_auth = no
29a31
auth_realms = ourdomain.com
33a36
auth_default_realm = ourdomain.com
71a75
auth_gssapi_hostname = mx01.ourdomain.com
76a81
auth_krb5_keytab = /etc/dovecot/krb5.keytab
100c105,106 < auth_mechanisms = plain ---
#auth_mechanisms = plain auth_mechanisms = gssapi cram-md5 plain login
122c128 < !include auth-system.conf.ext ---
#!include auth-system.conf.ext
124c130 < #!include auth-ldap.conf.ext ---
!include auth-ldap.conf.ext
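Review bot: In the 10a11 and 100c105,106 hunks, `disable_plaintext_auth = no` together with `auth_mechanisms = gssapi cram-md5 plain login` lets clients send passwords with PLAIN and LOGIN over connections that are not protected by TLS. If password logins are only a fallback beside GSSAPI, keep `disable_plaintext_auth = yes` so those mechanisms are refused without SSL/TLS, and list only mechanisms the configured passdb can serve; `cram-md5` in particular needs a passdb that returns a stored credential, which this diff does not show.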
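Review bot: The 76a81 hunk sets `auth_krb5_keytab = /etc/dovecot/krb5.keytab` but nothing in the change records that file's ownership or mode, or which service principal it holds. The keytab contains the service's long-term Kerberos key, so record alongside this change that it is readable only by the account the auth process runs as and that its principal matches the `auth_gssapi_hostname = mx01.ourdomain.com` value from the 71a75 hunk. The 122c128 and 124c130 hunks also swap auth-system.conf.ext for auth-ldap.conf.ext without showing the LDAP file, so the passdb and userdb that GSSAPI logins resolve against cannot be checked from these lines.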
On Thu, 2015-09-10 at 11:01 -0700, Mike wrote:
< !include auth-system.conf.ext
This helped. I enabled pam for passdb and now my GSSAPI auth works, but I don't understand why. I also had to enable "allow_all_users=yes" otherwise the messages weren't delivered.
I'm going to have to take this to the Dovecot list to get an explanation.
Thanks to you and Alice for the help!