CentOS 7.1.1503 + Dovecot + IPA


Hi Everyone,

I’m running an IPA server on CentOS 7 successfully and now I want to change my Dovecot setup to use GSSAPI for IMAP authentication instead of a flat “userdb” file. I’ve already joined the Dovecot box to the IPA domain – SSH and ipa policies and all that are working properly.

I read a number of articles on how to configure Dovecot for GSSAPI auth and they all said the same thing (even Red Hat’s official how-to on it agreed). But, when I set up Evolution on my Fedora 22 system to use GSSAPI, Dovecot’s log records this:

Sep 8 13:49:55 mailman02 dovecot: auth: Panic: file auth-request.c: line 733 (auth_request_is_disabled_master_user): assertion failed: (request->requested_login_user != NULL)
Sep 8 13:49:55 mailman02 dovecot: auth: Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(+0x6a02e) [0x7f27af22202e] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x6a10e) [0x7f27af22210e] ->
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f27af1da52c] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x15922) [0x7f27af6c7922] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_lookup_credentials+0x32) [0x7f27af6c9332] ->
/usr/lib64/dovecot/auth/libmech_gssapi.so(+0x2134) [0x7f27ad615134] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](auth_request_handler_auth_continue+0xe5) [0x7f27af6caf15] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](+0x109da) [0x7f27af6c29da] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x27) [0x7f27af232a47] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xff) [0x7f27af2338cf] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f27af232598] ->
/usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f27af1df9e3] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](main+0x391) [0x7f27af6c07f1] ->
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27ae7ceaf5] ->
dovecot/auth [1 wait, 0 passdb, 0 userdb](+0xe9e1) [0x7f27af6c09e1]
Sep 8 13:49:55 mailman02 dovecot: auth: Fatal: master: service(auth): child 23185 killed with signal 6 (core dumps disabled)

I’ve already asked on the Dovecot list about my GSSAPI auth problems and was told that this is a bug in Dovecot which does not exist in the latest release (I don’t know when the problem was actually fixed).

My question is simply this: does anyone else have dovecot-2.2.10-4.el7_0.1.x86_64 working with GSSAPI auth against an IPA server? IPA is also running on CentOS 7.1.1503.

Regards,

Ranbir

7 thoughts on - CentOS 7.1.1503 + Dovecot + IPA

  • You could try rebuilding this src.rpm –

    http://awel.domblogger.net/7/libre/src/repoview/dovecot.html

    That’s what I use for Dovecot on CentOS 7 but I build it against LibreSSL so you probably don’t want my binary RPM but the src.rpm will build against stock CentOS OpenSSL just fine w/o modification.

    I don’t know if it will fix your issue but it is the latest release that the dovecot list claims has the issue fixed.

  • Thanks for the offer, but I need to know if anyone else has encountered the problem I’m having. I’m having a hard time believing no one else has run into this.

    Is there a point in creating a bug report about this in the CentOS tracker since we’d have to wait for someone to report it to Red Hat (and for them to fix it) first?

    Ranbir

  • Yep, I have it working. It’s been almost 6 months since I set it up so don’t recall many details other than it was NOT trivial :). Have only used alpine and thunderbird clients, both work fine.

    — Mike

  • I wonder if that means Evolution is broken. In any case, could you tell me the changes you made to 10-auth.conf and any other files for GSSAPI auth to work? I would like to compare your setup to mine and to what I’ve read online.

    Thanks!

    Ranbir

  • I wouldn’t be surprised, I stopped using evolution because it seemed to frequently experience a database corruption causing it to rebuild itself, re-downloading all the headers.

    That went on for me for months, it was most prominent on my laptop but it also happened on my desktop.

    It happened in CentOS and it happened in Fedora.

    So I said to hell with it, I don’t want to use broken software.

    That didn’t involve GSSAPI though, but I wouldn’t be surprised if evolution is the problem.

  • In looking at my notes I think it was LDAP integration that gave me the most headaches, GSSAPI was pretty straightforward. In any case for GSSAPI/SSO I’m pretty sure this is what I used primarily (noting that it was written with RHEL 6.2 as a target):

    http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

    And I believe these are the primary changes that I made to the dovecot config.

    # diff ~/etc_dovecot_orig/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf
    10a11
    29a31
    33a36
    71a75
    76a81
    100c105,106
    < auth_mechanisms = plain -

  • This helped. I enabled pam for passdb and now my GSSAPI auth works, but I don’t understand why. I also had to enable “allow_all_users=yes” otherwise the messages weren’t delivered.

    I’m going to have to take this to the Dovecot list to get an explanation.

    Thanks to you and Alice for the help!
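
The combination the last post describes (GSSAPI with a PAM passdb, plus allow_all_users=yes), written out as an added example; it is not the poster's actual configuration or the Dovecot project's own. The host name, keytab path, vmail uid/gid, mail home and the use of a static userdb are assumptions.

```conf
# /etc/dovecot/conf.d/10-auth.conf -- constructed example, values are assumptions

# Offer Kerberos single sign-on; keep "plain" for clients without a ticket,
# but refuse it on connections that are not protected by TLS.
auth_mechanisms = gssapi plain
disable_plaintext_auth = yes

# Assumed host name and keytab path. The keytab must hold the
# imap/<hostname>@<REALM> service principal issued by IPA and should be
# readable only by the user the auth process runs as.
auth_gssapi_hostname = mail.example.test
auth_krb5_keytab = /etc/dovecot/krb5.keytab

# The backtrace in the first post shows the GSSAPI mechanism calling
# auth_request_lookup_credentials(), which goes through the passdb,
# so a passdb has to be configured even when Kerberos does the
# actual authentication. PAM also serves the "plain" logins.
passdb {
  driver = pam
}

# Assumed static userdb: every mailbox is owned by one system user.
# A static userdb normally confirms that a user exists by asking the
# passdb. PAM cannot answer that without a password, so lookups made at
# delivery time fail unless allow_all_users=yes skips the check.
#
# Side effect: Dovecot will then accept delivery for any recipient name,
# so the MTA in front of it has to validate recipients (for example
# against IPA's LDAP directory) before handing mail over.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%n allow_all_users=yes
}
```

Running `doveconf -n` after the change prints the effective non-default settings, which makes it easy to confirm that both the passdb and userdb blocks were picked up.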