[Freeipa-users] Re: Kerberos/GSSAPI dovecot auth wierdeness?

[Carlos Mogas da Silva via FreeIPA-users]

On 2022-12-14 14:19, Alexander Bokovoy via FreeIPA-users wrote:
Could you please share your Dovecot and krb5 configuration on that
Dovecot server?
It is hard to help without seeing anything.

Sure mate. This was what I could think of that was relevant. If there's 
anything missing just ask.

# egrep -v "^#|^$" /etc/dovecot/conf.d/10-auth.conf
auth_realms = INT.R3PEK.ORG
auth_default_realm = INT.R3PEK.ORG
auth_username_format = %Ln
auth_gssapi_hostname = mail01.int.r3pek.org
auth_krb5_keytab =  /etc/dovecot/mail.keytab
auth_mechanisms = gssapi plain
!include auth-system.conf.ext

# egrep -v "^\s*#|^$" /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
}
userdb {
  driver = passwd
  override_fields = home=/email/%Lu
}

# klist -k /etc/dovecot/mail.keytab
Keytab name: FILE:mail.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   1 smtp/mail01.int.r3pek....@int.r3pek.org
   1 smtp/mail01.int.r3pek....@int.r3pek.org
   1 smtp/mail01.int.r3pek....@int.r3pek.org
   1 smtp/mail01.int.r3pek....@int.r3pek.org
   1 imap/mail01.int.r3pek....@int.r3pek.org
   1 imap/mail01.int.r3pek....@int.r3pek.org
   1 imap/mail01.int.r3pek....@int.r3pek.org
   1 imap/mail01.int.r3pek....@int.r3pek.org

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   1 host/mail01.int.r3pek....@int.r3pek.org
   1 host/mail01.int.r3pek....@int.r3pek.org
   1 host/mail01.int.r3pek....@int.r3pek.org
   1 host/mail01.int.r3pek....@int.r3pek.org

# cat /etc/sssd/sssd.conf
[domain/int.r3pek.org]

id_provider = ipa
ipa_server = _srv_, ipa01.int.r3pek.org
ipa_domain = int.r3pek.org
ipa_hostname = mail01.int.r3pek.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = enp6s18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = int.r3pek.org
[nss]
homedir_substring = /home


Thanks.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue