On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
> On 2022-12-14 14:19, Alexander Bokovoy via FreeIPA-users wrote:
>> Could you please share your Dovecot and krb5 configuration on that
>> Dovecot server?
>>
>> It is hard to help without seeing anything.
>
> Sure mate. This was what I could think of that was relevant. If there's anything missing just ask.

Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files
included from it, I think they are in /etc/krb5.conf.d and
/var/lib/sss/pubconf/krb5.include.d

You can see a full list of the directories with

  grep includedir /etc/krb5.conf

The rest of the configuration looks fine but krb5 configs will help to
understand how hostname to realm mapping would be performed and what
else is affecting the configuration.


> # egrep -v "^#|^$" /etc/dovecot/conf.d/10-auth.conf
> auth_realms = INT.R3PEK.ORG
> auth_default_realm = INT.R3PEK.ORG
> auth_username_format = %Ln
> auth_gssapi_hostname = mail01.int.r3pek.org
> auth_krb5_keytab =  /etc/dovecot/mail.keytab
> auth_mechanisms = gssapi plain
> !include auth-system.conf.ext
>
> # egrep -v "^\s*#|^$" /etc/dovecot/conf.d/auth-system.conf.ext
> passdb {
>  driver = pam
> }
> userdb {
>  driver = passwd
>  override_fields = home=/email/%Lu
> }
>
> # klist -k /etc/dovecot/mail.keytab
> Keytab name: FILE:mail.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   1 smtp/[email protected]
>   1 smtp/[email protected]
>   1 smtp/[email protected]
>   1 smtp/[email protected]
>   1 imap/[email protected]
>   1 imap/[email protected]
>   1 imap/[email protected]
>   1 imap/[email protected]
>
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   1 host/[email protected]
>   1 host/[email protected]
>   1 host/[email protected]
>   1 host/[email protected]
>
> # cat /etc/sssd/sssd.conf
> [domain/int.r3pek.org]
>
> id_provider = ipa
> ipa_server = _srv_, ipa01.int.r3pek.org
> ipa_domain = int.r3pek.org
> ipa_hostname = mail01.int.r3pek.org
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> dyndns_update = True
> dyndns_iface = enp6s18
> krb5_store_password_if_offline = True
> [sssd]
> services = nss, pam, ssh, sudo
>
> domains = int.r3pek.org
> [nss]
> homedir_substring = /home

Thanks.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland