Thank you for the information, I have come to the same conclusion after forcing 
myself to delve deeper into the mysteries of Kerberos and its limitations.
Local storage of the users' mail on the mail server seems to be the only valid 
option (or make the NFS server work double as mail server too).
I am definitely looking forward to reading your article when it is done.

Regards,
Johan.


________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dale Macartney [d...@themacartneyclan.com]
Sent: Thursday, March 07, 2013 13:35
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.




On 03/06/2013 02:33 PM, Johan Petersson wrote:
> Hi,
> I hope someone here can shed some light on what is wrong in my test 
> environment.
> The error seems to be that Dovecot on the mail server wants to access the mail folder 
> in my home directory on the NFS server but can't get credentials for it. 
> rpc.gssd on the mail server tries either to open a cache file in /tmp that is 
> corrupt or expired, or if no cache file exists it just does an error downcall.
> No attempt to update the key or create a new one.
> Should not forwardable tickets update the cache or generate a new one?
> The permission denied error in maillog I believe is because of no valid 
> Kerberos credentials.
>
> IPAserver
> NFS Server for Home Directory through autofs, IPA Client with 
> nfs/share.test.net
> Mail server IPA Client with imap/mail.test.net,smtp/mail.test.net
>
> Client PCs that are also IPA clients
>
> Everything is Red Hat 6.4 server and Client with default settings for IPA 
> server and client.
>
> When trying to get mail I get "ticket not accepted", but I do get an imap ticket 
> that I can see with klist.
>
> Ticket cache: FILE:/tmp/krb5cc_1644800003_UsqtSh
> Default principal: jo...@test.net
>
> Valid starting       Expires              Service principal
> 03/06/13 14:34:28    03/07/13 14:34:28    krbtgt/test....@test.net
> 03/06/13 14:40:41    03/07/13 14:34:28    imap/mail.test....@test.net
> 03/06/13 14:44:43    03/07/13 14:34:28    host/share.test....@test.net
>
> Hopefully relevant logs:
>
> Mail Server /var/log/messages with rpc.gssapi -vvv:
>
> Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall 
> (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall: 'mech=krb5 
> uid=1644800003 enctypes=18,17,16,23,3,1,2 '
> Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall 
> (/var/lib/nfs/rpc_pipefs/nfs/clnt12)
> Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall: service is '<null>'
> Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with uid 
> 1644800003 for server share.test.net
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' 
> being considered, with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' 
> owned by 0, not 1644800003
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' 
> being considered, with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' 
> owned by 0, not 1644800003
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being considered, 
> with preferred realm 'TEST.NET'
> Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0, not 
> 1644800003
> Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5 context 
> for user with uid 1644800003 for server share.test.net
> Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall
>
> Mail Server /var/log/maillog:
>
> Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up (core dumps disabled)
> Mar 06 14:43:21 auth: Debug: Loading modules from directory: 
> /usr/lib64/dovecot/auth
> Mar 06 14:43:21 auth: Debug: Module loaded: 
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Mar 06 14:43:21 auth: Debug: Module loaded: 
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Mar 06 14:43:21 auth: Debug: Module loaded: 
> /usr/lib64/dovecot/auth/libmech_gssapi.so
> Mar 06 14:43:21 auth: Debug: auth client connected (pid=2183)
> Mar 06 14:43:21 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured 
> lip=192.168.0.33 rip=192.168.0.202 lport=143 rport=36424
> Mar 06 14:43:21 auth: Debug: gssapi(?,192.168.0.202): Using all keytab entries
> Mar 06 14:43:21 auth: Debug: client out: CONT 1
> Mar 06 14:43:21 auth: Debug: client in: CONT<hidden>
> Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202): 
> security context state completed.
> Mar 06 14:43:21 auth: Debug: client out: CONT 1 
> YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv1MwL+M8NJprfWznLmhNSKz2ONwOwvw+2nJkIlLZiRLgIfQECmsAnkj6v54ukCkFNkcl0eCKTuHX9/8CTSpBQZL0RpeHHqfqMDDVRtKuiVaK7DzFOf/RC2ZTKmRD4l54p4PF5KA39L3VTNbkKhsIN
> Mar 06 14:43:21 auth: Debug: client in: CONT<hidden>
> Mar 06 14:43:21 auth: Debug: gssapi(jo...@test.net,192.168.0.202): 
> Negotiated security layer
> Mar 06 14:43:21 auth: Debug: client out: CONT 1 
> BQQF/wAMAAAAAAAAN4/a0gH///+o8Mw0PdRlusfHcCo=
> Mar 06 14:43:21 auth: Debug: client in: CONT<hidden>
> Mar 06 14:43:21 auth: Debug: client out: OK 1 user=johan
> Mar 06 14:43:21 auth: Debug: master in: REQUEST 1818361857 2183 1 
> 2f9e416bebaaac9a0a3f266165753c1b
> Mar 06 14:43:21 auth: Debug: passwd(johan,192.168.0.202): lookup
> Mar 06 14:43:21 auth: Debug: master out: USER 1818361857 johan 
> system_groups_user=johan uid=1644800003 gid=1644800003 home=/nethome/johan
> Mar 06 14:43:21 imap-login: Info: Login: user=<johan>, method=GSSAPI, 
> rip=192.168.0.202, lip=192.168.0.33, mpid=2186, TLS
> Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/) failed: Permission 
> denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: 
> /nethome/johan, euid is not dir owner)
> Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan) failed: Permission 
> denied
> Mar 06 14:43:21 imap(johan): Error: user johan: Initialization failed: 
> Initializing mail storage from mail_location setting failed: 
> stat(/nethome/johan/mail) failed: Permission denied (euid=1644800003(johan) 
> egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner)
> Mar 06 14:43:21 imap(johan): Error: Invalid user settings. Refer to server 
> log for more information.
Sorry to sidetrack the mail thread, Johan.

The messages below indicate that there is no home directory mounted when imap 
is trying to connect.

Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/) failed: Permission 
denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: 
/nethome/johan, euid is not dir owner)
Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan) failed: Permission 
denied
Mar 06 14:43:21 imap(johan): Error: user johan: Initialization failed: 
Initializing mail storage from mail_location setting failed: 
stat(/nethome/johan/mail) failed: Permission denied (euid=1644800003(johan) 
egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner)

What I have done is set the mail destination to /var/mail/ on the mail server, 
and then let the user's mail client redirect the mail to their home directory.

The issue here is that because the user isn't actually logging into the mail server 
as you normally would in an interactive session, their home directory is not 
accessible.

Basically imap is doing what it's meant to be doing; however, accessing storage 
that doesn't exist due to another aspect of the infrastructure is what's getting in 
the way.

My original goal was to store mail on an NFS share in their home dir as well, 
however I am yet to achieve this solution.

I have reopened this mini-project to update the howto for RHEL 6.4 and IPA 3.0, 
so stay tuned for a new article if you don't get up and running before then.

This will be more of an SMTP + IMAP + IPA solution, however, as they all need to 
work together.

Dale

>
> NFS Server /var/log/messages with rpc.svcgssd -vvv:
>
> Mar 6 14:43:21 share rpc.svcgssd[17422]: handling null request
> Mar 6 14:43:21 share rpc.svcgssd[17422]: svcgssd_limit_krb5_enctypes: Calling 
> gss_set_allowable_enctypes with 7 enctypes from the kernel
> Mar 6 14:43:21 share rpc.svcgssd[17422]: sname = nfs/mail.test....@test.net
> Mar 6 14:43:21 share rpc.svcgssd[17422]: DEBUG: serialize_krb5_ctx: lucid 
> version!
> Mar 6 14:43:21 share rpc.svcgssd[17422]: prepare_krb5_rfc4121_buffer: 
> protocol 1
> Mar 6 14:43:21 share rpc.svcgssd[17422]: prepare_krb5_rfc4121_buffer: 
> serializing key with enctype 18 and size 32
> Mar 6 14:43:21 share rpc.svcgssd[17422]: doing downcall
> Mar 6 14:43:21 share rpc.svcgssd[17422]: mech: krb5, hndl len: 4, ctx len 52, 
> timeout: 1362657132 (79731 from now), clnt: n...@mail.test.net, uid: -1, gid: -1, 
> num aux grps: 0:
> Mar 6 14:43:21 share rpc.svcgssd[17422]: sending null reply
> Mar 6 14:43:21 share rpc.svcgssd[17422]: writing message: \x 
> Mar 6 14:43:21 share rpc.svcgssd[17422]: finished handling null request
> Mar 6 14:43:21 share rpc.svcgssd[17422]: entering poll
>
> IPA Server /var/log/dirsrv/slapd-TEST-NET/access:
>
> [06/Mar/2013:14:43:21 +0100] conn=1273 fd=70 slot=70 connection from 
> 192.168.0.33 to 192.168.0.30
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 BIND dn="" method=sasl version=3 
> mech=GSSAPI
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 RESULT err=14 tag=97 nentries=0 
> etime=0, SASL bind in progress
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 BIND dn="" method=sasl version=3 
> mech=GSSAPI
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 RESULT err=14 tag=97 nentries=0 
> etime=0, SASL bind in progress
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 BIND dn="" method=sasl version=3 
> mech=GSSAPI
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 RESULT err=0 tag=97 nentries=0 
> etime=0 dn="fqdn=mail.test.net,cn=computers,cn=accounts,dc=test,dc=net"
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 SRCH 
> base="automountmapname=auto_nethome,cn=default,cn=automount,dc=test,dc=net" 
> scope=2 
> filter="(&(objectClass=automount)(|(automountKey=johan)(automountKey=/)(automountKey=\2a)))"
>  attrs="automountKey automountInformation"
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 RESULT err=0 tag=101 nentries=1 
> etime=0
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 UNBIND
> [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 fd=70 closed - U1
> [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 SRCH 
> base="cn=accounts,dc=test,dc=net" scope=2 
> filter="(&(uid=nfs/mail.test.net)(objectClass=posixAccount))" 
> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory 
> loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn 
> shadowLastChange shadowMin shadowMax shadowWarning shadowInactive 
> shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute 
> authorizedService accountexpires useraccountcontrol nsAccountLock host 
> logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
> [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 RESULT err=0 tag=101 nentries=0 
> etime=0
>
> Regards,
> Johan.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
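The rpc.gssd lines Johan quoted already contain the diagnosis Dale describes: gssd walks the /tmp/krb5cc_* caches, rejects every one that is not owned by the requesting uid (all three are owned by root here), and then gives up with an error downcall, so the imap process for uid 1644800003 never gets an NFS security context. As an added example (not code from the thread or from FreeIPA/Dovecot), the following parser runs over those constructed log lines and summarises each upcall:

```python
import re

# Constructed sample: the rpc.gssd -vvv lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with uid 1644800003 for server share.test.net
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET'
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' being considered, with preferred realm 'TEST.NET'
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' owned by 0, not 1644800003
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'
Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0, not 1644800003
Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net
Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall
"""

GETTING = re.compile(r"getting credentials for client with uid (\d+) for server (\S+)")
REJECTED = re.compile(r"CC file '([^']+)' owned by (\d+), not (\d+)")
FAILED = re.compile(r"Failed to create krb5 context for user with uid (\d+) for server (\S+)")


def diagnose_gssd(log_text):
    """Group rpc.gssd -vvv output into upcalls (one per uid/server pair) and record
    which credential caches were rejected for ownership and whether the upcall failed."""
    upcalls, current = [], None
    for line in log_text.splitlines():
        m = GETTING.search(line)
        if m:
            current = {"uid": int(m.group(1)), "server": m.group(2),
                       "rejected": [], "failed": False}
            upcalls.append(current)
            continue
        if current is None:
            continue
        m = REJECTED.search(line)
        if m:
            current["rejected"].append((m.group(1), int(m.group(2))))
        elif FAILED.search(line):
            current["failed"] = True
    return upcalls


def explain(upcall):
    """Plain-language verdict: with no cache owned by the uid on this host, gssd cannot
    build a GSS context for that user, however the user's own tickets look elsewhere."""
    if not upcall["failed"]:
        return "ok"
    owners = sorted({owner for _, owner in upcall["rejected"]})
    return (f"uid {upcall['uid']} has no krb5 credential cache readable by rpc.gssd on this "
            f"host; {len(upcall['rejected'])} cache(s) seen, owned by uid(s) {owners}; "
            f"access to {upcall['server']} fails with an error downcall")
```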
