-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/08/2013 02:34 PM, Anthony Messina wrote: > On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote: >>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for >>> authenticated SSO mail sending >> >> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com". >> On the mail server you should obtain the keytab with ipa-getkeytab and >> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf : >> >> smtpd_sasl_auth_enable = yes >> smtpd_sasl_security_options = noanonymous >> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options >> broken_sasl_auth_clients = yes >> smtpd_recipient_restrictions = >> permit_sasl_authenticated, >> permit_mynetworks, >> reject_unauth_destination >> >> Lastly, add to /etc/sasl2/smtpd.conf: >> pwcheck_method: saslauthd >> mech_list: GSSAPI PLAIN LOGIN >> >> Restart postfix and saslauthd and it should work. > > You *may* also need to update Postfix's environment: > > # Import environment for Kerberos v5 GSSAPI > import_environment = > MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C > KRB5_KTNAME=/etc/postfix/smtp.keytab Anthony, where were you declaring the above? In Squid, I've added the keytab to the service startup script. Presumably it would be somewhere similar? Dale > > -A > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRPzK1AAoJEAJsWS61tB+qPuIQAIfFv9uSxgjOx0iItVrOiTJ1 vPNd2pxQwednomutiHtZA8dTfXG1O/pEhbQFytpTm5Gmy4z3HKaVxq2Yb88ebzS5 ANm87rDmmQVRG9SOJhjVCyfFrlelM87Qtt0LBDvyPUUykuYh1j93TWH6E+QITWFJ r+wBn+dVvA4HbhXENpv2drPFMmmdJgRDjvHa4TL2kF8E62Tjp8EkeIwkcTVTK8px HypFZ1CrCh2ZxmNwG0akN4bipZWFzAoWlUXWWJmEwT8TutpaQrdvBIuhSab5UdWv nRsdzpfUpA8z0+qeF6cf2Inw0vCJFFrhezDzow3H/xEsaIEreAz/VriP5kavkoLr NJAZkX/BHCCqqUDGyAI3HYucgcVHlM5K+P4btT0ULZTzxCdeC9vv6IhPyeoeGjyS 9Ox+ipw8Yv+a/le7eFZIhwbU5VePjpAhJTflCya7Rj8YJ2+jBE5UWtut+qCVDduQ KIfZhDaT3o3Vi5aBzK/ziHhDiOg90Et0pyOgwb2u/Bsqqm3TJ7bg/GL9szA/dNH0 PQezfoazK1kE6rAItPvN3++5Xgo7kK0wMm4zNZyevAZ/McKikioec0P0HSLhZcyT /c8JLz3SbYPY2941DvR8n2yrb7vrV8ud6tc2pz0NL30I+2qCOUfr5INNBA+a7f3F leHvuBX3WxuY/ylxV3mW =52yq -----END PGP SIGNATURE-----
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
