On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
> Hello there everyone, David here,
>
> I'm a big-time Red Hat fan. I work for a company where we have a small 20+
> people directory. I'm currently using Samba4 to offer authentication to
> Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch
> because Samba is a hassle to set up and whenever replication breaks it's
> nearly impossible to rebuild. Anyway, my current environment is Proxmox
> VE 3 as virtualization platform and many CentOS/RedHat servers holding
> my services.
>
> Please excuse me if this was already answered, but after I went through
> the archives I couldn't find anyone facing the same issue. Please bear
> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing
> something or doing it wrong, but after a week struggling with this setup
> I decided to call for the help of the experts.
>
> My environment:
> FreeIPA Server
> CentOS 6.5 x86_64
>
> Mail Server
> CentOS 6.5
> postfix-2.6.6-6.el6_5.x86_64
> dovecot-2.0.9-7.el6.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>
> I've followed these posts from Dale Macartney, whose posts I've also read
> around here:
>
> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
>
> http://www.freeipa.org/page/Dovecot_Integration
>
> None of them seem to work at the moment when using Thunderbird with the
> server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that
>
> <quote>
> "The kerberos/GSSAPI ticket was not accepted by the IMAP server
> da...@domain.com. Please check that you're logged in to the
> Kerberos/GSSAPI realm"
> </quote>

Need more details here. What is the IMAP server name? Check the KDC logs:
do you see the client asking for a ticket? Is it successful?

Without any data I am using my crystal ball and thinking the most probable
cause is that you are using a different name in the client than what you
configured your IMAP server's keytab with.

> with Dovecot I'm getting this
>
> <code>
> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth
> attempts): rip=1.1.1.1, lip=217.1.2.3
> </code>

This is because I guess the client couldn't get a ticket, so it didn't even
attempt authentication.

> I tried manual telnet and used an "authenticate gssapi", which returns "+",
> which means the module is indeed loading and the server is GSSAPI-ready for
> the challenge.
>
> If any one of you could point me in the right direction I'd really
> value that.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
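The mismatch Simo suspects (client configured with one server name, keytab holding a principal for another) can be checked mechanically before touching the KDC logs. The script below is an added example, not code from the thread, FreeIPA or Dovecot. It parses the text printed by `klist -k` / `klist -kt` and compares it with the `imap/<host>@REALM` principal a GSSAPI client derives from the server name it was given; the keytab listing, host names and realm embedded here are constructed sample values, not taken from the thread.

```python
"""Compare the IMAP server name a client is configured with against the
principals in the server's keytab (the mismatch suspected in the reply).

Assumptions (this is an added example, not the thread's own tooling):
  * the keytab listing is the plain text printed by `klist -k` or `klist -kt`
  * the client derives the target principal as imap/<host lowercased>@REALM
"""
import sys

# Constructed sample of `klist -kt` output; the host and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/20/14 10:00:00 imap/mail.example.com@EXAMPLE.COM
   2 06/20/14 10:00:00 imap/mail.example.com@EXAMPLE.COM
"""


def parse_keytab_listing(text):
    """Return the set of principals in klist -k / -kt output.

    Data rows start with a numeric KVNO; the principal is the last column in
    both the -k (no timestamp) and -kt (with timestamp) layouts.
    """
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            principals.add(parts[-1])
    return principals


def expected_principal(service, server_name, realm):
    """Principal a GSSAPI client asks the KDC for: service/<host>@REALM."""
    return f"{service}/{server_name.lower()}@{realm}"


def diagnose(server_name, realm, keytab_text, service="imap"):
    """Return (ok, message); ok is True only when the principal the client
    will request is actually present in the server's keytab."""
    want = expected_principal(service, server_name, realm)
    have = parse_keytab_listing(keytab_text)
    if want in have:
        return True, f"{want} is present in the keytab"
    same_service = sorted(p for p in have if p.startswith(service + "/"))
    hint = ""
    if "." not in server_name:
        # Short names get canonicalised through DNS by most client libraries,
        # so the principal actually requested may differ from `want`.
        hint = " (note: the client name is not an FQDN, so it may be " \
               "canonicalised via DNS before the ticket request)"
    if same_service:
        return False, (f"client will request {want}, but the keytab only has "
                       + ", ".join(same_service)
                       + "; configure the client with the keytab's host name "
                         "or add the requested principal to the keytab" + hint)
    return False, f"no {service}/ principal in the keytab at all{hint}"


if __name__ == "__main__":
    # Usage: klist -kt /etc/dovecot/dovecot.keytab | python3 check.py HOST REALM
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        ok, msg = diagnose(sys.argv[1], sys.argv[2], sys.stdin.read())
    else:  # fall back to the constructed sample so the script runs offline
        ok, msg = diagnose("imap.example.com", "EXAMPLE.COM", SAMPLE_KLIST)
    print(("OK: " if ok else "MISMATCH: ") + msg)
```

With the sample data, asking for `imap.example.com` reports a mismatch and names the `imap/mail.example.com@EXAMPLE.COM` entry the keytab actually holds, which is exactly the situation in which the client gets a ticket the server cannot decrypt (or, as in the Dovecot log above, never completes an authentication attempt at all). A successful `kinit` followed by `kvno imap/<host>` on the client, and the matching request in the KDC log, confirms the same thing from the other side.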