On 6/25/2014 8:17 AM, Simo Sorce wrote:
On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
Hello there everyone David here,
I'm a big-time Red Hat fan. I work for a company where we have a small 20+
people directory, and I'm currently using Samba4 to offer authentication to
Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch
because Samba is a hassle to set up and whenever replication breaks it's
nearly impossible to rebuild. Anyway, my current environment is Proxmox
VE 3 as virtualization platform and many CentOS/RedHat servers holding
my services.
Please excuse me if this was already answered, but after I went through
the archives I couldn't find anyone facing the same issue; please bear
with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing
something or doing it wrong, but after a week struggling with this setup
I decided to call for the help of the experts.
My environment:
FreeIPA Server
CentOS 6.5 x86_64
Mail Server
CentOS 6.5
postfix-2.6.6-6.el6_5.x86_64
dovecot-2.0.9-7.el6.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
I've followed these posts from Dale Macartney, whose posts I've also read
around here:
https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
http://www.freeipa.org/page/Dovecot_Integration
None of them seem to work at the moment when using Thunderbird with the
server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that
<quote>
"The kerberos/GSSAPI ticket was not accepted by the IMAP server
da...@domain.com. Please check that you're logged in to the
Kerberos/GSSAPI realm"
</quote>
Need more details here.
What is the IMAP server name?
Dovecot and Postfix are running on the same server, which I already added with
ipa service-add mail.domain.net, downloaded the keytabs, and set up
everything as per the howtos mentioned in my first post.
Check the KDC logs: do you see the client asking for a ticket? Is it
successful?
Yes -- the IPA server is indeed showing some tickets; here's
/var/log/krb5kdc.log:
6 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain....@domain.net for
krbtgt/domain....@domain.net, Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
host/mail.domain....@domain.net for krbtgt/domain....@domain.net,
Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18
tkt=18 ses=18}, host/mail.domain....@domain.net for
krbtgt/domain....@domain.net
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18
tkt=18 ses=18}, host/mail.domain....@domain.net for
ldap/ipa.domain....@domain.net
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain....@domain.net for krbtgt/domain....@domain.net,
Additional pre-authentication required
Jun 25 08:31:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain....@domain.net for krbtgt/domain....@domain.net,
Additional pre-authentication required
Jun 25 08:32:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain....@domain.net for krbtgt/domain....@domain.net,
Additional pre-authentication required
Without any data I am using my crystal ball and thinking the most
probable cause is that you are using a different name in the client than
what you configured your IMAP server's keytab with.
I did this:
ipa-client-install -U -p admin -w mysecretpassword
auth_mechanisms = gssapi
auth_gssapi_hostname = mail01.example.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_realms = example.com
auth_default_realm = example.com
# kinit admin
Password for ad...@example.com:
# ipa service-add imap/mail01.example.com
# ipa-getkeytab -s ds01.example.com -p imap/mail01.example.com -k
/etc/dovecot/krb5.keytab
With my own values of course.
Now, as an update on the progress of my research, I installed the MIT
Kerberos Windows client and I'm getting a prompt to enter my
da...@domain.net and password; then, after enabling Dovecot's IMAP logs:
Jun 25 09:39:13 mail dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 25 09:39:13 mail dovecot: auth: Debug: auth client connected (pid=4576)
Jun 25 09:39:14 mail dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=217.23.15.26#011rip=181.140.146.136#011lport=143#011rport=64275
Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(?,181.140.146.136):
Obtaining credentials for i...@mail.domain.net
Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug: client in:
CONT#0111#011YIICbQYJKoZIhvcSAQICAQBuggJcMIICWKADAgEFoQMCAQ6iBwMFACAAAACjggFvYYIBazCCAWegAwIBBaEOGwxQQVlNVU5ETy5ORVSiJDAioAMCAQOhGzAZGwRpbWFwGxFtYWlsLnBheW11bmRvLm5ldKOCASgwggEkoAMCARKhAwIBA6KCARYEggESURD7IYGOw0RjKSrRT.....x1j6YNFQiORWEY5InF1HB7Thgi+DMMyZLSQ/7qMQ7d.....qSH/BQVlm7G2gRvfT4DW2O6Sq0j4+AqZDF+EJhIE9jiZmoBSdkVECKnurcsLNgEEDp+mX..........6X1qV0oXwLmiRw9k50/F4fkO7JC+6f1OutHALQwT72K1b0ZYHhp8vPAihiDX3ZKaPOJOlS7GIf2THufWzqf5lskJihkwcN6LAPOK........hwekM0WmY2rDWm2I8/jBYPlu4Yp4j1+8lE2y10f1iBIxkAgnMyG3ZbIqQUT7lE5qSBzzCBzKADAgESooHEBIHBRg+jmt1e3f7jnTegfWoiaBzIli3s/L1ZstEPq6hiwW4T8kUfZyuf6WTZKq/k0e4jz76lP4nCK5MHwV/OM0a+rBhUGeHU2mN7MQt63eLRlf+XAKT3FlmQArcqWzKCtjsIdTxtJj9dt9EhHUNU+PgjiTNAA9LeFxHNxN8l9xPDawy60j96wAka1QI4g==
Jun 25 09:39:14 mail dovecot: auth: Debug:
gssapi(da...@domain.net,181.140.146.136): security context state completed.
Jun 25 09:39:14 mail dovecot: auth: Debug: client out:
CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+ieq1mPuNUjd7eq2zRkDb8B0Im1Z5lPSxRL+Gn9Ljy7VOtJsQYq+EWgDlP+kPGWxVA6DtASk4hO+sD3jZTAd
Jun 25 09:39:14 mail dovecot: auth: Debug: client in: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug:
gssapi(da...@domain.net,181.140.146.136): Negotiated security layer
Jun 25 09:39:14 mail dovecot: auth: Debug: client out:
CONT#0111#011QF/wAMAAAQ2yTAH///8hlXwCrWScU=
Jun 25 09:39:15 mail dovecot: auth: Debug: client in:
CONT#0111#011BQQE/wAMAAAEAAABkYXZpZFin/xrUh3Faw/W0IA==
Jun 25 09:39:15 mail dovecot: auth: Debug: client out:
OK#0111#011user=da...@domain.net
Jun 25 09:39:15 mail dovecot: auth: Debug: master in:
REQUEST#0113104702465#0114576#0111#011d8d0053151d33c802
Jun 25 09:39:15 mail dovecot: auth: Debug: master out:
USER#0113104702465#011da...@domain.net#011uid=97#011gid=97#011home=/var/spool/mail/da...@domain.net
Jun 25 09:39:15 mail dovecot: imap-login: Login:
user=<da...@domain.net>, method=GSSAPI, rip=181.140.146.136,
lip=217.23.15.26, mpid=4579, TLS
Jun 25 09:39:15 mail dovecot: imap(da...@domain.net): Error: user
da...@domain.net: Couldn't drop privileges: Mail access for users with
UID 97 not permitted (see first_valid_uid in config file).
Jun 25 09:39:15 mail dovecot: imap(da...@domain.net): Error: Internal
error occurred. Refer to server log for more information.
Now, the latter part regarding the first_valid_uid issue is never
mentioned in the online howtos, so there's another new issue, but at
least now I see the system and Thunderbird trying to authenticate.
HTH; if you need any more info, please let me know.
Thank you very much for taking the time to reply to my question.
With Dovecot I'm getting this:
<code>
Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth
attempts): rip=1.1.1.1, lip=217.1.2.3
</code>
This is because, I guess, the client couldn't get a ticket, so it didn't
even attempt authentication.
I don't know if the fact that the server is already enrolled as
smtp/mail.domain.net makes Dovecot not request any ticket as
imap/mail.domain.net, as I don't see any entries for that system in the
KDC log.
I tried a manual telnet and used AUTHENTICATE GSSAPI, which returns "+",
which means the module is indeed loading and the server is GSSAPI-ready for
the challenge.
If anyone of you could point me into the right direction I'd really
value that.
HTH,
Simo.
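The two checks this thread turns on are "did the KDC ever see a request involving imap/<mailhost>?" and "is the UID Dovecot's userdb returned below first_valid_uid?". The script below is an added example, not code from the thread or from FreeIPA/Dovecot: it parses MIT krb5kdc and Dovecot auth-debug lines and answers both questions. The log lines embedded in it are constructed samples modelled on the ones posted above, with the anonymised principal names spelled out (mail.domain.net, DOMAIN.NET and david@domain.net are placeholders); the 500 used for first_valid_uid is Dovecot's documented default, and on a real server you would pass the value from the running configuration instead.

```python
"""Added example: check krb5kdc and Dovecot logs for the two failure modes
discussed in the thread (no imap/ ticket activity; userdb UID below
first_valid_uid). All log lines here are constructed samples."""
import re
from collections import defaultdict

# Matches the AS_REQ / TGS_REQ lines MIT krb5kdc writes for both the
# NEEDED_PREAUTH and the ISSUE outcome, capturing client and service principal.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*?\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
)

# Dovecot's auth protocol is tab-separated; syslog renders each tab as "#011".
USERDB_RE = re.compile(
    r"master out: USER(?:#011|\t)\d+(?:#011|\t)(?P<user>[^#\t]+)"
    r"(?:#011|\t).*?uid=(?P<uid>\d+)"
)


def parse_kdc(lines):
    """Yield one dict per AS_REQ/TGS_REQ line; unrelated lines are skipped."""
    for line in lines.splitlines():
        m = KDC_RE.search(line)
        if m:
            yield m.groupdict()


def ticket_summary(lines):
    """Map client principal -> set of (request type, status, service principal)."""
    summary = defaultdict(set)
    for ev in parse_kdc(lines):
        summary[ev["client"]].add((ev["req"], ev["status"], ev["server"]))
    return dict(summary)


def imap_principal_seen(lines, mailhost):
    """True if any KDC line names imap/<mailhost> as requester or as service."""
    wanted = f"imap/{mailhost}@"
    return any(ev["client"].startswith(wanted) or ev["server"].startswith(wanted)
               for ev in parse_kdc(lines))


def userdb_uids(lines):
    """Map user -> uid from Dovecot 'master out: USER ...' debug lines."""
    found = {}
    for line in lines.splitlines():
        m = USERDB_RE.search(line)
        if m:
            found[m.group("user")] = int(m.group("uid"))
    return found


def users_below_first_valid_uid(lines, first_valid_uid=500):
    """Users whose userdb uid Dovecot refuses with "Couldn't drop privileges".
    500 is Dovecot's documented default; pass the configured value when known."""
    return sorted((u, uid) for u, uid in userdb_uids(lines).items()
                  if uid < first_valid_uid)


def diagnose(kdc_log, dovecot_log, mailhost, first_valid_uid=500):
    """One report covering both checks."""
    return {
        "clients_seen": sorted(ticket_summary(kdc_log)),
        "imap_ticket_seen": imap_principal_seen(kdc_log, mailhost),
        "refused_uids": users_below_first_valid_uid(dovecot_log, first_valid_uid),
    }


# Constructed samples modelled on the thread: only smtp/ and host/ principals
# talk to the KDC, and the userdb hands back uid 97 for the mail user.
KDC_LOG = """\
Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net@DOMAIN.NET for krbtgt/DOMAIN.NET@DOMAIN.NET, Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: host/mail.domain.net@DOMAIN.NET for krbtgt/DOMAIN.NET@DOMAIN.NET, Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain.net@DOMAIN.NET for krbtgt/DOMAIN.NET@DOMAIN.NET
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain.net@DOMAIN.NET for ldap/ipa.domain.net@DOMAIN.NET
"""

DOVECOT_LOG = """\
Jun 25 09:39:15 mail dovecot: auth: Debug: master out: USER#0113104702465#011david@domain.net#011uid=97#011gid=97#011home=/var/spool/mail/david@domain.net
Jun 25 09:39:15 mail dovecot: imap(david@domain.net): Error: user david@domain.net: Couldn't drop privileges: Mail access for users with UID 97 not permitted (see first_valid_uid in config file).
"""

if __name__ == "__main__":
    for key, value in diagnose(KDC_LOG, DOVECOT_LOG, "mail.domain.net").items():
        print(f"{key}: {value}")
```

On a real server, feed it the actual /var/log/krb5kdc.log and the Dovecot log with `auth_debug = yes`; a working GSSAPI IMAP login should show a TGS_REQ with ISSUE for imap/<mailhost> from the client's address, and `refused_uids` should be empty once the userdb returns a UID at or above the configured first_valid_uid.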
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project