On 6/25/2014 10:25 AM, Simo Sorce wrote:
On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
I don't know if the fact that the server is already enrolled as
smtp/mail.domain.net makes dovecot not request any ticket as
imap/mail.domain.net, as I don't see any entries for that system in
the KDC log
Dovecot does not require any ticket, it's your clients that do, and you
showed me no logs of clients.
Sorry about the client logs, I don't really know where Thunderbird stores those, but it's good to understand that. I thought there was some issue with the IMAP server; now it's clear.

I'm getting further and further with the setup. As I told you, after I installed the MIT Kerberos Windows 8 client and checked the DNS records I'm getting the Principal/password prompt; now it's apparently some missing files and wrong permissions from Dovecot that I need to figure out too:

Jun 25 10:32:35 mail dovecot: imap-login: Login: user=<da...@domain.net>, method=GSSAPI, rip=181.140.146.136, lip=217.23.15.26, mpid=5253, TLS
Jun 25 10:32:36 mail dovecot: imap(da...@domain.net): Error: open(/var/mail/da...@domain.net) failed: Permission denied (euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, euid is not dir owner)
Jun 25 10:32:36 mail dovecot: imap(da...@domain.net): Error: Opening INBOX failed: Mailbox doesn't exist: INBOX
Jun 25 10:34:49 mail dovecot: imap(da...@domain.net): Error: open(/var/mail/da...@domain.net) failed: Permission denied (euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, euid is not dir owner)

If you are configuring your client to talk to mail.domain.net, then you
*must* have a key for imap/mail.domain.net on your IMAP server.
Keys for imap/mail01.example.net will be useless as the client won't be
looking for that ticket.

Yup -- from the Kerberos client I see

da...@domain.net
    krbtgt/domain....@domain.net
    imap/mail.domain.net@
    imap/mail.domain....@domain.net

With their respective remaining times

When a client is configured to talk to mail.domain.net it will ask the
KDC for a ticket for the principal named imap/mail.domain.net.
The client also may need to be told what KDC to contact for the
domain.net domain if it really is a different domain from your main one.
You used example.com and domain.net both, so unless it is a bad
substitution, it means you may want to check the documentation for
setting up a correct domain_realm section in your krb5.conf (note that
modern IPA clients that use SSSD do not need manual configuration as
long as you configure the domains list in the ipa server).

Sorry about that example.com / domain.net typo, I just copied the wording from the howto as a substitution for my real domain, which I need to substitute for obvious reasons; I do have everything set to my correct domain name.

You can, of course, have multiple keys if you advertise your service
under multiple names to different clients.

Simo.

Thank you very much for such helpful information you've provided Simo. I know I need to do much much more reading to get this all done.

Now, after I get the permission stuff sorted out I need to delve into Postfix, as I haven't yet found any clear info on setting it up with IPA Server.

--Regards David G
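A small check of the point Simo makes above, added here as an illustration and not code from Simo, the poster or the FreeIPA project: derive the service principal a GSSAPI client will request from the hostname it is configured with (using a constructed [domain_realm] mapping, simplified to suffix matching without DNS fallbacks) and see whether a constructed `klist -k` keytab listing contains it. The realm names, keytab path and listing are assumptions.

```python
import re

# Constructed [domain_realm] mapping from a krb5.conf; placeholder realms.
DOMAIN_REALM = {
    ".domain.net": "DOMAIN.NET",
    "domain.net": "DOMAIN.NET",
}

# Constructed `klist -k` listing for a server enrolled for smtp/ only,
# with no imap/ key yet. Not real output from the poster's system.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ---------------------------------------------
   2 smtp/mail.domain.net@DOMAIN.NET
   2 smtp/mail.domain.net@DOMAIN.NET
"""

def realm_for_host(host, mapping=DOMAIN_REALM):
    """Map a hostname to a realm like libkrb5's [domain_realm] lookup:
    exact hostname first, then parent domains longest-first, with or
    without a leading dot (simplified; DNS fallbacks are not modelled)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for key in ((suffix,) if i == 0 else ("." + suffix, suffix)):
            if key in mapping:
                return mapping[key]
    return None

def expected_principal(service, host):
    """Principal a client asks the KDC for when told to talk to `host`."""
    realm = realm_for_host(host)
    host = host.lower().rstrip(".")
    return None if realm is None else f"{service}/{host}@{realm}"

def keytab_principals(klist_text):
    """Principal names from `klist -k` output (lines of 'KVNO principal')."""
    pat = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$", re.MULTILINE)
    return set(pat.findall(klist_text))

def check_keytab(service, host, klist_text=KLIST_OUTPUT):
    """Return (wanted principal or None, whether the keytab holds it)."""
    wanted = expected_principal(service, host)
    present = wanted is not None and wanted in keytab_principals(klist_text)
    return wanted, present

if __name__ == "__main__":
    print(check_keytab("imap", "mail.domain.net"))
```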

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project