Alexander, thank you very much for your config sample, I took some time and compared to mine and they're pretty much the same, I want to move mailboxes to Maildir style because the system I'm planning to migrate to this IPA deployment does use Maildir style mailboxes.

Thanks and cheers.

On 6/25/2014 10:54 AM, Alexander Bokovoy wrote:
On Sun, 22 Jun 2014, Dave Gonzalez wrote:
Hello there everyone David here,

I'm a big time Red Hat fan, I work for a company where we have a small 20+ people directory, I'm currently using Samba4 to offer authentication to Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch because samba is a hassle to setup and whenever replication breaks it's nearly impossible to rebuild, anyways, my current environment is Proxmox VE 3 as virtualization platform and many CentOS/RedHat Servers holding my services.

Please excuse me if this was already answered but after I went through the archives I couldn't find anyone facing the same issue, please bear with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing something or doing it wrong but after a week struggling with this setup I decided to call for the help of the experts.

My environment:
FreeIPA Server
CentOS 6.5 x86_64

Mail Server
CentOS 6.5
postfix-2.6.6-6.el6_5.x86_64
dovecot-2.0.9-7.el6.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64

I've followed these posts from Dale Macartney, whose posts I've also read around here

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

http://www.freeipa.org/page/Dovecot_Integration

None of them seem to work at the moment when using Thunderbird with the server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that

<quote>
"The kerberos/GSSAPI ticket was not accepted by the IMAP server da...@domain.com. Please check that you're logged in to the Kerberos/GSSAPI realm"
</quote>

with Dovecot I'm getting this

<code>
Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth attempts): rip=1.1.1.1, lip=217.1.2.3
</code>

I tried a manual telnet and issued 'a authenticate gssapi', which returns "+", which means the module is indeed loading and the server is gssapi-ready for the challenge.

If anyone of you could point me into the right direction I'd really value that.
The following configuration works for me (generated with 'dovecot -n' from
my actual config files):

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug)
auth_default_realm = VDA.LI
# keytab holding the imap/<hostname> service principal; must be readable by the dovecot user
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
# only GSSAPI is offered, so clients must hold a Kerberos ticket
auth_mechanisms = gssapi
auth_realms = VDA.LI
base_dir = /var/run/dovecot/
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
 inbox = yes
 location =
 mailbox Drafts {
   special_use = \Drafts
 }
 mailbox Junk {
   special_use = \Junk
 }
 mailbox Sent {
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Trash {
   special_use = \Trash
 }
 prefix =
}
passdb {
 driver = pam
}
userdb {
 driver = passwd
}
# plaintext is never allowed; GSSAPI still runs over STARTTLS/IMAPS
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem


The /etc/dovecot/dovecot.keytab contains the keytab, obtained with
# kinit  admin
# ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab
# chown dovecot /etc/dovecot/dovecot.keytab


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
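As an added check, not part of this thread or of Dovecot/FreeIPA, the POSIX shell functions below verify a Dovecot GSSAPI setup against the settings shown in Alexander's working 'dovecot -n' output and the keytab steps he lists. The hostname mail.example.test, the realm EXAMPLE.TEST and the klist listing are constructed placeholders; the '--live' path assumes a Linux host with dovecot, klist and GNU stat installed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a Dovecot GSSAPI setup.
# Offline checks take the text of 'dovecot -n' and 'klist -kt' as arguments;
# '--live' runs them against the real host (assumes Linux, GNU stat, MIT klist).

# Required settings, taken from the working 'dovecot -n' output in the thread.
# Returns 0 when all are present, 1 otherwise, naming each missing one on stderr.
check_dovecot_conf() {
  conf=$1; rc=0
  printf '%s\n' "$conf" | grep -Eq '^auth_mechanisms[[:space:]]*=.*gssapi' \
    || { echo "auth_mechanisms does not include gssapi" >&2; rc=1; }
  printf '%s\n' "$conf" | grep -Eq '^auth_krb5_keytab[[:space:]]*=[[:space:]]*/' \
    || { echo "auth_krb5_keytab is not set to a path" >&2; rc=1; }
  printf '%s\n' "$conf" | grep -Eq '^ssl[[:space:]]*=[[:space:]]*required' \
    || { echo "ssl is not 'required'" >&2; rc=1; }
  return $rc
}

# Does the keytab listing contain the imap/<host>@<REALM> principal that
# ipa-getkeytab -p imap/`hostname` should have written?
# Usage: check_keytab_principal KLIST_TEXT HOST REALM
check_keytab_principal() {
  printf '%s\n' "$1" | grep -Fq "imap/$2@$3"
}

# Constructed sample inputs (mail.example.test / EXAMPLE.TEST are placeholders).
SAMPLE_CONF='auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_realms = EXAMPLE.TEST
ssl = required'
SAMPLE_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   1 06/25/14 10:00:00 imap/mail.example.test@EXAMPLE.TEST'

if [ "${1:-}" = "--live" ]; then
  kt=/etc/dovecot/dovecot.keytab
  realm=$(dovecot -n | sed -n 's/^auth_default_realm *= *//p')
  check_dovecot_conf "$(dovecot -n)"
  check_keytab_principal "$(klist -kt "$kt")" "$(hostname)" "$realm" \
    || echo "no imap/$(hostname)@$realm principal in $kt" >&2
  # the thread's last step: the keytab must belong to the dovecot user
  [ "$(stat -c %U "$kt")" = dovecot ] || echo "$kt is not owned by dovecot" >&2
fi
```

Run it as `sh check.sh --live` on the mail server; each message printed points at one of the three things the working config relies on.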