So with more reading I've gotten even further, things never mentioned on those howtos:

* You must have some means to authenticate to the Kerberos realm for your domain, in my case the MIT Kerberos client for Windows 8

I've got Dovecot working as expected authenticating using the GSSAPI authentication mechanism, which is great.

Postfix is also talking to SASL Auth daemon but I'm getting some auth errors like this:

Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

While Thunderbird reports this:

Sending of message failed.
The Kerberos/GSSAPI ticket was not accepted by the SMTP server mail.domain.net. Please check that you are logged in to the Kerberos/GSSAPI realm.

I'm in fact logged in to the realm from what I can see in the MIT Kerberos client interface:

I hope the attachment can be seen by the list:



So, as you can see, both smtp/mail.domain.net and imap/mail.domain.net are there, so whatever is causing the issue has to do with SASL, but I haven't been able to find any useful debug commands for it apart from testsaslauthd, which yells

[root@mail ~]# testsaslauthd -u da...@domain.net -p pass
0: NO "authentication failed"

I don't know if I need the /etc/saslauthd.conf file as described in some Postfix+LDAP documents. I tested that with no luck; here's a sample of what I tried.

[root@mail ~]# cat saslauthd.conf
ldap_servers: ldap://ipa.domain.net
ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
ldap_filter: (|(uid=%u)(mail=%u))
ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
ldap_bind_pw: pass

Any advice from you will be greatly appreciated.

Then again, Thanks In Advance guys.

--Regards DavidG

On 6/25/2014 10:25 AM, Simo Sorce wrote:
On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
I don't know if the fact that the server is already enrolled as smtp/mail.domain.net makes dovecot not request any ticket as imap/mail.domain.net, as I don't see any entries for that system in the KDC log.

Dovecot does not require any ticket, it's your clients that do, and you
showed me no logs of clients.

If you are configuring your client to talk to mail.domain.net, then you
*must* have a keys for imap/mail.domain.net on your IMAP server.
Keys for imap/mail01.example.net will be useless as the client won't be
looking for that ticket.

When a client is configured to talk to mail.domain.net it will ask the
KDC for a ticket for the principal named imap/mail.domain.net.
The client also may need to be told what KDC to contact for the
domain.net domain if it really is a different domain from your main one.
You used example.com and domain.net both, so unless it is a bad
substitution, it means you may want to check the documentation for
setting up a correct domain_realm section in your krb5.conf (note that
modern IPA clients that use SSSD do not need manual configuration as
long as you configure the domains list in the ipa server).

You can, of course, have multiple keys if you advertise your service
under multiple names to different clients.

Simo.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
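As an added illustration of the point Simo makes above (a client told to talk to mail.domain.net asks the KDC for imap/mail.domain.net, so the server's keytab must hold exactly that principal, and the realm comes from the krb5.conf domain_realm mapping), here is a small Python script that is not part of the thread: it derives the principal a client will request and checks it against a constructed `klist -k` listing. The domain_realm map, hostnames and keytab entries are all assumed sample values.

```python
# Added example, not from the mailing-list thread: mimic what a Kerberos client
# does when told to talk to an IMAP/SMTP host, then check the server keytab.
# All realms, hostnames and keytab entries below are constructed for illustration.

KRB5_DOMAIN_REALM = {          # stand-in for the [domain_realm] section of krb5.conf
    ".domain.net": "DOMAIN.NET",
    "domain.net": "DOMAIN.NET",
}

def realm_for_host(host, domain_realm):
    """Map a hostname to a realm the way krb5's [domain_realm] lookup works:
    exact hostname first, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None  # real krb5 would fall back to DNS or the default realm

def expected_principal(service, host, domain_realm):
    """The principal a client will request for <service> on <host>."""
    realm = realm_for_host(host, domain_realm)
    if realm is None:
        raise ValueError(f"no realm mapping for {host}")
    return f"{service}/{host.lower()}@{realm}"

# Constructed stand-in for `klist -k` output on the mail server.
KEYTAB = """\
KVNO Principal
   2 host/mail.domain.net@DOMAIN.NET
   2 smtp/mail.domain.net@DOMAIN.NET
   2 imap/mail01.example.net@EXAMPLE.NET
"""

def keytab_principals(klist_output):
    """Parse principal names out of `klist -k` style output."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals

def check_service(service, host, klist_output, domain_realm=KRB5_DOMAIN_REALM):
    """Return (principal, present) for the ticket a client of <host> will ask for."""
    princ = expected_principal(service, host, domain_realm)
    return princ, princ in keytab_principals(klist_output)
```

With the sample keytab, `check_service("imap", "mail.domain.net", KEYTAB)` reports the imap principal as missing even though a key for imap/mail01.example.net exists, which is exactly the mismatch Simo describes.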
