On 24.11.2014 13:56, Maria Jose Yañez Dacosta wrote:
> Hi!,
> 
> I'm installing a Zimbra server to authenticate using SSO against FreeIPA.
> When trying to access I'm getting an error which makes me think that
> I probably forgot to set something else in the FreeIPA configuration.
> 
> Because I'm a newbie with using FreeIPA.
> And when I configured SSO with an existing Kerberos installation it worked.
> So surely the mistake is mine in configuring something on FreeIPA.
> 
> I'll give some details about it, but if you need more information I can share
> it with all of you.
> 
> As a client to access via GSSAPI I use Thunderbird.
> 
> The error I get:
> 
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server
> usu...@fi.example.com.
> Please check that you are logged in to the Kerberos/GSSAPI realm".
> 
> Steps to Reproduce in FreeIPA:
> 
> 1) I add the entry to the imap service by Identity Management.
>    In Services HBAC add imap/fi.example....@fi.example.com.
> 
> By clicking on it.
> I get the following information about status:
> - Key current Kerberos Service provided
> - Service Certificate: Certificate not valid
> 
> 2) I got the keytab which is then used in the installation of Zimbra as
> follows:
> 
> ipa-getkeytab freeipafi.example.com -p -s imap /
> zimbrafreeipa.fi.example.com -k /tmp/keytab/ticket.keytab
> 
> Thanks for any help or clarification.
> Greetings!.

For the beginning, try to run this on the *client* machine:
$ kvno imap/fi.example....@fi.example.com

If it works then the Kerberos principal itself and the client configuration
should be okay and it is necessary to look at the server configuration.

If it doesn't work you may try to run it as:
$ KRB5_TRACE=/dev/stdout kvno imap/fi.example....@fi.example.com
or alternatively
$ KRB5_TRACE=/dev/stdout thunderbird

and check debug messages.

Usual mistakes:
- wrong file permissions on keytab file used by server
- wrong SELinux label on the keytab file
- wrong DNS configuration which prevents client from finding server or KDC
(this possibility should be eliminated by kvno command above)

Have a nice day!

-- 
Petr^2 Spacek
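
The server-side items from the list of usual mistakes above (keytab permissions, SELinux label, keytab contents), as an added example that is not part of the original message or of FreeIPA. It assumes GNU stat and MIT klist; the function name check_keytab and the path, user and principal in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. check_keytab is a hypothetical name.
# Usage (placeholder values):
#   check_keytab /path/to/service.keytab serviceuser 'imap/host.example.com@EXAMPLE.COM'
# Returns 0 when no problem was found, non-zero otherwise.
check_keytab() {
    ck_file=$1; ck_user=$2; ck_princ=${3:-}; ck_bad=0

    if [ ! -f "$ck_file" ]; then
        echo "FAIL: $ck_file is missing or not a regular file"
        return 1
    fi

    # File permissions: the keytab holds the service's long-term keys, so it
    # must be readable by the service account and by nobody else.
    ck_owner=$(stat -c '%U' "$ck_file") || ck_owner=unknown
    ck_mode=$(stat -c '%a' "$ck_file") || ck_mode=unknown
    if [ "$ck_owner" != "$ck_user" ]; then
        echo "FAIL: owner is $ck_owner, expected $ck_user"
        ck_bad=$((ck_bad + 1))
    fi
    case $ck_mode in
        [4-7]00) echo "OK: mode $ck_mode" ;;
        *) echo "FAIL: mode $ck_mode, expected owner-only access such as 600"
           ck_bad=$((ck_bad + 1)) ;;
    esac

    # SELinux label: printed for review; the right type depends on the
    # service's policy, so this is informational and not counted.
    ck_ctx=$(stat -c '%C' "$ck_file" 2>/dev/null) || ck_ctx=unavailable
    echo "INFO: SELinux context: $ck_ctx"

    # Keytab contents: the principal the client asks for must be present.
    if [ -n "$ck_princ" ] && command -v klist >/dev/null 2>&1; then
        if klist -k "$ck_file" 2>/dev/null | grep -qF "$ck_princ"; then
            echo "OK: keytab contains $ck_princ"
        else
            echo "FAIL: $ck_princ not found in keytab"
            ck_bad=$((ck_bad + 1))
        fi
    fi

    [ "$ck_bad" -eq 0 ]
}
```

Run it on the server as root or as the service account, since the keytab should not be readable by anyone else.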
