Re: [Freeipa-users] Having difficulty installing on Fedora 20
On 24.6.2014 21:40, Carl Perry wrote:
> Whoops, let me send replies to the list. Sorry about that!
>
> It appears the problem is with named not starting. I did install the
> required packages, but it looks like SELinux is getting in the way:
>
>     [root@freeipa named]# named -f -d 255
>     isc_file_isplainfile 'data/named.run' failed: permission denied
>     [root@freeipa named]#
>
> It took some time digging through logs and startup scripts to find the
> exact issue.

Interesting. First of all, try to start named with

    named -g -u named

and look for error messages. IMHO SELinux correctly prevents it from running
under the root account as it is undesirable.

Also, it would be valuable to see error messages or AVCs from
/var/log/audit/audit.log. Did you find any error in
/var/log/ipaserver-install.log?

Petr^2 Spacek

> -Carl
>
> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>> err http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation of course
>> Rob
>>
>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:
>>> I saw this in your log:
>>>
>>>     snip
>>>     Global DNS configuration in LDAP server is empty
>>>     You can use 'dnsconfig-mod' command to set global DNS options that
>>>     would override settings in local named.conf files
>>>     snip
>>>
>>> Did you install bind and bind-dyndb-ldap?
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>
>>> Just meddling around with ipa myself
>>> Rob
>>>
>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek pspa...@redhat.com:
>>>> Hello!
>>>>
>>>> That is interesting. Do you have latest updates? Please see
>>>> http://www.freeipa.org/page/Troubleshooting
>>>>
>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>
>>>> If the web page doesn't cover your case please send us the log file
>>>> mentioned in the error message.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
Since this information isn't in the Web Interface, how do I query the IPA LDAP server to prove that IPA is talking to our AD server in order to get identity and authorization information? Yes, we know we've established a trust for our Linux subdomain, but there's nothing that I can find that says it's our AD server.
Re: [Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
On Wed, Jun 25, 2014 at 08:36:49AM -0400, Mark Gardner wrote:
> Since this information isn't in the Web Interface, how do I query the
> IPA LDAP server to prove that IPA is talking to our AD server in order
> to get identity and authorization information? Yes, we know we've
> established a trust for our Linux subdomain, but there's nothing that I
> can find that says it's our AD server.

Trust is not about trusting a server but trusting the whole forest. So we are not connecting to a specific AD server but use DNS SRV records to find all the DCs in your forest/domain and pick one. This is why you only see information about the trusted domain and not about AD servers in the Web UI.

To verify which AD server SSSD is talking to (SSSD is used by recent versions of IPA to get the user and group data from AD) you can e.g. call

    netstat -danpt | grep sssd

As an alternative you can run SSSD with debug_level 7 or higher and look for 'New LDAP connection to' messages in the logs.

HTH

bye,
Sumit
[Freeipa-users] FreeIPA Postfix+Dovecot
Hey again guys,

I know and understand there are topics that draw more interest and attention than others, but I'd really need to insist on a *working* FreeIPA+Postfix+Dovecot tutorial tested by any members of the community. I'd like to deploy this setup for my company so that some 20+ users can authenticate OTP-style or SSO-style to services on my current setup, which includes Openfire and Asterisk.

I'd really appreciate a bit more attention to something that many users, like me, will thank you for and appreciate.

--Regards
DavidG
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
> Hello there everyone
>
> David here, I'm a big time Red Hat fan. I work for a company where we
> have a small 20+ people directory. I'm currently using Samba4 to offer
> authentication to Openfire, Postfix, Dovecot (using GroupOffice); but I
> want to switch because Samba is a hassle to set up and whenever
> replication breaks it's nearly impossible to rebuild. Anyways, my current
> environment is Proxmox VE 3 as virtualization platform and many
> CentOS/RedHat servers holding my services.
>
> Please excuse me if this was already answered, but after I went through
> the archives I couldn't find anyone facing the same issue; please bear
> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing something
> or doing it wrong, but after a week struggling with this setup I decided
> to call for the help of the experts.
>
> My environment:
>
> FreeIPA Server
>     CentOS 6.5 x86_64
>
> Mail Server
>     CentOS 6.5
>     postfix-2.6.6-6.el6_5.x86_64
>     dovecot-2.0.9-7.el6.x86_64
>     ipa-python-3.0.0-37.el6.x86_64
>     ipa-client-3.0.0-37.el6.x86_64
>     python-iniparse-0.3.1-2.1.el6.noarch
>     libipa_hbac-1.9.2-129.el6_5.4.x86_64
>     libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>
> I've followed these posts from Dale McCartney, whose posts I've also
> read around here:
> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> http://www.freeipa.org/page/Dovecot_Integration
>
> None of them seem to work at the moment when using Thunderbird with the
> server set up as STARTTLS Kerberos/GSSAPI. Thunderbird also reports:
>
>     The Kerberos/GSSAPI ticket was not accepted by the IMAP server
>     da...@domain.com. Please check that you're logged in to the
>     Kerberos/GSSAPI realm

Need more details here.
What is the IMAP server name?
Check the KDC logs, do you see the client asking for a ticket? Is it successful?

Without any data I am using my crystal ball and thinking the most probable cause is that you are using a different name in the client than what you configured your IMAP server's keytab with.

> With Dovecot I'm getting this:
>
>     Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth attempts): rip=1.1.1.1, lip=217.1.2.3

This is because I guess the client couldn't get a ticket so it didn't even attempt authentication.

> I tried manual telnet and used 'a authenticate gssapi', which returns
> '+', which means the module is indeed loading and the server is GSSAPI
> ready for the challenge.
>
> If any one of you could point me in the right direction I'd really
> value that.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] named's LDAP connection hangs
If there is a resolution to this, we would love to know. We have been experiencing the same issues.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Thomas Raehalme [thomas.raeha...@codecenter.fi]
Sent: Sunday, June 22, 2014 8:29 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named's LDAP connection hangs

Hi!

Today it finally happened again - named is not resolving names under the IPA domain, pvnet.cc. Killing the named process and restarting it solves the problem (until it happens again).

Petr, I'll send you the logs directly so I don't have to leave anything out. I hope that's okay.

Thank you for the help!

Best regards,
Thomas

On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek pspa...@redhat.com wrote:
> On 16.6.2014 09:41, Thomas Raehalme wrote:
>> Hi,
>>
>> We have a problem with IPA going out of service every now and then.
>> There seem to be two kinds of situations:
>>
>> 1) The connection between named and dirsrv fails. Named can resolve
>> external names but the domain managed by IPA does not resolve any
>> names. named cannot be stopped. After killing the process and
>> restarting, the issue is resolved.
>>
>> 2) Sometimes the situation is more severe and also dirsrv is
>> unresponsive. The solution then seems to be restarting both named and
>> dirsrv (individually or through the 'ipa' service).
>>
>> Regarding #1 the file /var/log/messages contains the following:
>>
>>     Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
>>     Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
>>     Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
>>     Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
>>     Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
>>     Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
>>     Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
>>
>> The reload is triggered by logrotate. For some reason authentication
>> fails, and the IPA domain is no longer resolvable.
>>
>> I haven't discovered a pattern for how often these problems occur.
>> Maybe once a week or two.
>>
>> FreeIPA master running on CentOS 6.5 has been configured with the
>> default settings. In addition a single replica has been added.
>>
>> Any ideas where I should look for the source of the problem?
>
> I have heard about this problem but nobody managed to reproduce the
> problem. Please:
> - configure KRB5_TRACE variable as described on
>   https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
> - restart named
> - send me logs when it happens again.
>
> Thank you!
>
> -- 
> Petr^2 Spacek

-- 
Thomas Raehalme
CTO, Technology Director
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems, made understandable
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
inline quote follows

On 6/25/2014 8:17 AM, Simo Sorce wrote:
> On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
>> [...]
>
> Need more details here.
> What is the IMAP server name?

Dovecot and Postfix are running on the same server, which I already added with 'ipa service-add mail.domain.net', downloaded the keytabs, and set up everything as per the howtos mentioned in my first post.

> Check the KDC logs, do you see the client asking for a ticket? Is it
> successful?

Yes -- the IPA server is indeed showing some tickets, here's the /var/log/krb5kdc.log:

    6 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain@domain.net for krbtgt/domain@domain.net, Additional pre-authentication required
    Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: host/mail.domain@domain.net for krbtgt/domain@domain.net, Additional pre-authentication required
    Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain@domain.net for krbtgt/domain@domain.net
    Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain@domain.net for ldap/ipa.domain@domain.net
    Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain@domain.net for krbtgt/domain@domain.net, Additional pre-authentication required
    Jun 25 08:31:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain@domain.net for krbtgt/domain@domain.net, Additional pre-authentication required
    Jun 25 08:32:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain@domain.net for krbtgt/domain@domain.net, Additional pre-authentication required

> Without any data I am using my crystal ball and thinking the most
> probable cause is that you are using a different name in the client
> than what you configured your IMAP server's keytab with.

I did this:

    ipa-client-install -U -p admin -w mysecretpassword

    auth_mechanisms = gssapi
    auth_gssapi_hostname = mail01.example.com
    auth_krb5_keytab = /etc/dovecot/krb5.keytab
    auth_realms = example.com
    auth_default_realm = example.com

    # kinit admin
    Password for ad...@example.com:
    # ipa service-add imap/mail01.example.com
    # ipa-getkeytab -s ds01.example.com -p imap/mail01.example.com -k /etc/dovecot/krb5.keytab

With my own values, of course.

Now, as an update on the progress of my research: I installed the MIT Kerberos Windows client and I'm getting a prompt to enter my da...@domain.net and password. Then, after enabling Dovecot's IMAP logs:

    Jun 25 09:39:13 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
    Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
    Jun 25 09:39:13
[Freeipa-users] ipa user-del not deleting the ldap entry
    rpm -qa|grep ipa
    ipa-server-3.0.0-37.el6.x86_64
    rpm -qa|grep 389
    389-ds-base-1.2.11.15-29.el6.x86_64
    389-ds-base-libs.1.2.11.15-29.el6.x86_64

=== /var/log/dirsrv/slapd-DOMAIN/errors ===

    [23/Jun/214:11:34:27-0400] referint-plugin - _update_all_per_mod: entry cn=667a2b330ee4c889c6dadcd66c086dc,ou=tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting member: uid=foo,cn=users,cn=accounts,dc=example,dc=com failed (16)
    [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod: entry cn=enabled_users,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting member: uid=foo,cn=users,cn=accounts,dc=example,dc=com failed (16)
    [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting member: uid=foo,cn=users,cn=accounts,dc=example,dc=com failed (16)
    [23/Jun/2014:11:34:43-0400] ipalockout_preop - [file ipa_lockout.c, line 722]: Failed to retrieve entry uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com: 32
    [23/Jun/2014:11:34:43-0400] ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to retrieve entry uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com: 32
    [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod: entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting member: uid=tenants,cn=users,cn=accounts,dc=example,dc=com failed (16)
    [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod: entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting member: uid=openstack,cn=users,cn=accounts,dc=example,dc=com failed (16)
    [23/Jun/2014:11:35:41-0400] ldbm_back_modify - Attempt to modify a tombstone entry nsuiqueid=d2138508-faeb11e3-89c8890f-56b4c812,cn=Manage OpenStack,cn=privileges,cn=pbac,dc=example,dc=com

===

On 6/24/14, Rich Megginson rmegg...@redhat.com wrote:
> On 06/24/2014 09:46 AM, Chase Khoury wrote:
>> Hello,
>>
>> I am having issues with deleting an ipa user. When I do an 'ipa user-del foo'
>> there still remain remnants of the user that are causing issues. I have a
>> freeIPA server set up with 3 replica servers. When I did an 'ipa user-del foo'
>> it did not fully delete the user.
>>
>> If I do an 'ipa user-add foo' after the delete I get:
>>
>>     ipa ERROR: user with the name foo already exists
>>
>> If I do an 'ipa user-show foo' I get:
>>
>>     ipa ERROR: foo: user not found
>>
>> If I do an 'ipa user-find foo' it returns an entry:
>>
>>     --------------
>>     1 user matched
>>     --------------
>>       User login: foo
>>       First name: foo
>>       Last name: bar
>>       Home directory: /home/foo
>>       login shell: /bin/bash
>>       Email address: f...@bar.com
>>       UID: 5021
>>       GID: 5021
>>       Account disabled: False
>>       Password: True
>>       Kerberos keys available: True
>>     ----------------------------
>>     Number of entries returned 1
>>     ----------------------------
>>
>> If I do an ldapsearch for the user it still has a user entry. When trying to
>> do an ldapdelete I get the error "Server is unwilling to perform (53)".
>>
>> Does anyone know why this happened or how to clean up the server so I can
>> get it into a state where I can successfully do an 'ipa user-add foo'?
>
> What version of ipa are you using? What version of 389?
>
>     rpm -qa|grep ipa
>     rpm -qa|grep 389
>
> Can you provide excerpts from your 389 errors log
> /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the problems
> mentioned above?
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
> I don't know if the fact that the server is already enrolled as
> smtp/mail.domain.net makes Dovecot not request any ticket as
> imap/mail.domain.net, as I don't see any entries for that system in the
> KDC log.

Dovecot does not require any ticket, it's your clients that do, and you showed me no logs of clients.

If you are configuring your client to talk to mail.domain.net, then you *must* have keys for imap/mail.domain.net on your IMAP server. Keys for imap/mail01.example.net will be useless as the client won't be looking for that ticket.

When a client is configured to talk to mail.domain.net it will ask the KDC for a ticket for the principal named imap/mail.domain.net.

The client also may need to be told what KDC to contact for the domain.net domain if it really is a different domain from your main one. You used example.com and domain.net both, so unless it is a bad substitution, it means you may want to check the documentation for setting up a correct domain_realm section in your krb5.conf (note that modern IPA clients that use SSSD do not need manual configuration as long as you configure the domains list in the IPA server).

You can, of course, have multiple keys if you advertise your service under multiple names to different clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
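A way to test the diagnosis above on your own logs, as an added example (not code from the thread, from FreeIPA or from Dovecot): the script pairs TGS_REQ lines from the KDC's /var/log/krb5kdc.log with the principals that 'klist -k' lists in the server keytab, and separates tickets the KDC issued that this keytab cannot decrypt (wrong host name or realm in the keytab) from principals the KDC does not know at all (service never added). The log lines and keytab listings inside it are constructed to mirror the thread: clients connect to mail.domain.net while the keytab was cut for the howto's mail01.example.com.

```python
"""Cross-check the service principals clients request from the KDC against
the principals a server's keytab actually holds.

Added example for this thread (not code from FreeIPA, Dovecot or any poster).
Inputs assumed: lines from /var/log/krb5kdc.log on the IPA server and the
text printed by `klist -k` on the mail server. All sample data below is
constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# A TGS_REQ line is the KDC's record of a client asking for a service
# ticket. We capture the status word (ISSUE, UNKNOWN_SERVER, ...) and the
# service principal that follows " for ".
TGS_RE = re.compile(r"TGS_REQ .*?\b(?P<status>[A-Z_]+): .* for (?P<service>[^\s,]+)")

# `klist -k` prints one "KVNO Principal" row per key; header rows do not
# start with a number, so they are skipped.
KEYTAB_RE = re.compile(r"^\s*\d+\s+(?P<principal>\S+)\s*$")


def requested_principals(kdc_log: Iterable[str], service: str) -> Dict[str, Set[str]]:
    """Service principals of one type (e.g. 'imap') that clients asked for,
    grouped by the KDC's status word."""
    by_status: Dict[str, Set[str]] = {}
    for line in kdc_log:
        m = TGS_RE.search(line)
        if m and m.group("service").startswith(service + "/"):
            by_status.setdefault(m.group("status"), set()).add(m.group("service"))
    return by_status


def keytab_principals(listing: str) -> Set[str]:
    """Distinct principals in `klist -k` output (one row per KVNO/enctype)."""
    found: Set[str] = set()
    for row in listing.splitlines():
        m = KEYTAB_RE.match(row)
        if m:
            found.add(m.group("principal"))
    return found


def cross_check(kdc_log: Iterable[str], keytab_listing: str, service: str) -> Dict[str, List[str]]:
    """Compare what clients requested with what the server can decrypt.

    issued_but_no_key   : KDC issued a ticket this keytab cannot decrypt
                          (keytab cut for another host name or realm).
    unknown_to_kdc      : clients asked for a principal the KDC has never
                          heard of (service never created with ipa service-add).
    key_never_requested : keys in the keytab no client asked for.
    ok                  : requested and present.
    """
    requested = requested_principals(kdc_log, service)
    issued = requested.get("ISSUE", set())
    unknown = requested.get("UNKNOWN_SERVER", set())
    held = {p for p in keytab_principals(keytab_listing) if p.startswith(service + "/")}
    return {
        "issued_but_no_key": sorted(issued - held),
        "unknown_to_kdc": sorted(unknown),
        "key_never_requested": sorted(held - issued),
        "ok": sorted(issued & held),
    }


# Constructed KDC log: a user kinit, an IMAP ticket the KDC issues, an SMTP
# request for a principal that does not exist, and an unrelated host
# principal fetching an LDAP ticket (like the host/ lines in the thread).
SAMPLE_KDC_LOG = [
    "Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) "
    "203.0.113.7: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, "
    "david@DOMAIN.NET for krbtgt/DOMAIN.NET@DOMAIN.NET",
    "Jun 25 08:30:02 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "203.0.113.7: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, "
    "david@DOMAIN.NET for imap/mail.domain.net@DOMAIN.NET",
    "Jun 25 08:30:03 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "203.0.113.7: UNKNOWN_SERVER: authtime 1403703001,  david@DOMAIN.NET for "
    "smtp/mail.domain.net@DOMAIN.NET, Server not found in Kerberos database",
    "Jun 25 08:30:04 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, "
    "host/mail.domain.net@DOMAIN.NET for ldap/ipa.domain.net@DOMAIN.NET",
]

# Constructed `klist -k` output: keytab cut for the howto's example host
# name instead of the name clients connect to.
SAMPLE_KEYTAB_WRONG_NAME = """\
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail01.example.com@EXAMPLE.COM
   1 imap/mail01.example.com@EXAMPLE.COM
"""

# Constructed `klist -k` output after re-fetching the keytab for the real name.
SAMPLE_KEYTAB_FIXED = """\
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.domain.net@DOMAIN.NET
   2 imap/mail.domain.net@DOMAIN.NET
"""

if __name__ == "__main__":
    for label, keytab in (("wrong name", SAMPLE_KEYTAB_WRONG_NAME), ("fixed", SAMPLE_KEYTAB_FIXED)):
        print(f"== keytab: {label} ==")
        for svc in ("imap", "smtp"):
            for finding, principals in cross_check(SAMPLE_KDC_LOG, keytab, svc).items():
                if principals:
                    print(f"{svc}: {finding}: {', '.join(principals)}")
```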
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On Sun, 22 Jun 2014, Dave Gonzalez wrote:
> [...]
> I tried manual telnet and used 'a authenticate gssapi', which returns
> '+', which means the module is indeed loading and the server is GSSAPI
> ready for the challenge.
>
> If any one of you could point me in the right direction I'd really
> value that.

Following configuration works for me (generated with 'dovecot -n' from my actual config files):

    # 2.2.13: /etc/dovecot/dovecot.conf
    # OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug)
    auth_default_realm = VDA.LI
    auth_krb5_keytab = /etc/dovecot/dovecot.keytab
    auth_mechanisms = gssapi
    auth_realms = VDA.LI
    base_dir = /var/run/dovecot/
    mail_location = maildir:~/Maildir
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location = 
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix = 
    }
    passdb {
      driver = pam
    }
    userdb {
      driver = passwd
    }
    ssl = required
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem

The /etc/dovecot/dovecot.keytab contains the keytab, obtained with

    # kinit admin
    # ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab
    # chown dovecot /etc/dovecot/dovecot.keytab

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/mail.domain.net makes Dovecot not request any ticket as
>> imap/mail.domain.net, as I don't see any entries for that system in
>> the KDC log.
>
> Dovecot does not require any ticket, it's your clients that do, and you
> showed me no logs of clients.

Sorry about the client logs, I don't really know where Thunderbird stores those, but it's good to understand that. I thought there was some issue with the IMAP server; now it's clear.

I'm getting further and further with the setup. As I told you, after I installed the MIT Kerberos Windows 8 client and checked the DNS records I'm getting the principal/password prompt. Now it's apparently some missing files and wrong permissions on the Dovecot side that I need to figure out too:

    Jun 25 10:32:35 mail dovecot: imap-login: Login: user=da...@domain.net, method=GSSAPI, rip=181.140.146.136, lip=217.23.15.26, mpid=5253, TLS
    Jun 25 10:32:36 mail dovecot: imap(da...@domain.net): Error: open(/var/mail/da...@domain.net) failed: Permission denied (euid=97(dovecot) egid=3183(mailusers) missing +w perm: /var/mail, euid is not dir owner)
    Jun 25 10:32:36 mail dovecot: imap(da...@domain.net): Error: Opening INBOX failed: Mailbox doesn't exist: INBOX
    Jun 25 10:34:49 mail dovecot: imap(da...@domain.net): Error: open(/var/mail/da...@domain.net) failed: Permission denied (euid=97(dovecot) egid=3183(mailusers) missing +w perm: /var/mail, euid is not dir owner)

> If you are configuring your client to talk to mail.domain.net, then you
> *must* have keys for imap/mail.domain.net on your IMAP server. Keys for
> imap/mail01.example.net will be useless as the client won't be looking
> for that ticket.

Yup -- from the Kerberos client I see:

    da...@domain.ney
    krbtgt/domain@domain.net
    imap/mail.domain.net@
    imap/mail.domain@domain.net

with their respective remaining times.

> When a client is configured to talk to mail.domain.net it will ask the
> KDC for a ticket for the principal named imap/mail.domain.net.
>
> The client also may need to be told what KDC to contact for the
> domain.net domain if it really is a different domain from your main
> one. You used example.com and domain.net both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the IPA server).

Sorry about that example.com / domain.net typo, I just copied the wording from the howto, but as a substitution for my real domain, which I need to substitute for obvious reasons, I do have everything set to my correct domain name.

> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
>
> Simo.

Thank you very much for such helpful information you've provided, Simo. I know I need to do much, much more reading to get this all done. Now, after I get the permission stuff sorted out, I need to delve into Postfix as I haven't yet found any clear info on setting it up with IPA Server.

--Regards
David G
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
Alexander, thank you very much for your config sample. I took some time and compared it to mine and they're pretty much the same. I want to move mailboxes to Maildir style because the system I'm planning to migrate to this IPA deployment does use Maildir style mailboxes.

Thanks and cheers.

On 6/25/2014 10:54 AM, Alexander Bokovoy wrote:
> On Sun, 22 Jun 2014, Dave Gonzalez wrote:
>> [...]
>
> Following configuration works for me (generated with 'dovecot -n' from
> my actual config files):
>
> [...]
>
> The /etc/dovecot/dovecot.keytab contains the keytab, obtained with
>
>     # kinit admin
>     # ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab
>     # chown dovecot /etc/dovecot/dovecot.keytab
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On Wed, 25 Jun 2014, Dave Gonzalez wrote:
> Alexander, thank you very much for your config sample. I took some time
> and compared it to mine and they're pretty much the same. I want to
> move mailboxes to Maildir style because the system I'm planning to
> migrate to this IPA deployment does use Maildir style mailboxes.

I would still suggest you check whether a plain IPA setup is working, i.e. whether you can successfully use GSSAPI against Dovecot from a Linux client with Thunderbird or mutt. Once that is working, you can be sure that your server side is in order and start looking at how to integrate Windows machines.

Read also http://www.freeipa.org/page/Windows_authentication_against_FreeIPA

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
So with more reading I've gotten even further; things never mentioned on those howtos:

* You must have some means to authenticate to the Kerberos realm for your domain, in my case the MIT Kerberos client for Windows 8

I've got Dovecot working as expected, authenticating using the GSSAPI authentication mechanism, which is great. Postfix is also talking to the SASL auth daemon, but I'm getting some auth errors like this:

Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

While Thunderbird reports this:

Sending of message failed. The Kerberos/GSSAPI ticket was not accepted by the SMTP server mail.domain.net. Please check that you are logged in to the Kerberos/GSSAPI realm.

I'm in fact logged in to the realm from what I can see in the MIT Kerberos client interface. I hope the attachment can be seen by the list:

So, as you can see, both smtp/mail.domain.net and imap/mail.domain.net are there, so whatever is causing the issue has to do with SASL, but I haven't been able to find any useful debug commands for it apart from testsaslauthd, which yells:

[root@mail ~]# testsaslauthd -u da...@domain.net -p pass
0: NO authentication failed

I don't know if I need the /etc/saslauthd.conf file as described in some postfix+LDAP documents. I tested that with no luck; here's a sample of what I tried.

[root@mail ~]# cat saslauthd.conf
ldap_servers: ldap://ipa.domain.net
ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
ldap_filter: (|(uid=%u)(mail=%u))
ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
ldap_bind_pw: pass

Any advice from you will be greatly appreciated. Then again, thanks in advance guys.
--
Regards
DavidG

On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as smtp/mail.domain.net makes dovecot not request any ticket as imap/mail.domain.net, as I don't see any entries for that system in the KDC log.
>
> Dovecot does not require any ticket, it's your clients that do, and you showed me no logs of clients.
>
> If you are configuring your client to talk to mail.domain.net, then you *must* have keys for imap/mail.domain.net on your IMAP server. Keys for imap/mail01.example.net will be useless, as the client won't be looking for that ticket. When a client is configured to talk to mail.domain.net it will ask the KDC for a ticket for the principal named imap/mail.domain.net.
>
> The client also may need to be told what KDC to contact for the domain.net domain if it really is a different domain from your main one. You used example.com and domain.net both, so unless it is a bad substitution, it means you may want to check the documentation for setting up a correct domain_realm section in your krb5.conf (note that modern IPA clients that use SSSD do not need manual configuration as long as you configure the domains list in the IPA server).
>
> You can, of course, have multiple keys if you advertise your service under multiple names to different clients.
>
> Simo.
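Two checks that tie the keytab step from earlier in this thread (ipa-getkeytab, then chown to the service user) to Simo's point that the key has to be for the exact name the client connects to. This is an added example, not code from the thread or from FreeIPA: the helper names are hypothetical, the column layout of `klist -kt` is assumed from MIT Kerberos (principal in the last column of each entry line), and the listing below is constructed to reproduce the "imap/ key present, smtp/ key missing" situation rather than taken from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a service keytab.
# Assumes LISTING is the text printed by `klist -kt <keytab>` (MIT Kerberos),
# where the last column of every entry line is the principal name.

# keytab_missing_principals LISTING HOST REALM SERVICE...
# Prints each expected principal SERVICE/HOST@REALM that is absent from
# LISTING, one per line. Returns 0 when all are present, 1 otherwise.
# HOST must be the name clients connect to, not the machine's own name.
keytab_missing_principals() {
    listing=$1; host=$2; realm=$3
    shift 3
    missing=""
    for svc in "$@"; do
        spn="$svc/$host@$realm"
        # awk exits 0 only if some line's last field equals the principal
        if ! printf '%s\n' "$listing" |
             awk -v p="$spn" '$NF == p { found = 1 } END { exit !found }'; then
            missing="$missing $spn"
        fi
    done
    for spn in $missing; do printf '%s\n' "$spn"; done
    [ -z "$missing" ]
}

# keytab_perms_ok FILE USER
# Returns 0 when FILE is owned by USER and grants no permissions to "others":
# the service account must read its keytab, nobody else should be able to.
keytab_perms_ok() {
    file=$1; user=$2
    set -- $(ls -ld "$file")          # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    others=$(printf '%s' "$mode" | cut -c8-10)
    [ "$owner" = "$user" ] && [ "$others" = "---" ]
}

# Constructed sample listing: the keytab was generated for imap/ only,
# so SMTP AUTH over GSSAPI has no key to decrypt the client's ticket with.
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/25/2014 10:00:00 imap/mail.domain.net@DOMAIN.NET
   2 06/25/2014 10:00:00 imap/mail.domain.net@DOMAIN.NET'

# In real use replace SAMPLE_LISTING with "$(klist -kt /etc/dovecot/dovecot.keytab)".
if keytab_missing_principals "$SAMPLE_LISTING" mail.domain.net DOMAIN.NET imap smtp; then
    echo "keytab has every expected principal"
else
    echo "clients will fail GSSAPI auth against the services listed above"
fi
```

The first function answers the question Simo raises: a key for imap/mail01.example.net does not help a client that was told to connect to mail.domain.net, because the client asks the KDC for imap/mail.domain.net and the server cannot decrypt that ticket. The second function checks the ownership step after `ipa-getkeytab`, plus that the file is not world-readable, since a keytab is a long-term credential for the service.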
Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP
On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
> [root@mail ~]# cat saslauthd.conf
> ldap_servers: ldap://ipa.domain.net
> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
> ldap_filter: (|(uid=%u)(mail=%u))
> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
> ldap_bind_pw: pass

This configuration is for password based authentication tested against an LDAP server. It has really nothing to do with GSSAPI.

This guide should help you configure postfix with GSSAPI authentication:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

Simo.

--
Simo Sorce * Red Hat, Inc * New York