Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Ondrej Valousek
Hey sounds good to me, just glad it is working for you :). The only other question/suggestion I have is that it looks like you aren't leveraging kerberos in your configuration for SSO. You might want to think about doing this as it can be a pretty nice configuration. Essentially you would just

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Stephen Gallagher
On Tue, 2012-01-31 at 10:22 +0100, Ondrej Valousek wrote: Hey sounds good to me, just glad it is working for you :). The only other question/suggestion I have is that it looks like you aren't leveraging kerberos in your configuration for SSO. You might want to think about doing this

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Ondrej Valousek
I fail to see why non-root processes should be trying to read /etc/krb5.keytab at all. You should be generating a per-service keytab with only the keys necessary for that service to authenticate itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which is readable only by the

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Simo Sorce
On Tue, 2012-01-31 at 13:58 +0100, Ondrej Valousek wrote: I fail to see why non-root processes should be trying to read /etc/krb5.keytab at all. You should be generating a per-service keytab with only the keys necessary for that service to authenticate itself to the KDC. So you might

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney
howdy all just another update from me. I have a workable gssapi setup working with dovecot for imap... (I didn't test pop yet). the below setup was tested against rhel6.2 # enable dovecot on startup chkconfig dovecot on # set dovecot to

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Sigbjorn Lie
On 01/31/2012 05:07 PM, Dale Macartney wrote: sed -i 's-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g' /etc/dovecot/conf.d/10-auth.conf Perhaps I could recommend to retrieve the imap/imaps keytabs into a separate keytab file, and configure the auth_krb5_keytab config file option

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney
thanks Siggi, I was just browsing past those mails from earlier today as well... I'll make those changes before it goes on the wiki. On 01/31/2012 04:37 PM, Sigbjorn Lie wrote: On 01/31/2012 05:07 PM, Dale Macartney wrote: sed -i

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney
All I just found the culprit for the selinux error. I have the user's home dir automatically created when I was testing the account was working. ssh us...@mail02.example.com... etc for some reason, the selinux context of the users homedir is set

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney
Hi Simo I have used oddjob in the past and it works a treat, however this was with ipa-client-install.. I was just dabbling around with the script over dinner and saw you were an author... whenever I use the flag --mkhomedir with

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Simo Sorce
On Tue, 2012-01-31 at 21:03 +, Dale Macartney wrote: Hi Simo I have used oddjob in the past and it works a treat, however this was with ipa-client-install.. I was just dabbling around with the script over dinner and saw you were an

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Stephen Gallagher
On Tue, 2012-01-31 at 21:03 +, Dale Macartney wrote: Hi Simo I have used oddjob in the past and it works a treat, however this was with ipa-client-install.. I was just dabbling around with the script over dinner and saw you were an

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Ondrej Valousek
Dovecot is not running as root - can't read your krb5.keytab...? On 01/30/2012 01:16 PM, Dale Macartney wrote: Hi all I'm working on a test lab setup at the moment with RHEL 6.2 running IPA 2.1 and experimenting with simple mail server setups.

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dmitri Pal
On 01/30/2012 07:16 AM, Dale Macartney wrote: Hi all I'm working on a test lab setup at the moment with RHEL 6.2 running IPA 2.1 and experimenting with simple mail server setups. I have mail being received based on pam lookups from IPA. The mail server is tapped into IPA via the

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney
Of course Dmitri Here you go. I was actually trying to resolve this for an automated kickstart process anyway. The details specific to dovecot are in the middle. # Connect server to IPA domain

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney
Of course Dmitri Here you go. I was actually trying to resolve this for an automated kickstart process anyway. The details specific to dovecot are in the middle. # Connect server to IPA domain (ensure DNS is working correctly otherwise this step

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dmitri Pal
On 01/30/2012 11:42 AM, Dale Macartney wrote: Of course Dmitri Here you go. I was actually trying to resolve this for an automated kickstart process anyway. The details specific to dovecot are in the middle. # Connect server to IPA domain

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney
Hi Erinn I originally asked the question as I was thinking my auth attempts were failing when using ipa, however this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a missing

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Erinn Looney-Triggs
On 01/30/2012 10:20 AM, Dale Macartney wrote: Hi Erinn I originally asked the question as I was thinking my auth attempts were failing when using ipa, however this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney
Hey Erinn, funny you mention that actually, I was adding service principals when I was first troubleshooting that. SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list once I have a reproducible

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dmitri Pal
On 01/30/2012 02:50 PM, Dale Macartney wrote: Hey Erinn, funny you mention that actually, I was adding service principals when I was first troubleshooting that. SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list once I have a reproducible

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney
;-) will do mate. I'm writing a list of items to cover at the moment actually. On 01/30/2012 08:02 PM, Dmitri Pal wrote: On 01/30/2012 02:50 PM, Dale Macartney wrote: Hey Erinn, funny you mention that actually, I was adding service principals