Re: [SOGo] authentication with kerberos
Hello,

this might be bug 1200: http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner

On Thursday 10 January 2013 23:25:05, cmsch...@rockwellcollins.com wrote:
> Hello - thanks for the response.. As requested.. and a few other things..

--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] authentication with kerberos
Looks like you might be right.. Well.. back to LDAP I guess..

Thanks
Chris

From: Heiner Markert mephi...@gmx.net
To: users@sogo.nu
Cc: cmsch...@rockwellcollins.com
Date: 01/11/2013 08:10 AM
Subject: Re: [SOGo] authentication with kerberos

Hello,

this might be bug 1200: http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner

Re: [SOGo] authentication with kerberos
Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM, cmsch...@rockwellcollins.com wrote:
> Is there any way for SOGo to authenticate with UPPERCASE domain names?
>
> I was having issues with Dovecot with LDAP, so I configured it with Kerberos, which works great. However, when SOGo passes the authentication piece to Dovecot, it uses a lowercase domain name.. i.e. u...@example.com instead of u...@example.com for Kerberos to work.
>
> Any insight?
>
> Thanks - Chris
>
> CentOS release 6.3 (Final)
> 2.6.32-279.19.1.el6.x86_64
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64

Re: [SOGo] authentication with kerberos
Sorry.. some more information..

If I log into the IMAP service (port 143 via telnet).. I see this in the /var/log/secure

Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds for 'user' (u...@example.com)

However, when I log into SOGo, I get this...

Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for 'u...@example.com' (u...@example.com): Authentication failure (KDC reply did not match expectations)

From: Khapare Joshi khapar...@gmail.com
To: users@sogo.nu
Date: 01/10/2013 02:29 PM
Subject: Re: [SOGo] authentication with kerberos

Can you share how you configured SOGo with Kerberos?

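The two /var/log/secure excerpts in the message above differ in what pam_krb5 was handed as the login name and in the principal it derived from it. The following Python code is an added example, not part of the original thread and not code from SOGo, Dovecot or pam_krb5; it triages result lines of that format and flags a login that already carries a domain part and a realm that differs from the expected one only by case. The sample lines are constructed (the archive elides the real principals, so the user name `alice` and the realm casing are assumptions), and `EXAMPLE.COM` is the realm named elsewhere in the thread.

```python
import re

# pam_krb5 result lines in the format quoted in the message above.
RESULT = re.compile(
    r"pam_krb5\[\d+\]: authentication (?P<result>succeeds|fails) "
    r"for '(?P<login>[^']+)' \((?P<principal>[^)]+)\)"
)

def triage(line, expected_realm):
    """Return a dict describing one result line, or None for other lines."""
    m = RESULT.search(line)
    if m is None:
        return None
    login, principal = m["login"], m["principal"]
    _, sep, realm = principal.rpartition("@")
    findings = []
    if "@" in login:
        # The client sent user@domain rather than a bare user name.
        findings.append("login-has-domain")
    if not sep:
        findings.append("principal-without-realm")
    elif realm != expected_realm:
        # Kerberos realm names are case-sensitive.
        same = realm.upper() == expected_realm.upper()
        findings.append("realm-case-mismatch" if same else "realm-unexpected")
    return {"ok": m["result"] == "succeeds", "login": login,
            "principal": principal, "findings": findings}

def failures(lines, expected_realm):
    """Triage every line and keep only failed authentications."""
    results = (triage(l, expected_realm) for l in lines)
    return [r for r in results if r is not None and not r["ok"]]

# Constructed sample lines (user name and realm casing are assumptions).
SAMPLE = [
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified",
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds "
    "for 'alice' (alice@EXAMPLE.COM)",
    "Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails "
    "for 'alice@example.com' (alice@example.com): Authentication failure "
    "(KDC reply did not match expectations)",
]

if __name__ == "__main__":
    for r in failures(SAMPLE, "EXAMPLE.COM"):
        print(r["login"], r["principal"], ", ".join(r["findings"]))
```
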
Re: [SOGo] authentication with kerberos
Hello - thanks for the response.. As requested.. and a few other things..

/etc/httpd/conf.d/SOGo.conf

***
<Location /SOGo>
  AuthType Kerberos
  Require valid-user
  SetEnv proxy-nokeepalive 1
  Allow from all
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP/host.example@example.com
  Krb5Keytab /etc/httpd/krb5.keytab
  KrbLocalUserMapping On
  RewriteEngine On
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

<Proxy http://127.0.0.1:2/SOGo>
  RequestHeader set x-webobjects-server-port 80
  RequestHeader set x-webobjects-server-name host
  RequestHeader set x-webobjects-server-url http://host
  RequestHeader set x-webobjects-remote-user %{REMOTE_USER}e
  RequestHeader set x-webobjects-server-protocol HTTP/1.0
  RequestHeader set x-webobjects-remote-host %{REMOTE_HOST}e env=REMOTE_HOST
  AddDefaultCharset UTF-8
  Order allow,deny
</Proxy>

RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
***

And actually - I got this working okay. But the problem still seems to be that I have dovecot working with Kerberos - I can telnet into the IMAP port using my username and password and it works just fine..

***
[root@centos01 httpd]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
. login username password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
***

My dovecot config looks like this:

***
[root@centos01 httpd]# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_username_format = %Lu
auth_verbose = yes
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_key = /etc/pki/dovecot/private/dovecot.pem
userdb {
  args = uid=503 gid=503 home=/home/vmail/%u
  driver = static
}
***

The pam_dovecot looks like this...

***
[root@centos01 httpd]# cat /etc/pam.d/dovecot
#%PAM-1.0
auth       sufficient   pam_krb5.so no_user_check validate
account    sufficient   pam_permit.so
[root@centos01 httpd]#

However, when I log into SOGo, then I get the error in my /var/log/maillog.

Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup service=dovecot

Any ideas?

Thanks - Chris

From: Khapare Joshi khapar...@gmail.com
To: users@sogo.nu
Date: 01/10/2013 02:29 PM
Subject: Re: [SOGo] authentication with kerberos

Can you share how you configured SOGo with Kerberos?