<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/07/2013 02:30 PM, Johan Petersson wrote: > Thank you for the information, i have come to the same conclusion after forcing myself to delve deeper into the mysteries of kerberos and its limitations. > Local storage of the users mail on the mail server seem to be the only valid option (or make the NFS server work double as mail server too.) > I am definitely looking forward to reading your article when it is done. I have just updated the article to have dovecot automatically creating a maildir in a custom location. <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On">http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On</a> Its not NFS based in the homedir, but technically if you're using a mail client with offline support, the mail in the homedir would be available if the imap server became unavailable anyway. Just a thought. Dale > > Regards, > Johan. > > > ------------------------- > *From:* <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dale Macartney [<a class="moz-txt-link-abbreviated" href="mailto:dale@themacartneyclan.com">dale@themacartneyclan.com</a>] > *Sent:* Thursday, March 07, 2013 13:35 > *To:* <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > *Subject:* Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI. > > > > On 03/06/2013 02:33 PM, Johan Petersson wrote: > > Hi, > > I hope someone here can shed some light on what is wrong in my test environment. > > The error seem to be that Dovecot on mail server wants to access mail folder in my home directory on the NFS Server but can't get credentials for it. rpc.gssd on Mail Server try either to open a cachefile in /tmp that is corrupt or expired or if no cache file exists it just do error downcall. > > No try to update the key or create a new one. > > Should not forwardable tickets update the cache or generate a new one? > > The permission denied error in maillog i believe is because of no valid kerberos credentials. > > > IPAserver > > NFS Server for Home Directory through autofs, IPA Client with nfs/share.test.net > > Mail server IPA Client with imap/mail.test.net,smtp/mail.test.net > > > Clients pc's that are also IPA clients > > > Everything is Red Hat 6.4 server and Client with default settings for IPA server and client. > > > When trying to get mail i get ticket not accepted but i do get a imap ticket that i can see with klist. > > > Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_1644800003_UsqtSh">FILE:/tmp/krb5cc_1644800003_UsqtSh</a> > > Default principal: <a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET">johan@TEST.NET</a> > > > Valid starting Expires Service principal > > 03/06/13 14:34:28 03/07/13 14:34:28 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/TEST.NET@TEST.NET">krbtgt/TEST.NET@TEST.NET</a> > > 03/06/13 14:40:41 03/07/13 14:34:28 <a class="moz-txt-link-abbreviated" href="mailto:imap/mail.test.net@TEST.NET">imap/mail.test.net@TEST.NET</a> > > 03/06/13 14:44:43 03/07/13 14:34:28 <a class="moz-txt-link-abbreviated" href="mailto:host/share.test.net@TEST.NET">host/share.test.net@TEST.NET</a> > > > Hopefully relevant logs: > > > Mail Server /var/log/messages with rpc.gssapi -vvv: > > > Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12) > > Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall: 'mech=krb5 uid=1644800003 enctypes=18,17,16,23,3,1,2 ' > > Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt12) > > Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall: service is '<null>' > > Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials for client with uid 1644800003 for server share.test.net > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' being considered, with preferred realm 'TEST.NET' > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003 > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' being considered, with preferred realm 'TEST.NET' > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_1644800001_MOFHds' owned by 0, not 1644800003 > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET' > > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file '/tmp/krb5cc_0' owned by 0, not 1644800003 > > Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to create krb5 context for user with uid 1644800003 for server share.test.net > > Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall > > > Mail Server /var/log/maillog: > > > Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up (core dumps disabled) > > Mar 06 14:43:21 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth > > Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so > > Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so > > Mar 06 14:43:21 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so > > Mar 06 14:43:21 auth: Debug: auth client connected (pid=2183) > > Mar 06 14:43:21 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured lip=192.168.0.33 rip=192.168.0.202 lport=143 rport=36424 > > Mar 06 14:43:21 auth: Debug: gssapi(?,192.168.0.202): Using all keytab entries > > Mar 06 14:43:21 auth: Debug: client out: CONT 1 > > Mar 06 14:43:21 auth: Debug: client in: CONT<hidden> > > Mar 06 14:43:21 auth: Debug: gssapi(<a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET,192.168.0.202">johan@TEST.NET,192.168.0.202</a>): security context state completed. > > Mar 06 14:43:21 auth: Debug: client out: CONT 1 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv1MwL+M8NJprfWznLmhNSKz2ONwOwvw+2nJkIlLZiRLgIfQECmsAnkj6v54ukCkFNkcl0eCKTuHX9/8CTSpBQZL0RpeHHqfqMDDVRtKuiVaK7DzFOf/RC2ZTKmRD4l54p4PF5KA39L3VTNbkKhsIN > > Mar 06 14:43:21 auth: Debug: client in: CONT<hidden> > > Mar 06 14:43:21 auth: Debug: gssapi(<a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET,192.168.0.202">johan@TEST.NET,192.168.0.202</a>): Negotiated security layer > > Mar 06 14:43:21 auth: Debug: client out: CONT 1 BQQF/wAMAAAAAAAAN4/a0gH///+o8Mw0PdRlusfHcCo= > > Mar 06 14:43:21 auth: Debug: client in: CONT<hidden> > > Mar 06 14:43:21 auth: Debug: client out: OK 1 user=johan > > Mar 06 14:43:21 auth: Debug: master in: REQUEST 1818361857 2183 1 2f9e416bebaaac9a0a3f266165753c1b > > Mar 06 14:43:21 auth: Debug: passwd(johan,192.168.0.202): lookup > > Mar 06 14:43:21 auth: Debug: master out: USER 1818361857 johan system_groups_user=johan uid=1644800003 gid=1644800003 home=/nethome/johan > > Mar 06 14:43:21 imap-login: Info: Login: user=<johan>, method=GSSAPI, rip=192.168.0.202, lip=192.168.0.33, mpid=2186, TLS > > Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/) failed: Permission denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner) > > Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan) failed: Permission denied > > Mar 06 14:43:21 imap(johan): Error: user johan: Initialization failed: Initializing mail storage from mail_location setting failed: stat(/nethome/johan/mail) failed: Permission denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner) > > Mar 06 14:43:21 imap(johan): Error: Invalid user settings. Refer to server log for more information. > Sorry to side track the mail thread Johan. > > the messages below indicate that there is no home directory mounted when imap is trying to connect. > > Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/) failed: Permission denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner) > Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan) failed: Permission denied > Mar 06 14:43:21 imap(johan): Error: user johan: Initialization failed: Initializing mail storage from mail_location setting failed: stat(/nethome/johan/mail) failed: Permission denied (euid=1644800003(johan) egid=1644800003(johan) missing +x perm: /nethome/johan, euid is not dir owner) > > What I have done is set the mail destination to /var/mail/ on the mail server, and then let the users mail client redirect the mail to their home directory. > > the issue here is because the user isn't actually logging into the mail server as you normally would an interactive session, their home directory is not accessible. > > Basically imap is doing what its meant to be doing, however accessing storage that doesn't exist due to another aspect of infrastructure is what's getting in the way. > > My original goal was to store mail on an NFS share in their home dir as well, however I am yet to achieve this solution. > > I have reopened this mini-project to update the howto for rhel 6.4 and ipa 3.0 so stay tuned for a new article if you don't get up and running before then. > > This will be more of a smtp + imap + ipa solution however as they all need to work together. > > Dale > > > > NFS Server /var/log/messages with rpc.svcgssd -vvv: > > > Mar 6 14:43:21 share rpc.svcgssd[17422]: handling null request > > Mar 6 14:43:21 share rpc.svcgssd[17422]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel > > Mar 6 14:43:21 share rpc.svcgssd[17422]: sname = <a class="moz-txt-link-abbreviated" href="mailto:nfs/mail.test.net@TEST.NET">nfs/mail.test.net@TEST.NET</a> > > Mar 6 14:43:21 share rpc.svcgssd[17422]: DEBUG: serialize_krb5_ctx: lucid version! > > Mar 6 14:43:21 share rpc.svcgssd[17422]: prepare_krb5_rfc4121_buffer: protocol 1 > > Mar 6 14:43:21 share rpc.svcgssd[17422]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32 > > Mar 6 14:43:21 share rpc.svcgssd[17422]: doing downcall > > Mar 6 14:43:21 share rpc.svcgssd[17422]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1362657132 (79731 from now), clnt: <a class="moz-txt-link-abbreviated" href="mailto:nfs@mail.test.net">nfs@mail.test.net</a>, uid: -1, gid: -1, num aux grps: 0: > > Mar 6 14:43:21 share rpc.svcgssd[17422]: sending null reply > > Mar 6 14:43:21 share rpc.svcgssd[17422]: writing message: \x \x6082026406092a864886f71201020201006e8202533082024fa003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a10a1b08544553542e4e4554a220301ea003020103a11730151b036e66731b0e73686172652e746573742e6e6574a382011e3082011aa003020112a103020101a282010c048201080bd88fab1779cae6f283c843e375c2771728abafc384c52f50cc7b2af86583170f495fd96ad3665acb035e08fdac19c820c8ed16fa1120409d165b7eec74e418c11f3d24601c6ad2ee752185f20b4c9667a52dd8e11485e2aef2d5f7fd3ae6991d097e303287e5627f83dc514bca1932262dfa0df4836d55541a6dbce88cc88678cb037acdeada894dc4f3c0dbeaf7f157c9d57e6193ed3ca917f467b17291b4661742f6755a73c8c2b6b9d2b23334ee1cc3b108ee3d825db5edd042c7f9441afe76422f69c400620160fe415e28cdbe9637ca20062cad2999a453c4c4e4e694577bb7f861db6071759a4a0692ce0988fe9c6bdae423f04d22c8f5090d0f76ce235db4ceb9fe13fca481d83081d5a003020112a281cd0481ca1eb49a3eb4c68ce63349590168de47cd5af0bdcaa8a21434f3cbba3ec41a4469bae62d4dd65d037d6c02fcb0a24ff9679a22ab7ffd48857ea7b72f12ab3776c8d28b > > 27a985a0fa53bfc162da8fda7e8ca49a2e57093f2af0bc4d2a4148420aa1bacb8f7bc4313650060ccae01426ff752405aab2f52ed332f0ac5e670e0013acf9acef23e0e1e5beb85b497d506526aed62a0718377d7e360ce9d5ddf812d02839daa6ee62887e0370a63a49f0345f2eb0d4f9f069c983ed0c63cec039e97378d5abe4eeb214c2e735af 1362577461 0 0 \xbc000000 \x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f598391477156abf0dce0a5d58927fc329174a95f47e0dbfb6ab9e77937ba24047c50beafed6bff70e4d133c6304bfb8b47e48b3c17b87ff5a3f44095ab138804a821c155e80410d0f8ec1e663416e935b50c1a90b030d828d7d6c9d2199a46193a04fb32dbd88f18984d5913a3bc60 > > Mar 6 14:43:21 share rpc.svcgssd[17422]: finished handling null request > > Mar 6 14:43:21 share rpc.svcgssd[17422]: entering poll > > > IPA Server /var/log/dirsrv/slapd-TEST-NET/access: > > > [06/Mar/2013:14:43:21 +0100] conn=1273 fd=70 slot=70 connection from 192.168.0.33 to 192.168.0.30 > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=mail.test.net,cn=computers,cn=accounts,dc=test,dc=net" > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 SRCH base="automountmapname=auto_nethome,cn=default,cn=automount,dc=test,dc=net" scope=2 filter="(&(objectClass=automount)(|(automountKey=johan)(automountKey=/)(automountKey=\2a)))" attrs="automountKey automountInformation" > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 RESULT err=0 tag=101 nentries=1 etime=0 > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 UNBIND > > [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 fd=70 closed - U1 > > [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 SRCH base="cn=accounts,dc=test,dc=net" scope=2 filter="(&(uid=nfs/mail.test.net)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey" > > [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 RESULT err=0 tag=101 nentries=0 etime=0 > > > Regards, > > Johan. > > > > _______________________________________________ > > Freeipa-users mailing list > > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a> iQIcBAEBAgAGBQJROMknAAoJEAJsWS61tB+qSpIP/3hYrxCC7+f5TgH1QPeTB3Vg oDglme8LI5mkmuwvc5cFHmA/bVuzNSTUNndSmI5S8fjuvDB61KKuaMGuTHcKya1p xx07HLjkacg0JAcBida3NrMdW5p9d6ZSFddl5dHl49xwuFmTty4Ktp11gMR+TEcA ALkrv1h8XINhKh8N0BdVqig8pYPcTOnsZViOaOwXms9gbtq30VPZlaDNzvRt6lfF mwYjqte5nOP+nTYGmL5PR7XDF31gz7YbbKstcyGBrKkXLFjNIVOjIxINbQ4kC7NG gpnuS033ZnVMFBgcVlx61OV9B4x0rVCN+hfjnFOFTOiMiwFWC8fb2kXqFB5dWtNN qN+BbMTk03S0l/9eYEFuzb7NHnxWG4ktHoXr4EKn1aAHGwM4Dhw9TOE+EFAf7x4F HwK1x3WcgIVd7O96pLeW+FVyq//o63qdD3hxOXLd8zlKvzs8nRBIm+Q6BDi6NKi6 iMOYGszCmgOWRzY13gbnBL4fPldKoA0702MulU46ZoFnl+jbKOAXQnrCDOWKkdSG qTOgJu3wKOhiD6/3V091PgL0ve/r1bcahP5mV9iQazBBWXmAskLXVc+a0VHhfBcM DrhbPQgdd9FVKUxpOquOg/WviCD/0+/aSArnuW6D8cKS/NifG2+BY5z9Afft1ORZ ktgkIVbz/wS3lY3lmSaP =Qz62 -----END PGP SIGNATURE----- </body> </html>