<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
On 03/07/2013 02:30 PM, Johan Petersson wrote:<br>
<span style="white-space: pre;">> Thank you for the information,
i have come to the same conclusion after forcing myself to delve
deeper into the mysteries of kerberos and its limitations.<br>
> Local storage of the users mail on the mail server seem to be
the only valid option (or make the NFS server work double as mail
server too.)<br>
> I am definitely looking forward to reading your article when
it is done.</span><br>
<br>
I have just updated the article to have dovecot automatically
creating a maildir in a custom location.<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On">http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On</a><br>
<br>
Its not NFS based in the homedir, but technically if you're using a
mail client with offline support, the mail in the homedir would be
available if the imap server became unavailable anyway. Just a
thought.<br>
<br>
Dale<br>
<br>
<span style="white-space: pre;">><br>
> Regards,<br>
> Johan.<br>
><br>
><br>
> -------------------------<br>
> *From:* <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dale Macartney
[<a class="moz-txt-link-abbreviated" href="mailto:dale@themacartneyclan.com">dale@themacartneyclan.com</a>]<br>
> *Sent:* Thursday, March 07, 2013 13:35<br>
> *To:* <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
> *Subject:* Re: [Freeipa-users] Errors when trying IPA,Dovecot
GSSAPI.<br>
><br>
><br>
><br>
> On 03/06/2013 02:33 PM, Johan Petersson wrote:<br>
> > Hi,<br>
> > I hope someone here can shed some light on what is wrong
in my test environment.<br>
> > The error seem to be that Dovecot on mail server wants
to access mail folder in my home directory on the NFS Server but
can't get credentials for it. rpc.gssd on Mail Server try either
to open a cachefile in /tmp that is corrupt or expired or if no
cache file exists it just do error downcall.<br>
> > No try to update the key or create a new one.<br>
> > Should not forwardable tickets update the cache or
generate a new one?<br>
> > The permission denied error in maillog i believe is
because of no valid kerberos credentials.<br>
><br>
> > IPAserver<br>
> > NFS Server for Home Directory through autofs, IPA Client
with nfs/share.test.net<br>
> > Mail server IPA Client with
imap/mail.test.net,smtp/mail.test.net<br>
><br>
> > Clients pc's that are also IPA clients<br>
><br>
> > Everything is Red Hat 6.4 server and Client with default
settings for IPA server and client.<br>
><br>
> > When trying to get mail i get ticket not accepted but i
do get a imap ticket that i can see with klist.<br>
><br>
> > Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_1644800003_UsqtSh">FILE:/tmp/krb5cc_1644800003_UsqtSh</a><br>
> > Default principal: <a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET">johan@TEST.NET</a><br>
><br>
> > Valid starting Expires Service principal<br>
> > 03/06/13 14:34:28 03/07/13 14:34:28
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/TEST.NET@TEST.NET">krbtgt/TEST.NET@TEST.NET</a><br>
> > 03/06/13 14:40:41 03/07/13 14:34:28
<a class="moz-txt-link-abbreviated" href="mailto:imap/mail.test.net@TEST.NET">imap/mail.test.net@TEST.NET</a><br>
> > 03/06/13 14:44:43 03/07/13 14:34:28
<a class="moz-txt-link-abbreviated" href="mailto:host/share.test.net@TEST.NET">host/share.test.net@TEST.NET</a><br>
><br>
> > Hopefully relevant logs:<br>
><br>
> > Mail Server /var/log/messages with rpc.gssapi -vvv:<br>
><br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt12)<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handle_gssd_upcall:
'mech=krb5 uid=1644800003 enctypes=18,17,16,23,3,1,2 '<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt12)<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: process_krb5_upcall:
service is '<null>'<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: getting credentials
for client with uid 1644800003 for server share.test.net<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_machine_TEST.NET' being considered, with preferred
realm 'TEST.NET'<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_machine_TEST.NET' owned by 0, not 1644800003<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_1644800001_MOFHds' being considered, with preferred
realm 'TEST.NET'<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_1644800001_MOFHds' owned by 0, not 1644800003<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_0' being considered, with preferred realm 'TEST.NET'<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: CC file
'/tmp/krb5cc_0' owned by 0, not 1644800003<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: WARNING: Failed to
create krb5 context for user with uid 1644800003 for server
share.test.net<br>
> > Mar 6 14:43:21 mail rpc.gssd[1143]: doing error downcall<br>
><br>
> > Mail Server /var/log/maillog:<br>
><br>
> > Mar 06 14:43:11 master: Info: Dovecot v2.0.9 starting up
(core dumps disabled)<br>
> > Mar 06 14:43:21 auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth<br>
> > Mar 06 14:43:21 auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so<br>
> > Mar 06 14:43:21 auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so<br>
> > Mar 06 14:43:21 auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libmech_gssapi.so<br>
> > Mar 06 14:43:21 auth: Debug: auth client connected
(pid=2183)<br>
> > Mar 06 14:43:21 auth: Debug: client in: AUTH 1 GSSAPI
service=imap secured lip=192.168.0.33 rip=192.168.0.202 lport=143
rport=36424<br>
> > Mar 06 14:43:21 auth: Debug: gssapi(?,192.168.0.202):
Using all keytab entries<br>
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1<br>
> > Mar 06 14:43:21 auth: Debug: client in:
CONT<hidden><br>
> > Mar 06 14:43:21 auth: Debug:
gssapi(<a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET,192.168.0.202">johan@TEST.NET,192.168.0.202</a>): security context state
completed.<br>
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv1MwL+M8NJprfWznLmhNSKz2ONwOwvw+2nJkIlLZiRLgIfQECmsAnkj6v54ukCkFNkcl0eCKTuHX9/8CTSpBQZL0RpeHHqfqMDDVRtKuiVaK7DzFOf/RC2ZTKmRD4l54p4PF5KA39L3VTNbkKhsIN<br>
> > Mar 06 14:43:21 auth: Debug: client in:
CONT<hidden><br>
> > Mar 06 14:43:21 auth: Debug:
gssapi(<a class="moz-txt-link-abbreviated" href="mailto:johan@TEST.NET,192.168.0.202">johan@TEST.NET,192.168.0.202</a>): Negotiated security layer<br>
> > Mar 06 14:43:21 auth: Debug: client out: CONT 1
BQQF/wAMAAAAAAAAN4/a0gH///+o8Mw0PdRlusfHcCo=<br>
> > Mar 06 14:43:21 auth: Debug: client in:
CONT<hidden><br>
> > Mar 06 14:43:21 auth: Debug: client out: OK 1 user=johan<br>
> > Mar 06 14:43:21 auth: Debug: master in: REQUEST
1818361857 2183 1 2f9e416bebaaac9a0a3f266165753c1b<br>
> > Mar 06 14:43:21 auth: Debug:
passwd(johan,192.168.0.202): lookup<br>
> > Mar 06 14:43:21 auth: Debug: master out: USER 1818361857
johan system_groups_user=johan uid=1644800003 gid=1644800003
home=/nethome/johan<br>
> > Mar 06 14:43:21 imap-login: Info: Login:
user=<johan>, method=GSSAPI, rip=192.168.0.202,
lip=192.168.0.33, mpid=2186, TLS<br>
> > Mar 06 14:43:21 imap(johan): Error:
chdir(/nethome/johan/) failed: Permission denied
(euid=1644800003(johan) egid=1644800003(johan) missing +x perm:
/nethome/johan, euid is not dir owner)<br>
> > Mar 06 14:43:21 imap(johan): Error:
chdir(/nethome/johan) failed: Permission denied<br>
> > Mar 06 14:43:21 imap(johan): Error: user johan:
Initialization failed: Initializing mail storage from
mail_location setting failed: stat(/nethome/johan/mail) failed:
Permission denied (euid=1644800003(johan) egid=1644800003(johan)
missing +x perm: /nethome/johan, euid is not dir owner)<br>
> > Mar 06 14:43:21 imap(johan): Error: Invalid user
settings. Refer to server log for more information.<br>
> Sorry to side track the mail thread Johan.<br>
><br>
> the messages below indicate that there is no home directory
mounted when imap is trying to connect.<br>
><br>
> Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan/)
failed: Permission denied (euid=1644800003(johan)
egid=1644800003(johan) missing +x perm: /nethome/johan, euid is
not dir owner)<br>
> Mar 06 14:43:21 imap(johan): Error: chdir(/nethome/johan)
failed: Permission denied<br>
> Mar 06 14:43:21 imap(johan): Error: user johan:
Initialization failed: Initializing mail storage from
mail_location setting failed: stat(/nethome/johan/mail) failed:
Permission denied (euid=1644800003(johan) egid=1644800003(johan)
missing +x perm: /nethome/johan, euid is not dir owner)<br>
><br>
> What I have done is set the mail destination to /var/mail/ on
the mail server, and then let the users mail client redirect the
mail to their home directory.<br>
><br>
> the issue here is because the user isn't actually logging
into the mail server as you normally would an interactive session,
their home directory is not accessible.<br>
><br>
> Basically imap is doing what its meant to be doing, however
accessing storage that doesn't exist due to another aspect of
infrastructure is what's getting in the way.<br>
><br>
> My original goal was to store mail on an NFS share in their
home dir as well, however I am yet to achieve this solution.<br>
><br>
> I have reopened this mini-project to update the howto for
rhel 6.4 and ipa 3.0 so stay tuned for a new article if you don't
get up and running before then.<br>
><br>
> This will be more of a smtp + imap + ipa solution however as
they all need to work together.<br>
><br>
> Dale<br>
><br>
><br>
> > NFS Server /var/log/messages with rpc.svcgssd -vvv:<br>
><br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: handling null
request<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]:
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes
with 7 enctypes from the kernel<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: sname =
<a class="moz-txt-link-abbreviated" href="mailto:nfs/mail.test.net@TEST.NET">nfs/mail.test.net@TEST.NET</a><br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: DEBUG:
serialize_krb5_ctx: lucid version!<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]:
prepare_krb5_rfc4121_buffer: protocol 1<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]:
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and
size 32<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: doing downcall<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: mech: krb5,
hndl len: 4, ctx len 52, timeout: 1362657132 (79731 from now),
clnt: <a class="moz-txt-link-abbreviated" href="mailto:nfs@mail.test.net">nfs@mail.test.net</a>, uid: -1, gid: -1, num aux grps: 0:<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: sending null
reply<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: writing
message: \x
\x6082026406092a864886f71201020201006e8202533082024fa003020105a10302010ea20703050020000000a382015d6182015930820155a003020105a10a1b08544553542e4e4554a220301ea003020103a11730151b036e66731b0e73686172652e746573742e6e6574a382011e3082011aa003020112a103020101a282010c048201080bd88fab1779cae6f283c843e375c2771728abafc384c52f50cc7b2af86583170f495fd96ad3665acb035e08fdac19c820c8ed16fa1120409d165b7eec74e418c11f3d24601c6ad2ee752185f20b4c9667a52dd8e11485e2aef2d5f7fd3ae6991d097e303287e5627f83dc514bca1932262dfa0df4836d55541a6dbce88cc88678cb037acdeada894dc4f3c0dbeaf7f157c9d57e6193ed3ca917f467b17291b4661742f6755a73c8c2b6b9d2b23334ee1cc3b108ee3d825db5edd042c7f9441afe76422f69c400620160fe415e28cdbe9637ca20062cad2999a453c4c4e4e694577bb7f861db6071759a4a0692ce0988fe9c6bdae423f04d22c8f5090d0f76ce235db4ceb9fe13fca481d83081d5a003020112a281cd0481ca1eb49a3eb4c68ce63349590168de47cd5af0bdcaa8a21434f3cbba3ec41a4469bae62d4dd65d037d6c02fcb0a24ff9679a22ab7ffd48857ea7b72f12ab3776c8d28b<br>
> >
27a985a0fa53bfc162da8fda7e8ca49a2e57093f2af0bc4d2a4148420aa1bacb8f7bc4313650060ccae01426ff752405aab2f52ed332f0ac5e670e0013acf9acef23e0e1e5beb85b497d506526aed62a0718377d7e360ce9d5ddf812d02839daa6ee62887e0370a63a49f0345f2eb0d4f9f069c983ed0c63cec039e97378d5abe4eeb214c2e735af
1362577461 0 0 \xbc000000
\x60819906092a864886f71201020202006f8189308186a003020105a10302010fa27a3078a003020112a271046f598391477156abf0dce0a5d58927fc329174a95f47e0dbfb6ab9e77937ba24047c50beafed6bff70e4d133c6304bfb8b47e48b3c17b87ff5a3f44095ab138804a821c155e80410d0f8ec1e663416e935b50c1a90b030d828d7d6c9d2199a46193a04fb32dbd88f18984d5913a3bc60<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: finished
handling null request<br>
> > Mar 6 14:43:21 share rpc.svcgssd[17422]: entering poll<br>
><br>
> > IPA Server /var/log/dirsrv/slapd-TEST-NET/access:<br>
><br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 fd=70 slot=70
connection from 192.168.0.33 to 192.168.0.30<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=0 RESULT
err=14 tag=97 nentries=0 etime=0, SASL bind in progress<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=1 RESULT
err=14 tag=97 nentries=0 etime=0, SASL bind in progress<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 BIND dn=""
method=sasl version=3 mech=GSSAPI<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=2 RESULT err=0
tag=97 nentries=0 etime=0
dn="fqdn=mail.test.net,cn=computers,cn=accounts,dc=test,dc=net"<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 SRCH
base="automountmapname=auto_nethome,cn=default,cn=automount,dc=test,dc=net"
scope=2
filter="(&(objectClass=automount)(|(automountKey=johan)(automountKey=/)(automountKey=\2a)))"
attrs="automountKey automountInformation"<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=3 RESULT err=0
tag=101 nentries=1 etime=0<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 UNBIND<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1273 op=4 fd=70 closed
- U1<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 SRCH
base="cn=accounts,dc=test,dc=net" scope=2
filter="(&(uid=nfs/mail.test.net)(objectClass=posixAccount))"
attrs="objectClass uid userPassword uidNumber gidNumber gecos
homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId
modifyTimestamp entryusn shadowLastChange shadowMin shadowMax
shadowWarning shadowInactive shadowExpire shadowFlag
krbLastPwdChange krbPasswordExpiration pwdattribute
authorizedService accountexpires useraccountcontrol nsAccountLock
host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"<br>
> > [06/Mar/2013:14:43:21 +0100] conn=1270 op=16 RESULT
err=0 tag=101 nentries=0 etime=0<br>
><br>
> > Regards,<br>
> > Johan.<br>
><br>
><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.13 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBAgAGBQJROMknAAoJEAJsWS61tB+qSpIP/3hYrxCC7+f5TgH1QPeTB3Vg<br>
oDglme8LI5mkmuwvc5cFHmA/bVuzNSTUNndSmI5S8fjuvDB61KKuaMGuTHcKya1p<br>
xx07HLjkacg0JAcBida3NrMdW5p9d6ZSFddl5dHl49xwuFmTty4Ktp11gMR+TEcA<br>
ALkrv1h8XINhKh8N0BdVqig8pYPcTOnsZViOaOwXms9gbtq30VPZlaDNzvRt6lfF<br>
mwYjqte5nOP+nTYGmL5PR7XDF31gz7YbbKstcyGBrKkXLFjNIVOjIxINbQ4kC7NG<br>
gpnuS033ZnVMFBgcVlx61OV9B4x0rVCN+hfjnFOFTOiMiwFWC8fb2kXqFB5dWtNN<br>
qN+BbMTk03S0l/9eYEFuzb7NHnxWG4ktHoXr4EKn1aAHGwM4Dhw9TOE+EFAf7x4F<br>
HwK1x3WcgIVd7O96pLeW+FVyq//o63qdD3hxOXLd8zlKvzs8nRBIm+Q6BDi6NKi6<br>
iMOYGszCmgOWRzY13gbnBL4fPldKoA0702MulU46ZoFnl+jbKOAXQnrCDOWKkdSG<br>
qTOgJu3wKOhiD6/3V091PgL0ve/r1bcahP5mV9iQazBBWXmAskLXVc+a0VHhfBcM<br>
DrhbPQgdd9FVKUxpOquOg/WviCD/0+/aSArnuW6D8cKS/NifG2+BY5z9Afft1ORZ<br>
ktgkIVbz/wS3lY3lmSaP<br>
=Qz62<br>
-----END PGP SIGNATURE-----<br>
<br>
</body>
</html>