<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font size="+2">Alexander, thank you very much for your config
sample. I took some time and compared it to mine and they're pretty
much the same. I want to move mailboxes to Maildir style because
the system I'm planning to migrate to this IPA deployment
does use Maildir style mailboxes.</font><br>
<br>
Thanks and cheers.<br>
<br>
<div class="moz-cite-prefix">On 6/25/2014 10:54 AM, Alexander
Bokovoy wrote:<br>
</div>
<blockquote cite="mid:20140625155448.GJ7233@redhat.com" type="cite">On
Sun, 22 Jun 2014, Dave Gonzalez wrote:
<br>
<blockquote type="cite">Hello there everyone David here,
<br>
<br>
I'm a big time Red Hat fan. I work for a company where we have a
small 20+ people directory. I'm currently using Samba4 to offer
authentication to Openfire, Postfix, Dovecot (using
GroupOffice); but I want to switch because Samba is a hassle to
set up and whenever replication breaks it's nearly impossible to
rebuild. Anyway, my current environment is Proxmox VE 3 as
virtualization platform and many CentOS/RedHat servers holding
my services.
<br>
<br>
Please excuse me if this was already answered, but after I went
through the archives I couldn't find anyone facing the same
issue. Please bear with me as I'm a newbie to FreeIPA and LDAP.
I know I'm missing something or doing it wrong, but after a week
struggling with this setup I decided to call for the help of
the experts.
<br>
<br>
My environment:
<br>
FreeIPA Server
<br>
CentOS 6.5 x86_64
<br>
<br>
Mail Server
<br>
CentOS 6.5
<br>
postfix-2.6.6-6.el6_5.x86_64
<br>
dovecot-2.0.9-7.el6.x86_64
<br>
ipa-python-3.0.0-37.el6.x86_64
<br>
ipa-client-3.0.0-37.el6.x86_64
<br>
python-iniparse-0.3.1-2.1.el6.noarch
<br>
libipa_hbac-1.9.2-129.el6_5.4.x86_64
<br>
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
<br>
<br>
I've followed these posts from Dale McCartney, whose posts I've
also read around here:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/">https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/</a>
<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Dovecot_Integration">http://www.freeipa.org/page/Dovecot_Integration</a>
<br>
<br>
None of them seem to work at the moment when using Thunderbird
with the server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird
also reports that
<br>
<br>
<quote>
<br>
"The Kerberos/GSSAPI ticket was not accepted by the IMAP server
<a class="moz-txt-link-abbreviated" href="mailto:david@domain.com">david@domain.com</a>. Please check that you're logged in to the
Kerberos/GSSAPI realm"
<br>
</quote>
<br>
<br>
with Dovecot I'm getting this
<br>
<br>
<code>
<br>
Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no
auth attempts): rip=1.1.1.1, lip=217.1.2.3
<br>
</code>
<br>
<br>
I tried a manual telnet session and issued AUTHENTICATE GSSAPI, which returns
"+", which means the module is indeed loading and the server is
GSSAPI-ready for the challenge.
<br>
<br>
If anyone of you could point me into the right direction I'd
really value that.
<br>
</blockquote>
The following configuration works for me (generated with 'dovecot -n'
from
<br>
my actual config files):
<br>
<br>
<code>
<br>
# 2.2.13: /etc/dovecot/dovecot.conf
<br>
# OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug)
<br>
auth_default_realm = VDA.LI
<br>
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
<br>
auth_mechanisms = gssapi
<br>
auth_realms = VDA.LI
<br>
base_dir = /var/run/dovecot/
<br>
mail_location = maildir:~/Maildir
<br>
mbox_write_locks = fcntl
<br>
namespace inbox {
<br>
&nbsp;&nbsp;inbox = yes
<br>
&nbsp;&nbsp;location =
<br>
&nbsp;&nbsp;mailbox Drafts {
<br>
&nbsp;&nbsp;&nbsp;&nbsp;special_use = \Drafts
<br>
&nbsp;&nbsp;}
<br>
&nbsp;&nbsp;mailbox Junk {
<br>
&nbsp;&nbsp;&nbsp;&nbsp;special_use = \Junk
<br>
&nbsp;&nbsp;}
<br>
&nbsp;&nbsp;mailbox Sent {
<br>
&nbsp;&nbsp;&nbsp;&nbsp;special_use = \Sent
<br>
&nbsp;&nbsp;}
<br>
&nbsp;&nbsp;mailbox "Sent Messages" {
<br>
&nbsp;&nbsp;&nbsp;&nbsp;special_use = \Sent
<br>
&nbsp;&nbsp;}
<br>
&nbsp;&nbsp;mailbox Trash {
<br>
&nbsp;&nbsp;&nbsp;&nbsp;special_use = \Trash
<br>
&nbsp;&nbsp;}
<br>
&nbsp;&nbsp;prefix =
<br>
}
<br>
passdb {
<br>
&nbsp;&nbsp;driver = pam
<br>
}
<br>
userdb {
<br>
&nbsp;&nbsp;driver = passwd
<br>
}
<br>
ssl = required
<br>
ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem
<br>
ssl_key = &lt;/etc/pki/dovecot/private/dovecot.pem
<br>
</code>
<br>
<br>
<br>
The /etc/dovecot/dovecot.keytab contains the keytab, obtained with
<br>
<code>
<br>
# kinit admin
<br>
# ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab
<br>
# chown dovecot /etc/dovecot/dovecot.keytab
<br>
</code>
<br>
<br>
<br>
</blockquote>
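The checks a practitioner would run against a setup like the one in this thread, as an added example that is not code from the thread, from Dovecot or from FreeIPA: it parses the text printed by <code>dovecot -n</code> and by <code>klist -kt /etc/dovecot/dovecot.keytab</code> and confirms that GSSAPI is offered, that a dedicated keytab is configured, that the keytab holds the exact <code>imap/&lt;fqdn&gt;@REALM</code> principal the mail client will ask for, that the keytab is not group/world readable, that STARTTLS is required and that mail_location is Maildir. The sample <code>dovecot -n</code> and <code>klist</code> text, the hostname mail.example.com and the realm EXAMPLE.COM are constructed for the example.

```python
"""Offline audit of a Dovecot GSSAPI (Kerberos) login setup.

Added example (not code from the thread, Dovecot or FreeIPA). It parses
the text printed by `dovecot -n` and `klist -kt <keytab>` and checks the
settings the working config in the thread depends on. The sample text,
the hostname mail.example.com and the realm EXAMPLE.COM are assumptions.
"""
import re

# Constructed sample of `dovecot -n` output (not the thread's real config).
SAMPLE_DOVECOT_N = """\
# 2.2.13: /etc/dovecot/dovecot.conf
auth_default_realm = EXAMPLE.COM
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_realms = EXAMPLE.COM
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \\Drafts
  }
  prefix =
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
"""

# Constructed sample of `klist -kt /etc/dovecot/dovecot.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 06/25/14 10:54:48 imap/mail.example.com@EXAMPLE.COM
"""


def parse_dovecot_n(text):
    """Flatten `dovecot -n` output into {"block/.../key": value}.

    Block headers such as `namespace inbox {` become path components and
    an empty value (`location =`) survives as ''.
    """
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def parse_klist(text):
    """Return the set of service principals listed by `klist -k[t]`."""
    return set(m.group(1) for m in re.finditer(r"(\S+/\S+@\S+)", text))


def audit(config_text, klist_text, mode, fqdn, realm):
    """Return [(status, message)] with status 'ok' or 'FAIL' per check.
    `mode` is the keytab's permission bits (stat.S_IMODE of its st_mode)."""
    cfg = parse_dovecot_n(config_text)
    principals = parse_klist(klist_text)
    findings = []

    def check(cond, ok_msg, fail_msg):
        findings.append(("ok", ok_msg) if cond else ("FAIL", fail_msg))

    check("gssapi" in cfg.get("auth_mechanisms", "").split(),
          "auth_mechanisms offers gssapi", "auth_mechanisms lacks gssapi")
    keytab = cfg.get("auth_krb5_keytab", "")
    check(keytab != "", "auth_krb5_keytab = " + keytab,
          "auth_krb5_keytab unset; Dovecot falls back to /etc/krb5.keytab, "
          "which the dovecot user normally cannot read")
    # The client asks for imap/<hostname typed into the mail client>, so that
    # exact principal must be in the keytab; host/<fqdn> alone is not enough.
    want = "imap/%s@%s" % (fqdn, realm)
    check(want in principals, "keytab holds " + want,
          "keytab lacks %s; it holds %s" % (want, sorted(principals) or "nothing"))
    check(cfg.get("auth_default_realm") == realm, "auth_default_realm = " + realm,
          "auth_default_realm is %r, expected %r" % (cfg.get("auth_default_realm"), realm))
    # The thread's recipe chowns the keytab to dovecot; it must also stay
    # unreadable to group/others, since the key lets anyone impersonate the service.
    check((mode & 0o077) == 0, "keytab mode %04o is private" % mode,
          "keytab mode %04o is readable by group/others" % mode)
    check(cfg.get("ssl") == "required", "ssl = required",
          "ssl is %r; STARTTLS should be required" % cfg.get("ssl"))
    check(cfg.get("mail_location", "").startswith("maildir:"),
          "mail_location uses Maildir", "mail_location is %r" % cfg.get("mail_location"))
    return findings


if __name__ == "__main__":
    for status, msg in audit(SAMPLE_DOVECOT_N, SAMPLE_KLIST, 0o600,
                             "mail.example.com", "EXAMPLE.COM"):
        print("%-4s %s" % (status, msg))
```

To run it against a real server, feed it the output of <code>dovecot -n</code> and <code>klist -kt /etc/dovecot/dovecot.keytab</code>, the mode from <code>stat.S_IMODE(os.stat(path).st_mode)</code>, the exact hostname users type into their mail client and the IPA realm. A Thunderbird "ticket was not accepted" error with Dovecot logging only an inactivity disconnect usually comes down to the principal check: the keytab holds the wrong service or hostname, or Dovecot cannot read it.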
</body>
</html>