[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Dale Macartney dale at themacartneyclan.com
Mon Jan 30 19:50:48 UTC 2012



Hey Erinn, funny you mention that actually, I was adding service
principals when I was first troubleshooting that.

SSO is definitely on the planned cards for me, to be honest. I'll send
through the details to the list once I have a reproducible configuration :-)

Thanks for the positive feedback.

Dale



On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 10:20 AM, Dale Macartney wrote:
>>
>> Hi Erinn
>>
>> I originally asked the question as I was thinking my auth attempts were
>> failing when using ipa, however this was not the case.
>>
>> On closer inspection, I found that the authentication was successful yet
>> dovecot was failing to read a "missing" mailbox.
>>
>> I found that dovecot was simply missing the mailbox_location directive,
>> detailed below.
>>
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>
>> Once I restarted dovecot with this extra line, the authentication was
>> again validated. I was then prompted to accept the self-signed
>> certificate from dovecot and I was able to retrieve the mail as intended.
>>
>> Does this help clear things up?
>>
>>
>> Dale
>
>>> So I am a bit confused here, is this working for you or not? It looked
>>> like you were asking a question to begin with, but then at then end you
>>> are saying it is 100% working?
>>
>>> Just trying to figure out whether you need help,
>>> -Erinn
>>
>
> Hey sounds good to me, just glad it is working for you :). The only
> other question/suggestion I have is that it looks like you aren't
> leveraging kerberos in your configuration for SSO, You might want to
> think about doing this as it can be a pretty nice configuration.
>
> Essentially you would just need to add service principals for the host
> in the form of imap and/or pop, and change the auth line in your dovecot
> config to allow for gssapi auth, like so:
>
> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>
> Then assuming your user has a ticket, and their client is properly
> configured, they no longer need to do anything upon logging into their
> system, kerb will auth the rest.
>
> If you are on a multihomed system, you will need two additional changes:
> service principals for the other host name, and the following modification:
> sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>
> I got a little caught up when you referenced the /etc/krb5.keytab file
> as possibly part of the problem so I thought this was more a kerb issue.
>
> -Erinn
>
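The thread turns on two things that are easy to get wrong when wiring Dovecot to IPA/Kerberos: a login that succeeds but then fails because `mail_location` is unset, and a GSSAPI setup where `auth_mechanisms` or the `imap/` keytab entry is missing. The script below is an added example, not code from this thread or from the Dovecot or FreeIPA projects; it reads a Dovecot config file and a saved `klist -kt` listing (both constructed here as sample input) and reports which of those settings are present. Function names, the sample file contents, and the hostnames are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Dovecot + Kerberos (GSSAPI) setup.
# Not from the mailing-list thread; paths, names and sample data are assumed.

# Print the effective value of one Dovecot setting from a config file.
# Commented-out lines ("#auth_mechanisms = ...") are ignored, and the last
# assignment wins, matching how Dovecot resolves repeated settings.
dovecot_setting() {
    # $1 = config file, $2 = setting name
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# Return 0 when gssapi is enabled and mail_location is set, 1 otherwise.
# One line is printed per finding so the output reads as a checklist.
check_dovecot_auth() {
    cfg="$1"
    rc=0
    mech=$(dovecot_setting "$cfg" auth_mechanisms)
    case " $mech " in
        *" gssapi "*) echo "ok: auth_mechanisms includes gssapi ($mech)" ;;
        *) echo "missing: gssapi not in auth_mechanisms (${mech:-unset})"; rc=1 ;;
    esac
    loc=$(dovecot_setting "$cfg" mail_location)
    if [ -n "$loc" ]; then
        echo "ok: mail_location = $loc"
    else
        # This is the failure mode from the thread: auth passes, mailbox lookup fails.
        echo "missing: mail_location unset (login succeeds, mailbox cannot be opened)"
        rc=1
    fi
    return $rc
}

# Return 0 if a saved "klist -kt" listing contains a principal for the given
# service (e.g. imap) on the given host, 1 otherwise.
keytab_has_service() {
    # $1 = file holding klist -kt output, $2 = service, $3 = host FQDN
    grep -Eq "[[:space:]]$2/$3@" "$1"
}

# ---- constructed sample input (not real systems) ----
good_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
# 10-auth.conf style fragment, constructed for the example
#auth_mechanisms = plain
auth_mechanisms = gssapi plain
mail_location = mbox:~/mail:INBOX=/var/mail/%u
EOF

bad_cfg=$(mktemp)
cat > "$bad_cfg" <<'EOF'
auth_mechanisms = plain
EOF

keytab_listing=$(mktemp)
cat > "$keytab_listing" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/30/12 10:00:00 host/mail.example.test@EXAMPLE.TEST
   2 01/30/12 10:00:00 imap/mail.example.test@EXAMPLE.TEST
EOF

# ---- run the checks on the samples ----
echo "== good config =="
check_dovecot_auth "$good_cfg"
echo "== bad config =="
if check_dovecot_auth "$bad_cfg"; then echo "unexpected pass"; fi
echo "== keytab =="
if keytab_has_service "$keytab_listing" imap mail.example.test; then
    echo "ok: imap/ principal present for mail.example.test"
fi
if ! keytab_has_service "$keytab_listing" pop mail.example.test; then
    echo "missing: no pop/ principal for mail.example.test"
fi
rm -f "$good_cfg" "$bad_cfg" "$keytab_listing"
```

On a real host you would point `check_dovecot_auth` at the live auth config (on Fedora/RHEL that is normally under /etc/dovecot/conf.d/) and feed `keytab_has_service` the output of `klist -kt /etc/krb5.keytab`; for a multihomed server run the keytab check once per hostname, since GSSAPI clients will present a ticket for whichever name they connected to.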
