[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Dale Macartney dale at themacartneyclan.com
Tue Jan 31 21:03:33 UTC 2012


Hi Simo

I have used oddjob in the past and it works a treat, however this was
with ipa-client-install..

I was just dabbling around with the script over dinner and saw you were
an author...

Whenever I use the flag --mkhomedir with ipa-client-install, I get the
wrong contexts on the home dirs...

I raised a bugzilla ticket just before I left the office. Bug *786223*
<https://bugzilla.redhat.com/show_bug.cgi?id=786223>.

I'll keep playing with it and see what I come across. I'll feed back if
anything useful comes up.

Dale



On 01/31/2012 06:48 PM, Simo Sorce wrote:
> On Tue, 2012-01-31 at 18:22 +0000, Dale Macartney wrote:
>>
> All
>
> I just found the culprit for the selinux error
>
> I have the user's home dir automatically created when I was testing
> the account was working.
>
> ssh user2 at mail02.example.com... etc
>
> for some reason, the selinux context of the users homedir is set to
> home_root_t instead of user_home_dir_t.
>
> > If you use pam_mkhomedir I suggest changing to use pam_oddjob_mkhomedir
> > The second one can properly deal with SELinux labeling on creation.
>
> once a restorecon was run on /home (restorecon -R /home) the selinux
> errors disappeared when accessing mail via imap.
>
> I'll do a write up of the details for the wiki so it is documented.
>
>
> Dale
>
>
>
> On 01/31/2012 04:40 PM, Dale Macartney wrote:
> >>>
> >>> thanks Siggi,
> >>>
> >>> I was just browsing past those mails from earlier today as well... I'll
> >>> make those changes before it goes on the wiki.
> >>>
> >>>
> >>>
> >>> On 01/31/2012 04:37 PM, Sigbjorn Lie wrote:
> >>>> On 01/31/2012 05:07 PM, Dale Macartney wrote:
> >>>>>
> >>>>> sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
> >>>>>
> >>>
> >>>> Perhaps I could recommend to retrieve the imap/imaps keytabs into a
> >>>> separate keytab file, and configure the auth_krb5_keytab config file
> >>>> option in dovecot.conf to point to this file. This increases the
> >>>> security by a tenfold as pointed out earlier in this thread.
> >>>
> >>>
> >>>
> >>>> Regards,
> >>>> Siggi
> >>>
> >>>> _______________________________________________
> >>>> Freeipa-users mailing list
> >>>> Freeipa-users at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>
>>
>
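
Added example (not part of the original messages): a shell check for the mislabeling described in this thread, listing home directories whose SELinux type is not user_home_dir_t. The function names and the sample contexts are constructed for illustration; input lines have the form printed by stat -c '%C %n'.

```shell
# Audit SELinux labels on home directories.
# Input (stdin): one "<selinux-context> <path>" pair per line.

# Print the type field (third colon-separated field) of a context string,
# e.g. system_u:object_r:home_root_t:s0 -> home_root_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<path><TAB><type>" for every directory whose type differs from
# the expected one (default user_home_dir_t).
# Returns 1 if at least one mislabeled directory was found, else 0.
find_mislabeled_homes() {
    fmh_expected="${1:-user_home_dir_t}"
    fmh_rc=0
    while read -r fmh_ctx fmh_path; do
        # Skip blank lines.
        [ -n "$fmh_ctx" ] || continue
        fmh_type=$(selinux_type "$fmh_ctx")
        if [ "$fmh_type" != "$fmh_expected" ]; then
            printf '%s\t%s\n' "$fmh_path" "$fmh_type"
            fmh_rc=1
        fi
    done
    return "$fmh_rc"
}

# Constructed sample: user2's directory carries the label of /home itself
# (home_root_t), which is the symptom reported in the thread.
SAMPLE_CONTEXTS='unconfined_u:object_r:user_home_dir_t:s0 /home/user1
system_u:object_r:home_root_t:s0 /home/user2'

# Against the sample:
#   printf '%s\n' "$SAMPLE_CONTEXTS" | find_mislabeled_homes
# On a live host:
#   stat -c '%C %n' /home/* | find_mislabeled_homes
```

Any directory it reports is a candidate for the fix used in the thread, restorecon -R /home.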