[Freeipa-users] Introduction and question regarding SMTP/IMAP

Simo Sorce simo at redhat.com
Wed Jun 25 13:17:58 UTC 2014


On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
> Hello there everyone David here,
> 
> I'm big time Red Hat fan, I work for a company where we have a small 20+ 
> people directory, I'm currently using Samba4 to offer authentication to 
> Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch 
> because samba is a hassle to setup and whenever replication breaks it's 
> nearly impossible to rebuild, anyways, My current environment is Proxmox 
> VE 3 as virtualization platform and many CentOS/RedHat Servers holding 
> my services.
> 
> Please excuse me if this was already answered but after I went through 
> the archives I couldn't find anyone facing the same issue, please bear 
> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing 
> something or doing it wrong but after a week struggling with this setup 
> I decided to call for the help of the experts.
> 
> My environment:
> FreeIPA Server
> CentOS 6.5 x86_64
> 
> Mail Server
> CentOS 6.5
> postfix-2.6.6-6.el6_5.x86_64
> dovecot-2.0.9-7.el6.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> 
> I've followed these posts from Dale McCartney, whom I've also read his 
> posts around here
> 
> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> 
> http://www.freeipa.org/page/Dovecot_Integration
> 
> None of them seem to work at the moment when using Thunderbird with the 
> server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that
> 
> <quote>
> "The kerberos/GSSAPI ticket was not accepted by the IMAP server 
> david at domain.com. Please check that you're logged in to the 
> Kerberos/GSSAPI realm"
> </quote>


Need more details here.

What is the imap server name ?

Check the KDC logs do you see the client asking for a ticket ? Is it
successful ?

Without any data I am using my crystal ball and thinking the most
probable cause is that you are using a different name in the client than
what you configured your IMAP server's keytab with.

> with Dovecot I'm getting this
> 
> <code>
> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth 
> attempts): rip=1.1.1.1, lip=217.1.2.3
> </code>

This is because I guess the client couldn't get a ticket so it didn't
even attempt authentication.

> I tried manual telnet and used an authenticate gssapi which returns "+" 
> which means module is indeed loading and the server is gssapi ready for 
> the challenge.
> 
> If anyone of you could point me into the right direction I'd really 
> value that.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
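The checks Simo asks for (did the client request a service ticket, did the KDC issue it, and does the IMAP server's keytab hold the same name the client was pointed at) can be scripted once you have the raw data. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from Dovecot. It assumes the keytab lives at /etc/dovecot/dovecot.keytab, uses a constructed `klist -kt` listing and constructed KDC log lines whose format only approximates what an MIT krb5kdc writes to krb5kdc.log, and takes the host name the mail client was configured with as input. In the constructed data the client was pointed at mail.example.com while the keytab only holds imap/imap.example.com, which is exactly the mismatch described above.

```python
"""Offline check for the keytab/name mismatch suspected above.

Inputs: the host name the mail client was configured with, the output of
`klist -kt` on the IMAP server, and a few KDC log lines. All sample text
below is constructed for this example; the KDC log format is approximate.
"""
import re

# Constructed sample of `klist -kt /etc/dovecot/dovecot.keytab` on the IMAP host.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/22/14 10:00:00 imap/imap.example.com@EXAMPLE.COM
   2 06/22/14 10:00:00 imap/imap.example.com@EXAMPLE.COM
"""

# Constructed KDC log lines: the user obtains a TGT, then asks for a service
# ticket for the name the mail client was pointed at, which the KDC does not know.
KDC_LOG = """\
Jun 22 11:01:20 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1403434880, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 22 11:01:21 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0,  david@EXAMPLE.COM for imap/mail.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# One `klist -kt` entry: KVNO, date, time, principal.
KEYTAB_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# One KDC request line: request kind, result code, client principal, requested server.
KDC_REQ_RE = re.compile(r"(AS_REQ|TGS_REQ).*?: ([A-Z_]+): .*?(\S+@\S+) for (\S+?)(?:,|$)")


def keytab_principals(listing):
    """Return the distinct principals present in `klist -kt` output."""
    principals = set()
    for line in listing.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            principals.add(m.group(4))
    return principals


def kdc_requests(log_text):
    """Parse AS_REQ/TGS_REQ lines into dicts (kind, status, client, server)."""
    requests = []
    for line in log_text.splitlines():
        m = KDC_REQ_RE.search(line)
        if m:
            kind, status, client, server = m.groups()
            requests.append({"kind": kind, "status": status,
                             "client": client, "server": server})
    return requests


def diagnose(client_host, listing, log_text, service="imap"):
    """Did the client ask the KDC for a ticket, was it issued, and does the
    keytab hold the service name the client actually used?"""
    have = keytab_principals(listing)
    wanted = f"{service}/{client_host}@"
    tgs = [r for r in kdc_requests(log_text)
           if r["kind"] == "TGS_REQ" and r["server"].startswith(service + "/")]
    report = {
        "client_asked_kdc": bool(tgs),
        "kdc_issued": any(r["status"] == "ISSUE" for r in tgs),
        "requested_names": sorted({r["server"] for r in tgs}),
        "keytab_has_client_name": any(p.startswith(wanted) for p in have),
        "keytab_service_names": sorted(p.split("/", 1)[1].split("@", 1)[0]
                                       for p in have if p.startswith(service + "/")),
    }
    if not report["client_asked_kdc"]:
        report["verdict"] = "no TGS request seen: check the client's ticket cache and KDC reachability"
    elif not report["kdc_issued"]:
        report["verdict"] = "KDC refused the service ticket: the name the client used is not a registered principal"
    elif not report["keytab_has_client_name"]:
        report["verdict"] = "ticket issued but the IMAP keytab lacks that name: client name and keytab principal differ"
    else:
        report["verdict"] = "names agree: look at dovecot auth logging next"
    return report


if __name__ == "__main__":
    for host in ("mail.example.com", "imap.example.com"):
        r = diagnose(host, KEYTAB_LISTING, KDC_LOG)
        print(host, "->", r["verdict"], "| keytab names:", r["keytab_service_names"])
```

On a real host you would feed in the actual `klist -kt` output and the relevant krb5kdc.log lines; the parsers are deliberately loose so a differing timestamp layout or an extra field does not break them, and the verdict strings follow the order of Simo's questions.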
