[Freeipa-users] Introduction and question regarding SMTP/IMAP

Dave Gonzalez dgonzalezh at gmail.com
Wed Jun 25 14:52:16 UTC 2014


inline quote follows

On 6/25/2014 8:17 AM, Simo Sorce wrote:
> On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
>> Hello there everyone David here,
>>
>> I'm a big-time Red Hat fan, I work for a company where we have a small 20+
>> people directory, I'm currently using Samba4 to offer authentication to
>> Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch
>> because samba is a hassle to setup and whenever replication breaks it's
>> nearly impossible to rebuild, anyways, My current environment is Proxmox
>> VE 3 as virtualization platform and many CentOS/RedHat Servers holding
>> my services.
>>
>> Please excuse me if this was already answered but after I went through
>> the archives I couldn't find anyone facing the same issue, please bear
>> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing
>> something or doing it wrong but after a week struggling with this setup
>> I decided to call for the help of the experts.
>>
>> My environment:
>> FreeIPA Server
>> CentOS 6.5 x86_64
>>
>> Mail Server
>> CentOS 6.5
>> postfix-2.6.6-6.el6_5.x86_64
>> dovecot-2.0.9-7.el6.x86_64
>> ipa-python-3.0.0-37.el6.x86_64
>> ipa-client-3.0.0-37.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>>
>> I've followed these posts from Dale McCartney, whose posts I've also read
>> around here
>>
>> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
>>
>> http://www.freeipa.org/page/Dovecot_Integration
>>
>> None of them seem to work at the moment when using Thunderbird with the
>> server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that
>>
>> <quote>
>> "The kerberos/GSSAPI ticket was not accepted by the IMAP server
>> david at domain.com. Please chack that you're logged in to the
>> Kerberos/GSSAPI realm"
>> </quote>
>
> Need more details here.
>
> What is the imap server name ?
Dovecot and Postfix running on the same server which I already added with 
ipa service-add mail.domain.net, downloaded the keytabs, set up 
everything as per the howtos mentioned on my first post

> Check the KDC logs do you see the client asking for a ticket ? Is it
> successful ?

Yes -- the ipa server is indeed showing some tickets, here's the 
/var/log/krb5kdc.log

6 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for 
krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: 
host/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, 
Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 
tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for 
krbtgt/DOMAIN.NET at DOMAIN.NET
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 
tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for 
ldap/ipa.domain.net at DOMAIN.NET
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): AS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: 
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, 
Additional pre-authentication required
Jun 25 08:31:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: 
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, 
Additional pre-authentication required
Jun 25 08:32:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes 
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: 
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, 
Additional pre-authentication required


> Without any data I am using my crystal ball and thinking the most
> probable cause is that you are using a different name in the client than
> what you configured your IMAP server's keytab with.

I did this:

ipa-client-install -U -p admin -w mysecretpassword


auth_mechanisms = gssapi
auth_gssapi_hostname = mail01.example.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_realms = example.com
auth_default_realm = example.com


# kinit admin
Password for admin at EXAMPLE.COM:
# ipa service-add imap/mail01.example.com


# ipa-getkeytab -s ds01.example.com -p imap/mail01.example.com -k /etc/dovecot/krb5.keytab


With my own values of course.

Now as an update to the progress on my research I installed the MIT 
Kerberos Windows Client and I'm getting a prompt to enter my 
david at DOMAIN.NET and password, then after enabling Dovecot's IMAP logs

Jun 25 09:39:13 mail dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 25 09:39:13 mail dovecot: auth: Debug: auth client connected (pid=4576)
Jun 25 09:39:14 mail dovecot: auth: Debug: client in: 
AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=217.23.15.26#011rip=181.140.146.136#011lport=143#011rport=64275
Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(?,181.140.146.136): 
Obtaining credentials for imap at mail.domain.net
Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug: client in: 
CONT#0111#011YIICbQYJKoZIhvcSAQICAQBuggJcMIICWKADAgEFoQMCAQ6iBwMFACAAAACjggFvYYIBazCCAWegAwIBBaEOGwxQQVlNVU5ETy5ORVSiJDAioAMCAQOhGzAZGwRpbWFwGxFtYWlsLnBheW11bmRvLm5ldKOCASgwggEkoAMCARKhAwIBA6KCARYEggESURD7IYGOw0RjKSrRT.....x1j6YNFQiORWEY5InF1HB7Thgi+DMMyZLSQ/7qMQ7d.....qSH/BQVlm7G2gRvfT4DW2O6Sq0j4+AqZDF+EJhIE9jiZmoBSdkVECKnurcsLNgEEDp+mX..........6X1qV0oXwLmiRw9k50/F4fkO7JC+6f1OutHALQwT72K1b0ZYHhp8vPAihiDX3ZKaPOJOlS7GIf2THufWzqf5lskJihkwcN6LAPOK........hwekM0WmY2rDWm2I8/jBYPlu4Yp4j1+8lE2y10f1iBIxkAgnMyG3ZbIqQUT7lE5qSBzzCBzKADAgESooHEBIHBRg+jmt1e3f7jnTegfWoiaBzIli3s/L1ZstEPq6hiwW4T8kUfZyuf6WTZKq/k0e4jz76lP4nCK5MHwV/OM0a+rBhUGeHU2mN7MQt63eLRlf+XAKT3FlmQArcqWzKCtjsIdTxtJj9dt9EhHUNU+PgjiTNAA9LeFxHNxN8l9xPDawy60j96wAka1QI4g==
Jun 25 09:39:14 mail dovecot: auth: Debug: 
gssapi(david at DOMAIN.NET,181.140.146.136): security context state completed.
Jun 25 09:39:14 mail dovecot: auth: Debug: client out: 
CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+ieq1mPuNUjd7eq2zRkDb8B0Im1Z5lPSxRL+Gn9Ljy7VOtJsQYq+EWgDlP+kPGWxVA6DtASk4hO+sD3jZTAd
Jun 25 09:39:14 mail dovecot: auth: Debug: client in: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug: 
gssapi(david at DOMAIN.NET,181.140.146.136): Negotiated security layer
Jun 25 09:39:14 mail dovecot: auth: Debug: client out: 
CONT#0111#011QF/wAMAAAQ2yTAH///8hlXwCrWScU=
Jun 25 09:39:15 mail dovecot: auth: Debug: client in: 
CONT#0111#011BQQE/wAMAAAEAAABkYXZpZFin/xrUh3Faw/W0IA==
Jun 25 09:39:15 mail dovecot: auth: Debug: client out: 
OK#0111#011user=david at domain.net
Jun 25 09:39:15 mail dovecot: auth: Debug: master in: 
REQUEST#0113104702465#0114576#0111#011d8d0053151d33c802
Jun 25 09:39:15 mail dovecot: auth: Debug: master out: 
USER#0113104702465#011david at domain.net#011uid=97#011gid=97#011home=/var/spool/mail/david at domain.net
Jun 25 09:39:15 mail dovecot: imap-login: Login: 
user=<david at domain.net>, method=GSSAPI, rip=181.140.146.136, 
lip=217.23.15.26, mpid=4579, TLS
Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: user 
david at domain.net: Couldn't drop privileges: Mail access for users with 
UID 97 not permitted (see first_valid_uid in config file).
Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: Internal 
error occurred. Refer to server log for more information.

Now the latter part regarding the first_valid_uid issue is never 
mentioned on the online howtos, so there's another new issue, but at 
least now I see the system and Thunderbird trying to authenticate


HTH, if you need any more info please let me know.

Thank you very much for taking the time to reply to my question.

>
>> with Dovecot I'm getting this
>>
>> <code>
>> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth
>> attempts): rip=1.1.1.1, lip=217.1.2.3
>> </code>
> This is because I guess the client couldn't get a ticket so it didn't
> even attempt authentication.

I don't know if the fact that the server is already enrolled as 
smtp/mail.domain.net makes dovecot not request any ticket as 
imap/mail.domain.net as I don't see any entries for that system on the 
KDC log

>> I tried manual telnet and used an authenticate gssapi, which returns "+"
>> which means module is indeed loading and the server is gssapi ready for
>> the challenge.
>>
>> If anyone of you could point me into the right direction I'd really
>> value that.
> HTH,
> Simo.
>
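As an added example (not part of the thread, and not FreeIPA or Dovecot code), here is a small Python script that does what Simo asks for above: it reads MIT krb5kdc log lines in the format quoted in the reply, lists which client principals actually obtained a TGT, and checks whether any TGS_REQ ever asked for the IMAP service principal. All host names, IP addresses, principals and log lines are constructed for this example; note that a real krb5kdc.log writes principals with a literal "@", which the list archive renders as " at ".

```python
"""Summarise MIT KDC log traffic per principal (added example, constructed data)."""
import re
from collections import defaultdict

# One MIT krb5kdc (info) request line. The non-greedy ".*?\)" skips the
# "(4 etypes {18 17 16 23})" fragment; the optional group skips the
# "authtime ..., etypes {...}," fragment that only ISSUE lines carry.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*?\) "
    r"(?P<ip>[\d.]+): (?P<result>[A-Z_]+):"
    r"(?: authtime \d+, etypes \{[^}]*\},)? "
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
)

# Constructed sample: the host and smtp principals of the mail server get a
# TGT and an ldap ticket (as in the thread), and one user principal asks for
# an imap service ticket (what a working GSSAPI IMAP login looks like).
SAMPLE_KDC_LOG = """\
Jun 25 08:30:01 ipa.example.test krb5kdc[25103](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: host/mail.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 25 08:30:01 ipa.example.test krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jun 25 08:30:01 ipa.example.test krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
Jun 25 08:30:01 ipa.example.test krb5kdc[25105](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: smtp/mail.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 25 09:39:10 ipa.example.test krb5kdc[25104](info): TGS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1403707100, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.TEST for imap/mail.example.test@EXAMPLE.TEST
"""


def parse_kdc_log(text):
    """Return one dict per request line that matches KDC_RE; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Map client principal -> {(request type, result, service principal): count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["client"]][(e["req"], e["result"], e["service"])] += 1
    return {client: dict(counts) for client, counts in summary.items()}


def issued_tgts(events):
    """Client principals that completed an AS exchange (AS_REQ with result ISSUE)."""
    return sorted({e["client"] for e in events
                   if e["req"] == "AS_REQ" and e["result"] == "ISSUE"})


def service_ticket_requested(events, service):
    """True if any TGS_REQ asked for `service`; False means no client ever tried."""
    return any(e["req"] == "TGS_REQ" and e["service"] == service for e in events)


def run_sample():
    """Parse the constructed sample and return (events, summary) for inspection."""
    events = parse_kdc_log(SAMPLE_KDC_LOG)
    return events, summarize(events)


if __name__ == "__main__":
    events, summary = run_sample()
    for client, counts in summary.items():
        print(client)
        for (req, result, service), n in counts.items():
            print(f"  {req:8} {result:15} -> {service}  x{n}")
    print("TGTs issued to:", issued_tgts(events))
    imap = "imap/mail.example.test@EXAMPLE.TEST"
    print("IMAP service ticket requested:", service_ticket_requested(events, imap))
```

Run it against a copy of /var/log/krb5kdc.log (after the archive's " at " has been turned back into "@" if the log was pasted from a list post): if the IMAP principal never shows up as the target of a TGS_REQ while the host/ and smtp/ principals do, the client is not asking for it, which points at the client-side name or realm rather than at the Dovecot keytab.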
