[Freeipa-users] Introduction and question regarding SMTP/IMAP
Dave Gonzalez
dgonzalezh at gmail.com
Wed Jun 25 14:52:16 UTC 2014
On 6/25/2014 8:17 AM, Simo Sorce wrote:
> On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote:
>> Hello there everyone David here,
>>
>> I'm a big time Red Hat fan, I work for a company where we have a small 20+
>> people directory, I'm currently using Samba4 to offer authentication to
>> Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch
>> because samba is a hassle to set up and whenever replication breaks it's
>> nearly impossible to rebuild, anyways, My current environment is Proxmox
>> VE 3 as the virtualization platform and many CentOS/RedHat Servers holding
>> my services.
>>
>> Please excuse me if this was already answered but after I went through
>> the archives I couldn't find anyone facing the same issue, please bear
>> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing
>> something or doing it wrong but after a week struggling with this setup
>> I decided to call for the help of the experts.
>>
>> My environment:
>> FreeIPA Server
>> CentOS 6.5 x86_64
>>
>> Mail Server
>> CentOS 6.5
>> postfix-2.6.6-6.el6_5.x86_64
>> dovecot-2.0.9-7.el6.x86_64
>> ipa-python-3.0.0-37.el6.x86_64
>> ipa-client-3.0.0-37.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>>
>> I've followed these posts from Dale Macartney, whose posts I've also read
>> around here
>>
>> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
>>
>> http://www.freeipa.org/page/Dovecot_Integration
>>
>> None of them seem to work at the moment when using Thunderbird with the
>> server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that
>>
>> <quote>
>> "The kerberos/GSSAPI ticket was not accepted by the IMAP server
>> david at domain.com. Please check that you're logged in to the
>> Kerberos/GSSAPI realm"
>> </quote>
>
> Need more details here.
>
> What is the imap server name ?
Dovecot and Postfix are running on the same server, which I already added with
ipa service-add mail.domain.net, downloaded the keytabs, and set up
everything as per the howtos mentioned in my first post.
> Check the KDC logs do you see the client asking for a ticket ? Is it
> successful ?
Yes -- the ipa server is indeed showing some tickets, here's the
/var/log/krb5kdc.log
6 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for
krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
host/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET,
Additional pre-authentication required
Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18
tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for
krbtgt/DOMAIN.NET at DOMAIN.NET
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18
tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for
ldap/ipa.domain.net at DOMAIN.NET
Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET,
Additional pre-authentication required
Jun 25 08:31:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET,
Additional pre-authentication required
Jun 25 08:32:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes
{18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH:
smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET,
Additional pre-authentication required
> Without any data I am using my crystal ball and thinking the most
> probable cause is that you are using a different name in the client than
> what you configured your IMAP server's keytab with.
I did this:
ipa-client-install -U -p admin -w mysecretpassword
auth_mechanisms = gssapi
auth_gssapi_hostname = mail01.example.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_realms = example.com
auth_default_realm = example.com
# kinit admin
Password for admin at EXAMPLE.COM:
# ipa service-add imap/mail01.example.com
# ipa-getkeytab -s ds01.example.com -p imap/mail01.example.com -k /etc/dovecot/krb5.keytab
With my own values of course.
Now as an update to the progress on my research I installed the MIT
Kerberos Windows Client and I'm getting a prompt to enter my
david at DOMAIN.NET and password, then after enabling Dovecot's IMAP logs
Jun 25 09:39:13 mail dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 25 09:39:13 mail dovecot: auth: Debug: auth client connected (pid=4576)
Jun 25 09:39:14 mail dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=217.23.15.26#011rip=181.140.146.136#011lport=143#011rport=64275
Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(?,181.140.146.136):
Obtaining credentials for imap at mail.domain.net
Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug: client in:
CONT#0111#011YIICbQYJKoZIhvcSAQICAQBuggJcMIICWKADAgEFoQMCAQ6iBwMFACAAAACjggFvYYIBazCCAWegAwIBBaEOGwxQQVlNVU5ETy5ORVSiJDAioAMCAQOhGzAZGwRpbWFwGxFtYWlsLnBheW11bmRvLm5ldKOCASgwggEkoAMCARKhAwIBA6KCARYEggESURD7IYGOw0RjKSrRT.....x1j6YNFQiORWEY5InF1HB7Thgi+DMMyZLSQ/7qMQ7d.....qSH/BQVlm7G2gRvfT4DW2O6Sq0j4+AqZDF+EJhIE9jiZmoBSdkVECKnurcsLNgEEDp+mX..........6X1qV0oXwLmiRw9k50/F4fkO7JC+6f1OutHALQwT72K1b0ZYHhp8vPAihiDX3ZKaPOJOlS7GIf2THufWzqf5lskJihkwcN6LAPOK........hwekM0WmY2rDWm2I8/jBYPlu4Yp4j1+8lE2y10f1iBIxkAgnMyG3ZbIqQUT7lE5qSBzzCBzKADAgESooHEBIHBRg+jmt1e3f7jnTegfWoiaBzIli3s/L1ZstEPq6hiwW4T8kUfZyuf6WTZKq/k0e4jz76lP4nCK5MHwV/OM0a+rBhUGeHU2mN7MQt63eLRlf+XAKT3FlmQArcqWzKCtjsIdTxtJj9dt9EhHUNU+PgjiTNAA9LeFxHNxN8l9xPDawy60j96wAka1QI4g==
Jun 25 09:39:14 mail dovecot: auth: Debug:
gssapi(david at DOMAIN.NET,181.140.146.136): security context state completed.
Jun 25 09:39:14 mail dovecot: auth: Debug: client out:
CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+ieq1mPuNUjd7eq2zRkDb8B0Im1Z5lPSxRL+Gn9Ljy7VOtJsQYq+EWgDlP+kPGWxVA6DtASk4hO+sD3jZTAd
Jun 25 09:39:14 mail dovecot: auth: Debug: client in: CONT#0111#011
Jun 25 09:39:14 mail dovecot: auth: Debug:
gssapi(david at DOMAIN.NET,181.140.146.136): Negotiated security layer
Jun 25 09:39:14 mail dovecot: auth: Debug: client out:
CONT#0111#011QF/wAMAAAQ2yTAH///8hlXwCrWScU=
Jun 25 09:39:15 mail dovecot: auth: Debug: client in:
CONT#0111#011BQQE/wAMAAAEAAABkYXZpZFin/xrUh3Faw/W0IA==
Jun 25 09:39:15 mail dovecot: auth: Debug: client out:
OK#0111#011user=david at domain.net
Jun 25 09:39:15 mail dovecot: auth: Debug: master in:
REQUEST#0113104702465#0114576#0111#011d8d0053151d33c802
Jun 25 09:39:15 mail dovecot: auth: Debug: master out:
USER#0113104702465#011david at domain.net#011uid=97#011gid=97#011home=/var/spool/mail/david at domain.net
Jun 25 09:39:15 mail dovecot: imap-login: Login:
user=<david at domain.net>, method=GSSAPI, rip=181.140.146.136,
lip=217.23.15.26, mpid=4579, TLS
Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: user
david at domain.net: Couldn't drop privileges: Mail access for users with
UID 97 not permitted (see first_valid_uid in config file).
Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: Internal
error occurred. Refer to server log for more information.
Now the latter part regarding the first_valid_uid issue is never
mentioned in the online howtos, so there's another new issue, but at
least now I see the system and Thunderbird trying to authenticate.
HTH, if you need any more info please let me know.
Thank you very much for taking the time to reply to my question.
>
>> with Dovecot I'm getting this
>>
>> <code>
>> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth
>> attempts): rip=1.1.1.1, lip=217.1.2.3
>> </code>
> This is because I guess the client couldn't get a ticket so it didn't
> even attempt authentication.
I don't know if the fact that the server is already enrolled as
smtp/mail.domain.net makes dovecot not request any ticket as
imap/mail.domain.net, as I don't see any entries for that system in the
KDC log.
>> I tried a manual telnet and used "authenticate gssapi", which returns "+",
>> which means the module is indeed loading and the server is gssapi ready for
>> the challenge.
>>
>> If anyone of you could point me into the right direction I'd really
>> value that.
> HTH,
> Simo.
>
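Simo's advice to read the KDC log for the client's ticket requests can be mechanised. The following is an added example, not code from this thread, from FreeIPA or from Dovecot: it parses krb5kdc.log request lines of the shape quoted above (a constructed sample with placeholder hosts, realm and addresses) and reports whether a user obtained a TGT and then a service ticket for the expected imap/ principal, which is exactly the distinction the thread is trying to make.

```python
import re

# Constructed sample, modelled on the krb5kdc.log lines quoted in the thread.
# Hostnames, realm and IPs are placeholders; real logs write principals with "@",
# which the list archive renders as " at ".
SAMPLE_KDC_LOG = """\
Jun 25 08:30:01 ipa.example.net krb5kdc[25103](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: host/mail.example.net@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, Additional pre-authentication required
Jun 25 08:30:01 ipa.example.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.example.net@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jun 25 08:30:01 ipa.example.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.example.net@EXAMPLE.NET for ldap/ipa.example.net@EXAMPLE.NET
Jun 25 09:39:13 ipa.example.net krb5kdc[25104](info): AS_REQ (4 etypes {18 17 23}) 198.51.100.7: ISSUE: authtime 1403707153, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jun 25 09:39:14 ipa.example.net krb5kdc[25104](info): TGS_REQ (4 etypes {18 17 23}) 198.51.100.7: ISSUE: authtime 1403707153, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.NET for imap/mail.example.net@EXAMPLE.NET
"""

# One regex for both AS_REQ and TGS_REQ lines. The optional group skips the
# "authtime ..., etypes {...}, " prefix that ISSUE lines carry before the principals.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?:.*?, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)


def parse_kdc_log(text):
    """Return one dict (kind, ip, status, client, service) per request line."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def issued(records, kind, client=None, service=None):
    """Requests of `kind` that ended in ISSUE, optionally filtered by principal."""
    return [r for r in records if r["kind"] == kind and r["status"] == "ISSUE"
            and (client is None or r["client"] == client)
            and (service is None or r["service"] == service)]


def services_for(records, client):
    """Service principals a client actually obtained tickets for (sorted)."""
    return sorted({r["service"] for r in issued(records, "TGS_REQ", client=client)})


def diagnose(text, user, service):
    """Verdict for the thread's symptom: did `user` get a TGT, and then a ticket for `service`?"""
    records = parse_kdc_log(text)
    if not issued(records, "AS_REQ", client=user):
        return "no TGT for %s: the client is not logged in to the realm" % user
    if not issued(records, "TGS_REQ", client=user, service=service):
        return ("TGT for %s but no ticket for %s: the client is asking for a different "
                "service name than the one in the server's keytab" % (user, service))
    return "ticket for %s issued to %s: KDC side is fine, look at the IMAP server" % (service, user)


if __name__ == "__main__":
    print(diagnose(SAMPLE_KDC_LOG, "david@EXAMPLE.NET", "imap/mail.example.net@EXAMPLE.NET"))
```

Run against a real log with the principal the client reports (the thread's Thunderbird case is the second verdict, a TGT with no imap/ ticket, until the MIT client was installed).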