[Freeipa-users] Introduction and question regarding SMTP/IMAP
Dave Gonzalez
dgonzalezh at gmail.com
Wed Jun 25 16:20:55 UTC 2014
On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/mail.domain.net make dovecot not request any ticket as
>> imap/mail.domain.net as I don't see any entries for that system on
>> the
>> KDC log
> Dovecot does not require any ticket, it's your clients that do, and you
> showed me no logs of clients.
Sorry about the client logs, I don't really know where Thunderbird
stores those, but it's good to understand that. I thought there was some
issue with the IMAP server; now it's clear.
I'm getting further and further with the setup. As I told you, after I
installed the MIT Kerberos Windows 8 client and checked the DNS records
I'm getting the Principal/password prompt. Now it's apparently some
missing files and wrong permissions from Dovecot that I need to figure
out too:
Jun 25 10:32:35 mail dovecot: imap-login: Login:
user=<david at domain.net>, method=GSSAPI, rip=181.140.146.136,
lip=217.23.15.26, mpid=5253, TLS
Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error:
open(/var/mail/david at domain.net) failed: Permission denied
(euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail,
euid is not dir owner)
Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error: Opening
INBOX failed: Mailbox doesn't exist: INBOX
Jun 25 10:34:49 mail dovecot: imap(david at domain.net): Error:
open(/var/mail/david at domain.net) failed: Permission denied
(euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail,
euid is not dir owner)
> If you are configuring your client to talk to mail.domain.net, then you
> *must* have a keys for imap/mail.domain.net on your IMAP server.
> Keys for imap/mail01.example.net will be useless as the client won't be
> looking for that ticket.
Yup -- from the Kerberos client I see
david at DOMAIN.NET
krbtgt/DOMAIN.NET at DOMAIN.NET
imap/mail.domain.net@
imap/mail.domain.net at DOMAIN.NET
with their respective remaining times.
> When a client is configured to talk to mail.domain.net it will ask the
> KDC for a ticket for the principal named imap/mail.domain.net.
> The client also may need to be told what KDC to contact for the
> domain.net domain if it really is a different domain from your main one.
> You used example.com and domain.net both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the ipa server).
Sorry about that example.com / domain.net typo. I just copied the
wording from the howto, but as a substitution for my real domain, which I
need to substitute for obvious reasons; I do have everything set to my
correct domain name.
> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
>
> Simo.
Thank you very much for such helpful information you've provided, Simo. I
know I need to do much, much more reading to get this all done.
Now, after I get the permission stuff sorted out, I need to delve into
Postfix, as I haven't yet found any clear info on setting it up with IPA
Server.
--Regards David G
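Simo's point above is that the service principal the client asks for is derived from the hostname the client is configured with (imap/mail.domain.net), with the realm chosen through the domain_realm mapping in krb5.conf, and that the IMAP server must hold a key for exactly that principal. The following script is an added example, not part of this thread or of FreeIPA or Dovecot; it computes the expected principal from a krb5.conf fragment the way MIT Kerberos resolves domain_realm (exact host match, then parent domains with a leading dot, then default_realm) and compares it against the principals listed by klist. The krb5.conf text and the klist output are constructed sample data; the keytab path and kvno values in them are placeholders, not values from the thread.

```python
"""Check whether a keytab holds the service keys Kerberos clients will ask for.

Added example (not from the mailing-list thread). The krb5.conf fragment and
the klist listing below are constructed sample data. On a real host you would
feed it the output of `klist -kt <keytab dovecot uses>` and the real krb5.conf.
"""

# Constructed krb5.conf fragment: default realm differs from the mail domain,
# so the domain_realm mapping decides which realm mail.domain.net belongs to.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM

[domain_realm]
  .domain.net = DOMAIN.NET
  domain.net = DOMAIN.NET
  .example.com = EXAMPLE.COM
"""

# Constructed `klist -kt` output: the server was enrolled as smtp/mail.domain.net
# and has an imap key under a *different* hostname, but none for imap/mail.domain.net.
SAMPLE_KLIST = """Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/25/2014 09:00:00 smtp/mail.domain.net@DOMAIN.NET
   2 06/25/2014 09:00:00 imap/mail01.example.net@DOMAIN.NET
"""


def parse_krb5_conf(text):
    """Minimal parser for the flat `[section]` / `key = value` layout used above."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(host, sections):
    """MIT-style domain_realm lookup: exact host, then '.parent' domains, then default_realm."""
    mapping = sections.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return sections.get("libdefaults", {}).get("default_realm")


def expected_principal(service, host, conf_text):
    """Principal a client configured for `host` will request for `service`."""
    realm = realm_for_host(host, parse_krb5_conf(conf_text))
    return f"{service}/{host}@{realm}"


def keytab_principals(klist_text):
    """Principals from `klist -kt` output: data rows start with a numeric KVNO."""
    principals = set()
    for line in klist_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            principals.add(fields[-1])
    return principals


def missing_service_keys(services, host, conf_text, klist_text):
    """Expected principals that are absent from the keytab, in the order given."""
    have = keytab_principals(klist_text)
    return [p for p in (expected_principal(s, host, conf_text) for s in services)
            if p not in have]


if __name__ == "__main__":
    missing = missing_service_keys(["smtp", "imap"], "mail.domain.net",
                                   SAMPLE_KRB5_CONF, SAMPLE_KLIST)
    for principal in missing:
        print(f"keytab lacks a key for {principal}; clients using this hostname will fail GSSAPI")
```

In the sample data the check reports that imap/mail.domain.net@DOMAIN.NET is missing while the smtp key is present, which is exactly the situation Simo describes: a key for imap under another hostname does not help. On a FreeIPA-enrolled host the missing principal is created and fetched with `ipa service-add imap/mail.domain.net` followed by `ipa-getkeytab -p imap/mail.domain.net -k <keytab path>` (the path being whatever Dovecot is configured to read).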