[Freeipa-users] Introduction and question regarding SMTP/IMAP

Dave Gonzalez dgonzalezh at gmail.com
Wed Jun 25 16:20:55 UTC 2014


On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/mail.domain.net make dovecot not request any ticket as
>> imap/mail.domain.net as I don't see any entries for that system on
>> the
>> KDC log
> Dovecot does not require any ticket, it's your clients that do, and you
> showed me no logs of clients.
Sorry about the client logs, I don't really know where Thunderbird 
stores those, but it's good to understand that; I thought there was some 
issue with the IMAP server, now it's clear.

I'm getting further and further with the setup. As I told you, after I 
installed the MIT Kerberos Windows 8 client and checked the DNS records 
I'm getting the Principal/password prompt; now it's apparently some 
missing files and wrong permissions from Dovecot that I need to figure 
out too:

Jun 25 10:32:35 mail dovecot: imap-login: Login: 
user=<david at domain.net>, method=GSSAPI, rip=181.140.146.136, 
lip=217.23.15.26, mpid=5253, TLS
Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error: 
open(/var/mail/david at domain.net) failed: Permission denied 
(euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, 
euid is not dir owner)
Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error: Opening 
INBOX failed: Mailbox doesn't exist: INBOX
Jun 25 10:34:49 mail dovecot: imap(david at domain.net): Error: 
open(/var/mail/david at domain.net) failed: Permission denied 
(euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, 
euid is not dir owner)

> If you are configuring your client to talk to mail.domain.net, then you
> *must* have keys for imap/mail.domain.net on your IMAP server.
> Keys for imap/mail01.example.net will be useless as the client won't be
> looking for that ticket.

Yup -- from the Kerberos client I see

david at DOMAIN.NEY
     krbtgt/DOMAIN.NET at DOMAIN.NET
     imap/mail.domain.net@
     imap/mail.domain.net at DOMAIN.NET

With their respective remaining times

> When a client is configured to talk to mail.domain.net it will ask the
> KDC for a ticket for the principal named imap/mail.domain.net.
> The client also may need to be told what KDC to contact for the
> domain.net domain if it really is a different domain from your main one.
> You used example.com and domain.net both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the ipa server).

Sorry about that example.com / domain.net typo, I just copied the 
wording from the howto, but as a substitution for my real domain, which I 
need to substitute for obvious reasons, I do have everything set to my 
correct domain name.

> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
>
> Simo.

Thank you very much for such helpful information you've provided Simo. I 
know I need to do much much more reading to get this all done.

Now, after I get the permission stuff sorted out I need to delve into 
Postfix, as I haven't yet found any clear info on setting it up with IPA 
Server.

--Regards David G
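As an added example (not code from this thread, Dovecot or FreeIPA), a small Python check for Simo's point that the keytab must hold the principal clients actually request: it derives imap/<host>@REALM from a [domain_realm]-style mapping (the lookup approximates krb5's host-to-realm rule and is an assumption here) and looks for it in a constructed listing in `klist -kt` layout.

```python
"""Check that the IMAP service principal a Kerberos client will request
(imap/<hostname the client is configured with>@REALM) is present in the
IMAP server's keytab. The keytab listing is constructed sample text."""
import re
from typing import Optional

# Assumed mapping, as it would appear in the [domain_realm] section of krb5.conf.
DOMAIN_REALM = {".domain.net": "DOMAIN.NET", "domain.net": "DOMAIN.NET"}

# Constructed sample in the layout of `klist -kt /etc/dovecot/krb5.keytab`:
# the server is enrolled as smtp/mail.domain.net and imap/mail01.domain.net only.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/25/2014 09:00:00 smtp/mail.domain.net@DOMAIN.NET
   2 06/25/2014 09:00:00 imap/mail01.domain.net@DOMAIN.NET
"""

def realm_for_host(hostname: str, domain_realm: dict) -> Optional[str]:
    """Approximate krb5 [domain_realm] resolution: try the exact hostname,
    then each parent domain with a leading dot (longest match first)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None

def service_principal(service: str, hostname: str, domain_realm: dict) -> str:
    """Principal a client asks the KDC for when configured to talk to hostname."""
    realm = realm_for_host(hostname, domain_realm)
    if realm is None:
        raise ValueError(f"no [domain_realm] mapping covers {hostname}")
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"

def keytab_principals(klist_output: str) -> set:
    """Extract principal names from klist -kt style lines: KVNO date time principal."""
    pat = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    return {m.group(1) for line in klist_output.splitlines() if (m := pat.match(line))}

def keytab_has_service(klist_output: str, service: str, hostname: str,
                       domain_realm: dict = DOMAIN_REALM) -> bool:
    """True if the keytab holds the key the client's ticket request will need."""
    return service_principal(service, hostname, domain_realm) in keytab_principals(klist_output)

if __name__ == "__main__":
    for host in ("mail.domain.net", "mail01.domain.net"):
        print(host, "->", keytab_has_service(SAMPLE_KLIST, "imap", host))
```

Run against real output of `klist -kt <keytab>` on the IMAP host; a False for the name clients are configured with means GSSAPI logins will fail regardless of what other service keys are enrolled.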
