[Freeipa-users] Introduction and question regarding SMTP/IMAP

Dave Gonzalez dgonzalezh at gmail.com
Wed Jun 25 18:28:31 UTC 2014


So with more reading I've gotten even further, things never mentioned on 
those howtos:

* You must have some means to authenticate to the Kerberos realm for 
your domain, in my case the MIT Kerberos client for windows 8

I've got Dovecot working as expected authenticating using the GSSAPI 
authentication mechanism which is great.

Postfix is also talking to SASL Auth daemon but I'm getting some auth 
errors like this:

Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication 
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide 
more information ()

While Thunderbird reports this:

Sending of message failed.
The Kerberos/GSSAPI ticket was not accepted by the SMTP server 
mail.domain.net. Please check that you are logged in to the 
Kerberos/GSSAPI realm.

I'm in fact logged in to the realm from what I can see in the MIT 
Kerberos client interface:

I hope the attachment can be seen by the list:



So, as you can see both smtp/mail.domain.net and imap/mail.domain.net 
are there, so whatever is causing the issue has to do with SASL but I 
haven't been able to find any useful debug commands for it apart from 
testsaslauthd which yells:

[root@mail ~]# testsaslauthd -u david@domain.net -p pass
0: NO "authentication failed"

I don't know if I need the /etc/saslauthd.conf file as described in some 
postfix+LDAP documents. I tested that with no luck; here's a sample of 
what I tried.

[root@mail ~]# cat saslauthd.conf
ldap_servers: ldap://ipa.domain.net
ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
ldap_filter: (|(uid=%u)(mail=%u))
ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
ldap_bind_pw: pass

Any advice from you will be greatly appreciated.

Then again, Thanks In Advance guys.

--Regards DavidG

On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/mail.domain.net make dovecot not request any ticket as
>> imap/mail.domain.net as I don't see any entries for that system on
>> the
>> KDC log
> Dovecot does not require any ticket, it's your clients that do, and you
> showed me no logs of clients.
>
> If you are configuring your client to talk to mail.domain.net, then you
> *must* have keys for imap/mail.domain.net on your IMAP server.
> Keys for imap/mail01.example.net will be useless as the client won't be
> looking for that ticket.
>
> When a client is configured to talk to mail.domain.net it will ask the
> KDC for a ticket for the principal named imap/mail.domain.net.
> The client also may need to be told what KDC to contact for the
> domain.net domain if it really is a different domain from your main one.
> You used example.com and domain.net both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the ipa server).
>
> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
>
> Simo.
>
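An added illustration of Simo's point above (example script written for this page, not code from the thread or from FreeIPA): it builds the principal a client will request from the service name, the hostname the client is configured with and the realm, and checks whether that exact name appears in the server's `klist -k` listing. The hostnames, realm and keytab listing are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output: the keytab holds smtp/ and imap/
# keys for mail.domain.net, but for mail01.example.net only a host/ key.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.domain.net@DOMAIN.NET
   2 smtp/mail.domain.net@DOMAIN.NET
   2 imap/mail.domain.net@DOMAIN.NET
   1 host/mail01.example.net@EXAMPLE.NET'

# expected_principal SERVICE CLIENT_HOSTNAME REALM
# Prints the principal name the client will ask the KDC for: the client
# derives it from the hostname in its own configuration, not from the
# server's idea of its name.
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# has_key PRINCIPAL LISTING
# Returns 0 if LISTING (the text of `klist -k`) contains PRINCIPAL as a
# full principal name in the second column.
has_key() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# check_service SERVICE CLIENT_HOSTNAME REALM LISTING
# Prints OK or MISSING for the principal the client will request and
# returns 0 or 1 accordingly.
check_service() {
    princ=$(expected_principal "$1" "$2" "$3")
    if has_key "$princ" "$4"; then
        echo "OK      $princ"
        return 0
    fi
    echo "MISSING $princ (a client configured for $2 requests this name)"
    return 1
}

# Stand-alone use against the live keytab on the mail server would be:
#   check_service smtp mail.domain.net DOMAIN.NET "$(klist -k)"
# Here the constructed listing is checked instead.
check_service smtp mail.domain.net DOMAIN.NET "$SAMPLE_KEYTAB_LISTING"
check_service imap mail.domain.net DOMAIN.NET "$SAMPLE_KEYTAB_LISTING"
check_service imap mail01.example.net EXAMPLE.NET "$SAMPLE_KEYTAB_LISTING" || true
```

Run it on the mail server as a user that can read the keytab; a MISSING line for the name the client is configured with explains a "ticket was not accepted" error even when the KDC shows other keys for the same machine.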
