[Freeipa-users] Setting up a Kerberized IMAP Server.

Petr Spacek pspacek at redhat.com
Mon Nov 24 13:32:24 UTC 2014


On 24.11.2014 13:56, Maria Jose Yañez Dacosta wrote:
> Hi!
> 
> I'm installing a Zimbra server to authenticate using SSO against FreeIPA.
> When trying to access it I'm getting an error which makes me think that
> I probably forgot to set something else in the FreeIPA configuration.
> 
> I'm a newbie with FreeIPA.
> When I configured SSO with an existing Kerberos installation it worked,
> so surely the mistake is mine in configuring something on FreeIPA.
> 
> I'll give some details about it, but if you need more information I can share
> it with all of you.
> 
> As the client to access via GSSAPI I use Thunderbird.
> 
> The error I get:
> 
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server
> usuipa@fi.example.com.
> Please check that you are logged in to the Kerberos/GSSAPI realm".
> 
> Steps to Reproduce in FreeIPA:
> 
> 1) I add the entry for the imap service in Identity Management.
>    In Services (HBAC) I add imap/fi.example.com@FI.EXAMPLE.COM.
> 
> By clicking on it I get the following status information:
> - Key current Kerberos Service provided
> - Service Certificate: Certificate not valid
> 
> 2) I got the keytab, which is then used in the installation of Zimbra, as
> follows:
> 
> ipa-getkeytab freeipafi.example.com -p -s imap /
> zimbrafreeipa.fi.example.com -k /tmp/keytab/ticket.keytab
> 
> Thanks for any help or clarification.
> Greetings!

To begin with, try to run this on the *client* machine:
$ kvno imap/fi.example.com@FI.EXAMPLE.COM

If it works, then the Kerberos principal itself and the client configuration should be
okay, and it is necessary to look at the server configuration.

If it doesn't work, you may try to run it as:
$ KRB5_TRACE=/dev/stdout kvno imap/fi.example.com@FI.EXAMPLE.COM
or alternatively
$ KRB5_TRACE=/dev/stdout thunderbird

and check the debug messages.

Usual mistakes:
- wrong file permissions on the keytab file used by the server
- wrong SELinux label on the keytab file
- wrong DNS configuration which prevents the client from finding the server or the KDC
(this possibility should be eliminated by the kvno command above)

Have a nice day!

-- 
Petr^2 Spacek
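The server-side checks Petr lists (keytab readable by the service, kvno in the keytab matching what the KDC issues) can be scripted. The following is an added example written for this archive page, not code from the thread or from the FreeIPA project. It reuses the principal imap/fi.example.com@FI.EXAMPLE.COM from the thread; the service user "zimbra", the keytab path /opt/zimbra/conf/krb5.keytab, GNU `stat -c` and the sample `klist -kt` / `kvno` outputs are assumptions constructed for the example so the parsing logic runs without a KDC.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Compares the key version number (kvno) the KDC hands out for a service
# principal with the kvno stored in the server's keytab, and checks the
# keytab's ownership and mode. A kvno mismatch or an unreadable keytab
# both produce the "ticket was not accepted" error seen by the client.

# Print the highest kvno for principal $1 found in "klist -kt" output on stdin.
# Data lines look like: "   3 11/24/2014 13:00:00 imap/fi.example.com@FI.EXAMPLE.COM"
keytab_kvno() {
    awk -v p="$1" '$NF == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# Print the kvno from "kvno" output on stdin, e.g.
# "imap/fi.example.com@FI.EXAMPLE.COM: kvno = 3"
kdc_kvno() {
    awk -F'kvno = ' 'NF > 1 { print $2 + 0 }'
}

# $1 = kvno from the KDC, $2 = kvno from the keytab. Returns 0 when they match.
check_kvno() {
    if [ "$1" -eq "$2" ]; then
        echo "ok: KDC and keytab both at kvno $1"
        return 0
    fi
    echo "mismatch: KDC issues kvno $1 but keytab holds kvno $2 (re-fetch the keytab)"
    return 1
}

# $1 = octal mode, $2 = file owner, $3 = expected owner (the service user).
# Returns 0 only when the service user owns the file and nobody else can read it.
keytab_perms_ok() {
    [ "$2" = "$3" ] || return 1
    case "$1" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Real check for the IMAP server, run as root with a valid TGT.
# $1 = principal, $2 = keytab path, $3 = service user. Assumes GNU stat.
live_check() {
    princ="$1"; keytab="$2"; owner="$3"
    kdc=$(kvno "$princ" | kdc_kvno)
    kt=$(klist -kt "$keytab" | keytab_kvno "$princ")
    check_kvno "$kdc" "$kt"
    keytab_perms_ok "$(stat -c %a "$keytab")" "$(stat -c %U "$keytab")" "$owner" \
        || echo "keytab $keytab should be mode 0600 or 0400 and owned by $owner"
    # SELinux label: compare with a label the IMAP service's domain may read.
    ls -Z "$keytab"
}

# Constructed sample outputs (assumptions) so the parsing can be exercised offline.
# The keytab holds kvno 2 and 3; the KDC currently issues kvno 3.
SAMPLE_KLIST='Keytab name: FILE:/opt/zimbra/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/20/2014 10:00:00 imap/fi.example.com@FI.EXAMPLE.COM
   3 11/24/2014 13:00:00 imap/fi.example.com@FI.EXAMPLE.COM'
SAMPLE_KVNO='imap/fi.example.com@FI.EXAMPLE.COM: kvno = 3'

PRINC='imap/fi.example.com@FI.EXAMPLE.COM'
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
check_kvno "$kdc" "$kt"
# Usage on the real server: live_check "$PRINC" /opt/zimbra/conf/krb5.keytab zimbra
```

A kvno mismatch usually means the keytab was fetched with ipa-getkeytab a second time (each fetch rotates the key and bumps the kvno) while the service still uses the old file; a permissions or label failure means the service cannot read its own key even though the principal is fine, which is exactly the split Petr's kvno-on-the-client test is meant to expose.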