[Freeipa-users] Setting up a Kerberized IMAP Server.

Petr Spacek pspacek at redhat.com
Tue Nov 25 09:11:42 UTC 2014


On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
> Thank you for your prompt reply :).
> 
> I still haven't discovered what caused the problem, but now I could get more
> information about it.
> 
> I ran the command that you mentioned; I did as follows:
> 
> - kinit usuipa
> - kvno imap/zimbrafreeipa.example.com@FI.example.com
> 
> (In my previous mail I said fi.example.com but should have said
> zimbrafreeipa.example.com. Sorry!!)
> 
> Then I ran klist and got this:
> 
> 11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/FI.EXAMPLE.COM@FI.EXAMPLE.COM
> 11/24/14 14:05:52  11/25/14 14:04:50  imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
> 
> Then I ran
> KRB5_TRACE=/dev/stdout kvno imap/zimbrafreeipa.example.com@FI.EXAMPLE.COM
> and got this:
> --------------------------------------- OUTPUT ---------------------------------------
> [20649] 1416845334.9690: Getting credentials usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM using ccache FILE:/tmp/krb5cc_0
> [20649] 1416845334.27562: Retrieving usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM: kvno = 2
> --------------------------------------- END OF OUTPUT --------------------------------
> 
> When I run
> KRB5_TRACE=/dev/stdout thunderbird
> this shows:
> 
> --------------------------------------- OUTPUT ---------------------------------------
> Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
> [20906] 1416845377.323420: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usuipa@FI.EXAMPLE.COM for server principal imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
> [20906] 1416845377.323834: Retrieving usuipa@FI.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> [20906] 1416845377.323939: Getting credentials usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM using ccache FILE:/tmp/krb5cc_0
> [20906] 1416845377.324677: Retrieving usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
> [20906] 1416845377.325617: Creating authenticator for usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM, seqnum 138355536, subkey aes256-cts/3BB4, session key aes256-cts/A007
> [20906] 1416845377.353847: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usuipa@FI.EXAMPLE.COM for server principal imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
> [20906] 1416845377.353971: Retrieving usuipa@FI.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey (null), seqnum 1067232298
> [20906] 1416845396.10173: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usuipa@FI.EXAMPLE.COM for server principal imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
> [20906] 1416845396.10290: Retrieving usuipa@FI.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> [20906] 1416845396.10316: Getting credentials usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM using ccache FILE:/tmp/krb5cc_0
> [20906] 1416845396.10391: Retrieving usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
> [20906] 1416845396.10469: Creating authenticator for usuipa@FI.EXAMPLE.COM -> imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM, seqnum 592157704, subkey aes256-cts/5F4D, session key aes256-cts/A007
> [20906] 1416845396.35033: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal usuipa@FI.EXAMPLE.COM for server principal imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
> [20906] 1416845396.35196: Retrieving usuipa@FI.EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey (null), seqnum 911725412
> 
> --------------------------------------- END OF OUTPUT --------------------------------

This seems okay; Thunderbird got the necessary ticket, so the problem could be on
the server side. (Just to be 100% sure: did you configure the network.negotiate-auth
option in Thunderbird according to
https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html ?)

> About permissions on the keytab file, I have the following:
> 
> ls -l /opt/zimbra/conf/krb5.keytab
> -rwxrwxrwx 1 zimbra zimbra 366 Nov 20 14:45 /opt/zimbra/conf/krb5.keytab
> 
> Selinux (/etc/selinux/config)
> SELINUX=disabled
> 
> What do you think about this?

That it is completely insecure :-) Seriously, the keytab contains symmetric
cryptographic keys, so it should be protected as much as feasible.

It is fine for testing purposes (assuming that you do not forget to secure the
file permissions and generate a new keytab before moving it to production).

As a next step, please raise the debug levels on the server and possibly use the
KRB5_TRACE=/dev/stdout trick for the IMAP server process.

-- 
Petr^2 Spacek
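The two server-side checks that follow from Petr's reply, written out as an added POSIX sh example (this is not code from the thread, FreeIPA or Zimbra): it audits the keytab's mode and owner, tightens the mode to 0600, and, where MIT krb5's klist and kvno are installed and a TGT is held, compares the key version number stored in the keytab with the one the KDC puts into a fresh service ticket. The default path /opt/zimbra/conf/krb5.keytab, the owner zimbra and the principal imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM are taken from the thread; everything else (function names, the accepted modes) is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Zimbra: audit a keytab's
# filesystem protection, tighten it, and (when MIT krb5 tools are present)
# compare the kvno in the keytab with the kvno the KDC currently issues.
# Usage: sh keytab-audit.sh /opt/zimbra/conf/krb5.keytab zimbra \
#            imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM

# Octal permission bits of a file: GNU stat, with a BSD/macOS fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if only the owner can touch the keytab (0600, or 0400 for a read-only
# service), 1 otherwise. Any group/world bit lets another local user copy the
# long-term service keys and impersonate the IMAP server to every client.
keytab_mode_ok() {
  mode=$(file_mode "$1") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Report every problem found: presence, mode, and owner.
# $2 is the account the IMAP server runs as ("zimbra" in the thread).
audit_keytab() {
  kt=$1; want_owner=$2; rc=0
  [ -f "$kt" ] || { echo "$kt: no such file"; return 1; }
  if ! keytab_mode_ok "$kt"; then
    echo "$kt: mode $(file_mode "$kt") exposes the keys; want 0600"
    rc=1
  fi
  owner=$(ls -ld "$kt" | awk '{print $3}')
  if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
    echo "$kt: owned by $owner, expected $want_owner"
    rc=1
  fi
  return $rc
}

# Close the mode down. Changing the owner needs root and is left to the
# operator (chown zimbra:zimbra /opt/zimbra/conf/krb5.keytab).
harden_keytab() {
  chmod 0600 "$1"
}

# Compare the highest kvno stored for the principal in the keytab with the kvno
# the KDC puts in a fresh service ticket. A mismatch (typical after the keytab
# was regenerated) means the server cannot decrypt the tickets clients present
# even though the client-side trace, as in the thread, looks fine.
# Needs a valid TGT (kinit) and MIT krb5 klist/kvno; returns 2 if they are absent.
check_kvno() {
  kt=$1; princ=$2
  if ! command -v klist >/dev/null 2>&1 || ! command -v kvno >/dev/null 2>&1; then
    echo "klist/kvno not installed; skipping kvno check"
    return 2
  fi
  # klist -kt prints "KVNO date time Principal", so the principal is field 4.
  in_keytab=$(klist -kt "$kt" | awk -v p="$princ" '$4 == p {print $1}' | sort -n | tail -n 1)
  # kvno prints "principal: kvno = N".
  from_kdc=$(kvno "$princ" 2>/dev/null | sed -n 's/.*kvno = //p')
  if [ -z "$in_keytab" ]; then
    echo "$princ not present in $kt"; return 1
  fi
  if [ "$in_keytab" != "$from_kdc" ]; then
    echo "kvno mismatch: keytab has $in_keytab, KDC issues ${from_kdc:-?}"; return 1
  fi
  echo "kvno $in_keytab matches between $kt and the KDC"
}

main() {
  kt=$1; owner=$2; princ=$3
  if ! audit_keytab "$kt" "$owner"; then
    harden_keytab "$kt" && echo "$kt: mode set to 0600"
  fi
  if [ -n "$princ" ]; then
    check_kvno "$kt" "$princ"
  fi
}

# Only run the audit when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

If the keytab passes both checks, the next place to look is the server process itself: start the IMAP daemon with KRB5_TRACE pointing at a file it can write (the thread suggests /dev/stdout) so that its side of the AP-REQ handling is logged, and make sure the service uses the keytab you just audited (KRB5_KTNAME, or the server's own keytab setting) rather than /etc/krb5.keytab.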
