On 2022-12-14 14:19, Alexander Bokovoy via FreeIPA-users wrote:
> Could you please share your Dovecot and krb5 configuration on that Dovecot server?
> It is hard to help without seeing anything.
Sure mate. This was what I could think of that was relevant. If there's anything missing just ask.
# egrep -v "^#|^$" /etc/dovecot/conf.d/10-auth.conf
auth_realms = INT.R3PEK.ORG
auth_default_realm = INT.R3PEK.ORG
auth_username_format = %Ln
auth_gssapi_hostname = mail01.int.r3pek.org
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = gssapi plain
!include auth-system.conf.ext

# egrep -v "^\s*#|^$" /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
}
userdb {
  driver = passwd
  override_fields = home=/email/%Lu
}
# klist -k /etc/dovecot/mail.keytab
Keytab name: FILE:mail.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
# cat /etc/sssd/sssd.conf
[domain/int.r3pek.org]
id_provider = ipa
ipa_server = _srv_, ipa01.int.r3pek.org
ipa_domain = int.r3pek.org
ipa_hostname = mail01.int.r3pek.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = enp6s18
krb5_store_password_if_offline = True

[sssd]
services = nss, pam, ssh, sudo
domains = int.r3pek.org

[nss]
homedir_substring = /home
Thanks.