On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
On 2022-12-14 14:19, Alexander Bokovoy via FreeIPA-users wrote:
Could you please share your Dovecot and krb5 configuration on that Dovecot server?
It is hard to help without seeing anything.
Sure mate. This was what I could think of that was relevant. If there's anything missing just ask.
Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files included from it. I think they are in /etc/krb5.conf.d and /var/lib/sss/pubconf/krb5.include.d.
You can see a full list of the directories with:
    grep includedir /etc/krb5.conf
The rest of the configuration looks fine, but krb5 configs will help to understand how hostname-to-realm mapping would be performed and what else is affecting the configuration.
# egrep -v "^#|^$" /etc/dovecot/conf.d/10-auth.conf
auth_realms = INT.R3PEK.ORG
auth_default_realm = INT.R3PEK.ORG
auth_username_format = %Ln
auth_gssapi_hostname = mail01.int.r3pek.org
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = gssapi plain
!include auth-system.conf.ext

# egrep -v "^\s*#|^$" /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
}
userdb {
  driver = passwd
  override_fields = home=/email/%Lu
}

# klist -k /etc/dovecot/mail.keytab
Keytab name: FILE:mail.keytab
KVNO Principal
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
   1 host/mail01.int.r3pek.org@INT.R3PEK.ORG

# cat /etc/sssd/sssd.conf
[domain/int.r3pek.org]
id_provider = ipa
ipa_server = _srv_, ipa01.int.r3pek.org
ipa_domain = int.r3pek.org
ipa_hostname = mail01.int.r3pek.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = enp6s18
krb5_store_password_if_offline = True

[sssd]
services = nss, pam, ssh, sudo
domains = int.r3pek.org

[nss]
homedir_substring = /home
Thanks.
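
The reply above asks for /etc/krb5.conf plus every file it includes. As an added example that is not part of the thread, the script below follows `include` and `includedir` directives and lists the files libkrb5 would actually read, so snippets in directories such as /etc/krb5.conf.d are not missed and ignored ones are not mistaken for active configuration. The function names, the depth limit and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: print every file libkrb5 would read, starting from one krb5.conf.
# includedir filename rule (MIT krb5 docs): names made only of alphanumerics,
# dashes or underscores; since 1.15 also names ending in ".conf" that do not
# start with a dot. Function names and the depth limit of 10 are this example's own.

krb5_conf_files() {                      # $1 = config file, $2 = include depth
    [ -r "$1" ] || return 0
    [ "${2:-0}" -le 10 ] || return 0     # stop on include loops
    printf '%s\n' "$1"
    while read -r directive target rest; do
        case $directive in
            include)
                krb5_conf_files "$target" $(( ${2:-0} + 1 )) ;;
            includedir)
                for f in "$target"/*; do # the glob already skips dotfiles
                    [ -f "$f" ] || continue
                    base=${f##*/}
                    case $base in
                        *.conf) ;;                        # accepted since 1.15
                        *[!A-Za-z0-9_-]*) continue ;;     # e.g. .rpmsave, backup~
                    esac
                    krb5_conf_files "$f" $(( ${2:-0} + 1 ))
                done ;;
        esac
    done < "$1"
}

# Constructed sample tree (not from the thread) showing which names are picked up.
krb5_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/krb5.conf.d"
    printf 'includedir %s/krb5.conf.d\n[libdefaults]\n' "$d" > "$d/krb5.conf"
    for n in a_ok b-ok.conf c.rpmsave .e.conf; do
        printf '[libdefaults]\n' > "$d/krb5.conf.d/$n"
    done
    krb5_conf_files "$d/krb5.conf" | sed "s|^$d/||"
    rm -rf "$d"
}

# With an argument, walk that file (e.g. /etc/krb5.conf); otherwise run the demo.
if [ -n "${1:-}" ]; then krb5_conf_files "$1"; else krb5_demo; fi
```

Run with /etc/krb5.conf as the argument on the Dovecot host, the output is the list of files to attach to a reply like the one requested here.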