On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
On 2022-12-14 14:19, Alexander Bokovoy via FreeIPA-users wrote:
>Could you please share your Dovecot and krb5 configuration on that
>Dovecot server?
>
>It is hard to help without seeing anything.
Sure mate. This was what I could think of that was relevant. If
there's anything missing just ask.
Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files
included from it, I think they are in /etc/krb5.conf.d and
/var/lib/sss/pubconf/krb5.include.d
You can see a full list of the directories with
grep includedir /etc/krb5.conf
The rest of the configuration looks fine but krb5 configs will help to
understand how hostname to realm mapping would be performed and what
else is affecting the configuration.
# egrep -v "^#|^$" /etc/dovecot/conf.d/10-auth.conf
auth_realms = INT.R3PEK.ORG
auth_default_realm = INT.R3PEK.ORG
auth_username_format = %Ln
auth_gssapi_hostname = mail01.int.r3pek.org
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = gssapi plain
!include auth-system.conf.ext
# egrep -v "^\s*#|^$" /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
driver = pam
}
userdb {
driver = passwd
override_fields = home=/email/%Lu
}
# klist -k /etc/dovecot/mail.keytab
Keytab name: FILE:mail.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
1 smtp/mail01.int.r3pek.org@INT.R3PEK.ORG
1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
1 imap/mail01.int.r3pek.org@INT.R3PEK.ORG
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
1 host/mail01.int.r3pek.org@INT.R3PEK.ORG
# cat /etc/sssd/sssd.conf
[domain/int.r3pek.org]
id_provider = ipa
ipa_server = _srv_, ipa01.int.r3pek.org
ipa_domain = int.r3pek.org
ipa_hostname = mail01.int.r3pek.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = enp6s18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo
domains = int.r3pek.org
[nss]
homedir_substring = /home
Thanks.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
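Added example (not code from this thread, from FreeIPA or from SSSD): a POSIX shell script that does the "grep includedir /etc/krb5.conf" walk Alexander asks for automatically, listing every file libkrb5 would read, and then resolves which realm a hostname maps to from the [domain_realm] sections of those files. The sample configuration tree it builds is constructed (placed in a temporary directory, mirroring the /etc/krb5.conf, /etc/krb5.conf.d and /var/lib/sss/pubconf/krb5.include.d layout mentioned above); the includedir filename filter and the dot-prefixed lookup order follow MIT krb5's documented behaviour. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or SSSD). Walks include/includedir
# directives of a krb5.conf the way libkrb5 does, then resolves the realm a
# hostname maps to via [domain_realm]. Assumes POSIX sh + awk; sample tree below
# is constructed.

# Print the main krb5.conf followed by every file it pulls in, recursively.
# MIT krb5 only reads includedir entries whose names consist of letters, digits,
# '-' and '_', so a stray "stale.rpmsave" in the directory is ignored here too.
krb5_config_files() {
    kc_conf=$1
    [ -r "$kc_conf" ] || return 1
    printf '%s\n' "$kc_conf"
    awk '/^[[:space:]]*include[[:space:]]/    { print "F", $2 }
         /^[[:space:]]*includedir[[:space:]]/ { print "D", $2 }' "$kc_conf" |
    while read -r kc_kind kc_path; do
        case $kc_kind in
        F) [ -r "$kc_path" ] || continue
           krb5_config_files "$kc_path" ;;
        D) [ -d "$kc_path" ] || continue
           for kc_f in "$kc_path"/*; do
               [ -f "$kc_f" ] || continue
               case ${kc_f##*/} in
               *[!A-Za-z0-9_-]*) continue ;;   # name with '.' etc.: skipped by libkrb5
               esac
               krb5_config_files "$kc_f"
           done ;;
        esac
    done
}

# Look up HOST in the [domain_realm] sections of CONF and its includes.
# Order follows the krb5.conf man page: exact hostname first, then each parent
# domain with a leading dot, most specific first (mail01.int.r3pek.org ->
# .int.r3pek.org -> .r3pek.org -> .org). Prints the realm and returns 0, or
# returns 1 when no entry applies (libkrb5 would then fall back to DNS and
# default_realm heuristics, not modelled here).
krb5_realm_for_host() {
    rh_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rh_files=$(krb5_config_files "$2") || return 1
    rh_key=$rh_host
    while :; do
        for rh_f in $rh_files; do
            rh_realm=$(awk -v key="$rh_key" '
                FNR == 1 { insec = 0 }
                /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
                insec {
                    sub(/[[:space:]]*=[[:space:]]*/, " = ")   # tolerate "key=value"
                    if ($1 == key && $2 == "=") { print $3; exit }
                }' "$rh_f")
            [ -n "$rh_realm" ] && { printf '%s\n' "$rh_realm"; return 0; }
        done
        rh_base=${rh_key#.}
        rh_rest=${rh_base#*.}
        [ "$rh_rest" = "$rh_base" ] && return 1    # no parent domains left
        rh_key=.$rh_rest
    done
}

# Constructed sample tree (temp dir). Prints the path of the main krb5.conf.
make_sample_krb5_config() {
    ms_dir=$(mktemp -d)
    mkdir -p "$ms_dir/krb5.conf.d" "$ms_dir/krb5.include.d"
    cat >"$ms_dir/krb5.conf" <<EOF
includedir $ms_dir/krb5.conf.d
includedir $ms_dir/krb5.include.d

[libdefaults]
  default_realm = INT.R3PEK.ORG
  dns_lookup_realm = false
EOF
    cat >"$ms_dir/krb5.conf.d/crypto-policies" <<EOF
[libdefaults]
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
    # Modelled on the mapping file SSSD's IPA provider writes for the joined domain.
    cat >"$ms_dir/krb5.include.d/domain_realm_int_r3pek_org" <<EOF
[domain_realm]
.int.r3pek.org = INT.R3PEK.ORG
int.r3pek.org = INT.R3PEK.ORG
EOF
    # Leftover libkrb5 must ignore; if it were read, the mapping would be wrong.
    cat >"$ms_dir/krb5.include.d/stale.rpmsave" <<EOF
[domain_realm]
.int.r3pek.org = WRONG.REALM
EOF
    printf '%s\n' "$ms_dir/krb5.conf"
}

# Demo on the constructed tree; everything lives under the temp dir.
demo_conf=$(make_sample_krb5_config)
echo "Files libkrb5 would read:"
krb5_config_files "$demo_conf"
for h in mail01.int.r3pek.org int.r3pek.org other.example.net; do
    echo "$h -> $(krb5_realm_for_host "$h" "$demo_conf" || echo '(no domain_realm entry)')"
done
rm -rf "${demo_conf%/krb5.conf}"
```

On a real Dovecot host the same two calls are `krb5_config_files /etc/krb5.conf` and `krb5_realm_for_host mail01.int.r3pek.org /etc/krb5.conf`. The realm printed should be the one in the keytab principals (INT.R3PEK.ORG above) and in auth_default_realm; if it differs, or no entry applies, GSSAPI will be looking for a service principal in a different realm than the one the keytab holds, which is the kind of mismatch the krb5 configuration request in this thread is meant to surface. The example also shows why a dotted file name left behind in an includedir is silently ignored: the WRONG.REALM mapping in stale.rpmsave never takes effect.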