On 2015-09-09 14:21, Mike wrote:
> Yep, I have it working. It's been almost 6 months since I set it up so
> don't recall many details other than it was NOT trivial :). Have only
> used alpine and thunderbird clients, both work fine.

I wonder if that means Evolution is broken. In any case, could you tell me the changes you made to 10-auth.conf and any other files for GSSAPI auth to work? I would like to compare your setup to mine and to what I've read online.

Thanks!

Ranbir

--
Kanwar R.S. Sandhu
On 09/10/2015 10:24 AM, Kanwar Ranbir Sandhu wrote:
> On 2015-09-09 14:21, Mike wrote:
>> Yep, I have it working. It's been almost 6 months since I set it up so
>> don't recall many details other than it was NOT trivial :). Have only
>> used alpine and thunderbird clients, both work fine.
>
> I wonder if that means Evolution is broken.

I wouldn't be surprised, I stopped using evolution because it seemed to frequently experience a database corruption causing it to rebuild itself, re-downloading all the headers. That went on for me for months, it was most prominent on my laptop but it also happened on my desktop. It happened in CentOS and it happened in Fedora. So I said to hell with it, I don't want to use broken software. That didn't involve GSSAPI though, but I wouldn't be surprised if evolution is the problem.
On Thu, 10 Sep 2015, Kanwar Ranbir Sandhu wrote:
> On 2015-09-09 14:21, Mike wrote:
>> Yep, I have it working. It's been almost 6 months since I set it up so
>> don't recall many details other than it was NOT trivial :). Have only
>> used alpine and thunderbird clients, both work fine.
>
> I wonder if that means Evolution is broken. In any case, could you tell me
> the changes you made to 10-auth.conf and any other files for GSSAPI auth to
> work? I would like to compare your setup to mine and to what I've read
> online.
>
> Thanks!
>
> Ranbir

In looking at my notes I think it was LDAP integration that gave me the most headaches, GSSAPI was pretty straightforward. In any case for GSSAPI/SSO I'm pretty sure this is what I used primarily (noting that it was written with RHEL 6.2 as a target):

http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

And I believe these are the primary changes that I made to the dovecot config.

# diff ~/etc_dovecot_orig/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf 10a11> disable_plaintext_auth = no29a31> auth_realms = ourdomain.com33a36> auth_default_realm = ourdomain.com71a75> auth_gssapi_hostname = mx01.ourdomain.com76a81> auth_krb5_keytab = /etc/dovecot/krb5.keytab100c105,106 < auth_mechanisms = plain ---> #auth_mechanisms = plain > auth_mechanisms = gssapi cram-md5 plain login122c128 < !include auth-system.conf.ext ---> #!include auth-system.conf.ext124c130 < #!include auth-ldap.conf.ext ---> !include auth-ldap.conf.ext
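Review bot: At 10a11, "disable_plaintext_auth = no" combined with "plain login" in the new auth_mechanisms line (100c105,106) lets clients send their password in cleartext on connections that are not protected by TLS, which undercuts the move to GSSAPI. Unless a legacy client needs it, leave disable_plaintext_auth at yes so PLAIN and LOGIN are only accepted over TLS, and list only the mechanisms actually in use. "cram-md5" in the same line works only when the passdb can return a plaintext or CRAM-MD5-scheme password, so it is worth confirming that the LDAP passdb enabled at 124c130 can supply one before advertising it. The keytab added at 76a81 (/etc/dovecot/krb5.keytab) holds the service key and should be readable only by the user the Dovecot auth process runs as.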
On Thu, 2015-09-10 at 11:01 -0700, Mike wrote:
> < !include auth-system.conf.ext

This helped. I enabled pam for passdb and now my GSSAPI auth works, but I don't understand why. I also had to enable "allow_all_users=yes" otherwise the messages weren't delivered. I'm going to have to take this to the Dovecot list to get an explanation.

Thanks to you and Alice for the help!

--
Kanwar R.S. Sandhu