Hi Ranbir,

I've worked with FreeIPA a little, but without your doveconf or some other context information, it is difficult to identify the issue.

Regards,
Manuel Delgado
-----------------------------------------------------------
*Linux User* *#520940 <http://counter.li.org/>*
M.Sc. Computing and Informatics
Universidad de Costa Rica
Centro de Informática

On Mon, Sep 7, 2015 at 8:47 AM, Kanwar Ranbir Sandhu <m3freak at thesandhufamily.ca> wrote:
> On Sun, 2015-09-06 at 17:41 -0400, Kanwar Ranbir Sandhu wrote:
> > I've followed official documentation from Red Hat and read numerous wiki
> > articles on how to configure Dovecot to get it to use GSSAPI correctly.
> > I don't think I've done anything incorrectly, but it refuses to work.
> > This is the error I'm seeing:
> >
> > mailman02 dovecot: imap-login: Disconnected (tried to use unsupported
> > auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS,
> > session=<QhWSqxofyAAKyAkM>
> >
> > I don't understand why no username is being passed. My mail client is
> > Evolution 3.10.4.
>
> Anyone? I could really use some help with troubleshooting my setup.
> Kerberos + Dovecot apparently works really well, but not for
> me...yet. :(
>
> Ranbir
>
> --
> Kanwar R.S. Sandhu
On Mon, 2015-09-07 at 09:14 -0600, Manuel Delgado wrote:
> Hi Ranbir
>
> I've worked with FreeIPA a little, but without your doveconf or some other
> context information, it is difficult to identify the issue.

Crap...I meant to include that. Here's what it looks like when I enable GSSAPI:

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-229.11.1.el7.x86_64 x86_64 CentOS Linux release 7.1.1503 (Core)
auth_default_realm = theinside.rnr
auth_gssapi_hostname = mailman02.theinside.rnr
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = gssapi
auth_realms = theinside.rnr
hostname = imap.thesandhufamily.ca
listen = 1.1.0.0
mail_gid = virtual
mail_location = maildir:~/Maildir
mail_plugins = quota acl
mail_uid = virtual
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace {
  location = maildir:/var/spool/mail/thesandhufamily.ca/public
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_rule = *:storage=500M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@%d
protocols = imap lmtp
service auth-worker {
  user = $default_internal_user
}
service auth {
  inet_listener {
    address = 1.1.0.0
    port = 17900
  }
  unix_listener auth-userdb {
    group = virtual
    mode = 0600
    user = virtual
  }
}
service imap-login {
  process_min_avail = 5
}
service imap {
  process_limit = 10
}
service lmtp {
  inet_listener lmtp {
    address = 1.1.0.0
    port = 24
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/
  driver = static
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota acl sieve
}
protocol lda {
  mail_plugins = quota acl sieve
}
protocol imap {
  mail_plugins = quota acl imap_quota imap_acl
}

--
Kanwar R.S. Sandhu
Kanwar Ranbir Sandhu wrote on 2015-09-07 18:02:
> args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/

uid and gid must be numeric, just like the output from id:

id virtual

Make the args carry the same info.
From the first message I noted this:

> mailman02 dovecot: imap-login: Disconnected (tried to use unsupported auth
> mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS,
> session=<QhWSqxofyAAKyAkM>

It seems that your client is not using GSSAPI, but PLAIN instead.

About your config:

On Mon, Sep 7, 2015 at 10:02 AM, Kanwar Ranbir Sandhu <m3freak at thesandhufamily.ca> wrote:
>
> auth_default_realm = theinside.rnr
> auth_realms = theinside.rnr
>

In my configs I was forced to use the REALM in uppercase. When I used it in lowercase I had issues, mainly with PAM.

> auth_krb5_keytab = /etc/imap.keytab

Double-check that your keytab is correctly authorized in IPA and is still valid. In my case I had to set up a cron job to refresh the keytab. (Remember to chown it, so Dovecot can read it.)

Regards,
Manuel Delgado
-----------------------------------------------------------
*Linux User* *#520940 <http://counter.li.org/>*
M.Sc. Computing and Informatics
Universidad de Costa Rica
Centro de Informática
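The replies above point at three separate things: the client falling back to PLAIN against a gssapi-only server, the realm case in auth_default_realm/auth_realms, and whether the keytab actually holds a valid service key. The script below folds those into one offline checklist. It is an added example, not code from this thread or from the Dovecot project. It assumes that the service principal Dovecot's GSSAPI mechanism needs in the keytab is imap/<auth_gssapi_hostname>@<REALM>, and it works on captured text (a `doveconf -n` dump, `klist -kt` output, an imap-login log line) so it runs without a KDC; the sample inputs are constructed from the values quoted in the thread, not real captured data.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): offline checks for a Dovecot
# GSSAPI setup, built from the hints in the replies. Assumption: the keytab
# must contain imap/<auth_gssapi_hostname>@<REALM>.

# conf_value KEY   (stdin: doveconf -n dump)
# Print the value of the first top-level "KEY = value" line, or nothing.
conf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# lint_gssapi_conf   (stdin: doveconf -n dump)
# One finding per line; returns 1 if anything was found.
lint_gssapi_conf() {
    _conf=$(cat)
    _rc=0
    _mechs=$(printf '%s\n' "$_conf" | conf_value auth_mechanisms)
    case " $_mechs " in
        *" gssapi "*) ;;
        *) echo "auth_mechanisms does not include gssapi: '$_mechs'"; _rc=1 ;;
    esac
    # Kerberos realm names are case-sensitive and FreeIPA creates them in
    # uppercase; the reply above reports breakage with lowercase realms here.
    for _key in auth_default_realm auth_realms; do
        _val=$(printf '%s\n' "$_conf" | conf_value "$_key")
        [ -n "$_val" ] || continue
        case "$_val" in
            *[[:lower:]]*) echo "$_key is not uppercase: '$_val'"; _rc=1 ;;
        esac
    done
    _kt=$(printf '%s\n' "$_conf" | conf_value auth_krb5_keytab)
    [ -n "$_kt" ] || { echo "auth_krb5_keytab is not set"; _rc=1; }
    return $_rc
}

# keytab_lists_principal HOST REALM   (stdin: klist -kt output)
# Succeed only if the keytab lists imap/HOST@REALM (last field of each line).
keytab_lists_principal() {
    awk -v want="imap/$1@$2" '$NF == want { found = 1 } END { exit !found }'
}

# explain_login_failure MECHS LOGLINE
# Pull the method= the client actually tried out of an imap-login
# "unsupported auth mechanism" line and set it against the server's list.
explain_login_failure() {
    case "$2" in
        *"tried to use unsupported auth mechanism"*) ;;
        *) echo "not an unsupported-mechanism disconnect"; return 1 ;;
    esac
    _method=$(printf '%s\n' "$2" | sed -n 's/.*method=\([A-Za-z0-9-]*\).*/\1/p')
    _hint=""
    case "$_method" in
        PLAIN|LOGIN) _hint="; the client never started GSSAPI, so check the client (auth type, a valid ticket in klist) before the server" ;;
    esac
    echo "client offered $_method, server accepts only: $1$_hint"
}

# Constructed sample input modelled on the thread (not real captured data).
SAMPLE_CONF='auth_mechanisms = gssapi
auth_default_realm = theinside.rnr
auth_realms = theinside.rnr
auth_krb5_keytab = /etc/imap.keytab
auth_gssapi_hostname = mailman02.theinside.rnr'
SAMPLE_KLIST='Keytab name: FILE:/etc/imap.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 09/07/2015 10:00:00 imap/mailman02.theinside.rnr@THEINSIDE.RNR'
SAMPLE_LOG='imap-login: Disconnected (tried to use unsupported auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<QhWSqxofyAAKyAkM>'

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONF" | lint_gssapi_conf || true
    printf '%s\n' "$SAMPLE_KLIST" | keytab_lists_principal mailman02.theinside.rnr THEINSIDE.RNR \
        && echo "keytab lists imap/mailman02.theinside.rnr@THEINSIDE.RNR"
    explain_login_failure gssapi "$SAMPLE_LOG"
fi
```

Run it with --demo for the built-in samples, or source it on the server and feed it live output: `doveconf -n | lint_gssapi_conf` and `klist -kt /etc/imap.keytab | keytab_lists_principal "$(hostname -f)" THEINSIDE.RNR`. A keytab that lists the right principal can still be stale: re-running ipa-getkeytab without -r generates new keys and bumps the KVNO, which invalidates older copies of the keytab, so compare the KVNO in `klist -kt` with what `kvno imap/mailman02.theinside.rnr` reports from a client ticket cache before blaming Dovecot. The realm check follows the report in the reply above; the log-line check only tells you which side to look at, since a PLAIN attempt against a gssapi-only auth_mechanisms means the client never began a Kerberos exchange.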