[Freeipa-users] Re: Kerberos/GSSAPI dovecot auth wierdeness?

Wed, 14 Dec 2022 06:42:01 -0800 

On 2022-12-14 14:34, Alexander Bokovoy via FreeIPA-users wrote:

Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files
included from it, I think they are in /etc/krb5.conf.d and
/var/lib/sss/pubconf/krb5.include.d

You can see a full list of the directories with

  grep includedir /etc/krb5.conf



# egrep -v "^\s*#|^$" /etc/krb5.conf.d/*
/etc/krb5.conf.d/crypto-policies:[libdefaults]
/etc/krb5.conf.d/crypto-policies:permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 /etc/krb5.conf.d/enable_sssd_conf_dir:includedir /var/lib/sss/pubconf/krb5.include.d/ 
/etc/krb5.conf.d/freeipa:[libdefaults]
/etc/krb5.conf.d/freeipa:    spake_preauth_groups = edwards25519
/etc/krb5.conf.d/kcm_default_ccache:[libdefaults]
/etc/krb5.conf.d/kcm_default_ccache:    default_ccache_name = KCM:
/etc/krb5.conf.d/sssd_enable_idp:[plugins]
/etc/krb5.conf.d/sssd_enable_idp: clpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so 
/etc/krb5.conf.d/sssd_enable_idp: }
/etc/krb5.conf.d/sssd_enable_idp: kdcpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so 
/etc/krb5.conf.d/sssd_enable_idp: }

# egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
/var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true 
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so 
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }
While also testing some stuff out, if I force the IP address of the mail01.r3pek.org server to be the internal one, the auth works. Am I missing something or is the normal? 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to