Sorry for the delay in answering, I've been testing a few things before coming back to ask.

Thanks for the advice, I'll be careful with security :). I also tried what is explained in the URL you shared with me and, as you suspected, that isn't the problem either. I installed Wireshark, and the packet capture shows me these errors:

error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
e-text: PREAUTH_FAILED

where the origin of these packets is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems.

I'm ashamed to say this, but I haven't figured out how to debug the IMAP process on the server using KRB5_TRACE.

Thanks so much for all your help, and if you have more suggestions, they would be appreciated.

Have a good day.

2014-11-25 15:00 GMT-02:00 <[email protected]>:

> Send Freeipa-users mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.redhat.com/mailman/listinfo/freeipa-users
> or, via email, send a message with subject or body 'help' to
>         [email protected]
>
> You can reach the person managing the list at
>         [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Is it possible to set up SUDO with redudancy? (Lukas Slebodnik)
>    2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 25 Nov 2014 09:02:59 +0100
> From: Lukas Slebodnik <[email protected]>
> To: William Muriithi <[email protected]>
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with redudancy?
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=utf-8
>
> On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <[email protected]> wrote:
>
> > Evening,
> >
> > After looking at almost all the SUDO documentation I could find, it looks
> > like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is
> > what Red Hat advises adding to the sssd config file.
> >
> > services = nss, pam, ssh, pac, sudo
> > [domain/idm.coe.muc.redhat.com]
> > sudo_provider = ldap
> > ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> > ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
> > ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> > krb5_server = grobi.idm.coe.muc.redhat.com
> >
> > The implication of adding the above is that SUDO would break if the
> > hardcoded IPA server is not available, even if there is another replica
> > somewhere in the network. Is that a correct assumption?
> >
> > Is there a better way of doing it that I have missed?
> >
> Which version of sssd do you have?
> sssd >= 1.10 has native ipa sudo providers and you don't need to use
> "sudo_provider = ldap".
>
> LS
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 25 Nov 2014 10:11:42 +0100
> From: Petr Spacek <[email protected]>
> To: [email protected]
> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
> > Thank you for your prompt reply :).
> >
> > I still haven't discovered what caused the problem, but now I could get more
> > information about it.
> >
> > I ran the commands you mentioned, as follows:
> >
> > - kinit usuipa
> > - kvno imap/[email protected]
> >
> > (In my previous mail I said fi.example.com but should have said
> > zimbrafreeipa.example.com. Sorry!!)
> >
> > Then I ran klist and got this:
> >
> > 11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/[email protected]
> > 11/24/14 14:05:52  11/25/14 14:04:50  imap/[email protected]
> >
> > Then I ran
> > KRB5_TRACE=/dev/stdout kvno imap/[email protected]
> > and got this:
> > --------------------------------------- OUTPUT ---------------------------------------------------------------
> > [20649] 1416845334.9690: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
> > [20649] 1416845334.27562: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
> > imap/[email protected]: kvno = 2
> > --------------------------------------- END OF OUTPUT ---------------------------------------------------
> >
> > When I run
> > KRB5_TRACE=/dev/stdout thunderbird
> > it shows:
> >
> > --------------------------------------- OUTPUT ---------------------------------------------------------------
> > Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
> > [20906] 1416845377.323420: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
> > [20906] 1416845377.323834: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> > [20906] 1416845377.323939: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
> > [20906] 1416845377.324677: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
> > [20906] 1416845377.325617: Creating authenticator for [email protected] -> imap/[email protected], seqnum 138355536, subkey aes256-cts/3BB4, session key aes256-cts/A007
> > [20906] 1416845377.353847: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
> > [20906] 1416845377.353971: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> > [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey (null), seqnum 1067232298
> > [20906] 1416845396.10173: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
> > [20906] 1416845396.10290: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> > [20906] 1416845396.10316: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
> > [20906] 1416845396.10391: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
> > [20906] 1416845396.10469: Creating authenticator for [email protected] -> imap/[email protected], seqnum 592157704, subkey aes256-cts/5F4D, session key aes256-cts/A007
> > [20906] 1416845396.35033: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
> > [20906] 1416845396.35196: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
> > [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey (null), seqnum 911725412
> >
> > --------------------------------------- END OF OUTPUT ---------------------------------------------------
>
> This seems okay, Thunderbird got the necessary ticket, so the problem could be on
> the server side. (Just to be 100% sure: did you configure the network.negotiate-auth
> option in Thunderbird according to
> https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html ?)
>
> > About permissions on the keytab file, I have the following:
> >
> > ls -l /opt/zimbra/conf/krb5.keytab
> > -rwxrwxrwx 1 zimbra zimbra 366 nov 20 14:45 /opt/zimbra/conf/krb5.keytab
> >
> > Selinux (/etc/selinux/config)
> > SELINUX=disabled
> >
> > What do you think about this?
>
> That it is completely insecure :-) Seriously, the keytab contains symmetric
> cryptographic keys, so it should be protected as much as feasible.
>
> It is fine for testing purposes (assuming that you do not forget to secure
> the file permissions and generate a new keytab before moving it to production).
>
> As a next step please raise the debug levels on the server and possibly use the
> KRB5_TRACE=/dev/stdout trick for the IMAP server process.
>
> --
> Petr^2 Spacek
>
>
>
> ------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 76, Issue 111
> **********************************************
>

--
Maria José
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
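The two things Message 2 and the reply above turn on, as an added example that is neither code from the thread nor from FreeIPA, MIT Kerberos or Zimbra: the keytab must be readable only by its owner (it holds the service's long-term symmetric keys, and 0777 hands them to every local user), and the key version numbers (kvno) in the keytab must cover the kvno the KDC currently issues for the service principal. A KDC answers a client's AS-REQ with KRB5KRB_AP_ERR_BAD_INTEGRITY and e-text PREAUTH_FAILED when it cannot decrypt the encrypted-timestamp pre-authentication, that is, when the key the client used is not the key the KDC holds; a keytab left at an old kvno is the usual cause. The script parses the text of `klist -kt` and `kvno`, so it can be run offline on captured output. The sample outputs are constructed, and the principal `imap/zimbrafreeipa.example.com@EXAMPLE.COM` (realm included) is an assumption, as is the keytab kvno of 1; the kvno of 2 is the one from the thread.

```python
#!/usr/bin/env python3
"""Offline sanity checks for a service keytab (added example, not from the thread)."""
import os
import re
import stat
import subprocess
import tempfile
from collections import defaultdict

SERVICE = "imap/zimbrafreeipa.example.com@EXAMPLE.COM"   # assumed principal

# Constructed output of `klist -kt /opt/zimbra/conf/krb5.keytab` (MIT format),
# one line per enctype; here the keys are still at kvno 1 (assumed stale keytab).
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/opt/zimbra/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/20/14 14:45:03   imap/zimbrafreeipa.example.com@EXAMPLE.COM
   1 11/20/14 14:45:03   imap/zimbrafreeipa.example.com@EXAMPLE.COM
"""
# Constructed output of `kvno imap/...` run after `kinit usuipa`: the KDC issues kvno 2.
SAMPLE_KVNO = "imap/zimbrafreeipa.example.com@EXAMPLE.COM: kvno = 2\n"

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)$")


def parse_klist_kt(text):
    """principal -> set of kvnos present in the keytab."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys[m.group(2)].add(int(m.group(1)))
    return dict(keys)


def parse_kvno(text):
    """principal -> kvno of the service ticket the KDC just issued."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_LINE.match(l.strip()) for l in text.splitlines()) if m}


def kvno_findings(keytab_keys, kdc_kvnos):
    """Principals whose keytab keys cannot decrypt the tickets the KDC issues now."""
    findings = []
    for princ, kvno in kdc_kvnos.items():
        have = keytab_keys.get(princ, set())
        if not have:
            findings.append(f"{princ}: not present in keytab")
        elif kvno not in have:
            findings.append(f"{princ}: KDC issues kvno {kvno}, keytab has "
                            f"{sorted(have)}; re-fetch the keytab (ipa-getkeytab)")
    return findings


def mode_findings(path):
    """Non-empty if anyone but the owner can read or write the keytab."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is group/world accessible; "
                f"chmod 0600 and chown it to the service user"]
    return []


def demo_mode_check():
    """Check 1 on a scratch file: 0777 (as in the thread) is flagged, 0600 is not."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "krb5.keytab")
        open(p, "wb").close()
        os.chmod(p, 0o777)
        before = mode_findings(p)
        os.chmod(p, 0o600)
        after = mode_findings(p)
    return before, after


def live_findings(keytab, principal):
    """Same checks with the real tools; needs a ccache from kinit and reachability to the KDC."""
    kt = subprocess.run(["klist", "-kt", keytab], capture_output=True, text=True, check=True).stdout
    kv = subprocess.run(["kvno", principal], capture_output=True, text=True, check=True).stdout
    return mode_findings(keytab) + kvno_findings(parse_klist_kt(kt), parse_kvno(kv))


if __name__ == "__main__":
    print(kvno_findings(parse_klist_kt(SAMPLE_KLIST_KT), parse_kvno(SAMPLE_KVNO)))
    print(demo_mode_check())
```

On the real host the same two checks collapse into one MIT command: `kvno -k /opt/zimbra/conf/krb5.keytab imap/zimbrafreeipa.example.com@REALM` fetches a service ticket and decrypts it with the keytab, so it fails exactly when the keytab is stale. For the KRB5_TRACE question in the reply above: a process only honours KRB5_TRACE if the variable is in its own environment, so it has to be exported in the environment the IMAP daemon is started from (pointing it at a file rather than /dev/stdout for a daemon), not in the shell of a client.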
