On 17-02-2022 10:17, Aki Tuomi wrote:
On 17/02/2022 11:16 Kees van Vloten <keesvanvlo...@gmail.com> wrote:
On 17-02-2022 10:02, Aki Tuomi wrote:
On 17/02/2022 10:39 Kees van Vloten <keesvanvlo...@gmail.com> wrote:
On 17-02-2022 09:16, Aki Tuomi wrote:
On 17/02/2022 10:14 Kees van Vloten <keesvanvlo...@gmail.com> wrote:
On 17-02-2022 07:28, Aki Tuomi wrote:
On 16/02/2022 21:40 Kees van Vloten <keesvanvlo...@gmail.com> wrote:
Hi Team,
I am trying to set up mailbox sharing. But although user test2 shares
INBOX with test1, it is not visible for user1.
doveadm acl get -u test2 INBOX
ID Global Rights
user=test1 admin create delete expunge insert lookup post read
write write-deleted write-seen
cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/te...@example.com
1
Log output:
<snip />
I think your problem is that you are using test1 and test2 as usernames, but
the shared folder is for te...@example.com
The sharing must happen with the same user names as your users are logging in with.
Aki
Users are logging in with username only (and in most situations with a
krb5 ticket):
auth_username_format = %Lu
Is there a way to prevent sharing as the %n name (te...@example.com)?
Or is the better approach to login with %n (and would that work with
gssapi login)?
Why not use auth_username_format=%Ln then?
Also consistently use %n instead of %u in your configuration. Also doveadm acl
set -u test2 user=test1 and so on.
etc.
Aki
It is a little more complex.
There is a single SambaDC domain: "example.com" against which users
login (often with a krb5-ticket).
passdb {
driver = ldap
args = /etc/dovecot/ldap_user_to_principal.conf.ext
pass = yes
}
passdb {
# If no Kerberos ticket was passed, use pam to verify user/password
driver = pam
}
# /etc/dovecot/ldap_user_to_principal.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = \
=user=%u, \
=nopassword=Y, \
=k5principals=%{ldap:userPrincipalName}
But mail arrives for multiple DNS domains: example.com, mydomain.com,
otherdomain.com
Users can receive all mail in their example.com mailbox (it must be
this domain because krb5 will only use this domain). An LDAP query is done to
change the target domain:
userdb {
# Rewrite domain for users (but not for functional mailboxes)
driver = ldap
args = /etc/dovecot/ldap_user_domain.conf.ext
result_success = continue
result_failure = continue
}
# /etc/dovecot/ldap_user_domain.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
user_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs = \
=domain=example.com
Then there are functional mailboxes, like sa...@mydomain.com,
sa...@otherdomain.com. These are not mapped to the Samba domain because
sa...@mydomain.com is not handled by the same user as
sa...@otherdomain.com. As they remain separate ACLs can be set to share
it with the desired user.
And to add to the complexity, users can share their own mailbox with someone
else from the mail client (and that is always within the SambaDC domain
example.com).
Is what I am doing here the right approach?
Do you still recommend to switch "auth_username_format = %Lu" to %Ln?
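The identity-matching problem discussed in this thread, as an added example that is not part of the mailing-list exchange: the script models how auth_username_format rewrites a login name and then checks whether the identifiers recorded in `doveadm acl get` output and in shared-mailboxes.db can ever equal the name a user actually logs in with. The user names alice/bob and the two sample outputs are constructed for the example; only the %u/%n/%d variables and the L modifier are modelled.

```python
import re

def expand_username(login: str, fmt: str) -> str:
    """Model Dovecot's auth_username_format for one login name.

    Supports %u (full name), %n (local part), %d (domain) with an optional
    L modifier (lowercase). Any other character is copied literally.
    """
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}

    def repl(m: re.Match) -> str:
        value = values[m.group(2)]
        return value.lower() if "L" in m.group(1) else value

    return re.sub(r"%(L?)([und])", repl, fmt)

def referenced_identities(acl_output: str, db_dump: str) -> set:
    """Identifiers that must match a login name for sharing to work.

    Takes the user= IDs from `doveadm acl get` output and both path
    components (recipient and owner) of shared-mailboxes.db keys.
    """
    ids = set(re.findall(r"^user=(\S+)", acl_output, re.MULTILINE))
    key = r"^shared/shared-boxes/user/([^/]+)/(\S+)"
    for recipient, owner in re.findall(key, db_dump, re.MULTILINE):
        ids.update((recipient, owner))
    return ids

def sharing_mismatches(logins, fmt, acl_output, db_dump) -> list:
    """Return the identifiers no login name expands to under this format."""
    effective = {expand_username(login, fmt) for login in logins}
    return sorted(i for i in referenced_identities(acl_output, db_dump)
                  if i not in effective)

# Constructed sample data in the same shape as the thread's command output.
ACL_OUTPUT = """ID Global Rights
user=alice admin create delete expunge insert lookup post read write
"""
DB_DUMP = """shared/shared-boxes/user/alice/bob@example.com
1
"""

if __name__ == "__main__":
    # Logging in as bare names with %Lu: the owner key carries a domain.
    print(sharing_mismatches(["Alice", "Bob"], "%Lu", ACL_OUTPUT, DB_DUMP))
    # Logging in with full addresses and %Lu: the ACL entry lacks one.
    print(sharing_mismatches(["alice@example.com", "bob@example.com"],
                             "%Lu", ACL_OUTPUT, DB_DUMP))
```

Either result is non-empty, which is exactly the situation Aki describes: the names stored on the sharing side and the names produced at login have to be identical in form.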