On 17-02-2022 10:17, Aki Tuomi wrote:
On 17/02/2022 11:16 Kees van Vloten <keesvanvlo...@gmail.com> wrote:

On 17-02-2022 10:02, Aki Tuomi wrote:
On 17/02/2022 10:39 Kees van Vloten <keesvanvlo...@gmail.com> wrote:

On 17-02-2022 09:16, Aki Tuomi wrote:
On 17/02/2022 10:14 Kees van Vloten <keesvanvlo...@gmail.com> wrote:

On 17-02-2022 07:28, Aki Tuomi wrote:
On 16/02/2022 21:40 Kees van Vloten <keesvanvlo...@gmail.com> wrote:

Hi Team,


I am trying to set up mailbox sharing. But although user test2 shares
INBOX with test1, it is not visible for user test1.

doveadm  acl get -u test2 INBOX
ID         Global Rights
user=test1        admin create delete expunge insert lookup post read
write write-deleted write-seen

cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/te...@example.com
1

Log output:

<snip />
I think your problem is that you are using test1 and test2 as usernames, but 
shared folder is for te...@example.com

The sharing must happen with same user names as your users are logging in.

Aki

Users are logging in with username only (and in most situations with a
krb5 ticket):

auth_username_format = %Lu

Is there a way to prevent sharing as the %n name (te...@example.com)?

Or is the better approach to login with %n (and would that work with
gssapi login)?
Why not use auth_username_format=%Ln then?

Also consistently use %n instead of %u in your configuration. Also doveadm acl 
set -u test2 user=test1 and so on.

etc.

Aki


Solved!! But a bit different than the above suggestion.
There was a discrepancy between users logged in with a krb5-ticket and users without.

passdb {
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  driver = ldap
  pass = yes
}
passdb {
  driver = pam
}

The issue was in ldap_user_to_principal.conf.ext, it contained:

pass_attrs = \
    =user=%u, \
    =nopassword=Y, \
    =k5principals=%{ldap:userPrincipalName}

I changed user to %n and now it is handled the same as the handling through pam for users without a ticket.

Now the ACLs look alright:

cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/test2
1

doveadm acl get -u test2 INBOX
ID         Global Rights
user=test1        admin create delete expunge insert lookup post read write write-deleted write-seen

And even better, the 'test2' mailbox shows up in the mail-client of 'test1'.

Thanks for your help, Aki.
It did help to point me in the right direction!

- Kees
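
An added example (not part of the thread, and not Dovecot's own tooling) that turns the fix above into a check: the root cause was that identities written into the ACL store by one passdb path (%u from the LDAP/krb5 passdb) did not match the identities produced by the other (%n via pam), so the script normalizes every identity found in shared-mailboxes.db and in `doveadm acl get` output with the configured auth_username_format and flags anything that is not a known, normalized login name. Assumptions: the dict file is line pairs of key then value as the `cat` output in the thread shows, a value of "1" means shared, only the %u/%n/%d variables with the L/U modifiers are handled (a subset of Dovecot's variable syntax), and the login names are supplied by hand. The sample db and ACL text are constructed to mirror the broken and fixed states described above.

```python
"""Audit Dovecot shared-mailbox identities against auth_username_format.

Example code added to this thread, not Dovecot's own; see the lead-in for
the assumptions it makes.
"""
import re

# %u = full login, %n = local part, %d = domain; L/U modifiers change case.
# This is a deliberate subset of Dovecot's variable syntax (assumption).
_VAR = re.compile(r"%([LU]?)([und])")


def normalize(login: str, fmt: str) -> str:
    """Apply an auth_username_format-style template to a login name."""
    local, _, domain = login.partition("@")

    def sub(m: re.Match) -> str:
        mod, var = m.groups()
        val = {"u": login, "n": local, "d": domain}[var]
        if mod == "L":
            val = val.lower()
        elif mod == "U":
            val = val.upper()
        return val

    return _VAR.sub(sub, fmt)


def parse_shared_db(text: str) -> list:
    """Return (to, from) pairs for every shared/shared-boxes key whose value is 1.

    Keys look like shared/shared-boxes/user/<to>/<from> or
    shared/shared-boxes/anyone/<from>; 'to' is None for the anyone form.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    pairs = []
    for key, value in zip(lines[0::2], lines[1::2]):
        parts = key.split("/")
        if value != "1" or parts[:2] != ["shared", "shared-boxes"]:
            continue
        if parts[2] == "user" and len(parts) == 5:
            pairs.append((parts[3], parts[4]))
        elif parts[2] == "anyone" and len(parts) == 4:
            pairs.append((None, parts[3]))
    return pairs


def parse_acl_get(text: str) -> list:
    """Return the ID column of `doveadm acl get` output (e.g. 'user=test1')."""
    ids = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("ID"):
            continue
        ids.append(line.split()[0])
    return ids


def audit(db_text: str, acl_text: str, logins: list, fmt: str) -> list:
    """Return (source, identity, reason) for identities that cannot match a login."""
    canonical = {normalize(l, fmt) for l in logins}
    problems = []

    def check(source: str, ident: str) -> None:
        if normalize(ident, fmt) != ident:
            problems.append((source, ident, "not in auth_username_format form"))
        elif ident not in canonical:
            problems.append((source, ident, "no such login user"))

    for to, frm in parse_shared_db(db_text):
        if to is not None:
            check("shared-mailboxes.db to", to)
        check("shared-mailboxes.db from", frm)
    for ident in parse_acl_get(acl_text):
        if ident.startswith("user="):
            check("acl id", ident[len("user="):])
    return problems


# Constructed samples mirroring the thread's before/after states.
BROKEN_DB = "shared/shared-boxes/user/test1/test2@example.com\n1\n"
FIXED_DB = "shared/shared-boxes/user/test1/test2\n1\n"
ACL_OUTPUT = (
    "ID         Global Rights\n"
    "user=test1        admin create delete expunge insert lookup post read "
    "write write-deleted write-seen\n"
)
LOGINS = ["test1", "test2"]  # what users actually type / present via krb5

if __name__ == "__main__":
    for label, db in (("broken", BROKEN_DB), ("fixed", FIXED_DB)):
        print(label, audit(db, ACL_OUTPUT, LOGINS, "%Lu") or "ok")
```

Run it against a real deployment by pasting the contents of the dict file and the `doveadm acl get` output for each user in place of the constructed samples; any entry reported as "no such login user" is an identity written by a passdb path that does not agree with the login name the other path produces, which is exactly the krb5/pam discrepancy found above.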

