On Thu, 2022-07-07 at 01:43 +0200, Ángel wrote:
> On 2022-07-06 at 22:44 +0000, Jon Gerdes wrote:
> > Dear all
> >
> > I'm not sure where to go to make interface suggestions so I'll start
> > here.
>

8< *snip*

> Of course, you could still have issues derived from evolution not being
> able to connect to the server.
>
> I'm a bit suspicious that the evolution error is actually derived from
> the winbind one. I suspect it may be that your system ends up confused
> with the proper route to your internal servers, which then causes
> errors both to winbind and evolution.
>
> Regarding kerberos ticket refreshes, I had issues as well in that the
> machine didn't renew them automatically. I managed to 'solve' it by
> running kinit -R with cron at a suitable interval. YMMV.
>

Turns out it was DNS! It's always DNS, especially when Kerberos is involved.

I have a site to site VPN to work from home with IPv4 and 6 involved (IPSEC routed, with FRR - BGP at both ends) and I have a "dial up" VPN (OpenVPN) again with IPv4 and 6 on my laptop. I also front our on prem. Exchange with HA Proxy - handy for PCI DSS compliance and generally securing the bloody thing.

Anyone who has to endure Exchange knows that it can have rather a lot of names but Kerberos is merciless about names (DNS) and that's probably one of the reasons why MS seem to be deprecating it and whipping themselves into a frenzy over "Modern authentication" - it also fits getting you into their cloud and a subscription. Don't forget that IPv4 also has the wonky internal and external thing so split DNS is indicated (lol!)

Anyway, I have an internal DNS CNAME for my Exchange server pointing at the HA Proxy's A record which then resolves to an IP. That meant that Kerberos would grab a ticket for the HA Proxy's name and try to muddle on through. It sort of worked with enough kinits and restarting winbind.

I created a DNS override on my home pfSense that causes the Exchange server's name to resolve to HA's IP directly, without the CNAME. Now I get a ticket for the correct name (principal) and go via HA Proxy still. Lovely!

I don't know why it took me so long to resolve this given that I do this lark for a living. To be fair to me - it is quite involved!

Cheers
Jon
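
Added example, not part of the original message: a small Python model of why the CNAME changed the Kerberos service name that was requested, and why the host override fixed it. The hostnames, addresses, zone contents and the `HTTP` service class are constructed assumptions, and `dns_canonicalize` is a hypothetical switch modelling a client that follows CNAMEs before building the principal.

```python
# Constructed DNS views (name -> (record type, value)); not taken from the post.
ZONE_WITH_CNAME = {
    "mail.example.internal": ("CNAME", "haproxy.example.internal"),
    "haproxy.example.internal": ("A", "192.0.2.10"),
}
# Same names after a host override: the mail name answers with the proxy's
# address directly, so there is no CNAME to follow.
ZONE_WITH_OVERRIDE = {
    "mail.example.internal": ("A", "192.0.2.10"),
    "haproxy.example.internal": ("A", "192.0.2.10"),
}


def canonicalize(name, zone, max_hops=8):
    """Follow CNAMEs the way a resolver does; return (canonical_name, address)."""
    seen = []
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        if current in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        if current not in zone:
            raise LookupError("no record for " + current)
        rtype, value = zone[current]
        if rtype == "A":
            return current, value
        current = value.lower().rstrip(".")
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def requested_principal(service, name, zone, dns_canonicalize=True):
    """Service principal a client would ask the KDC for when connecting to name."""
    host = name.lower().rstrip(".")
    if dns_canonicalize:
        host = canonicalize(name, zone)[0]
    return service + "/" + host


def check(service, name, zone):
    """Compare the principal the admin expects with the one DNS leads to."""
    expected = service + "/" + name.lower().rstrip(".")
    requested = requested_principal(service, name, zone)
    return {
        "expected": expected,
        "requested": requested,
        "address": canonicalize(name, zone)[1],
        "mismatch": expected != requested,
    }


if __name__ == "__main__":
    for label, zone in (("CNAME", ZONE_WITH_CNAME), ("override", ZONE_WITH_OVERRIDE)):
        print(label, check("HTTP", "mail.example.internal", zone))
```

In both views the connection still lands on the proxy's address; only the name used to build the ticket request differs.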
