On 17-02-2022 10:17, Aki Tuomi wrote:
On 17/02/2022 11:16 Kees van Vloten <keesvanvloten@gmail.com> wrote:
On 17-02-2022 10:02, Aki Tuomi wrote:
On 17/02/2022 10:39 Kees van Vloten <keesvanvloten@gmail.com> wrote:
On 17-02-2022 09:16, Aki Tuomi wrote:
On 17/02/2022 10:14 Kees van Vloten <keesvanvloten@gmail.com> wrote:
On 17-02-2022 07:28, Aki Tuomi wrote:
>> On 16/02/2022 21:40 Kees van Vloten <keesvanvloten@gmail.com> wrote:
>>
>> Hi Team,
>>
>> I am trying to set up mailbox sharing. But although user test2 shares
>> INBOX with test1, it is not visible for user1.
>>
>> doveadm acl get -u test2 INBOX
>> ID Global Rights
>> user=test1 admin create delete expunge insert lookup post read write write-deleted write-seen
>>
>> cat /srv/mail/dovecot/lib/shared-mailboxes.db
>> shared/shared-boxes/user/test1/test2@example.com
>> 1
>>
>> Log output:
>>
> <snip />

I think your problem is that you are using test1 and test2 as usernames, but shared folder is for test2@example.com
The sharing must happen with same user names as your users are logging in.
Aki
Users are logging in with username only (and in most situations with a krb5 ticket):
auth_username_format = %Lu
Is there a way to prevent sharing as the %n name (test2@example.com)?
Or is the better approach to log in with %n (and would that work with gssapi login)?

Why not use auth_username_format=%Ln then?
Also consistently use %n instead of %u in your configuration. Also doveadm acl set -u test2 user=test1 and so on.
etc.
Aki

It is a little more complex.
There is a single SambaDC domain: "example.com" against which users log in (often with a krb5-ticket).
passdb {
  driver = ldap
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  pass = yes
}
passdb {
  # If no Kerberos ticket was passed, use pam to verify user/password
  driver = pam
}
# /etc/dovecot/ldap_user_to_principal.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = =user=%u, =nopassword=Y, =k5principals=%{ldap:userPrincipalName}
But mail arrives for multiple DNS domains: example.com, mydomain.com, otherdomain.com
Users can receive all mails for in their example.com mailbox (must be this because krb5 will only use this domain). An LDAP query is done to change the target domain:
userdb {
  # Rewrite domain for users (but not for functional mailboxes)
  driver = ldap
  args = /etc/dovecot/ldap_user_domain.conf.ext
  result_success = continue
  result_failure = continue
}
# /etc/dovecot/ldap_user_domain.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
user_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs = =domain=example.com
Then there are functional mailboxes, like sales@mydomain.com, sales@otherdomain.com. These are not mapped to the Samba domain because sales@mydomain.com is not handled by the same user as sales@otherdomain.com. As they remain separate, ACLs can be set to share it with the desired user.
And to add to complexity, users can share their own mailbox to someone else from the mail-client (and that is always within the SambaDC domain example.com).
Is what I am doing here the right approach? Do you still recommend to switch "auth_username_format = %Lu" to %Ln?
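
Added example (not part of the thread and not Dovecot code): a small Python check for the mismatch discussed above, where an entry in shared-mailboxes.db names a user in a different form than auth_username_format produces at login. Assumptions: the dict file is plain key-line/value-line pairs as in the `cat` output, the typed login names are constructed, and only %u, %n and %d with the L/U modifiers are expanded.

```python
import re

PREFIX = "shared/shared-boxes/user/"

# Constructed sample: the dict entry quoted in the thread.
SAMPLE_DB = "shared/shared-boxes/user/test1/test2@example.com\n1\n"
# Constructed: names as users type them at login (username only).
LOGINS = ["test1", "test2"]

def expand(fmt, username):
    """Expand %u (full name), %n (user part), %d (domain); L/U change case."""
    local, _, domain = username.partition("@")
    values = {"u": username, "n": local, "d": domain}
    def repl(match):
        mod, value = match.group(1), values[match.group(2)]
        if mod == "L":
            return value.lower()
        return value.upper() if mod == "U" else value
    return re.sub(r"%([LU]?)([und])", repl, fmt)

def parse_shared_dict(text):
    """Return (to_user, from_user) pairs from key/value line pairs."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    pairs = []
    for key, _value in zip(lines[0::2], lines[1::2]):
        if key.startswith(PREFIX):
            to_user, _, from_user = key[len(PREFIX):].partition("/")
            pairs.append((to_user, from_user))
    return pairs

def mismatches(dict_text, logins, fmt):
    """List (role, name) for dict names that no login maps to under fmt."""
    known = {expand(fmt, login) for login in logins}
    problems = []
    for to_user, from_user in parse_shared_dict(dict_text):
        for role, name in (("to", to_user), ("from", from_user)):
            if name not in known:
                problems.append((role, name))
    return problems

if __name__ == "__main__":
    for role, name in mismatches(SAMPLE_DB, LOGINS, "%Lu"):
        print(f"{role}-user {name!r} does not match any login name")
```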