Fwd: Mailbox sharing not working
Kees van Vloten
keesvanvloten at gmail.com
Thu Feb 17 10:01:28 UTC 2022
On 17-02-2022 10:17, Aki Tuomi wrote:
>> On 17/02/2022 11:16 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>
>>
>> On 17-02-2022 10:02, Aki Tuomi wrote:
>>>> On 17/02/2022 10:39 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>
>>>>
>>>> On 17-02-2022 09:16, Aki Tuomi wrote:
>>>>>> On 17/02/2022 10:14 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>>>
>>>>>> On 17-02-2022 07:28, Aki Tuomi wrote:
>>>>>>>> On 16/02/2022 21:40 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Team,
>>>>>>>>
>>>>>>>>
>>>>>>>> I am trying to set up mailbox sharing. But although user test2 shares
>>>>>>>> INBOX with test1, it is not visible for user1.
>>>>>>>>
>>>>>>>> doveadm acl get -u test2 INBOX
>>>>>>>> ID Global Rights
>>>>>>>> user=test1 admin create delete expunge insert lookup post read
>>>>>>>> write write-deleted write-seen
>>>>>>>>
>>>>>>>> cat /srv/mail/dovecot/lib/shared-mailboxes.db
>>>>>>>> shared/shared-boxes/user/test1/test2@example.com
>>>>>>>> 1
>>>>>>>>
>>>>>>>> Log output:
>>>>>>>>
>>>>>>> <snip />
>>> I think your problem is that you are using test1 and test2 as usernames, but shared folder is for test2@example.com
>>>
>>> The sharing must happen with same user names as your users are logging in.
>>>
>>> Aki
>>
>> Users are logging in with username only (and in most situations with a
>> krb5 ticket):
>>
>> auth_username_format = %Lu
>>
>> Is there a way to prevent sharing as the %n name (test2@example.com)?
>>
>> Or is the better approach to login with %n (and would that work with
>> gssapi login)?
> Why not use auth_username_format=%Ln then?
>
> Also consistently use %n instead of %u in your configuration. Also doveadm acl set -u test2 user=test1 and so on.
>
> etc.
>
> Aki
It is a little more complex.
There is a single SambaDC domain, "example.com", against which users
log in (often with a krb5 ticket).
passdb {
  # Map the login name to its Kerberos principal (for GSSAPI logins)
  driver = ldap
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  pass = yes
}
passdb {
  # If no Kerberos ticket was passed, use pam to verify user/password
  driver = pam
}
# /etc/dovecot/ldap_user_to_principal.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
# Enabled user accounts that are (transitively) members of the mail_user-<domain> group
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = \
  =user=%u, \
  =nopassword=Y, \
  =k5principals=%{ldap:userPrincipalName}
But mail arrives for multiple DNS domains: example.com, mydomain.com,
otherdomain.com
Users receive all mail in their example.com mailbox (it must be this one
because krb5 will only use this domain). An LDAP query is done to
change the target domain:
userdb {
  # Rewrite domain for users (but not for functional mailboxes)
  driver = ldap
  args = /etc/dovecot/ldap_user_domain.conf.ext
  result_success = continue
  result_failure = continue
}
# /etc/dovecot/ldap_user_domain.conf.ext
base = OU=User Accounts,OU=Interactive Users,OU=Groupware,DC=example,DC=com
scope = subtree
# Same membership filter as the passdb; matching users get their domain rewritten
user_filter = (&(objectClass=user)(sAMAccountName=%n)(memberOf:1.2.840.113556.1.4.1941:=CN=mail_user-%d,OU=Mail Domains,OU=Groups,DC=example,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs = \
  =domain=example.com
Then there are functional mailboxes, like sales@mydomain.com and
sales@otherdomain.com. These are not mapped to the Samba domain because
sales@mydomain.com is not handled by the same user as
sales@otherdomain.com. As they remain separate, ACLs can be set to share
them with the desired user.
And to add to the complexity, users can share their own mailbox with someone
else from the mail client (and that is always within the SambaDC domain
example.com).
Is what I am doing here the right approach?
Do you still recommend to switch "auth_username_format = %Lu" to %Ln?
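The mismatch Aki points at (users log in as "test2" under auth_username_format = %Lu, while the share is recorded for "test2@example.com") can be checked mechanically before anyone opens a mail client. The script below is an added example, not code from the thread or from the Dovecot project: it models only the %u, %n and %d username variables (with the optional L lowercase modifier) and the key/value line layout of the acl_shared_dict file shown above (shared/shared-boxes/user/<to>/<from> followed by 1). The sample dict contents and login names are constructed here; group and anyone shares are not modelled.

```python
"""Added example (not from the thread or the Dovecot project).

Models two things shown in the thread: Dovecot's %u / %n / %d username
variables (with the optional L lowercase modifier) as used by
auth_username_format, and the key/value layout of the file dict that
acl_shared_dict writes (shared/shared-boxes/user/<to>/<from> followed by 1).
Everything else (sample logins, dict contents) is constructed here.
"""
import re
from typing import Dict, List

_VAR_RE = re.compile(r"%(L?)([und])")
_SHARE_KEY_RE = re.compile(r"^shared/shared-boxes/user/([^/]+)/([^/]+)$")


def apply_username_format(raw_login: str, fmt: str) -> str:
    """Expand a Dovecot-style username format (e.g. %Lu, %Ln) for one login.

    %u is the whole login, %n the part before '@', %d the part after it;
    a leading L lowercases the value. Other variables are not modelled.
    """
    user, _, domain = raw_login.partition("@")

    def expand(match):
        lower, var = match.group(1) == "L", match.group(2)
        value = {"u": raw_login, "n": user, "d": domain}[var]
        return value.lower() if lower else value

    return _VAR_RE.sub(expand, fmt)


def parse_shared_dict(text: str) -> Dict[str, str]:
    """Parse the file dict: each key line is followed by its value line."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("shared dict must consist of key/value line pairs")
    return dict(zip(lines[0::2], lines[1::2]))


def check_shares(dict_text: str, login_format: str, raw_logins: List[str]) -> List[str]:
    """Report share entries whose recipient or owner is not a login identity.

    A share only lines up when both names in the dict key equal the name the
    corresponding user ends up with after auth_username_format; this is the
    mismatch in the thread (login 'test2' vs owner 'test2@example.com').
    """
    known = {apply_username_format(login, login_format) for login in raw_logins}
    problems: List[str] = []
    for key, value in parse_shared_dict(dict_text).items():
        match = _SHARE_KEY_RE.match(key)
        if match is None or value != "1":
            continue  # not an active per-user share; group/anyone keys are skipped
        to_user, from_user = match.groups()
        for role, name in (("recipient", to_user), ("owner", from_user)):
            if name not in known:
                problems.append(
                    f"{key}: {role} {name!r} is not a login identity under {login_format}"
                )
    return problems


# Constructed sample: the dict line from the thread, with the '@' restored.
SAMPLE_DICT = "shared/shared-boxes/user/test1/test2@example.com\n1\n"

if __name__ == "__main__":
    for fmt in ("%Lu", "%Ln"):
        print(fmt, check_shares(SAMPLE_DICT, fmt, ["test1", "test2"]) or "consistent")
    # With the owner recorded as the login name, the share lines up:
    print("%Lu", check_shares("shared/shared-boxes/user/test1/test2\n1\n", "%Lu",
                              ["test1", "test2"]) or "consistent")
```

Run against the dict from the thread with logins "test1" and "test2", the owner "test2@example.com" is flagged under both %Lu and %Ln; it stops being flagged either when the share is written with the owner's login name ("test2") or when users actually log in as "test2@example.com", which is the consistency Aki asks for.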