Fwd: Mailbox sharing not working
Kees van Vloten
keesvanvloten at gmail.com
Thu Feb 17 13:59:57 UTC 2022
On 17-02-2022 10:17, Aki Tuomi wrote:
>> On 17/02/2022 11:16 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>
>>
>> On 17-02-2022 10:02, Aki Tuomi wrote:
>>>> On 17/02/2022 10:39 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>
>>>>
>>>> On 17-02-2022 09:16, Aki Tuomi wrote:
>>>>>> On 17/02/2022 10:14 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>>>
>>>>>> On 17-02-2022 07:28, Aki Tuomi wrote:
>>>>>>>> On 16/02/2022 21:40 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Team,
>>>>>>>>
>>>>>>>>
>>>>>>>> I am trying to setup mailbox sharing. But although user test2 shares
>>>>>>>> INBOX with test1, it is not visible for user1.
>>>>>>>>
>>>>>>>> doveadm acl get -u test2 INBOX
>>>>>>>> ID Global Rights
>>>>>>>> user=test1 admin create delete expunge insert lookup post read
>>>>>>>> write write-deleted write-seen
>>>>>>>>
>>>>>>>> cat /srv/mail/dovecot/lib/shared-mailboxes.db
>>>>>>>> shared/shared-boxes/user/test1/test2@example.com
>>>>>>>> 1
>>>>>>>>
>>>>>>>> Log output:
>>>>>>>>
>>>>>>> <snip />
>>> I think your problem is that you are using test1 and test2 as usernames, but shared folder is for test2@example.com
>>>
>>> The sharing must happen with same user names as your users are logging in.
>>>
>>> Aki
>>
>> Users are logging in with username only (and in most situations with a
>> krb5 ticket):
>>
>> auth_username_format = %Lu
>>
>> Is there a way to prevent sharing as the %n name (test2@example.com)?
>>
>> Or is the better approach to login with %n (and would that work with
>> gssapi login)?
> Why not use auth_username_format=%Ln then?
>
> Also consistently use %n instead of %u in your configuration. Also doveadm acl set -u test2 user=test1 and so on.
>
> etc.
>
> Aki
Solved!! But a bit different than the above suggestion.
There was a discrepancy between users logged in with a krb5-ticket and
users without.
passdb {
  args = /etc/dovecot/ldap_user_to_principal.conf.ext
  driver = ldap
  pass = yes
}
passdb {
  driver = pam
}
The issue was in ldap_user_to_principal.conf.ext, it contained:
pass_attrs = \
  =user=%u, \
  =nopassword=Y, \
  =k5principals=%{ldap:userPrincipalName}
I changed user to %n and now it is handled the same as handling through
pam for users without ticket.
Now the ACLs look alright:
cat /srv/mail/dovecot/lib/shared-mailboxes.db
shared/shared-boxes/user/test1/test2
1
doveadm acl get -u test2 INBOX
ID Global Rights
user=test1 admin create delete expunge insert lookup post read
write write-deleted write-seen
And even better, the 'test2' mailbox shows up in the mail-client of 'test1'.
Thanks for your help, Aki.
It did help to point me in the right direction!
- Kees
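The mismatch in this thread can be made checkable. The Python below is an added model, not code from the thread or from Dovecot: it expands the %u / %n / %d variables (with the L lowercase modifier) the way the thread uses them, applies auth_username_format and then the LDAP passdb's user= override, and reports whether the Kerberos and PAM login paths end up with the same username, which is the name ACL entries (user=test1) and shared-mailboxes.db keys are matched against. The login names per path are assumptions modelled on the thread.

```python
import re

# Constructed sample inputs modelled on the thread, not the poster's files.
AUTH_USERNAME_FORMAT = "%Lu"
LDAP_PASS_ATTRS_BROKEN = r"""
pass_attrs = \
  =user=%u, \
  =nopassword=Y, \
  =k5principals=%{ldap:userPrincipalName}
"""
LDAP_PASS_ATTRS_FIXED = LDAP_PASS_ATTRS_BROKEN.replace("=user=%u", "=user=%n")

# Assumed login names per path: the krb5/LDAP path presents a
# principal-style name, the PAM path a bare username.
LOGIN_PATHS = {"ldap": "Test2@example.com", "pam": "test2"}


def expand(template: str, login: str) -> str:
    """Expand the Dovecot variables this thread relies on: %u (full login
    name), %n (part before '@'), %d (domain); the L modifier lowercases."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}

    def repl(m):
        value = values[m.group(2)]
        return value.lower() if "L" in m.group(1) else value

    return re.sub(r"%([LU]*)([und])", repl, template)


def user_override(pass_attrs: str):
    """The template behind 'user=' in an LDAP pass_attrs value, or None
    when the passdb does not rewrite the username (as with pam here)."""
    m = re.search(r"=user=([^,\s\\]+)", pass_attrs)
    return m.group(1) if m else None


def effective_usernames(auth_format: str, ldap_pass_attrs: str) -> dict:
    """Username each login path ends up with, after auth_username_format
    and the passdb's own user= override (applied on the ldap path only)."""
    result = {}
    for path, login in LOGIN_PATHS.items():
        name = expand(auth_format, login)
        override = user_override(ldap_pass_attrs) if path == "ldap" else None
        result[path] = expand(override, name) if override else name
    return result


def acl_names_consistent(auth_format: str, ldap_pass_attrs: str) -> bool:
    """ACL entries (user=<name>) only match when every path yields one name."""
    return len(set(effective_usernames(auth_format, ldap_pass_attrs).values())) == 1
```

With the broken pass_attrs the ldap path yields test2@example.com while pam yields test2, so user=test1 grants on test2's INBOX never line up; with user=%n both paths yield test2.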