Re: [Evolution] Connectivity warning



On Thu, 2022-07-07 at 01:43 +0200, Ángel wrote:
On 2022-07-06 at 22:44 +0000, Jon Gerdes wrote:
Dear all

I'm not sure where to go to make interface suggestions so I'll start
here.


8< *snip*

Of course, you could still have issues derived from evolution not being
able to connect to the server.

I'm a bit suspicious that the evolution error is actually derived from
the winbind one. I suspect it may be that your system ends up confused
about the proper route to your internal servers, which then causes
errors for both winbind and evolution.

Regarding Kerberos ticket refreshes, I had issues as well in that the
machine didn't renew them automatically. I managed to 'solve' it by
running kinit -R from cron at a suitable interval. YMMV.


Turns out it was DNS!  It's always DNS, especially when Kerberos is involved.

I have a site to site VPN to work from home with IPv4 and 6 involved (IPSEC routed, with FRR - BGP at both ends) and I have a "dial up" VPN (OpenVPN), again with IPv4 and 6, on my laptop.

I also front our on-prem. Exchange with HA Proxy - handy for PCI DSS compliance and generally securing the bloody thing. Anyone who has to endure Exchange knows that it can have rather a lot of names, but Kerberos is merciless about names (DNS), and that's probably one of the reasons why MS seem to be deprecating it and whipping themselves into a frenzy over "Modern authentication" - it also fits getting you into their cloud and a subscription.

Don't forget that IPv4 also has the wonky internal and external thing, so split DNS is indicated (lol!).

Anyway, I have an internal DNS CNAME for my Exchange server pointing at the HA Proxy's A record, which then resolves to an IP.  That meant that Kerberos would grab a ticket for the HA Proxy's name and try to muddle on through.  It sort of worked with enough kinits and restarting winbind.

I created a DNS override on my home pfSense that causes the Exchange server's name to resolve to HA Proxy's IP directly, without the CNAME.  Now I get a ticket for the correct name (principal) and still go via HA Proxy.

Lovely!

I don't know why it took me so long to resolve this given that I do this lark for a living.  To be fair to me - it is quite involved!

Cheers
Jon
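The CNAME problem Jon describes above, as an added illustration that is not part of the thread: a small simulation of how a Kerberos client that canonicalises hostnames through DNS ends up asking for a ticket for the CNAME target (the proxy's name) instead of the service name the user typed, and how a direct A record fixes it. The zone data, hostnames, IP and SPN list are all constructed for the example; the dns_canonicalize_hostname setting referred to in the comments is the MIT krb5 libdefaults option.

```python
"""Simulate Kerberos SPN selection when the service hostname is a CNAME.
All zone data below is constructed for illustration, not real DNS."""

# Constructed internal zone matching the thread: the Exchange name is a
# CNAME to the HAProxy host, which owns the A record.
ZONE_WITH_CNAME = {
    "exchange.corp.example": ("CNAME", "haproxy.corp.example"),
    "haproxy.corp.example": ("A", "10.0.0.10"),
}

# Same zone after a host override (as done on pfSense in the thread): the
# Exchange name now resolves straight to HAProxy's IP, no CNAME involved.
ZONE_WITH_OVERRIDE = {
    "exchange.corp.example": ("A", "10.0.0.10"),
    "haproxy.corp.example": ("A", "10.0.0.10"),
}


def canonical_name(zone, name, max_hops=8):
    """Follow CNAMEs to the name that owns an A record; refuse loops."""
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rtype, target = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = target
        elif rtype == "A":
            return name, target
        else:
            raise LookupError(f"no A/CNAME record for {name}")


def requested_spn(zone, service, hostname, canonicalize=True):
    """SPN the client asks the KDC for. With DNS canonicalisation on
    (MIT krb5 dns_canonicalize_hostname = true) the CNAME target's name
    is used; with it off, the name the user configured is used as-is."""
    if canonicalize:
        hostname, _ = canonical_name(zone, hostname)
    return f"{service}/{hostname.lower()}"


def check_spn(zone, service, hostname, registered_spns, canonicalize=True):
    """Return (spn, ok); ok is False when the KDC has no key for that SPN,
    which is what shows up as the 'cannot connect' failures in practice."""
    spn = requested_spn(zone, service, hostname, canonicalize)
    return spn, spn in registered_spns
```

Running check_spn against both zones shows the CNAME zone yielding HTTP/haproxy.corp.example (unregistered, so the ticket request fails) and the override zone yielding HTTP/exchange.corp.example, the principal Exchange actually holds a key for.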


