OSX Open Directory Kerberos Authentication Problems
mwesten

Messages: 5
Karma: 0
I can't authenticate to my Open Directory Master with Kerberos Authentication...

Running Kerio 6.3.1 on OSX Server 10.4.8 (intel)
Changed the port of the Kerio LDAP service to 390 and started OSX Open Directory as a Master on the same system.

Importing the users is working OK, but authenticating with Kerberos is another thing.
The debug log gives me the following result:

[02/Feb/2007 11:02:35][42669568] {auth} Krb5: entering auth (user: pietje.puk@MAIL.INTERN.***.NL)
[02/Feb/2007 11:02:35][42669568] {auth} Krb5: get_init_creds_password(krbtgt/MAIL.INTERN.***.NL@MAIL.INTERN.***.NL, pietje.puk@MAIL.INTERN.***.NL): Client not found in Kerberos database, error code 0x96c73a06 (-1765328378)


Because we (now) only need a central userdatabase with 1 central password, I tried to use 'normal' Open Directory PasswordServer auth, but this crashed the server and even disabled the local user accounts from Kerio....

I'm lost as to what to do next to let kerio authenticate the users to OD.

Anyone an idea to what to try next ?

Thanx,

Max

[Updated on: Fri, 02 February 2007 13:06]

netcaffeinated

Messages: 4
Karma: 0
It sounds like perhaps Kerberos isn't working correctly on your OS X Server. What does your KDC log say? A problem like this usually means that DNS and/or the server's hostname was not synchronized when you first enabled Open Directory. Look in your /var/log/system.log to see if the server's hostname is synchronized. Verify that you can look up your IP address, hostname and FQDN. If you changed the hostname, IP address, or DNS records relating to the OD Server without running the changeip command, it will cause Kerberos and/or OD to not run, or at least not run properly.

One note about security. I would recommend running Kerio on a server that is not an OD Master or Replica.

Hope that points you in the right direction.

Ken Holden
Netcaffeinated, Inc.
mwesten

Messages: 5
Karma: 0
netcaffeinated wrote on Fri, 02 February 2007 14:47

It sounds like perhaps Kerberos isn't working correctly on your OS X Server. What does your KDC log say? A problem like this usually means that DNS and/or the server's hostname was not synchronized when you first enabled Open Directory. Look in your /var/log/system.log to see if the server's hostname is synchronized. Verify that you can look up your IP address, hostname and FQDN. If you changed the hostname, IP address, or DNS records relating to the OD Server without running the changeip command, it will cause Kerberos and/or OD to not run, or at least not run properly.


The IP and FQDN are in order according to changeip -checkhostname.

Hmmm. The weird thing is that I can authenticate with the Kerberos client (/System/Library/Kerberos) as diradmin@MAIL.INTERN.***.NL using the service krbtgt/MAIL.INTERN.***.NL@MAIL.INTERN.***.NL; I normally get a ticket assigned without problems.
It surely seems to narrow down to not being able to auth to OD in the first place......
The KDC log gives me the good login of diradmin and the error login of the user pietje.puk:

KDC Log:


Feb 02 15:59:30 mail.intern.***.nl krb5kdc[227](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.100.1: CLIENT_NOT_FOUND: pietje.puk@MAIL.INTERN.***.NL for krbtgt/MAIL.INTERN.***.NL@MAIL.INTERN.***.NL, Client not found in Kerberos database
Feb 02 16:03:49 mail.intern.***.nl krb5kdc[227](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.100.1: ISSUE: authtime 1170427145, etypes {rep=16 tkt=16 ses=16}, diradmin@MAIL.INTERN.***.NL for host/mail.intern.***.nl@MAIL.INTERN.***.NL



Setting a new password (changing it first to crypt and after that to OD) doesn't seem to change a thing.
The user is normally added using Workgroup Manager, so what the problem is, is still a mystery to me....

netcaffeinated wrote on Fri, 02 February 2007 14:47

One note about security. I would recommend running Kerio on a server that is not an OD Master or Replica.


That's something I'm aware of, but we are in a transition state of implementing Open Directory on our network. The actual will start later this year, so instead of creating the accounts now as local users and migrating them later to directory users, we decided to implement the directory immediately (although not in its final state).
In a later stage the new directoryserver could be set up as a slave; then the slave could be made master and the kerio system could become just a kerberos authenticated system.
But that's something we would like to do at a later point in time.

Thanks in advance,

Max

[Updated on: Fri, 02 February 2007 16:23]

netcaffeinated

Messages: 4
Karma: 0
Quote:
"I tried to use 'normal' Open Directory PasswordServer auth, but this crashed the server and even disabled the local user accounts from Kerio"

* What did the logs say when the server crashed?

* Have you changed the LDAP schema within Open Directory prior to installing / configuring the Kerio Open Directory Plugin?

* What happens when you do the following from the terminal as an OD user

computer_name:~OD_User$ klist

computer_name:~OD_User$ kinit


* Have you tried disabling the Kerio LDAP service, un-checking "use Open Directory for Authentication", rebooting the server and then trying to enable Open Directory Authentication from within Kerio Admin Console? Perhaps there is a port or socket conflict.

Ken
mwesten

Messages: 5
Karma: 0
Hmmm.... After messing around a lot with the server today I came to the conclusion that there was a problem with the dot in our names.
With email addresses and user accounts we have a naming convention of firstname.lastname.

Open Directory needs the first short name (uid) without dots, so we add a second one with a dot. If we import users from LDAP to Kerio, it uses the uid by default, so the entry without the dot, and uses that as username and email address. We hacked up the apple-krb.map file and used a custom field, so we could use dots in our names... This however had an effect on the Kerberos authentication.... Kerberos expects the first uid and not one of the other uids that are added. OSX 'knows' this and uses the primary uid for authenticating against the Kerberos service.
Kerio however uses just the given username to directly authenticate against Kerberos. This of course fails.
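The thread ends on the diagnosis that the KDC's CLIENT_NOT_FOUND comes from authenticating with a secondary short name (the dotted alias) instead of the directory record's primary uid. The script below is an added example, not Kerio or Apple code: it parses krb5kdc log lines in the format quoted above, separates ISSUE entries from failures, and for each CLIENT_NOT_FOUND explains whether the rejected login is unknown, a secondary short name, or a primary name that simply has no principal. The log lines, the realm MAIL.EXAMPLE.TEST and the DIRECTORY_SHORTNAMES table are constructed stand-ins for the poster's masked values and for the short-name list an Open Directory record carries.

```python
"""Triage krb5kdc log lines for the CLIENT_NOT_FOUND failure discussed above.

Added example, not Kerio or Apple code. The log format follows the krb5kdc lines
quoted in the thread; realm, hosts and the alias table are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the two krb5kdc lines quoted in the thread.
SAMPLE_KDC_LOG = """\
Feb 02 15:59:30 mail.example.test krb5kdc[227](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.100.1: CLIENT_NOT_FOUND: pietje.puk@MAIL.EXAMPLE.TEST for krbtgt/MAIL.EXAMPLE.TEST@MAIL.EXAMPLE.TEST, Client not found in Kerberos database
Feb 02 16:03:49 mail.example.test krb5kdc[227](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.100.1: ISSUE: authtime 1170427145, etypes {rep=16 tkt=16 ses=16}, diradmin@MAIL.EXAMPLE.TEST for host/mail.example.test@MAIL.EXAMPLE.TEST
"""

# Constructed stand-in for the directory records: every short name (uid) a record
# carries; the first one is the primary name the KDC principal is built from.
DIRECTORY_SHORTNAMES: Dict[str, List[str]] = {
    "pietjepuk": ["pietjepuk", "pietje.puk"],
    "diradmin": ["diradmin"],
}

# One krb5kdc line: timestamp, KDC host, request type, client address, status, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the rest of the line.
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")


@dataclass
class KdcEvent:
    timestamp: str
    request: str
    client_ip: str
    status: str
    client: str
    service: str
    note: Optional[str] = None


def primary_shortname(login: str) -> Optional[str]:
    """Map any short name the directory knows to that record's primary short name."""
    for primary, names in DIRECTORY_SHORTNAMES.items():
        if login in names:
            return primary
    return None


def explain_client_not_found(client_principal: str) -> str:
    """Say why the KDC rejected this client principal, in the thread's terms."""
    login, _, realm = client_principal.partition("@")
    primary = primary_shortname(login)
    if primary is None:
        return f"{login!r} is not a short name of any directory record"
    if primary != login:
        return (f"{login!r} is a secondary short name; the KDC principal is "
                f"{primary}@{realm}, so the login name must be mapped to it first")
    return f"{login!r} is a primary short name with no KDC principal: check Kerberos provisioning"


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse every recognised krb5kdc line; unknown lines are skipped."""
    events: List[KdcEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINCIPALS_RE.search(m["rest"])
        if not p:
            continue
        ev = KdcEvent(m["ts"], m["req"], m["client_ip"], m["status"], p["client"], p["service"])
        if ev.status == "CLIENT_NOT_FOUND":
            ev.note = explain_client_not_found(ev.client)
        events.append(ev)
    return events


def failures(text: str) -> List[KdcEvent]:
    """Everything the KDC did not answer with ISSUE."""
    return [e for e in parse_kdc_log(text) if e.status != "ISSUE"]


if __name__ == "__main__":
    for ev in parse_kdc_log(SAMPLE_KDC_LOG):
        print(f"{ev.timestamp} {ev.request:<7} {ev.status:<16} {ev.client} -> {ev.service}")
        if ev.note:
            print("    ", ev.note)
```

Run against a real /var/log/krb5kdc/kdc.log the same way; the only site-specific part is DIRECTORY_SHORTNAMES, which in practice would be filled from the directory's record short names rather than a literal table.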
