Kerio+Ubuntu+Active Directory (Kerio User Forums, Kerio Connect)

siigna
Hi all,

Testing out this Mail Server on Linux and ran into a snag...

Looking through these forums and other sites I saw information regarding the configuration of kerberos in order to be able to authenticate the Kerio MailServer under linux against an Active Directory.

Only problem is nothing seems to fit my network configuration.

We have a SonicWall. The way our network is set up, all LAN traffic is NAT'd out onto the public internet via one IP, and our Active Directory server is behind this LAN with a host of hc.local


The Linux server is on the DMZ with public IPs and public hostnames.

I forwarded the correct port for LDAP from the DMZ to the AD box on the LAN, so connecting to the Active Directory is fine (I pulled all the accounts from the AD to the Linux Mail Server just fine).

However what I've read about kerberos configuration says I need to set the DNS servers of the Linux box to the DNS server on the Active Directory... I could forward the ports, yes, but I would think this wouldn't work as the DNS on the Active Directory is completely private IP addresses and this Linux box is in the public space.

Basically I need to figure out how to do the kerberos configuration if the linux server is on the public internet and the Active Directory is behind a firewall.

Anyway, this probably didn't make any sense, although it does in my head. Ask me whatever you please.
jshaw541

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
siigna
I've been through this guide a few times, but it doesn't quite show how the config file (krb5.conf) should look for an instance like mine. Here's an example of my config file, the Active Directory does not have a valid internet hostname as it's strictly for the internal network so I'm using the IP address of the firewall (which has port 88 forwarded from the DMZ'd linux box to the Active Directory and vice-versa):

[libdefaults]
                ticket_lifetime = 600
                default_realm = HC.LOCAL
                default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
                default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
                HC.LOCAL = {
                        kdc = xxx.xxx.xx.xx:88
                        default_domain = HC.LOCAL
                }
[domain_realm]
                .hc.local  = HC.LOCAL
                hc.local   = HC.LOCAL


Also here is the error I get when doing kinit administrator@hc.local:
root@kearny:~# kinit administrator@hc.local
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Petr Dobry (Kerio)
Kerberos is extremely sensitive to correct DNS settings (and reverse DNS). Try to add
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false

Petr Dobry
Product Development Manager | Kerio
siigna
Added these settings to my config file and restarted all the kerberos daemons under /etc/init.d and still getting the same error from kinit.

I also have this line in my /etc/hosts file thinking that it would help things, but it hasn't.

xxx.xxx.xx.xxx mentry hc.local mentry.hc.local
Petr Dobry (Kerio)
Also make sure you're trying to get a ticket for the proper principal name. Principal names are case-sensitive, so administrator@hc.local is not the same as administrator@HC.LOCAL

Petr Dobry
Product Development Manager | Kerio
siigna
Alright, still doesn't work but kinit is giving me different errors for each.

root@kearny:/etc/init.d# kinit administrator@hc.local
kinit(v5): Cannot find KDC for requested realm while getting initial credentials


and

root@kearny:/etc/init.d# kinit administrator@HC.LOCAL
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
siigna
Just realized I goofed on the config file, while copying it over to the forums I replaced the IP address with X's... Ooops

Anyway, now running kinit gives me this... I think we're making progress...

root@kearny:~# kinit administrator@HC.LOCAL
kinit(v5): KDC has no support for encryption type while getting initial credentials
siigna
Finally got it working. Checked kinit with a regular user account and it worked, so I did some research and found out the administrator account needed its password reset.

While processing an AS request for target service krbtgt, the account Administrator did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1).  The requested etypes were 16  1.  The accounts available etypes were 23  -133  -128.   Changing or resetting the password of Administrator will generate a proper key.


After resetting the password everything works.

Thanks for the help!
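The two failure modes in this thread (a krb5.conf whose kdc entry is not a real address, and a client enctype list that shares nothing with the key types the KDC has for the account) can both be read off the posted config and the Windows event text. The script below is an added example, not code from this thread, from Kerio or from MIT krb5: it parses a krb5.conf in the layout posted above, pulls the two etype lists out of the KDC's "did not have a suitable key" event, and reports why the AS request failed. The etype numbers are from the RFC 3961/4120 registry; the aliases are MIT's alternative spellings; the negative etypes AD reports are Microsoft-private RC4 variants and are deliberately left unmapped; the "placeholder" check is a heuristic for the x'ed-out address posted above. The sample config and event text are constructed from what the thread quotes.

```python
"""Added example (not from this thread, Kerio or MIT krb5): parse a krb5.conf
and a KDC 'no suitable key' event and explain why the AS request failed."""
import re

# Etype numbers from the RFC 3961/4120 registry; AD also reports negative,
# Microsoft-private RC4 variants, which are left unmapped (assumption).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# MIT krb5.conf spellings that name the same etype as the registry names above.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}
NAME_TO_ETYPE = {v: k for k, v in ETYPE_NAMES.items()}
WEAK = {1, 2, 3, 23}                             # single DES and RC4 are deprecated

def etype_name(e):
    return ETYPE_NAMES.get(e, "etype %d (non-standard)" % e)

def parse_krb5_conf(text):
    """Minimal parser: [section], key = value, and REALM = { ... } blocks."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            conf.setdefault(section, {})
        elif line.endswith("{"):                 # e.g.  HC.LOCAL = {
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target[key.strip()] = value.strip()
    return conf

def client_etypes(conf, key="default_tkt_enctypes"):
    """Etype numbers the client would offer, in krb5.conf order."""
    names = conf.get("libdefaults", {}).get(key, "").split()
    return [NAME_TO_ETYPE[ALIASES.get(n, n)] for n in names if ALIASES.get(n, n) in NAME_TO_ETYPE]

EVENT_RE = re.compile(r"requested etypes were\s+([-\d\s]+?)\.\s+"
                      r"The accounts available etypes were\s+([-\d\s]+?)\.")

def parse_event(text):
    """Return (requested, available) etype lists from the KDC event text."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a 'no suitable key' KDC event")
    return [int(x) for x in m.group(1).split()], [int(x) for x in m.group(2).split()]

def check_config(conf):
    """Config checks for the mistakes made in this thread."""
    findings, lib = [], conf.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if realm != realm.upper():
        findings.append("default_realm %r is not upper-case (realm names are case-sensitive)" % realm)
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "").lower()
    if lib.get("dns_lookup_kdc", "true").lower() != "true" and not kdc:
        findings.append("dns_lookup_kdc is off but [realms] %s has no kdc = entry" % realm)
    if kdc and "x" in kdc and re.fullmatch(r"[x.:0-9]+", kdc):   # heuristic for x'ed-out addresses
        findings.append("kdc = %s looks like a placeholder, not a resolvable address" % kdc)
    return findings

def diagnose(conf, event_text):
    """Combine the config checks with the etype overlap the KDC reported."""
    requested, available = parse_event(event_text)
    report = {"requested": requested, "available": available,
              "common": [e for e in requested if e in available],
              "config_common": [e for e in client_etypes(conf) if e in available],
              "findings": check_config(conf)}
    if not report["common"]:
        report["findings"].append(
            "no common etype: client offered %s, account keys are %s; add an etype the account "
            "has to the client enctype lists, or reset the password so the KDC derives keys for "
            "the requested types" % ([etype_name(e) for e in requested], [etype_name(e) for e in available]))
    weak = sorted(set(requested) & WEAK)
    if weak:
        report["findings"].append("weak enctypes offered: %s" % [etype_name(e) for e in weak])
    return report

# Constructed from the krb5.conf and KDC event text quoted in this thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HC.LOCAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_kdc = false
[realms]
    HC.LOCAL = {
        kdc = xxx.xxx.xx.xx:88
    }
"""
SAMPLE_EVENT = ("The requested etypes were 16  1.  The accounts available etypes were "
                "23  -133  -128.   Changing or resetting the password of Administrator "
                "will generate a proper key.")
```

Running `diagnose(parse_krb5_conf(SAMPLE_KRB5_CONF), SAMPLE_EVENT)` on the thread's inputs gives an empty `common` list (the client offered des3-cbc-sha1 and des-cbc-crc, the account only had RC4 keys), flags the x'ed-out kdc address, and flags des-cbc-crc as weak. Adding rc4-hmac to the client enctype lists makes `config_common` non-empty, which is the alternative to the password reset the thread used; on a current KDC the same check would point at the AES etypes instead.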
siigna
Scratch that...

Alright, it seems that kerberos is set up on the linux server fine, and kinit for AD user accounts works.

However when I went in and added a new test domain and set it to pull users from the Active Directory (which works) I get the following errors in the Kerio debug log whenever somebody tries to log in.

[17/Jul/2007 16:23:55][11142] {auth} Krb5: entering auth (user: Administrator@HC.LOCAL)
[17/Jul/2007 16:24:04][11142] {auth} Krb5: get_init_creds_password(krbtgt/HC.LOCAL@HC.LOCAL, Administrator@HC.LOCAL): Cannot contact any KDC for requested realm, error code 0x96c73a9c (-1765328228
siigna
I got to thinking, does Kerio require you to install a separate kerberos client or does Kerio come with one built in? The knowledgebase and manual aren't too clear on this issue.

I assumed that it didn't come with kerberos so I installed the MIT kerberos package.

Just wondering if this could be my issue, or if it's something more.
jshaw541
siigna wrote on Thu, 19 July 2007 08:52

I got to thinking, does Kerio require you to install a separate kerberos client or does Kerio come with one built in? The knowledgebase and manual aren't too clear on this issue.

I assumed that it didn't come with kerberos so I installed the MIT kerberos package.

Just wondering if this could be my issue, or if it's something more.


It requires a separate Kerberos client. It seems pretty clear to me from the KB article at:

http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=382&nav=0,1,8

But then, I'm one of those losers who has wasted countless hours learning Kerberos implementations and associated ickiness.

I think that KB article goes under two assumptions:

1. The administrator is very knowledgeable in Linux and Kerberos.
2. That you're using a Kerio-supported Linux distribution. All of which include Kerberos by default, iirc.

siigna
Okay cool, so that rules out that scenario. Just have to figure out why Kerio isn't picking up on it.

I know my kerberos installation is working because kinit gives me a password prompt, and using klist displays the active kerberos ticket; the question is just why Kerio can't find the KDC when kerberos has no problem with it.
siigna
Alright, still can't find out why Kerio isn't picking up on the kerberos client configuration. I've posted some screenshots of what's in my domain config and the debug log, hopefully somebody has an idea about this.

siigna
Also here's a screenshot of me doing kinit/klist, kerberos seems to be working.
