Distributed Domains and Apple Open Directory problems

p0ddie

Hi,

I have the following setup:

Location 1: Xserve, 10.6.3 Server (OD Master) , Kerio Connect 7.0.0.p2 as a distributed domain master, OD-Extensions
Location 2: Mac Pro, 10.6.3 Server (OD Replica), Kerio Connect 7.0.0.p2 as a distributed domain slave, OD-Extensions

The replication takes place via a VPN.

LDAP protocol of the OD replica gives me:


server slapd[19564]: <= bdb_equality_candidates: (kerio-Mail-Address) not indexed

LDAP protocol of the OD master gives me (a lot less often):

xserve slapd[65147]: <= bdb_equality_candidates: (kerio-Mail-HomeServer) not indexed

Kerio-wise, the Mac Pro (Kerio slave server) is set up to authenticate against the OD/Kerio master (Xserve) via Kerberos 5, and has a backup record of itself in the backup field.

Actual problem: I set up a new user in the OD. I then activate that user on the replica/slave server and try to log on. Kerio log keeps telling me the authentication has failed.

I tried changing the password, starting an OD sync manually (just in case), nothing works.

What is going on here?

Pavel Dobry (Kerio)

What does the debug log say? (Directory Service lookup and Authentication module)

p0ddie

Hi,

Thanks for taking care of my problem.

Checking both Directory Service lookup and Authentication module debug logs gives (I replaced the username and domain stuff with mock data):

[06/Apr/2010 21:21:09][2988224512] {ldapdb} user<_at_>domain.com: Looking up in cache...
[06/Apr/2010 21:21:09][2988224512] {ldapdb} user<_at_>domain.com: found in cache
[06/Apr/2010 21:21:09][2988224512] {auth} Krb5: entering auth (user: user<_at_>xserve.internaldomain.internal)
[06/Apr/2010 21:21:09][2988224512] {auth} Krb5: get_init_creds_password(krbtgt/xserve.internaldomain.internal@xserve.internaldomain.internal, user<_at_>xserve.internaldomain.internal): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)


"Cannot resolve network address for KDC in requested realm" would mean it can't find the KDC (in this case, the xserve, as it is the OD master) via DNS?

xserve.internaldomain.internal resolves to the actual internal IP of the xserve, dig -x of the IP gives xserve.internaldomain.internal, and the IP is pingable. The system time of the OD master and replica is completely in sync, same time zone.

Help please!

p0ddie

As a follow-up, I temporarily switched Kerio to Password Server authentication and it works fine. I do want Kerberos though.

Any progress on the solution or should I file a bug report?

FFPR IT

Hi,

I had the same problem and found a solution, or rather the cause.

In the user's system settings on our Xserve Kerio mail server, the directory server was not registered. Once that was fixed, the Kerberos authentication worked and I could log on to webmail.

Now I know that the problem was only on the mail server. On our OD or any other client/server, the Webmail login worked.

Maybe my description helps.

MacSEK
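
The Krb5 error in the debug log comes from the realm-to-KDC lookup, which a Kerberos library answers from the kdc entries under [realms] in its configuration file or from DNS SRV records for the realm, not from the host's A/PTR records. As an added example (not from the thread or from Kerio), this Python code parses krb5.conf-style text and reports where a KDC for the realm could be found; the sample configs are constructed and the function names are hypothetical.

```python
import re

REALM = "xserve.internaldomain.internal"  # realm string as shown in the debug log
# Constructed sample configs: BROKEN lacks the realm, FIXED registers a kdc for it.
SAMPLE_BROKEN = """
[libdefaults]
    dns_lookup_kdc = false
[realms]
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }
"""
SAMPLE_FIXED = SAMPLE_BROKEN + """
    xserve.internaldomain.internal = {
        kdc = xserve.internaldomain.internal:88
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf-style text."""
    section, realm, defaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # e.g. [libdefaults], [realms]
            section, realm = header.group(1), None
        elif line == "}":                    # end of a realm sub-block
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key                  # start of a realm sub-block
            elif section == "realms" and realm and key == "kdc":
                realms.setdefault(realm, []).append(value)
            elif section == "libdefaults":
                defaults[key] = value
    return defaults, realms

def kdc_lookup_plan(text, realm):
    """List where a KDC for `realm` can be looked up; [] means it cannot be located."""
    defaults, realms = parse_krb5(text)
    if realms.get(realm):                    # explicit entries in the config file
        return ["config:" + kdc for kdc in realms[realm]]
    # Assumption: DNS SRV lookup counts as enabled when the key is absent.
    if defaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "on", "1"):
        return ["srv:_kerberos._udp." + realm, "srv:_kerberos._tcp." + realm]
    return []
```

An empty result for the realm in the log corresponds to the "Cannot resolve network address for KDC in requested realm" condition; a `srv:` result names the DNS records that would then have to exist.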