weird auth issues with 7.0.1 & OS X 10.6 Server & Kerberos
  •  
p0ddie

hi,

I had the strangest behaviour when I set up some 40 users with Kerio mailboxes yesterday.

All users are in an Open Directory on a 10.6.2 server. Kerberos works flawlessly with logins and such.

Kerio 7.0.1 with the OD connector is installed and configured correctly.

I added a bunch of directory users to my Kerio server. Logging in to most of them worked with their password, but for some it just wouldn't work. Logging in via afp or smb worked fine with the provided password tho (in this case via PasswordServer, as these machines are currently standalone users). I could reset the user password, nothing happened. The debug log of Kerio just told me "invalid credentials". When I deleted the user and recreated it, it worked (different uid though).

This was just a minor hiccup as no users used any relevant other services and I could just reconnect them to their user folder just fine.

Still, out of curiosity, what could cause problems like this?
  •  
zentinL

I've been having the same issue.

I had to fall back to Password Server. About 10 percent of users' passwords don't work but only in Kerio. As soon as I'd fail back to password server it would work fine for everyone.
  •  
kthomas

I've also seen this issue. It's happened for us on both Kerio 6.7.x and 7.0.1, our OD server is running 10.5.8.

I've been able to get Kerio logins working by going into the OD Workgroup Manager, clicking the user, then Advanced. Now change the User Password Type to Crypt, enter a new pass and Save.
Change the Password Type back to Open Directory and save again, now it works.

This process preserves the uid, but generates a new Password ID, FWIW.
Weird, indeed.
  •  
Lyle M

I experienced a similar issue. For me, the fix was to delete the user's entry in the password server slot on OD and create a new entry and Kerberos principal.

The easiest way to do this is:

1. ssh to your Open Directory server or open the terminal on the OD server
2. Enter the following command:

sudo slapconfig -settopasswordserver user directory-admin userspw diradminspw

See man slapconfig under the 'Password Server' section for usage details.

In 10.6, I recall you have to leave out the two passwords and have the command prompt for them.

I've only gotten this to work on the OD server itself (locally or via ssh). As best I can tell, the Kerberos issues affected users that I had migrated from older OD servers via slapconfig -mergedb.

I thought my OD problems were behind me, but when I recently switched Kerio to use Kerberos vs. the Apple Password Server, a handful of users began generating password errors.

I used the OD>Crypt>OD trick for years ( http://www.afp548.com/forum/viewtopic.php?showtopic=7099 ). It sorta' works, but you won't see the Kerberos principal in WGM under AuthenticationAuthority, which can bite you the next time you migrate users to a new server.

Cheers,
Lyle Millander
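
To find accounts in the state described in the post above (a Password Server entry but no Kerberos principal under AuthenticationAuthority), here is an added example that is not part of any post in the thread. It parses dscl-style records; the `dscl -readall` invocation and node path, the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed input: the output of
#   dscl /LDAPv3/127.0.0.1 -readall /Users RecordName AuthenticationAuthority
# where records are separated by a line holding only "-".

# Print short names that have a Password Server slot but no Kerberos principal.
missing_kerberos() {
  awk '
    function check(s) {
      if (s ~ /;ApplePasswordServer;/) pws = 1
      if (s ~ /;Kerberosv5;/)          krb = 1
    }
    function emit() {
      if (name != "" && pws && !krb) print name
      name = ""; pws = 0; krb = 0; attr = ""
    }
    /^-$/ { emit(); next }
    /^RecordName:/ {
      attr = "name"; v = $0; sub(/^RecordName: */, "", v)
      if (v != "") { split(v, a, " "); name = a[1] }
      next
    }
    /^AuthenticationAuthority:/ { attr = "auth"; check($0); next }
    /^ / {                       # continuation line of a multi-valued attribute
      if (attr == "auth") check($0)
      else if (attr == "name" && name == "") { split($0, a, " "); name = a[1] }
      next
    }
    { attr = "" }                # any other attribute ends the current one
    END { emit() }
  '
}

# Constructed sample records (hypothetical users, host and realm).
sample_records() {
  cat <<'EOF'
-
AuthenticationAuthority:
 ;ApplePasswordServer;0x00000000000000000000000000000001,1024 35 1111 root@od.example.com:192.0.2.10
 ;Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;1024 35 1111 root@od.example.com
RecordName: alice
-
AuthenticationAuthority:
 ;ApplePasswordServer;0x00000000000000000000000000000002,1024 35 1111 root@od.example.com:192.0.2.10
RecordName: bob
-
AuthenticationAuthority: ;basic;
RecordName: carol
EOF
}

sample_records | missing_kerberos   # lists only the account lacking ;Kerberosv5;
```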