Linux, AD, and KRB5 woes (Don't believe everything you see)

corpunix

After spending around 4 hours on an outage this morning, it became apparent that the AD settings in the Kerio Admin GUI are not honored like you might think they are.

The entries for your particular realm in /etc/krb5.conf seem to be used in some sort of round-robin fashion by Linux, regardless of the settings in the GUI.

The primary DC went down, so I changed it in the admin GUI and added the same entry to the appropriate realms section in /etc/krb5.conf. I added it above the old entry for the server that was down, as it was a temporary change that I would revert later.

Bad idea, come to find out. Even though the down DC was no longer listed in the admin GUI, Linux was happily still trying to use all the entries in krb5.conf. I was able to log in the first time just fine, at which point my credentials were cached. As soon as I logged out and attempted to log in again, the login page would hang indefinitely. Linux had apparently moved on to the next entry in the krb5.conf list, which was the down server.

Unfortunately (for me), krb wasn't logging anything like I expected it to - not even with debugging turned on. I ended up going through every single troubleshooting and installation step until I ran into that extra krb5.conf entry I left and decided to remove it to see what happened. Bingo!


Hopefully this will help someone else in the future. We are a very large site (over 45 DCs just for this one domain), so this might have been somewhat unique to our situation.

corpunix

I forgot to mention the other head-scratching issue with this outage: The incorrect realm settings for one domain were somehow causing issues with the other realm that had not changed at all. Users in both domains could no longer log in after the first attempt. Fixing the first realm solved both problems.

This was all on a CentOS 5.5 x86_64 server with the latest updates, running the last release of Kerio Mailserver before they changed it to Connect.
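
An added example, not part of the original posts and not Kerio's code: a pre-flight check that lists every `kdc` entry under `[realms]` in a krb5.conf and reports the ones that do not answer, so a leftover entry for a down DC is caught before logins start hanging. The realm and host names are constructed, and it assumes hostnames or IPv4 addresses and a TCP probe with a 3-second timeout.

```python
import socket

# Constructed sample (not from the post): CORP.EXAMPLE still lists an old DC.
SAMPLE_CONF = """[realms]
 CORP.EXAMPLE = {
  kdc = dc-new.corp.example
  kdc = dc-old.corp.example:88
  admin_server = dc-new.corp.example
 }
 LAB.EXAMPLE = {
  kdc = dc1.lab.example
 }
"""

def parse_kdcs(conf_text):
    """Return {realm: [(host, port), ...]} from the kdc lines under [realms]."""
    realms, section, realm, depth = {}, None, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key = line.split("=", 1)[0].strip()
        if line.startswith("["):
            section, depth = line.strip("[]").lower(), 0
        elif section != "realms":
            continue  # e.g. "kdc = FILE:..." under [logging] is not a KDC host
        elif line.endswith("{"):
            depth += 1
            if depth == 1:  # a realm block opens; deeper braces are sub-blocks
                realm, realms[key] = key, []
        elif line == "}":
            depth -= 1
        elif depth == 1 and key == "kdc":
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            realms[realm].append((host, int(port or 88)))
    return realms

def kdc_reachable(host, port, timeout=3.0):
    # TCP connect with a hard timeout; AD DCs listen on 88/tcp as well as 88/udp.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def stale_kdcs(conf_text, probe=kdc_reachable):
    """List (realm, host, port) for every configured KDC that does not answer."""
    return [(r, h, p) for r, kdcs in parse_kdcs(conf_text).items()
            for h, p in kdcs if not probe(h, p)]
```

On the mail server, `stale_kdcs(open("/etc/krb5.conf").read())` returns the entries to remove or fix; an empty list means every listed KDC answered.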