Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » CentOS Can't Authenticate Using macOS Open Directory (Kerberos is working from the OS but not from Kerio Connect)
  •  
stahancyk is currently offline stahancyk

Messages: 15

IP: 70.102.2.242
Karma: 1
I encountered this once before so I feel really bad that I can't find my notes on how I resolved this...

We have a centos 7 server with Kerio Connect 9.2.4 (3252) and we've set up kerberos to work with our macOS 10.11.6 Open Directory server. Kerio gets a complete list of all users from LDAP but it can't authenticate any LDAP users using kerberos. I can authenticate a user through kerberos using kinit against the OD server. That works perfectly. Email is being delivered into all the directory user's inboxes.

On the mail server A sample of the relevant error -

HTTP/EWS: Authentication failed for user training<_at_>kerioserver.com. Attempt from IP address 192.168.8.142. External authentication service rejected authentication due to invalid password or authentication restriction.


But on the directory server its not so clear there are 'errors' and non-errors -

Oct  2 15:39:15 od kdc[104]: AS-REQ [email]diradmin@OD.SERVER.COM[/email] from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM<_at_>OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin<_at_>OD.SERVER.COM
Oct  2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009 
Oct  2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct  2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable


Both servers are sync'd to the same time server and their times match up to less than one second. The error about not being able to synchronize time may be unimportant as I see that one all over my searches and mostly the causes don't apply in our environment. We have good tested DNS and a working internal time server. As mentioned earlier if I connect to the Kerio server using ssh and then authenticate any user using kinit the user gets logged in but when this is done through Kerio it fails even though it looks like on the OD server side there is no error.

[server names have been changed to protect the guilty]
  •  
ag4apple is currently offline ag4apple

Messages: 14
IP: 100.36.121.234
Karma: 0
Stahancyk,

I recently had this exact same problem. I was getting "external authentication service rejected authentication due to invalid password or authentication restriction." LDAP worked fine, as did kinit from the server command line. We are running Kerio on Centos 7 64 bit, connecting to an OD server for authentication.

In our case, it turned out something was wrong with our krb5.keytab file. If you navigate to /etc on your server, you will find it there. What I did was copy it to a different file as a backup, like this:

$ cp krb5.keytab krb5.keytab.sep.2017.bak


Then remove the original:

$ rm krb5.keytab


Just doing this immediately resolved the issue for us. Give it a shot, it may help in your case. If not, you can always rename the backup file back to the original name.

Kyle
  •  
stahancyk is currently offline stahancyk

Messages: 15

IP: 71.59.141.123
Karma: 1
Thank you for the suggestion. Actually, our centOS 7 64-bit system did not have a .keytab file. I had manually created the krb5.conf file as well as trying to use the authconfig app to create one. In both cases it made no difference to Kerio. In the spirit of trying everything I went ahead a created a keytab file, tested it, but it hasn't made a difference.
  •  
stahancyk is currently offline stahancyk

Messages: 15

IP: 70.102.2.242
Karma: 1
Update on this issue:

We contacted GFI for support over 6 weeks ago and have had minimal responses and no actual help. We've repeatedly had to inquire about the status after receiving no new information for many days. They seem to not be reading the past information on the ticket, as they've requested the same information repeatedly, offered the same solutions or KB articles that we've already stated haven't addressed or solved our problems.

At least twice we've gotten a message saying it's going to Level 3 support and we'll hear back within 48 hours, then after at least twice as long we get a request for information already given, or an 'answer' that we know won't work. We humor them and try it any way, but then don't get any reply.

A week ago they claimed it was going to a Level 3 tech (perhaps the previous times Level 3 techs were just consulted, but that took a lot of time). But we've heard nothing back after a full week.

This support has been very poor, and not up to the standard of our experiences with Kerio support prior to GFI.

And we are still looking for a solution to this issue. If anyone, Kerio, GFI or other can offer a solution, we would appreciate it.
Previous Topic: kerio Config
Next Topic: Wrong time in Kerio Webmail calendar
Goto Forum:
  

 ] [ PDF ]

Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sat Dec 16 14:06:13 CET 2017

Total time taken to generate the page: 0.88527 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.