Kerio on Linux and Active Directory/Kerberos Auth.

yacine

Hi,

I am using KMS on Linux (RedHat 9). I set up a domain to retrieve accounts from a Windows 2000 AD...

I can retrieve all my AD accounts, create a new one in AD, ... but the AD/Kerberos auth is not working for all of them:

[10/Feb/2004 23:10:28] Krb5: user yacine<at>***** not authenticated: error code -1765328230
[10/Feb/2004 23:10:28] WEBMAIL: Invalid password for user yacine

The password is correct. I have installed the Windows version of Kerio on the AD box with exactly the same settings as on my Linux box: it works perfectly...

Any ideas/help will be appreciated as I am completely stuck on this one :-<

Thanks,
Yacine.
miro

Do you also have the same DNS settings in TCP/IP on both machines?
yacine

No, on my Linux box I use my ISP's DNS and on the Windows AD I use the Windows DNS...

I suspected a DNS issue, but I changed my resolv.conf file on Linux to query the Windows DNS: it does not change anything.

Do you think that Kerio on Linux tries to find the domain controller like a Windows client does (+ SRV records...)?

I used tcpdump and I did not find anything special.
miro

I solved the following problem:

Gateway computer with two NICs running KWF.
Kerberos auth against AD was not functional.
We found with support that on the internal NIC I had, as first DNS server, the primary DNS server for the Internet domain.

This was bad, because when KWF tries to authenticate against AD, it contacts some services on AD and needs a response from the AD LDAP database and from the AD-integrated DNS.

Maybe the Linux machine must have some records in AD?
I found the following on Google:

error:-1765328164-Requesting ticket can't get forwardable tickets
Cannot resolve network address for KDC in requested realm while
getting AFS tickets
Look at www.monitorware.com/Common/en/SecurityReference/Kerberos-failures.asp
yacine

Hi,

Here is an update: my Linux box has been added into the AD DNS; I can resolve and ping it (this seems to be important in the Windows world).

I also changed my /etc/krb5.conf file and I still have the same issue :< with the same Kerberos error:
[13/Feb/2004 15:29:50] Krb5: user yacine<at>sasf8.local not authenticated: error code -1765328230
[13/Feb/2004 15:29:50] WEBMAIL: Invalid password for user yacine<at>sasforce8.fr

FYI, here is my krb5.conf file:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = sasf8.local
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
SASF8.LOCAL = {
kdc = srvfood.sasf8.local:88
admin_server = srvfood.sasf8.local:749
default_domain = sasf8.local
}

[domain_realm]
.sasf8.local = SASF8.LOCAL
sasf8.local = SASF8.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

I have also added srvfood.sasf8.local in my /etc/hosts file...

kokhong

Did you eventually manage to get it working? I'm also having some difficulty getting the authentication to work. It appears that some additional setup is required on the underlying OS before Kerio MailServer can authenticate against the AD.

Have you come across any documentation that points to this?

Thanks
kokhong

For the above to work:

On Linux
1) configure /etc/krb5.conf
2) ensure dns resolution to AD server is setup
3) ensure that the system time between Kerio/AD is synchronised

On Kerio Admin
1) Specify the Kerberos realm in CAPS, e.g. EXAMPLE.COM
2) At domain settings, map users/accounts to AD
3) At user settings, select Kerberos Authentication for accounts that will use AD for authentication.

On AD Server
1) Install the Kerio AD extension if you want to create/activate accounts through AD. Not needed if Kerio accounts are created via Kerio Admin and AD is used only for authentication.
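Added example (not from the thread, Kerio or Kerio's documentation): a small Python lint for the krb5.conf side of the checklist above. Kerberos realm names are case-sensitive, and with `dns_lookup_kdc = false` the MIT library can only locate a KDC through a [realms] stanza whose name matches the realm exactly; the krb5.conf posted earlier has `default_realm = sasf8.local` against a `SASF8.LOCAL` stanza, and the log lines show the lower-case realm, which is the condition that produces "Cannot resolve network address for KDC in requested realm". The embedded sample config is constructed from the posted one; the parser and checks are this example's own.

```python
# Constructed sample modelled on the krb5.conf posted in the thread (not the original file).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = sasf8.local
dns_lookup_kdc = false

[realms]
SASF8.LOCAL = {
kdc = srvfood.sasf8.local:88
}

[domain_realm]
.sasf8.local = SASF8.LOCAL
"""

def parse_krb5_conf(text):
    """Parse [sections], simple 'key = value' lines and one level of NAME = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                               # end of a NAME = { ... } block
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].rstrip(" =").strip(), {})
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf

def lint_krb5_conf(conf):
    """Return a list of findings; an empty list means the realm/KDC checks pass."""
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", "")
    # MIT Kerberos defaults dns_lookup_kdc to true; when false, only [realms] can name a KDC.
    dns_lookup_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() == "true"
    findings = []
    if default_realm != default_realm.upper():
        findings.append(f"default_realm '{default_realm}' is not upper-case; realm names are case-sensitive")
    if default_realm not in realms:
        findings.append(f"default_realm '{default_realm}' has no [realms] entry (defined: {sorted(realms)})")
    for realm, settings in realms.items():
        if not dns_lookup_kdc and "kdc" not in settings:
            findings.append(f"realm {realm} names no kdc while dns_lookup_kdc is false")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```

Run `lint_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))` on the Linux box; the checks pass once `default_realm` is written exactly as the [realms] stanza name.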
