Using Kerberos For *Everything*


dresdn
Posts: 92
Joined: Wed Apr 05, 2006 5:11 pm

Using Kerberos For *Everything*

Postby dresdn » Mon May 29, 2006 11:38 am

I know I've recently posted about using Kerberos and multiple domains, but I'm having problems with Kerberos elsewhere.

Basically I want to use Kerberos authentication for *everything* - smtp-auth, IMAP, POP, SAC, Webmail, etc.

Is there a single file in ~/sys/pam.d that I can modify to enable this? In addition, I'd like to disable the Scalix internal passwords (which I believe are stored in the ldap server?). I've imported a lot of users with a generic password (for mail migration purposes), and it can still be used instead of the proper Kerberos passwords. I just want to minimize the security risk.

I modified the ual.remote file and that seems to do it for IMAP and Webmail, but I can't figure out SMTP. I've modified the following files:

~/sys/pam.d/smtpd

Code:

auth    sufficient om_krb5 use_first_pass
auth    required pam_deny
account  required pam_permit


~/sys/pam.d/smtpd.auth

Code:

auth    sufficient om_krb5 use_first_pass
auth    required pam_deny
account  required om_auth


~/sys/pam.d/omslapdeng

Code:

auth    sufficient om_auth nullok
auth    sufficient om_krb5 use_first_pass
auth    required pam_deny
account  required om_auth


~/sys/pam.d/ual.remote

Code:

auth    sufficient om_krb5 use_first_pass
auth    required pam_deny
account  required om_auth
password required om_auth nullok


This allows me to SMTP auth with both my Kerberos password and my generic Scalix password, but I don't see any auth parameters having to do with the internal auth. mech.

Also, this kills my SAC login ability as well. If I have my sxadmin user with an authid of a Kerberos principal, I get a "Could not login." If the sxadmin has the proper authid, I still can't login.

Can someone help point me in the right direction? I'd also like to know what pam files are for what service.

Thanks,
Mike
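One way to see which of the stacks quoted above can still be passed with the generic Scalix password, as an added audit script that is not part of this thread or of Scalix: it parses the PAM files (embedded here as constructed sample data) and flags any non-Kerberos module marked "sufficient" in the auth stack, plus any nullok option, assuming om_auth checks the Scalix-internal password and om_krb5 the Kerberos one.

```python
# Constructed sample data: the ~/sys/pam.d stacks quoted in the post (nothing is read from disk).
SAMPLE_STACKS = {
    "smtpd.auth": (
        "auth    sufficient om_krb5 use_first_pass\n"
        "auth    required pam_deny\n"
        "account  required om_auth\n"
    ),
    "omslapdeng": (
        "auth    sufficient om_auth nullok\n"
        "auth    sufficient om_krb5 use_first_pass\n"
        "auth    required pam_deny\n"
        "account  required om_auth\n"
    ),
    "ual.remote": (
        "auth    sufficient om_krb5 use_first_pass\n"
        "auth    required pam_deny\n"
        "account  required om_auth\n"
        "password required om_auth nullok\n"
    ),
}

def parse_pam(text):
    """Parse a PAM stack into (type, control, module, args); skip comments/blanks."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:          # malformed lines are ignored
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def audit_auth_stack(text, kerberos_module="om_krb5"):
    """List the ways the 'auth' stack can succeed without the Kerberos module."""
    # Linux-PAM rule assumed: a 'sufficient' module that succeeds ends the stack
    # with success unless an earlier 'required' module already failed.
    findings, krb5_seen = [], False
    for ptype, control, module, args in parse_pam(text):
        if ptype != "auth":
            continue                 # only the auth stack decides who gets in
        if module == kerberos_module:
            krb5_seen = True
            continue
        if control == "sufficient":
            findings.append(f"{module}: 'sufficient' in the auth stack, "
                            "so a non-Kerberos password alone passes")
        if "nullok" in args:
            findings.append(f"{module}: nullok accepts an empty password")
    if not krb5_seen:
        findings.append(f"{kerberos_module} is never consulted")
    return findings
```

Run against the sample, only omslapdeng (the stack behind the LDAP bind that SAC uses) is flagged, which matches the symptom that the Scalix password still works there.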

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed May 31, 2006 5:59 pm

The files you changed are the correct ones except for smtpd. You should revert that one back to its original state.

When you are talking about internal auth mechanism, is that just LOGIN, PLAIN etc for SMTP or did you mean something else ?

SAC uses an authenticated bind against the Scalix LDAP server so, if you can use your Kerberos password to sign in to SWA and view your personal contacts, SAC authentication should work.

Cheers

Dave

dresdn
Posts: 92
Joined: Wed Apr 05, 2006 5:11 pm

Postby dresdn » Thu Jun 01, 2006 10:23 am

ScalixSupport wrote:The files you changed are the correct ones except for smtpd. You should revert that one back to its original state.


Alright, I restored that one back to the default one. I can still use the default password to SMTP AUTH though. When I migrated over, I did a massive omaddu --bulk with a generic password (so I could then imapsync using that password). Now, all I want to do is just have every application *not* use that generic password, but not change it either, just disable it.

Here's the omshowu for my user:

Code:

]# omshowu "Mike Bydalek"
Authentication ID: mbydalek@CONTENTCONNECTIONS.COM
User Name : Mike Bydalek /CN=Mike Bydalek
MailNode : mail,contentconnections
Internet Address : mbydalek@contentconnections.com="Mike Bydalek" <mike@contentconnections.com>
System Login : 60572
Password : set
Admin Capabilities : YES
Mailbox Admin Capabilities : NO
Language : C
Virtual Vault : Enabled (default)
Mail Account: Unlocked
Last Signon : 06.01.06 07:17:29
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
User Class : Full


I would expect that since I changed the authid field, that it should not successfully authenticate to whatever backend is used by default (see below).

ScalixSupport wrote:When you are talking about internal auth mechanism, is that just LOGIN, PLAIN etc for SMTP or did you mean something else ?


I guess what I was trying to say was, "The backend which provides authentication by default for Scalix, ie. LDAP, SQL, Kerberos, SASL, etc." Basically, where are the passwords stored in a default Scalix install?

The reason I ask is because like I said above, I'm getting mixed results on some applications where I can use just my Kerberos, or where I can use either my Kerberos or Scalix password.

ScalixSupport wrote:SAC uses an authenticated bind against the Scalix LDAP server so, if you can use your Kerberos password to sign in to SWA and view your personal contacts, SAC authentication should work.


Unfortunately, I'm not seeing these results. If I ommodu --authid <kerberos> my sxadmin account, I'm able to login to SWA, but not SAC. If I ommodu --authid <scalix>, I'm able to login to SAC, but not SWA.

In addition, I'm not able to login to SAC as my user (see above). I think I have all the permissions correct ....

I tried to look for the SAC logs, but didn't find them off hand. I think they're on the forums here, so I'll give a look.

Out of curiosity, there isn't a global pam.d/ file which overrides everything else where I can just set Kerberos? Sort of like how Gentoo has moved to the pam.d/system-auth and everything else references that one, but you can change individual ones if you'd like to not use the "system default."

Thanks!

-Mike

dresdn
Posts: 92
Joined: Wed Apr 05, 2006 5:11 pm

Postby dresdn » Tue Jun 06, 2006 11:54 am

Any suggestions on this one?

I have several people who are going to need to admin. mailboxes and I really don't want to give them access to the sxadmin account. I'd rather have them use their own username/password for the SAC.

Also, there is still a security risk with the SMTP-AUTH still using the Scalix-LDAP password, rather than the Kerberos one.

Thanks in advance.

-Mike

