Single-Sign-On Kerberos Authentication and Samba domain

BaldBoy
Posts: 141
Joined: Fri May 19, 2006 12:45 pm

Postby BaldBoy » Fri May 21, 2010 7:48 am

Following the documentation as depicted in "Scalix Setup and Administration guide 11.3 (page 54 and on)", the procedure to enable Kerberos SSO involves the creation of an identity ("scalix-ual") in Active Directory to act as principal name. The procedure is correct unless your Scalix server is configured with Samba joined to the Active Directory domain.
In this scenario, in fact, the procedure endorsed by Samba to join the domain creates a new computer account in Active Directory using the form HOST.yourdomain.com, where HOST is the name of your Scalix server. In addition, Samba automatically creates the keytab db used by Kerberos.
This all said, if you try to create the scalix-ual account in Active Directory while your Scalix computer is already joined to the AD domain by means of Samba, you will end up with:
  • Event id 11 from KDC in the System Event Log of any of your AD Domain Controllers saying: "There are multiple accounts with name scalix-ual/HOST.FQDN of type DS_SERVICE_PRINCIPAL_NAME."
  • If you import the keytab file generated on the Windows Server computer into your Kerberos database on Linux, SSO will not work. Even trying to reset the Kerberos database and importing only the newly created keytab file will be of no use.

This is due to the fact that the computer account added by Samba into AD acts as a wildcard for a bunch of services. Therefore there is no need to create a new principal (scalix-ual) to establish the Kerberos token exchange.
So, if you plan to join your Scalix server to Active Directory using Samba (or if you already have done so), all you have to do is:
  • Join the domain with your Scalix server (net ads join)
  • Open Active Directory for Users and Computers on any of your Windows AD Domain Controllers
  • Locate the newly created computer corresponding to your Scalix server
  • Edit its properties.
  • Open the "Delegation" tab
  • Tick the option "Trust this computer for delegation to any service (Kerberos only)".
  • Apply and close

If you do not do this (if you do not trust the computer for delegation), your SSO logic will apparently work, but if you audit logon failures (like I do) you will get a lot of "PreAuthentication Failed" events in the Security Event log on your Windows Domain Controller.

So ... to make a long story short:
  • Scenario 1 - Scalix server does not have Samba installed and is not joined to the AD Domain: follow the instructions provided by the Scalix documentation, create the scalix-ual account as principal name and import the generated keytab;
  • Scenario 2 - Scalix server has Samba installed and is joined to the AD Domain: do not follow the instructions about how to create the scalix-ual principal account and do not import any keytab file. Simply edit the Scalix server's computer account in AD and trust the computer for delegation.
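The two symptoms named in the post (KDC Event ID 11 for the duplicated SPN, and "PreAuthentication Failed" audit entries when the computer account is not trusted for delegation) can both be checked from a domain controller before and after changing anything. The script below is an added example, not code from the post, from Scalix or from Samba; it assumes the ActiveDirectory RSAT module is available, that it runs on a DC (for the event-log queries), and that HOST / HOST.yourdomain.com are placeholders for the Scalix server's real short name and FQDN. Event ID 4771 is the Security-log id for Kerberos pre-authentication failure on Windows Server 2008 and later; the post does not give an id, so this mapping is the example's own.

```powershell
# Added example (not from the original post): audit the two Scalix SSO
# misconfigurations described above. Assumes RSAT ActiveDirectory module,
# run on a domain controller. HOST / HOST.yourdomain.com are placeholders.
Import-Module ActiveDirectory

$ScalixHost = 'HOST'                    # short name of the Samba-joined Scalix server (placeholder)
$ScalixFqdn = 'HOST.yourdomain.com'     # FQDN registered by 'net ads join' (placeholder)
$Spn        = "scalix-ual/$ScalixFqdn"  # the SPN the Scalix guide has you create

# 1. Which accounts claim the scalix-ual SPN? More than one holder is the
#    duplicate-SPN condition that produces KDC Event ID 11 (Scenario 2 gone wrong).
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
    -Properties servicePrincipalName, objectClass)
Write-Host "Accounts holding ${Spn}: $($holders.Count)"
$holders | Select-Object Name, objectClass, DistinguishedName | Format-Table -AutoSize
if ($holders.Count -gt 1) {
    Write-Warning "Duplicate SPN: in Scenario 2 the separate scalix-ual account should not exist."
}

# 2. Is the Samba-created computer account trusted for delegation?
#    TrustedForDelegation is the attribute behind the ADUC option
#    'Trust this computer for delegation to any service (Kerberos only)'
#    (unconstrained delegation), i.e. the setting the post's step list applies.
$computer = Get-ADComputer -Identity $ScalixHost `
    -Properties TrustedForDelegation, servicePrincipalName
Write-Host "$($computer.Name) TrustedForDelegation = $($computer.TrustedForDelegation)"
Write-Host "SPNs registered on the computer account by the Samba join:"
$computer.servicePrincipalName | ForEach-Object { Write-Host "  $_" }
# Equivalent of the ADUC steps, if you prefer to apply the setting from here:
#   Set-ADComputer -Identity $ScalixHost -TrustedForDelegation $true

# 3. Evidence on this DC over the last 24 hours:
#    - System log, KDC provider, Event ID 11 : duplicate SPN
#    - Security log, Event ID 4771          : Kerberos pre-authentication failed
$since  = (Get-Date).AddDays(-1)
$dupSpn = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 11
    StartTime    = $since
} -ErrorAction SilentlyContinue)
$preAuth = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ScalixHost) })

Write-Host "KDC Event 11 (duplicate SPN), last 24h          : $($dupSpn.Count)"
Write-Host "Event 4771 (pre-auth failed) naming $ScalixHost : $($preAuth.Count)"
```

Run it once before touching the computer account to capture the baseline, and again after applying the delegation setting: the Event 11 count should stay at zero once only the computer account holds the SPN, and the 4771 count attributed to the Scalix host should stop growing once delegation is in place.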
