[SOLVED] Kerberos and SWA

Postby xtype » Mon Jul 14, 2008 3:38 am

Hi,

I installed Kerberos to authenticate my SWA users as described in the Setup and Configuration Guide.

The users are synced by omldapsync from AD.

Logon with local Scalix accounts works fine, but users who authenticate against Kerberos are not able to log in.

The message says:
Dieser Benutzer konnte nicht gefunden werden oder das eingegebene Passwort ist falsch. Beachten Sie dass beim Passwort zwischen Gross- und Kleinschreibung unterschieden wird.


(it's the German version ;))) )

The User is listed in SAC and omshowu.

kinit <username> with the password shows no error.

The ual.remote entries are:

# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
 auth   required om_krb5 user_unknown=ignore
 auth   optional om_auth nullok use_first_pass


Any ideas why they can't log in?

thx for help

Postby Valerion » Mon Jul 14, 2008 5:10 am

I suggest using sxpamauth to find out what the error is. You will need to create an extra file (/var/opt/scalix/??/s/sys/pam.d/pamcheck) and put om_debug as the first item in there. Check the man pages for both sxpamauth and om_debug for usage instructions.

Could be as simple as clock drift cutting you off.

Postby xtype » Mon Jul 14, 2008 5:48 am

Hi,

I tried to use sxpamauth:

While using it I got the following error:

[root@scalix ~]# sxpamauth -vvvvvvvvvvvvv test@TEST.LOCAL
pam_start_om("pamcheck", "TEST@TEST.LOCAL")
pam_authenticate()
om_krb5 (authenticate):
    user_unknown="User not known to the underlying authentication module"
    service="scalix_ual"
Kerberos Password:


My pamcheck:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug

auth sufficient om_krb5 use_first_pass
auth required pam_deny


How can I specify the user? If I understood the man page correctly, it is done by using the username as a parameter?

PS: I checked the clock times manually ... that's not the problem ... at least not in this case

Postby Valerion » Mon Jul 14, 2008 6:14 am

What I normally use in pamcheck:

auth    required om_debug file=stderr verbosity=3
auth    required om_krb5 user_unknown=ignore
auth    optional om_auth nullok use_first_pass

account  required om_auth
password required om_auth nullok


Then you don't need to specify all the -vvvv's. You can also use the username ("User Name") as opposed to the Auth ID.

Postby xtype » Mon Jul 14, 2008 6:22 am

auth seems to be working:

[root@scalix ~]# sxpamauth -vvv test@TEST.LOCAL
pam_start_om("pamcheck", "test@TEST.LOCAL")
pam_authenticate()
om_debug: authenticate: PAM_USER = "test"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
    user_unknown="Please ignore underlying account module"
    service="scalix_ual"
om_krb5: authid = "test@TEST.LOCAL"
Kerberos Password:
om_krb5: service principal: "scalix-ual/scalix.test.local"
om_krb5: authentication successful, set PAM_AUTHTOK
om_krb5: Success
om_auth: authenticate:
    nullok: yes
    recordbad: no
om_auth: use existing password
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: bad password count now 1 (not recorded)
om_auth: Authentication failure
pam_acct_mgmt()
om_auth: acct_mgmt
    max_age=-1
    exclude=<default>
    nocheck=<default>
    expiry
om_auth: Success

Authenticated
[root@scalix ~]#


But login at SWA still does not work!

Postby Valerion » Mon Jul 14, 2008 6:25 am

Right. Now we know the pamcheck file works. Make a backup of ual.remote in the same directory, then copy pamcheck to ual.remote and remove the om_debug line, then try SWA again.

[SOLVED]

Postby xtype » Mon Jul 14, 2008 6:33 am

Hi,

thx for your help.

The problem was located in ual.remote.

I forgot to comment out line 6

#auth     required om_auth nullok

and however I have to uncomment the lines

account  required om_auth
password required om_auth nullok


After this it works perfectly.

;))))
thx
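
The failure resolved in this thread, as an added example that is not part of the original posts or of Scalix's code: a simplified model of PAM control flags showing why an active `auth required om_auth nullok` line locks out Kerberos users while local accounts still work, plus a check that flags it. It assumes the Scalix UAL stack follows Linux-PAM-style required/optional semantics; the two file bodies and the helper names are constructed for illustration.

```python
# Added example. Assumption: the Scalix UAL stack follows Linux-PAM-style
# control-flag rules. Both file bodies are constructed from lines in the thread.
BROKEN = """\
auth   required om_auth nullok
auth   required om_krb5 user_unknown=ignore
auth   optional om_auth nullok use_first_pass
"""
FIXED = """\
#auth   required om_auth nullok
auth   required om_krb5 user_unknown=ignore
auth   optional om_auth nullok use_first_pass
account  required om_auth
password required om_auth nullok
"""

def parse(text, group="auth"):
    """Return [(control, module)] for the active lines of one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """Simplified result; outcome maps module -> True, False or None (ignore)."""
    failed_required = succeeded = False
    for control, module in stack:
        ok = outcome.get(module)
        if ok is None:                # module asked to be ignored
            continue
        if ok:
            if control == "sufficient" and not failed_required:
                return True
            succeeded = True
        elif control == "requisite":
            return False
        elif control == "required":
            failed_required = True    # stack keeps running but will fail
    return succeeded and not failed_required

def blocking_om_auth(stack):
    """Flag an auth stack where om_auth is mandatory next to om_krb5."""
    has_krb5 = any(module == "om_krb5" for _, module in stack)
    mandatory = ("required", "requisite")
    return has_krb5 and any(c in mandatory and m == "om_auth" for c, m in stack)

# AD-synced user: Kerberos accepts the password, the Scalix password check fails.
KRB_USER = {"om_krb5": True, "om_auth": False}
# Local user unknown to the KDC: om_krb5 returns "ignore" (user_unknown=ignore).
LOCAL_USER = {"om_krb5": None, "om_auth": True}
```
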

