My first server. Problems and advice needed


jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Mon Jun 15, 2009 12:24 pm

My translates to section was incorrect, this is what is required to fallback to local auth:


auth    sufficient om_auth nullok
auth    sufficient om_krb5 use_first_pass
auth    required pam_deny

account  required om_auth
password required om_auth nullok

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 3:07 am

I did this and typed in the command:

sxpamauth -v marky@mirifice.com (being the name I usually use to log into Kerberos systems)

It did recognise me, because the result back was:

om_debug: authenticate: PAM_USER = "RichMarksnotraMark Rich"
om_debug: authenticate: PAM_AUTHTOK not set
Not authenticated: Permission denied


If the system had not reached out to the Kerberos server it could not know that 'marky' is 'mark rich' so I am confused now.

Any more help/advice appreciated.

I am a complete newbie on this and the multitude of OM files is confusing me a lot.

Marky

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 9:36 am

Been at this all morning and I think I have an idea what may be the problem so all help appreciated.

There is a Kerberos server at kerberos.mirifice.com.
There is a Scalix server at snotra.mirifice.com (aka scalix.mirifice.com).

The Configuration and Setup guide walks you through creating a Kerberos server on the Scalix server.
The omaddprincs command creates necessary Kerberos entries but they are not being added to the network Kerberos server, they are being added to the local one.

Now I could be barking up the wrong tree with this thinking so if anyone can help me more, then all appreciated as usual.

Marky

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 10:21 am

Please post /etc/krb5.conf. You should not have configured any local kerberos server. I believe there are instructions for generating the appropriate entries for a remote kerberos server, but it's been awhile since I've looked at the documentation.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 10:32 am

Here is the file contents.
As you can see it does point to the correct server.


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MIRIFICE.COM

[realms]
MIRIFICE.COM = {
   default_domain = mirifice.com
   kdc = kerberos.mirifice.com:88
   admin_server = kerberos.mirifice.com:749
}

[domain_realm]
mirifice.com = MIRIFICE.COM

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 10:51 am

Okay, first you may want to ensure no local kerberos server is running. Then, based on this wiki document, do the following:

copy /opt/scalix/bin/omaddprincs to your kdc.
run: omaddprincs -s all -h scalix.mirifice.com -o /tmp/keytab.ual
copy /tmp/keytab.ual to the scalix server
run: ommergekeys keytab.ual

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 11:18 am

Thank you for your help.

I did this and all seemed to go fine. However I still cannot log in. Looking around the forums I found a thread from someone having similar problems so amended my pamcheck file to read as follows:


auth required om_debug verbosity=3 file=stderr
auth    required om_krb5 user_unknown=ignore
auth    optional om_auth nullok use_first_pass
#
account  required om_auth
password required om_auth nullok


Now when I type the command: sxpamauth -v marky@mirifice.com, I get back the following result:

om_debug: authenticate: PAM_USER = "RichMarksnotraMark Rich"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
user_unknown="Please ignore underlying account module"
service="scalix_ual"
om_krb5: authid = "mark.rich"
Kerberos Password:
om_krb5: service principal: "scalix-ual/snotra.mirifice.com"
om_krb5: unknown authentication failure: Decrypt integrity check failed
om_krb5: Authentication failure
om_auth: authenticate:
nullok: yes
recordbad: no
Scalix password:
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: bad password count now 1 (not recorded)
om_auth: Authentication failure
Not authenticated: Authentication failure


Note: I have to enter my password twice. Am I in the right direction?

Marky

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 11:25 am

Yes, making definite progress. You have to enter your password the second time because kerberos failed, when it works you'll only be prompted once. I'm confused, the hostname in the service principal doesn't match what you've previously posted.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 11:28 am

No, server name is right. snotra.mirifice.com is the name of the mail server. scalix.mirifice.com is a CNAME in the DNS records. I have not used scalix.mirifice.com in any part of this installation.

Any ideas?

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 11:33 am

Okay. Post the output of: klist -k /etc/krb5.keytab
I'm wondering if there are invalid leftover principals from your first attempt.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 11:35 am

This is the result of that command:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
3 imap/snotra.mirifice.com@MIRIFICE.COM
3 imap/snotra.mirifice.com@MIRIFICE.COM
3 ubermanager/snotra.mirifice.com@MIRIFICE.COM
3 res/snotra.mirifice.com@MIRIFICE.COM


In case you were wondering, Snotra is a Norse god associated with Wisdom. Or so says WikiPedia.
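The keytab listing above is the kind of thing worth checking mechanically: whether each service principal really carries the host name the client will ask for (snotra vs. the scalix CNAME), whether a principal appears with more than one KVNO after repeated merges, and whether the realm is spelled in capitals. The following is an added example, not part of the thread or of Scalix; the sample listing is constructed to resemble the posted one and the audit rules are my own assumptions.

```python
"""Audit `klist -k` output for the mismatches discussed in this thread."""
from collections import defaultdict

# Constructed sample modelled on the posted listing (not a real capture);
# the `res` entry is given two KVNOs to show what a stale merge looks like.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
   3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
   3 imap/snotra.mirifice.com@MIRIFICE.COM
   3 imap/snotra.mirifice.com@MIRIFICE.COM
   3 ubermanager/snotra.mirifice.com@MIRIFICE.COM
   2 res/snotra.mirifice.com@MIRIFICE.COM
   3 res/snotra.mirifice.com@MIRIFICE.COM
"""


def parse_klist(text):
    """Return (kvno, principal) tuples from `klist -k` output, skipping headers."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            entries.append((int(parts[0]), parts[1]))
    return entries


def audit_keytab(entries, expected_host, expected_realm):
    """Group entries by principal and flag the conditions a reviewer looks for.

    Note: `klist -k` without `-e` prints one line per stored key, so a
    principal listed twice with the same KVNO may simply have two enctypes;
    `klist -ke` is needed to tell that apart from a genuine duplicate.
    """
    kvnos_by_principal = defaultdict(list)
    for kvno, principal in entries:
        kvnos_by_principal[principal].append(kvno)
    report = {"same_kvno_twice": [], "multiple_kvno": [],
              "wrong_host": [], "wrong_realm": []}
    for principal, kvnos in kvnos_by_principal.items():
        service, _, realm = principal.partition("@")
        host = service.split("/", 1)[1] if "/" in service else ""
        if len(kvnos) != len(set(kvnos)):
            report["same_kvno_twice"].append(principal)
        if len(set(kvnos)) > 1:          # stale key left from an earlier merge
            report["multiple_kvno"].append(principal)
        if host != expected_host:        # client requests service/<host>
            report["wrong_host"].append(principal)
        if realm != expected_realm:      # realm must match krb5.conf, in caps
            report["wrong_realm"].append(principal)
    return report
```

Run against the constructed sample with `audit_keytab(parse_klist(SAMPLE_KLIST), "snotra.mirifice.com", "MIRIFICE.COM")`; passing the CNAME `scalix.mirifice.com` as the host instead flags every principal, which is the mismatch jangi asked about.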

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 11:39 am

Hmm.. You may want to try just deleting that file, and re-running the ommergekeys command (hopefully you still have the keytab file and don't have to regenerate). Also, are you running a MIT or Heimdal kdc?

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 11:43 am

Okay, I did that but the result back is identical. :-(

The KDC is simply the one which came with a Debian installation of Linux.

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 11:54 am

You could try changing the scalix authid of your account to be user@REALM.COM (realm in caps), then trying sxpamauth again with the same.

Could you check what's installed on your kdc? I believe debian offers both kerberos implementations, not sure which is default. We're pretty much at the end of my expertise, I use a windows AD kdc which is a whole different monster. The kerberos error you are getting usually indicates the password stored in the keytab doesn't match the one on the kdc. Other than file corruption (transferred as text instead of binary?), the only thing I can think of is a different kerberos implementation on the other server. Hopefully someone else can chime in.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 12:10 pm

I don't think it's anything special with the KDC. I'm not sure how I can check which flavour it is.

I have just tried removing the principals for the four users from the local KDC and the kerberos server. Redid the omaddprincs command and then copied the file over afresh. I still get the same output. Not sure why I see two entries for ual and imap though, but I'm new to this system so unsure if that is normal.

I still get the same result on the login both in capitals and not on the domain name. That odd authentication error in the message.

Anyone who can help more pleeeeeease?
