My first server. Problems and advice needed

Discuss installation of Scalix software


jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Tue Jun 16, 2009 12:14 pm

Well, I would definitely try and completely shut down the local kdc. You will not need it in your final setup. Then re-test with kinit before sxpamauth.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 16, 2009 12:20 pm

I have shut it down. There is a kadmin.local and a kadmin on the server. Using kinit I log in with my admin username and password. Listing the princs shows those on the Kerberos server. If I use kadmin.local I see the local princs, don't I? There are fewer of them and no accounts for people in the company.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Wed Jun 17, 2009 3:26 am

This morning I uninstalled the local Kerberos server from the Scalix machine. I can still get tickets etc. from the OS to the Kerberos server and can still use KADMIN to see all the principals from the Kerberos server, so everything seems fine there.

I removed all the principals and keytab records for the 4 Scalix entries and recreated them as per the instructions yesterday.

However...

Still the same problem. I still cannot authenticate the Scalix users to Kerberos for login. Why is this so difficult? Where's the reason for this problem? I am becoming so frustrated. Had the company not put in the investment in servers and software, I would have been inclined to ditch it for a competitor's package. This shouldn't be so hard. Accepting my own ignorance with this package, and that the many config files could be at fault, the program interface should at least have the option to select the Kerberos server; a simple tick box to authenticate against it would have been a better approach.

All help appreciated getting this problem resolved.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Wed Jun 17, 2009 4:11 am

Post the output of kinit here, so we can see if there's anything there. Also, ensure that om_debug is in your pamcheck file, then run sxpamauth -vvv "User Name" and post the output here as well. It may be good if you post your pamcheck file as well; this thread is getting rather long now. Also, on the user you are authenticating, do an omshowu -n "User Name" and post the output here as well, please.

As for a checkbox, that forces the system to make assumptions about authentication. There are two standard ways of authenticating against Kerberos, and if you mix LDAP/SMB into that it can get complex very quickly.

A quick suggested pamcheck file:


auth     required om_debug verbosity=3 file=stderr
auth     required om_krb5 user_unknown=ignore
auth     optional om_auth nullok use_first_pass
account  required om_auth
password required om_auth nullok

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Kerberos issues

Postby markrich » Wed Jun 17, 2009 11:00 am

In despair, I reformatted the server today and started again. I know, extreme, but I am at my wits' end with this problem.
Did everything requested in this thread so far and the result has been the same as before.

Not sure what you mean by the output of KINIT. If you mean KLIST, then that's already been posted. However, here it is again.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
3 scalix-ual/snotra.mirifice.com@MIRIFICE.COM
3 imap/snotra.mirifice.com@MIRIFICE.COM
3 imap/snotra.mirifice.com@MIRIFICE.COM
3 ubermanager/snotra.mirifice.com@MIRIFICE.COM
3 res/snotra.mirifice.com@MIRIFICE.COM

The pamcheck file, is what you have just provided so no need to post that again.

The output of sxpamauth -vvv marky@mirifice.com is:

pam_start_om("pamcheck", "marky@mirifice.com")
pam_authenticate()
om_debug: authenticate: PAM_USER = "RichMarksnotraMark Rich"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
user_unknown="Please ignore underlying account module"
service="scalix_ual"
om_krb5: authid = "mark.rich"
Kerberos Password:
om_krb5: service principal: "scalix-ual/snotra.mirifice.com"
om_krb5: unknown authentication failure: Decrypt integrity check failed
om_krb5: Authentication failure
om_auth: authenticate:
nullok: yes
recordbad: no
Scalix password:
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: bad password count now 1 (not recorded)
om_auth: Authentication failure
pam_authenticate: Permission denied

Not authenticated: Permission denied
To be honest, not a lot of this makes any sense to me. What the options are for om_auth is still difficult to grasp at this time.

The output of your other request, omshowu -n mark.rich is:

Authentication ID: mark.rich
Globally Unique ID: 44c345b8-33c1-102d-8c0a-847adda04031
User Name : Mark Rich /CN=Mark Rich
MailNode : snotra
Internet Address : mark.rich@mirifice.com=mrich@mirifice.com=markr@mirifice.com=markrich@mirifice.com=marky@mirifice.com=markytest2@mirifice.co.uk
System Login : 55014
Password : unset
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : ENGLISH
Mail Account: Unlocked
Last Signon : 06.17.09 15:37:04
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidyall : NO
Recovery Folder visible : NO
User Class : Limited
SIS URL : sxidx://snotra.mirifice.com/0c200000636 ... 21.861.291
I wasn't aware the threads had limits on their size, so as long as the problem persists I'll keep posting. In addition, the time difference means thread replies usually come as I'm winding up for the day, hence the continual requests for help on a system which seems very tricky to set up without prior knowledge. Not impossible, just very hard.

I don't think my system setup is that complicated. I have a mail server, an LDAP server and a Kerberos server.

Thanks for your help so far and every bit appreciated.

Marky

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Wed Jun 17, 2009 12:38 pm

An interesting addition to my efforts here may help us?

I created a new user. Unlike the other users, I did not assign a short ID. I created a user called "Scalix Testuser" and used the now working omldapsync to transfer his details to the Scalix server. All that worked fine. No errors.

I used the sxpamauth command again and the results were slightly different.

pam_start_om("pamcheck", "Scalix Testuser")
pam_authenticate()
om_debug: authenticate: PAM_USER = "TestuserScalixsnotraScalix Testuser"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
user_unknown="Please ignore underlying account module"
service="scalix_ual"
om_krb5: authid = "scalix.testuser"
Kerberos Password:
om_krb5: service principal: "scalix-ual/snotra.mirifice.com"
om_krb5: authentication successful, set PAM_AUTHTOK
om_krb5: Success
om_auth: authenticate:
nullok: yes
recordbad: no
om_auth: use existing password
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: bad password count now 1 (not recorded)
om_auth: Authentication failure
pam_authenticate: Permission denied

Not authenticated: Permission denied
Note: the authentication was partially successful. The password was only requested once, and here is the result. Now there is still an issue there to resolve, but perhaps this additional piece of my problem may help us come up with a solution?

Additional: out of curiosity I tried to log into webmail with this account and it worked; however, I could not send any email as the system keeps bringing up a dialogue box indicating 'Connection Failure'. Therefore we have two problems: 1) why is this error still present in the debug output, and how to resolve it and send the mail, and 2) why does it not work with my own account?

Marky

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Wed Jun 17, 2009 1:02 pm

Now we're getting somewhere.
Please check the pamcheck file. The line 'auth optional om_auth' should prevent the overall auth from failing when Kerberos is successful. You could try removing this line, but it should work the way it's posted.
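The pamcheck stack Valerion posted and jangi's point about the 'optional' line both come down to PAM control-flag semantics. The following is an added example, not code from the thread or from Scalix: it models standard Linux-PAM required/requisite/sufficient/optional handling over that auth stack, treating om_debug as a module that only logs (an assumption), and om_krb5 with user_unknown=ignore as returning ignore for a principal the KDC does not know.

```python
# Added example, not from the thread: standard Linux-PAM control-flag semantics
# applied to the auth lines of the pamcheck file posted in the thread.

# (type, control, module), as in the posted pamcheck file.
AUTH_STACK = [
    ("auth", "required", "om_debug"),
    ("auth", "required", "om_krb5"),
    ("auth", "optional", "om_auth"),
]

def evaluate_stack(stack, results):
    """Return True if the stack as a whole succeeds.

    results maps module -> True (success) / False (failure). A module missing
    from results is treated as PAM_IGNORE: that is om_krb5 with
    user_unknown=ignore for an unknown principal, and (assumption) om_debug,
    which is modelled here as a pure logging module.
    """
    failed = False        # some required/requisite module failed
    decided = False       # some non-optional module returned a real result
    optional_ok = None    # combined result of the optional modules
    for _, control, module in stack:
        ok = results.get(module)
        if ok is None:
            continue
        if control in ("required", "requisite"):
            decided = True
            if not ok:
                failed = True
                if control == "requisite":
                    break                   # requisite stops the stack at once
        elif control == "sufficient":
            if ok and not failed:
                return True                 # success short-circuits the rest
        elif control == "optional":
            optional_ok = ok if optional_ok is None else (optional_ok and ok)
    if not decided and optional_ok is not None:
        return optional_ok                  # optional only decides when alone
    return not failed

def verdict(krb5, scalix):
    """krb5 / scalix: True, False or None (ignored) for om_krb5 / om_auth."""
    results = {m: v for m, v in (("om_krb5", krb5), ("om_auth", scalix)) if v is not None}
    return "Authenticated" if evaluate_stack(AUTH_STACK, results) else "Not authenticated"
```

With om_krb5 as the only required module that returns a real result, a Kerberos success carries the stack even when om_auth then fails, and a Kerberos failure denies it regardless of om_auth; om_auth only decides when Kerberos ignored the user.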

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Wed Jun 17, 2009 1:03 pm

Looking closer, I'm not sure what the line:
pam_authenticate: Permission denied
means...

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Thu Jun 18, 2009 4:20 am

Are you sure about your Auth ID? Normally Kerberos needs the realm as well, to differentiate. So your authID needs to be username@REALM where REALM is the Kerberos realm in upper case (Kerberos is case sensitive). May or may not be the issue, though.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Thu Jun 18, 2009 5:16 am

Success at last. Hopefully the end of the road is in sight here. :-)

Here's the solution so far. LDAP has a record UID for each user as:

uid=firstname.secondname,ou=staff,ou=people,dc=mirifice,dc=com

There was a change of policy before I joined the company to move away from long names to short names to aid login to the servers. But the LDAP records are still generated by the new-user scripts with long names. Now this isn't a problem when the Kerberos and LDAP records match, but when there is a difference, as in mark.rich for LDAP and marky for Kerberos, then Scalix gets upset.

So, out of experimentation, the LDAP record for me was changed to:

uid=marky,ou=staff,ou=people,dc=mirifice,dc=com

and omldapsync -u 13mirifice.com was run on the Scalix server to get the records in sync.

Then sxpamauth -vvv marky@mirifice.com was typed from a command prompt and the result was:

pam_start_om("pamcheck", "marky@mirifice.com")
pam_authenticate()
om_debug: authenticate: PAM_USER = "RichMarksnotraMark Rich"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
user_unknown="Please ignore underlying account module"
service="scalix_ual"
om_krb5: authid = "marky"
Kerberos Password:
om_krb5: service principal: "scalix-ual/snotra.mirifice.com"
om_krb5: authentication successful, set PAM_AUTHTOK
om_krb5: Success
om_auth: authenticate:
nullok: yes
recordbad: no
om_auth: use existing password
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: bad password count now 1 (not recorded)
om_auth: Authentication failure
pam_acct_mgmt()
om_auth: acct_mgmt
max_age=-1
exclude=<default>
nocheck=<default>
expiry
om_auth: Success

Authenticated
Logging into webmail did not allow me to send any email until the smptd.auth file's contents were changed to match the same two Kerberos lines used in ual.remote and omslapdeng.
I would welcome any comments about this in case I have done that incorrectly and alternative lines are recommended.

I also tried with Apple Mail and IMAP. The app took almost 10 minutes to authenticate to the server when setting up the account which seemed very odd and comments appreciated on this. However once setup I was able to send email between mailboxes on the server and out of the company.

I could not have done all this without your help pointing me in the right direction and am happier again.

Thank you all!

Marky
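The two sxpamauth -vvv runs for marky@mirifice.com differ only in the authid om_krb5 derived from LDAP, which is the mismatch this post identifies. The following is an added example, not code from the thread or from Scalix: a small parser that turns such transcripts into structured results and flags a login name whose local part differs from the Kerberos authid; the two sample transcripts are constructed here, trimmed from the outputs posted above.

```python
# Added example, not from the thread: parse sxpamauth -vvv transcripts into
# structured results so several runs can be compared side by side.
import re

# Constructed samples, trimmed from the two runs posted for marky@mirifice.com.
FAILED_RUN = """pam_start_om("pamcheck", "marky@mirifice.com")
om_krb5: authid = "mark.rich"
om_krb5: unknown authentication failure: Decrypt integrity check failed
om_krb5: Authentication failure
om_auth: Authentication failure
Not authenticated: Permission denied"""

GOOD_RUN = """pam_start_om("pamcheck", "marky@mirifice.com")
om_krb5: authid = "marky"
om_krb5: Success
om_auth: Authentication failure
pam_acct_mgmt()
om_auth: Success
Authenticated"""

def parse_sxpamauth(text: str) -> dict:
    """Extract login name, om_krb5 authid, each module's auth result and verdict."""
    r = {"login": None, "authid": None, "krb5": None, "krb5_reason": None,
         "om_auth": None, "authenticated": False}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'pam_start_om\("[^"]*", "([^"]*)"\)', line):
            r["login"] = m.group(1)
        elif m := re.match(r'om_krb5: authid = "([^"]*)"', line):
            r["authid"] = m.group(1)
        elif m := re.match(r"om_krb5: unknown authentication failure: (.*)", line):
            r["krb5_reason"] = m.group(1)
        elif line in ("om_krb5: Success", "om_krb5: Authentication failure"):
            r["krb5"] = "ok" if line.endswith("Success") else "fail"
        # First om_auth result is the auth phase; a later one is pam_acct_mgmt.
        elif r["om_auth"] is None and line in ("om_auth: Success", "om_auth: Authentication failure"):
            r["om_auth"] = "ok" if line.endswith("Success") else "fail"
        elif line == "Authenticated":
            r["authenticated"] = True
    return r

def triage(r: dict) -> str:
    """One-line reading of a parsed run, following the thread's own diagnosis."""
    local = (r["login"] or "").split("@")[0]
    hint = "" if local == r["authid"] else f" (login {local!r} != authid {r['authid']!r})"
    if r["authenticated"]:
        return f"authenticated via Kerberos as {r['authid']}" + hint
    if r["krb5"] == "fail":
        return f"Kerberos rejected {r['authid']!r}: {r['krb5_reason']}" + hint
    return "Kerberos ok but PAM denied; check the stack's control flags" + hint
```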

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Thu Jun 18, 2009 6:07 am

Congrats :) Now just ensure that your pam.d files don't have om_debug in them; only pamcheck should have it. Also, you will need to replace ual.local as well. Did you experience similar auth delays in sxpamauth? If it was DNS or similar, you would have seen it there as well.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Thu Jun 18, 2009 6:19 am

Well two steps forward, one step back.

I can no longer get into the Admin console, and my omldapsync command fails too.
I am using the local account sxadmin created on installation.

Any clues on how to resolve?

Marky

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Thu Jun 18, 2009 6:38 am

Try running sxpamauth on the sxadmin user and post what you see. Perhaps also try changing the sxadmin password.

Recently I had an interesting issue with an 11.4.2 server. Enabled AD authentication. It worked for the few users we tested with who are in AD, and also for almost all of the non-AD users, except for 2 of them. We simply could not get those to authenticate, and eventually re-created those accounts. Worked fine after that.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Thu Jun 18, 2009 6:47 am

I tried the command and the result was:

pam_start_om("pamcheck", "sxadmin")
pam_authenticate()
om_debug: authenticate: PAM_USER = "sxadminsnotrasxadmin"
om_debug: authenticate: PAM_AUTHTOK not set
om_krb5 (authenticate):
user_unknown="Please ignore underlying account module"
service="scalix_ual"
om_krb5: authid = "sxadmin"
Kerberos Password:
om_krb5: service principal: "scalix-ual/snotra.mirifice.com"
om_krb5: authentication successful, set PAM_AUTHTOK
om_krb5: Success
om_auth: authenticate:
nullok: yes
recordbad: no
om_auth: use existing password
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: Success
pam_acct_mgmt()
om_auth: acct_mgmt
max_age=-1
exclude=<default>
nocheck=<default>
expiry
om_auth: Success

Authenticated
So no problems there. I tried resetting the password and trying again. Same success. But I still cannot log into the Admin console, and omldapsync still fails.

I can, however, log into webmail with the user and password.

Any clues?

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Thu Jun 18, 2009 7:13 am

Then you will have to focus on the CAA web module. Try to see in the Tomcat log files if there's a reason why it would fail. Both the admin console and omldapsync use CAA to send commands to the server; the mail clients do not.
