Kerberos Authentication working for webmail but not SAC

Discuss Scalix Management Services ( formerly Scalix Admin Console )

Moderator: ScalixSupport

cbandrew
Posts: 14
Joined: Fri Feb 17, 2006 4:07 pm

Postby cbandrew » Thu Apr 27, 2006 2:23 pm

Hi,

I have gotten Kerberos authentication to work off of AD. I can change passwords and when I log in to webmail, the passwords are authenticating against AD. However, when I try to log in to the SAC, with admin privileges, set up by a sync'd Active Directory account, I cannot log in.

If I create the account in the SAC, it works fine. If I change the password for the above mentioned AD sync'd account in the SAC, it works fine. It also maintains the original password from AD for the webmail account, not the new SAC password.

In checking the log files, the caa.log states that it is invalid authentication. Is there another log I can check for more information?

Is there a switch that needs to be turned on to allow Kerberos authentication to the SAC?

thanks

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Apr 28, 2006 12:36 pm

SAC authenticates against Scalix LDAP, as opposed to Scalix IMAP which is used by SWA.

LDAP uses the ~/sys/pam.d/omslapdent PAM config file while IMAP uses ual.remote; maybe you've only changed one of them to use the om_krb5 PAM module.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

cbandrew
Posts: 14
Joined: Fri Feb 17, 2006 4:07 pm

Postby cbandrew » Fri Apr 28, 2006 3:49 pm

Thanks, I uncommented the correct lines in the file under /var/opt/scalix/sys/pam.d/omslapdeng and got it to work.

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

Postby pbcadmin » Tue May 16, 2006 2:34 pm

Can you let me know which lines you commented/uncommented to get this to work? I have the same problem, and I tried modifying that file with no success.

Thanks.

cbandrew
Posts: 14
Joined: Fri Feb 17, 2006 4:07 pm

Postby cbandrew » Wed May 17, 2006 9:27 am

Under the file listed above, first comment the line:

#auth required om_auth nullok

then uncomment these two lines under the Kerberos authentication:

auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass

If you are still having troubles, you can go to this website for a graphical tutorial on how to set up kerberos with AD:

http://www.netometer.com/video/

Check under video, and look at the drop box on the left side.

good luck
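
Added example, not part of the original thread: a small shell check for the two conditions the posts above describe, namely whether the LDAP (SAC) and IMAP (SWA) PAM files both have om_krb5 active, and whether an active "auth required om_auth" line still sits ahead of it. The function names and sample file contents are constructed for illustration, and the "blocked" classification assumes standard PAM control-flag semantics.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes simple PAM lines of the form
# "auth <control> <module> [options]" with bare module names, as quoted above.

# active_auth FILE: print "<control> <module>" for each uncommented auth line.
active_auth() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

# krb5_status FILE: classify the auth stack.
#   disabled  no active om_krb5 line
#   blocked   om_krb5 active, but "required om_auth" is evaluated before it, so
#             a local-password failure fails the stack regardless of Kerberos
#   ok        om_krb5 active with no required om_auth ahead of it
krb5_status() {
    active_auth "$1" | awk '
        $2 == "om_krb5" { seen = 1 }
        !seen && $1 == "required" && $2 == "om_auth" { blocker = 1 }
        END { print (!seen ? "disabled" : (blocker ? "blocked" : "ok")) }'
}

# compare_services LDAP_FILE IMAP_FILE: flag the case where only one service
# (SAC via LDAP, or SWA via IMAP) was switched to om_krb5.
compare_services() {
    ldap=$(krb5_status "$1")
    imap=$(krb5_status "$2")
    if [ "$ldap" = "$imap" ]; then
        echo "consistent:$ldap"
    else
        echo "mismatch:ldap=$ldap,imap=$imap"
    fi
}

# Constructed sample files (not real Scalix configs): LDAP file untouched,
# IMAP file edited as described in the thread.
d=$(mktemp -d)
printf '%s\n' 'auth required om_auth nullok' '#auth sufficient om_auth nullok' \
    '#auth sufficient om_krb5 use_first_pass' > "$d/omslapdeng"
printf '%s\n' '#auth required om_auth nullok' 'auth sufficient om_auth nullok' \
    'auth sufficient om_krb5 use_first_pass' > "$d/ual.remote"
compare_services "$d/omslapdeng" "$d/ual.remote"
rm -rf "$d"
```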

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

Postby pbcadmin » Thu May 18, 2006 11:40 am

Thanks for the reply.

I actually have Kerberos authentication working with AD for swa. My problem is that I can't get anybody other than sxadmin to log in to sac. I have a few group managers that need to log in to manage their groups. When they try to log in the caa.log shows this error:
2006-05-18 08:36:24,611 ERROR [RbacAuthorizationHelper.authenticateUser:87] Exception:
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.scalix.sac.ubermgr.ldap.LDAPQuery.initContext(LDAPQuery.java:71)
at com.scalix.sac.ubermgr.rbac.RbacAuthorizationHelper.authenticateUser(RbacAuthorizationHelper.java:58)
at com.scalix.sac.ubermgr.ldap.LDAPServiceHandler.Login(LDAPServiceHandler.java:112)
at com.scalix.sac.ubermgr.caa.RESService.authenticateAndAuthorizeUser(RESService.java:157)
at com.scalix.sac.ubermgr.caa.RESService.doRequest(RESService.java:83)
at com.scalix.caa.soap.SOAPDispatcherServlet.onMessage(SOAPDispatcherServlet.java:267)
at com.scalix.caa.soap.SAAJServlet.doPost(SAAJServlet.java:123)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:300)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:374)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:743)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:866)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Unknown Source)

Any thoughts on why this is happening? Thanks.

pbcadmin
Posts: 10
Joined: Tue Feb 28, 2006 6:30 pm

Postby pbcadmin » Thu May 18, 2006 11:49 am

I just want to add that I did try cbandrew's suggestions and I still had the same problem.

dresdn
Posts: 92
Joined: Wed Apr 05, 2006 5:11 pm

Postby dresdn » Thu Jul 27, 2006 11:49 am

Have you had any resolve to this? I'm seeing the exact same problem. When I modify the /var/opt/scalix/sys/pam.d/omslapdeng, modify my sxadmin by

ommodu --authid admin@REALM sxadmin


I'm still not able to log in to the SAC using a username of "sxadmin@mail.domain.com" or "sxadmin@domain.com" or even just "sxadmin". I get the same error message as above. Webmail, IMAP, SMTP, etc. all work without a problem.

Suggestions?

-Mike

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Fri Aug 04, 2006 4:56 am

Hi,

What does omsearch show for the sxadmin account?

Thanks,
Yuri

