Kerio, CentOS7 and AD LDAP KDC Authentication [message #140303]
Thu, 28 June 2018 20:04
marketconnections
Messages: 2 Registered: May 2010 Location: Toronto
Fought this one for several hours and am posting a fix in case anyone else runs into problems like we did.
We set up a brand new CentOS 7 instance, installed Kerio and set it up to map accounts from our Active Directory server. Despite setting it up in Kerio Admin identically to our previous server on CentOS6, and seeing all the users populate properly, we were unable to actually log in using any of the AD accounts.
The Kerio Debug log kept reporting error code 0x00000016:
Krb5: entering auth (user: username@AD.MYDOMAIN.COM)
Krb5: init_context(): failed, error code 0x00000016 (22)
The Security log kept saying:
HTTP/WebMail: Authentication failed for user user@domain.com. Attempt from IP address xx.xx.xx.xx. External authentication service rejected authentication due to invalid password or authentication restriction.
This was despite the fact that we had successfully tested the config in the Admin interface (Test button responded OK) and that we had successfully bound the machine to AD using SSSD and could successfully log in to the machine over SSH with one of our AD accounts.
FIX:
The problem was this line from the top of the default krb5.conf file, which we had left in:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
After commenting out the includedir line, authentication magically started working.
I did a few tests and it doesn't seem to matter where in the krb5.conf file this line appears. The line seems to shut down the ability for Kerberos to read anything in the main config file.
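Before commenting out the includedir line, it helps to know exactly what that directive is pulling in. The following is an added example, not code from the post or from Kerio: a small Python audit that lists the active include / includedir directives in a krb5.conf, reports whether each directory exists and which of its files MIT Kerberos would actually read (per krb5.conf(5), only files whose names consist solely of alphanumerics, dashes and underscores are included, so a snippet named "site.conf" is silently skipped), and applies the poster's workaround of commenting the line out. The sample krb5.conf text, the snippet file names and the KDC host name kdc.example.invalid are constructed for the demo; only the realm AD.MYDOMAIN.COM and the includedir line come from the post.

```python
import os
import re
import tempfile
from typing import Dict, List

# krb5.conf(5) rule: an "includedir DIR" line pulls in only those files in DIR
# whose names consist solely of alphanumeric characters, dashes or underscores.
_INCLUDABLE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample modelled on the post: the stock CentOS 7 header with the
# includedir line, followed by a minimal realm block. The KDC host is a placeholder.
SAMPLE_KRB5_CONF = """\
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[libdefaults]
    default_realm = AD.MYDOMAIN.COM
    dns_lookup_realm = false

[realms]
    AD.MYDOMAIN.COM = {
        kdc = kdc.example.invalid
    }
"""


def find_include_directives(conf_text: str) -> List[Dict[str, object]]:
    """List active include / includedir directives as (line, directive, path).

    krb5.conf treats lines whose first non-blank character is '#' or ';' as
    comments, so a commented-out includedir is correctly not reported.
    """
    found: List[Dict[str, object]] = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^(includedir|include)\s+(\S+)\s*$", line)
        if m:
            found.append({"line": lineno, "directive": m.group(1), "path": m.group(2)})
    return found


def comment_out_includedir(conf_text: str) -> str:
    """Apply the post's workaround: prefix every active includedir line with '# '."""
    out = []
    for raw in conf_text.splitlines():
        out.append("# " + raw if re.match(r"^\s*includedir\s+\S+", raw) else raw)
    return "\n".join(out) + "\n"


def check_includedir(path: str) -> Dict[str, object]:
    """Report whether DIR exists and which of its files krb5 would include or skip."""
    exists = os.path.isdir(path)
    included: List[str] = []
    ignored: List[str] = []
    if exists:
        for name in sorted(os.listdir(path)):
            (included if _INCLUDABLE_NAME.match(name) else ignored).append(name)
    return {"path": path, "exists": exists, "included": included, "ignored": ignored}


def audit_sample_snippet_dir() -> Dict[str, object]:
    """Build a throwaway snippet directory (constructed names) and audit it offline."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("site_realm", "site.conf", "README~"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("# constructed snippet\n")
        return check_includedir(d)


if __name__ == "__main__":
    for directive in find_include_directives(SAMPLE_KRB5_CONF):
        print(f"line {directive['line']}: {directive['directive']} {directive['path']}")
        print("   ", check_includedir(str(directive["path"])))
    print("after workaround:", find_include_directives(comment_out_includedir(SAMPLE_KRB5_CONF)))
    print("sample snippet dir:", audit_sample_snippet_dir())
```

To audit a live host, read /etc/krb5.conf into find_include_directives() and pass each reported path to check_includedir(); a directory that does not exist, or one whose files are all in the "ignored" list, tells you whether the directive is doing any work before you decide to comment it out as the post did.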
Re: Kerio, CentOS7 and AD LDAP KDC Authentication [message #140363 is a reply to message #140303]
Sun, 08 July 2018 23:28
88fingerslukee
Messages: 92 Registered: November 2007
I had this same problem and support temporarily changed me to LDAP authentication. I'd like to go back to Kerberos.
Unfortunately, this fix did not work for me. I tried it and it still fails. I can't seem to find the debug log options to view Kerberos logs. I had it at one point but I can't find it anymore.
Can you point out where that is?