CentOS Can't Authenticate Using macOS Open Directory [message #137129] Wed, 04 October 2017 00:55
stahancyk

I encountered this once before so I feel really bad that I can't find my notes on how I resolved this...

We have a CentOS 7 server with Kerio Connect 9.2.4 (3252) and we've set up Kerberos to work with our macOS 10.11.6 Open Directory server. Kerio gets a complete list of all users from LDAP but it can't authenticate any LDAP users using Kerberos. I can authenticate a user through Kerberos using kinit against the OD server. That works perfectly. Email is being delivered into all the directory users' inboxes.

On the mail server, a sample of the relevant error:

HTTP/EWS: Authentication failed for user training@kerioserver.com. Attempt from IP address 192.168.8.142. External authentication service rejected authentication due to invalid password or authentication restriction.


But on the directory server it's not so clear; there are 'errors' and non-errors:

Oct  2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct  2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct  2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct  2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable


Both servers are sync'd to the same time server and their times match up to less than one second. The error about not being able to synchronize time may be unimportant, as I see that one all over my searches and mostly the causes don't apply in our environment. We have good, tested DNS and a working internal time server. As mentioned earlier, if I connect to the Kerio server using ssh and then authenticate any user using kinit, the user gets logged in, but when this is done through Kerio it fails, even though it looks like on the OD server side there is no error.

[server names have been changed to protect the guilty]

[Updated on: Wed, 04 October 2017 00:57]
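
An added example, not part of the original post: a small Python parser for KDC log lines in the format quoted above. It groups AS-REQs by principal and source address, so a login rejected by the mail server can be checked against what the KDC actually received and whether pre-authentication succeeded. The log sample and the mail server address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample, modeled on the KDC syslog format quoted in the post.
# 192.0.2.10 stands in for the mail server's address (an assumption).
SAMPLE_LOG = """\
Oct  2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:39:15 --- last message repeated 1 time ---
Oct  2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct  2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct  2 15:41:02 od kdc[104]: AS-REQ training@OD.SERVER.COM from 192.0.2.10:51544 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct  2 15:41:02 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
"""

AS_REQ = re.compile(
    r"kdc\[\d+\]: AS-REQ (?P<princ>\S+) from (?P<ip>[\d.]+):\d+ for \S+"
)
PREAUTH_OK = re.compile(
    r"kdc\[\d+\]: \S+ pre-authentication succeeded -- (?P<princ>\S+)"
)


def summarize(log_text):
    """Return {(principal, source_ip): {"requests": n, "preauth_ok": m}}."""
    stats = {}
    last_ip = {}  # principal -> source IP of its most recent AS-REQ
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            key = (m["princ"], m["ip"])
            entry = stats.setdefault(key, {"requests": 0, "preauth_ok": 0})
            entry["requests"] += 1
            last_ip[m["princ"]] = m["ip"]
            continue
        m = PREAUTH_OK.search(line)
        # Credit the success to the source of that principal's latest AS-REQ.
        if m and m["princ"] in last_ip:
            stats[(m["princ"], last_ip[m["princ"]])]["preauth_ok"] += 1
    return stats


def seen_from(stats, source_ip):
    """Principals whose AS-REQs arrived from source_ip (e.g. the mail server)."""
    return sorted(p for (p, ip) in stats if ip == source_ip)


if __name__ == "__main__":
    for (princ, ip), counts in summarize(SAMPLE_LOG).items():
        print(princ, ip, counts)
```

Run over the KDC log for the minute of a rejected login, a principal missing from `seen_from` for the mail server's address means no AS-REQ from that host was logged, while a request with `preauth_ok` of 0 means the KDC saw the attempt but logged no pre-authentication success for it.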


Re: CentOS Can't Authenticate Using macOS Open Directory [message #137139 is a reply to message #137129] Wed, 04 October 2017 23:31
ag4apple

Stahancyk,

I recently had this exact same problem. I was getting "external authentication service rejected authentication due to invalid password or authentication restriction." LDAP worked fine, as did kinit from the server command line. We are running Kerio on CentOS 7 64-bit, connecting to an OD server for authentication.

In our case, it turned out something was wrong with our krb5.keytab file. If you navigate to /etc on your server, you will find it there. What I did was copy it to a different file as a backup, like this:

$ cp krb5.keytab krb5.keytab.sep.2017.bak


Then remove the original:

$ rm krb5.keytab


Just doing this immediately resolved the issue for us. Give it a shot, it may help in your case. If not, you can always rename the backup file back to the original name.

Kyle

Re: CentOS Can't Authenticate Using macOS Open Directory [message #137189 is a reply to message #137139] Fri, 06 October 2017 20:35
stahancyk

Thank you for the suggestion. Actually, our CentOS 7 64-bit system did not have a .keytab file. I had manually created the krb5.conf file as well as trying to use the authconfig app to create one. In both cases it made no difference to Kerio. In the spirit of trying everything I went ahead and created a keytab file, tested it, but it hasn't made a difference.

Re: CentOS Can't Authenticate Using macOS Open Directory [message #137795 is a reply to message #137189] Sat, 25 November 2017 00:39
stahancyk

Update on this issue:

We contacted GFI for support over 6 weeks ago and have had minimal responses and no actual help. We've repeatedly had to inquire about the status after receiving no new information for many days. They seem to not be reading the past information on the ticket, as they've requested the same information repeatedly, offered the same solutions or KB articles that we've already stated haven't addressed or solved our problems.

At least twice we've gotten a message saying it's going to Level 3 support and we'll hear back within 48 hours, then after at least twice as long we get a request for information already given, or an 'answer' that we know won't work. We humor them and try it anyway, but then don't get any reply.

A week ago they claimed it was going to a Level 3 tech (perhaps the previous times Level 3 techs were just consulted, but that took a lot of time). But we've heard nothing back after a full week.

This support has been very poor, and not up to the standard of our experiences with Kerio support prior to GFI.

And we are still looking for a solution to this issue. If anyone, Kerio, GFI or other can offer a solution, we would appreciate it.

Re: CentOS Can't Authenticate Using macOS Open Directory [message #140490 is a reply to message #137129] Fri, 27 July 2018 19:59
reiferreira

Hi Stahancyk,

Any update on this post? We are facing the same issue today.

Thanks,
Reinaldo


Reinaldo Ferreira
FCBrasil - General Manager
https://www.fcbrasil.com.br