I encountered this once before so I feel really bad that I can't find my notes on how I resolved this...
We have a CentOS 7 server with Kerio Connect 9.2.4 (3252) and we've set up Kerberos to work with our macOS 10.11.6 Open Directory server. Kerio gets a complete list of all users from LDAP but it can't authenticate any LDAP users using Kerberos. I can authenticate a user through Kerberos using kinit against the OD server. That works perfectly. Email is being delivered into all the directory users' inboxes.
On the mail server, a sample of the relevant error:
HTTP/EWS: Authentication failed for user training@kerioserver.com. Attempt from IP address 192.168.8.142. External authentication service rejected authentication due to invalid password or authentication restriction.
But on the directory server it's not so clear; there are 'errors' and non-errors:
Oct 2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct 2 15:39:15 --- last message repeated 1 time ---
Oct 2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct 2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct 2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct 2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable
Both servers are sync'd to the same time server and their times match up to less than one second. The error about not being able to synchronize time may be unimportant, as I see that one all over my searches and mostly the causes don't apply in our environment. We have good, tested DNS and a working internal time server. As mentioned earlier, if I connect to the Kerio server using ssh and then authenticate any user using kinit, the user gets logged in, but when this is done through Kerio it fails, even though it looks like there is no error on the OD server side.
[server names have been changed to protect the guilty]
[Updated on: Wed, 04 October 2017 00:57]
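An added example, not code from the post or from Kerio: a small Python parser that reassembles OD `kdc[]` syslog lines like the ones quoted above into one record per AS-REQ, so that for each request you can see the client principal and source address, which pre-authentication types were offered, whether ENC-TS pre-authentication succeeded, which enctype was chosen, and whether a DSUpdateLoginStatus warning appeared. The sample log is constructed from the post's quoted lines (server names as changed in the post); the field names are this example's own.

```python
import re

# Constructed sample, in the format of the OD kdc[] lines quoted in the post.
SAMPLE_LOG = """\
Oct 2 15:39:15 od kdc[104]: AS-REQ diradmin@OD.SERVER.COM from 127.0.0.1:63806 for krbtgt/OD.SERVER.COM@OD.SERVER.COM
Oct 2 15:39:15 --- last message repeated 1 time ---
Oct 2 15:39:15 od kdc[104]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Oct 2 15:39:15 od kdc[104]: ENC-TS pre-authentication succeeded -- diradmin@OD.SERVER.COM
Oct 2 15:39:15 od kdc[104]: DSUpdateLoginStatus: Unable to synchronize login time for diradmin: 77009
Oct 2 15:39:15 od kdc[104]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 2 15:39:15 od kdc[104]: Requested flags: renewable, forwardable
"""

KDC_LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ kdc\[\d+\]: (.*)$")
REPEATED = re.compile(r"--- last message repeated (\d+) times? ---")

def parse_kdc_log(text):
    """Group line-oriented KDC syslog output into one record per AS-REQ."""
    reqs = []
    for line in text.splitlines():
        rep = REPEATED.search(line)
        if rep and reqs:                      # syslog collapsed a duplicate AS-REQ
            reqs[-1]["repeats"] += int(rep.group(1))
            continue
        m = KDC_LINE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("AS-REQ "):
            _, client, _, source, *_ = msg.split()
            reqs.append({"client": client, "source": source, "repeats": 1,
                         "patypes": [], "preauth": "none", "enctype": "",
                         "warnings": []})
            continue
        if not reqs:
            continue                          # stray line before any AS-REQ
        cur = reqs[-1]
        if msg.startswith("Client sent patypes:"):
            cur["patypes"] = [p.strip() for p in msg.split(":", 1)[1].split(",")]
        elif "pre-authentication succeeded" in msg:
            cur["preauth"] = "succeeded"
        elif "pre-authentication failed" in msg:
            cur["preauth"] = "failed"
        elif msg.startswith("Client supported enctypes:"):
            # "... using <client-enctype>/<session-enctype>": keep the first
            cur["enctype"] = msg.rsplit("using ", 1)[1].split("/")[0]
        elif msg.startswith("DSUpdateLoginStatus:"):
            cur["warnings"].append(msg)
    return reqs
```

Running it over a KDC log makes it easy to check which principals (and from which source addresses) actually reached the AS exchange, rather than reading the interleaved lines by eye.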