Before setting up Kerberos user authentication on Linux, first verify that authentication against the domain works at all (log in to the system with an account defined in Active Directory).
It is also necessary to ensure the following:
The Kerio MailServer host uses the Active Directory domain controller as its primary DNS server (the Kerberos client locates the KDC through DNS).
If Kerio MailServer must authenticate against several domain controllers, list all of them as DNS servers.
The clocks of the Kerio MailServer host and the Active Directory domain controller must be synchronized; the KDC rejects requests whose clock skew exceeds the allowed limit (five minutes by default).
For proper authentication, define the /etc/krb5.conf file. Example krb5.conf configuration (the realm name in [realms] must be the same as default_realm and as the realm that [domain_realm] maps to, otherwise the client has no KDC for its own realm):
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = yes
[realms]
    COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
The [kdc] section is read only by a host running the KDC daemon itself, and krb4_convert refers to the long-removed Kerberos 4 compatibility; both can be omitted on a client that merely authenticates.
Once authentication against the Kerberos server works, enable it in Kerio MailServer on the Directory Service and Advanced tabs in .
Before setting up Kerberos user authentication on Linux, first verify that authentication against the domain works at all (log in to the system with an account defined in Open Directory). If the attempt fails, check the following:
The Kerio MailServer host must be a member of the Kerberos realm (the Open Directory domain) it authenticates against. If it is not a member of the realm, Kerberos authentication will not work and users will have to use a local password, i.e. one different from their domain password.
DNS must be configured correctly on the Kerio MailServer host.
The clocks of the Kerio MailServer host and the Open Directory server must be synchronized.
For proper authentication, define the /etc/krb5.conf file. Example krb5.conf configuration (the realm name in [realms] must match default_realm and the [domain_realm] mapping):
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = yes
[realms]
    COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
Once authentication against the Kerberos server works, enable it in Kerio MailServer on the Directory Service and Advanced tabs in .
To authenticate against a stand-alone Kerberos server (Key Distribution Center, KDC), the username and password database must be maintained both in the KDC and in Kerio MailServer: Kerio MailServer holds the user accounts, the KDC holds the matching principals and passwords.
Before setting up Kerberos user authentication on Linux, first verify that authentication against the Kerberos realm works at all (log in to the system with an account defined in the KDC). If the attempt fails, check the following:
Kerio MailServer must be a member of the Kerberos realm it authenticates against:
the Kerberos client must be installed on the host,
every user created in Kerio MailServer must have a principal (username and password) in the KDC, otherwise Kerberos cannot authenticate that user.
DNS must be configured correctly on the Kerio MailServer host (the Kerberos client uses DNS queries to locate the KDC).
The clocks of Kerio MailServer and the KDC (and of every host in the Kerberos realm) must be synchronized.
For proper authentication, define the /etc/krb5.conf file. Example krb5.conf configuration (the realm name in [realms] must match default_realm and the [domain_realm] mapping):
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = yes
[realms]
    COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
Using the kinit utility you can test whether Kerio MailServer is able to authenticate against the KDC. Open a shell on the Kerio MailServer host and run:
kinit -S host/name_KMS@KERBEROS_REALM user_name
for example:
kinit -S host/mail.company.com@COMPANY.COM wsmith
The -S option requests a ticket for the Kerio MailServer host's service principal instead of a plain ticket-granting ticket, so a successful run proves that the realm, the KDC and the host principal are all reachable. If the request is processed correctly, you are prompted for the user's password and the ticket can then be listed with klist (and discarded with kdestroy); otherwise an error is reported.
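The pre-flight checks described for the Active Directory, Open Directory and stand-alone KDC setups above, collected into one added shell script; this is an example written for this page, not code from the Kerio documentation. It goes slightly beyond the text: besides the realm-name mismatch between default_realm and the [realms] stanza, it also verifies that every [domain_realm] mapping points at a defined realm, and with --live it resolves the KDC, queries the clock offset and runs the kinit -S probe. The realm COMPANY.COM, the hosts server.company.com and mail.company.com, and the user wsmith are assumed placeholders; the two sample krb5.conf files are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not part of the Kerio MailServer documentation. Pre-flight
# checks for Kerberos on the Kerio MailServer host; the same checks apply to the
# Active Directory, Open Directory and stand-alone KDC setups. Realm, host names
# and user name are assumed placeholders: override them via the environment.
REALM="${REALM:-COMPANY.COM}"             # assumed Kerberos realm
KDC="${KDC:-server.company.com}"          # assumed KDC / domain controller
KMS_HOST="${KMS_HOST:-mail.company.com}"  # assumed Kerio MailServer host name
USER_NAME="${USER_NAME:-wsmith}"          # assumed domain user

# awk prologue shared by the parsers: track the current [section] of krb5.conf.
SECTION_AWK='/^[ \t]*\[/ { match($0, /\[[^]]*\]/); sec = substr($0, RSTART + 1, RLENGTH - 2); next }'

# Print default_realm from [libdefaults].
krb5_default_realm() {
    awk "$SECTION_AWK"'
        sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' "$1"
}

# Exit 0 if [realms] has a "$2 = {" stanza.
krb5_realm_defined() {
    awk -v realm="$2" "$SECTION_AWK"'
        sec == "realms" && $1 == realm && $2 == "=" { found = 1; exit }
        END { exit !found }' "$1"
}

# Print every realm that [domain_realm] maps a DNS name to.
krb5_domain_realm_targets() {
    awk "$SECTION_AWK"'
        sec == "domain_realm" && NF >= 3 && $2 == "=" { print $3 }' "$1" | sort -u
}

# Exit 0 when default_realm has a [realms] stanza and every [domain_realm]
# mapping points at a defined realm; otherwise report each problem and exit 1.
krb5_check() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || { echo "$1: no default_realm in [libdefaults]"; return 1; }
    rc=0
    krb5_realm_defined "$1" "$realm" ||
        { echo "$1: default_realm $realm has no [realms] stanza (realm name typo?)"; rc=1; }
    for target in $(krb5_domain_realm_targets "$1"); do
        krb5_realm_defined "$1" "$target" ||
            { echo "$1: [domain_realm] maps to undefined realm $target"; rc=1; }
    done
    return $rc
}

# Constructed sample modelled on the krb5.conf above; $2 is the [realms] name.
write_sample_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    $2 = {
        kdc = $KDC
        admin_server = $KDC
        default_domain = company.com
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
EOF
}
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
KRB5_SAMPLE_BAD="$tmp/bad.conf";   write_sample_conf "$KRB5_SAMPLE_BAD"  COMPANY.CZ   # mismatched realm
KRB5_SAMPLE_GOOD="$tmp/good.conf"; write_sample_conf "$KRB5_SAMPLE_GOOD" COMPANY.COM

# Live checks (need the network and a KDC), run only with --live.
check_kdc_dns() {   # the KDC must resolve; with dns_lookup_kdc the SRV record must exist too
    getent hosts "$KDC" >/dev/null || echo "cannot resolve $KDC: is the domain controller the primary DNS?"
    dig +short SRV "_kerberos._udp.$REALM" | grep -q . || echo "no _kerberos._udp.$REALM SRV record"
}
check_clock() {     # the KDC rejects requests whose clock skew exceeds 5 minutes by default
    if command -v ntpdate >/dev/null 2>&1; then ntpdate -q "$KDC"; else date -u; fi
}
kinit_probe() {     # -S requests a ticket for the KMS host principal instead of a plain TGT
    kinit -S "host/$KMS_HOST@$REALM" "$USER_NAME" && klist && kdestroy
}

case "${1:-}" in
    --live) krb5_check /etc/krb5.conf; check_kdc_dns; check_clock; kinit_probe ;;
    *)      krb5_check "$KRB5_SAMPLE_BAD" || echo "(broken sample rejected, as expected)"
            krb5_check "$KRB5_SAMPLE_GOOD" && echo "good sample: realm $(krb5_default_realm "$KRB5_SAMPLE_GOOD") is consistent" ;;
esac
```

Run without arguments the script only exercises the two constructed samples, reporting that the COMPANY.CZ stanza leaves default_realm COMPANY.COM without a KDC; run as `REALM=... KDC=... KMS_HOST=... USER_NAME=... sh check.sh --live` on the Kerio MailServer host it checks the real /etc/krb5.conf, DNS and clock, then performs the kinit -S probe from the text.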
Then configure the corresponding settings in Kerio MailServer (see chapter 7.7 Authentication of domain users).