27.2  Kerio MailServer on Linux

Authentication against Active Directory

Before setting up Kerberos user authentication on Linux, it is recommended to check that authentication against the domain works correctly (check this by logging in to the system with an account defined in the Active Directory).

It is also necessary to ensure the following:

  1. The Kerio MailServer host uses the domain controller of the Active Directory domain as its primary DNS server.

    If the network configuration requires authentication against multiple domain controllers at a time, add all domain controllers against which Kerio MailServer will authenticate as DNS servers.

  2. The clock of the Kerio MailServer host must be synchronized with the Active Directory.

For authentication to work, configure the /etc/krb5.conf file.

Example krb5.conf configuration:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      ticket_lifetime = 24000
      default_realm = COMPANY.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true

    [realms]
      # The realm name must match default_realm and the [domain_realm] mappings.
      COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
      }

    [domain_realm]
      .company.com = COMPANY.COM
      company.com = COMPANY.COM

    [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }

Once authentication against the Kerberos server works correctly, authentication can be set up in Kerio MailServer. To do so, go to the Directory Service and Advanced tabs in Configuration → Domains.

Authentication against Open Directory

Before setting up Kerberos user authentication on Linux, it is recommended to check that authentication against the domain works correctly (check this by logging in to the system with an account defined in the Open Directory). If the attempt fails, check the following:

  1. Kerio MailServer must be a member of the Kerberos realm (Open Directory domain) against which it authenticates. If Kerio MailServer is not a member of the realm, Kerberos authentication will not work and users will have to use a local password, i.e. one different from their domain password.

  2. The DNS service must be configured correctly on the Kerio MailServer host.

  3. The clock of the Kerio MailServer host must be synchronized with the Open Directory.

For authentication to work, configure the /etc/krb5.conf file.

Example krb5.conf configuration:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      ticket_lifetime = 24000
      default_realm = COMPANY.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true

    [realms]
      # The realm name must match default_realm and the [domain_realm] mappings.
      COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
      }

    [domain_realm]
      .company.com = COMPANY.COM
      company.com = COMPANY.COM

    [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }

Once authentication against the Kerberos server works correctly, authentication can be set up in Kerio MailServer. To do so, go to the Directory Service and Advanced tabs in Configuration → Domains.

Authentication against a stand-alone Kerberos server (KDC)

To use authentication against a stand-alone Kerberos server (Key Distribution Center), the username and password database must be maintained both in the Key Distribution Center and in Kerio MailServer.

Before setting up Kerberos user authentication on Linux, it is recommended to check that authentication against the Kerberos realm works correctly (check this by logging in to the system with an account defined in the Key Distribution Center). If the attempt fails, check the following:

  1. Kerio MailServer is a member of the Kerberos realm against which it authenticates:

    • the Kerberos client must be installed on the computer,

    • the usernames and passwords of all users created in Kerio MailServer must be defined in the Key Distribution Center (required for Kerberos authentication).

  2. The DNS service must be configured correctly on the Kerio MailServer host (the Key Distribution Center is located through DNS queries).

  3. The clocks of Kerio MailServer and the Key Distribution Center (all hosts in the Kerberos realm) must be synchronized.

For authentication to work, configure the /etc/krb5.conf file.

Example krb5.conf configuration:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      ticket_lifetime = 24000
      default_realm = COMPANY.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true

    [realms]
      # The realm name must match default_realm and the [domain_realm] mappings.
      COMPANY.COM = {
        kdc = server.company.com
        admin_server = server.company.com
        default_domain = company.com
      }

    [domain_realm]
      .company.com = COMPANY.COM
      company.com = COMPANY.COM

    [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }

Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against the Key Distribution Center. Simply open a command prompt and use the following command:

kinit -S host/name_KMS@KERBEROS_REALM user_name

for example:

kinit -S host/mail.company.com@COMPANY.COM wsmith

If the request is processed correctly, you will be asked to enter the password of the given user. Otherwise, an error is reported.
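As an added check before running kinit (this is example code, not part of the Kerio documentation), the following Python 3 script parses a krb5.conf and verifies that default_realm, the [realms] block and the [domain_realm] mappings all name the same realm, the inconsistency that typically makes kinit unable to locate the KDC. It reads the file given on the command line, or the constructed sample when run without arguments.

```python
# Added example (not part of the Kerio documentation): parse a krb5.conf and
# flag the realm-name inconsistencies that stop kinit from finding the KDC.
import sys

def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value | {...}}}."""
    sections, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()           # drop comments and whitespace
        if not line:
            continue
        if line[0] == '[' and line[-1] == ']':         # [libdefaults], [realms], ...
            section, sub = sections.setdefault(line[1:-1].strip(), {}), None
        elif line == '}':                              # end of a "NAME = { ... }" block
            sub = None
        elif line[-1] == '{':                          # start of "COMPANY.COM = {"
            sub = section.setdefault(line[:-1].split('=', 1)[0].strip(), {})
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            (sub if sub is not None else section)[key] = value
    return sections

def check_realms(conf):
    """Return a list of problems; an empty list means the realm names agree."""
    problems, realms = [], conf.get('realms', {})
    default = conf.get('libdefaults', {}).get('default_realm')
    if default is None:
        problems.append('[libdefaults] has no default_realm')
    elif default not in realms:
        problems.append(f'default_realm {default} has no [realms] entry; '
                        f'defined realms: {sorted(realms)}')
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            problems.append(f'[domain_realm] maps {domain} to undefined realm {realm}')
    return problems

# Constructed sample: the [realms] block is named COMPANY.CZ but the file otherwise uses COMPANY.COM.
SAMPLE = """[libdefaults]
  default_realm = COMPANY.COM
[realms]
  COMPANY.CZ = {
    kdc = server.company.com
  }
[domain_realm]
  .company.com = COMPANY.COM
"""

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print('\n'.join(check_realms(parse_krb5_conf(text)) or ['realm names consistent']))
```

Run it as `python3 check_krb5.py /etc/krb5.conf` on the Kerio MailServer host; an empty report means the realm names are consistent and the kinit test above can proceed.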

Then, perform the corresponding settings in Kerio MailServer (see chapter 7.7, Authentication of domain users).