If Kerio MailServer is installed on Mac OS X and user accounts are mapped from Active Directory, perform the following settings:
DNS configuration
To ensure that Mac OS X can reach Active Directory, DNS names must be resolved through the Active Directory server. For this reason, it is also necessary to set the Active Directory server as the primary DNS server:
Open the System Preferences application and click on Network (see figure 27.3 DNS configuration) to open the Network dialog box. On the TCP/IP tab, specify the IP address of the Active Directory server in the DNS servers entry.
If the network configuration requires authentication against multiple domain controllers at a time, add all domain controllers against which Kerio MailServer will authenticate as DNS servers.
Connection of the Kerio MailServer host to the Active Directory domain
To connect the computer to the Active Directory domain, use the Directory Access utility (Applications → Utilities), which is included in every standard Apple Mac OS X installation. For the configuration, follow these instructions:
Run the Directory Access application and enable the Active Directory service in the Services section (see figure 27.4 Directory Access — Services). Enter the authentication name and password. The user who makes changes in the application needs administrator rights on the system.
With the service enabled, click on Active Directory and specify the Active Directory domain name (see figure 27.5 Directory Access — configuration).
Click on the button and set the username and password for the administrator. The administrator will be allowed to add computers to the Active Directory domain (see figure 27.6 Directory Access — specification of administrator's login data).
If all settings are done correctly, it will take only a few seconds to connect the computer to the domain.
Kerberos settings
Once Mac OS X is successfully connected to the Active Directory domain, the special edu.mit.Kerberos file is created in the /Library/Preferences/ directory. Make sure that the file has been created correctly. You can use the following example for comparison:

# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/company.com
# generation_id : 0
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    COMPANY.CZ = {
        kdc = server.company.com. :88
        admin_server = server.company.com.
    }
Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Active Directory. Simply open the command prompt and use the following command:
kinit -S host/name_KMS@KERBEROS_REALM user_name
for example:
kinit -S host/mail.company.com@COMPANY.COM wsmith
If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error will be reported.
Kerio MailServer can be installed either on the server running the Apple Open Directory directory service or on another server.
If Kerio MailServer is installed on the same server as Open Directory, no additional configuration is necessary besides installing the Kerio Open Directory Extension. If it is installed on another computer, external authentication through Kerberos to Open Directory must be set.
Kerio MailServer can be installed on servers with Mac OS X 10.3 and higher. The settings are similar for both versions (10.3 and 10.4). The following description applies to configuration on Mac OS X 10.4; any differences are mentioned where they occur.
External authentication is configured with a special application, Directory Access. The application can be found under Applications → Utilities. This application is used to create the special edu.mit.Kerberos authentication file, which is located under /Library/Preferences. The following settings must be performed to make the authentication work properly:
Start the Directory Access application.
On the Services tab, check the LDAPv3 item (see figure 27.7 Directory Access — checking LDAP).
On the Services tab, select the LDAPv3 item and click on .
In the next dialog, click New.
This will open a dialog box where the IP address and name of the server can be specified. Enter the IP address or DNS name of the server where the Apple Open Directory service is running. Once the server is specified, click on the button (not necessary in the Mac OS X 10.3 version) and enter a name in the Configuration name text box (this item is used for reference only).
Save the configuration and select Open Directory Server in the LDAP Mappings menu.
Once Open Directory Server is selected, the dialog for specification of the search suffix (Search Base Suffix) is opened. The suffix must be entered as shown in the example in figure 27.8 Directory Access — configuration of the Open Directory server:
od.company.com → dc=od,dc=company,dc=com
The figure implies that the suffix must be specified as dc=subdomain,dc=domain. The number of dc= components in the suffix must equal the number of labels in the server's DNS name.
Now, authentication will be set for the Open Directory server. Switch to the Authentication tab (see figure 27.9 Directory Access — Authentication settings).
In the Search menu, it is necessary to select Custom path.
Enter the name of the Open Directory server in the Directory Domains list. Click on . The Directory Access application automatically offers the Open Directory name specified on the previous tab; simply confirm it.
Save the settings with the button.
Directory Access creates the edu.mit.Kerberos file in the /Library/Preferences directory. Check that the file includes correct data. The following parameters should be included:
# WARNING This file is automatically created by Open Directory
# do not make changes to this file;
# autogenerated from : /Open Directory/company.com
# generation_id : 0
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    COMPANY.CZ = {
        kdc = server.company.com. :88
        admin_server = server.company.com.
    }
Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Kerberos. Simply open the command prompt and use the following command:
kinit -S host/KMS_hostname@KERBEROS_REALM username@REALM
for example:
kinit -S host/od.company.com@COMPANY.COM thenry@COMPANY.COM
If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error will be reported.
Now, simply change the configuration in Kerio MailServer:
In the Domains section of the Kerio MailServer administration console, specify parameters on the Directory Service and the Advanced tabs (the Apple Open Directory realm must be specified in the Kerberos 5 entry).
The Kerberos realm specified on the Advanced tab must be identical to the name of the Kerberos realm specified in the /Library/Preferences/edu.mit.Kerberos file. In particular, it must match the default_realm value in this file; for example, the line may read default_realm = COMPANY.COM.
In the Kerio MailServer administration console, the Apple Open Directory authentication type must be set for user accounts.
To use authentication against a stand-alone Kerberos server (Key Distribution Center), it is necessary to maintain the username and password database both in the Key Distribution Center and in Kerio MailServer.
Before setting Kerberos user authentication in Kerio MailServer, it is recommended to check that authentication against the Kerberos realm works correctly (check this by logging in to the system, on the host where Kerio MailServer will be installed, with an account defined in the Key Distribution Center). If the attempt fails, check the following issues:
Kerio MailServer is a member of the Kerberos realm it is to be authenticated against:
the Kerberos client must be installed on the computer,
usernames and passwords of all users created in Kerio MailServer must be defined in the Key Distribution Center (required for authentication in Kerberos),
the DNS service must be set correctly on Kerio MailServer's host (the Key Distribution Center uses DNS queries).
The clocks of Kerio MailServer and the Key Distribution Center (all hosts included in the Kerberos realm) must be synchronized.
Kerberos functionality can be tested by checking the /Library/Preferences/edu.mit.Kerberos file. The following parameters should be included:
# WARNING This file is automatically created by KERBEROS
# do not make changes to this file;
# autogenerated from : /KERBEROS/company.com
# generation_id : 0
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    COMPANY.CZ = {
        kdc = server.company.com. :88
        admin_server = server.company.com.
    }
Using the kinit utility, it is possible to test whether Kerio MailServer is able to authenticate against Kerberos. Simply open the command prompt and use the following command:
kinit -S host/KMS_hostname@KERBEROS_REALM username@REALM
for example:
kinit -S host/mail.company.com@COMPANY.COM
If the query was processed correctly, you will be asked to enter the password for the particular user. Otherwise, an error will be reported.
When the previous steps have been completed successfully, set authentication in Kerio MailServer on the Advanced tab (see chapter 7.7 Authentication of domain users).
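The three edu.mit.Kerberos checks above (Active Directory, Open Directory and stand-alone Key Distribution Center), the requirement that the realm entered on Kerio MailServer's Advanced tab equal default_realm, and the kinit test can be checked mechanically before anything is saved in the administration console. The following Python script is an added example, not Kerio's code and not part of the manual: it parses the krb5.conf-style file, reports realm mismatches, and assembles the kinit test command. The file contents are constructed from the manual's sample (including its default_realm / [realms] mismatch, which the checker flags), and the function names parse_krb5, split_kdc, check_realm and kinit_test_command are this example's own.

```python
"""Sanity-check an edu.mit.Kerberos (krb5.conf-style) file before entering a
Kerberos realm in Kerio MailServer.  Added example; not Kerio's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample reproducing the manual's example file.  Note that it
# declares default_realm = COMPANY.COM but only a COMPANY.CZ realm block;
# check_realm() below reports exactly that kind of mismatch.
SAMPLE_EDU_MIT_KERBEROS = """\
# WARNING This file is automatically created by KERBEROS
# do not make changes to this file;
# autogenerated from : /KERBEROS/company.com
# generation_id : 0
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    COMPANY.CZ = {
        kdc = server.company.com. :88
        admin_server = server.company.com.
    }
"""

KERBEROS_DEFAULT_PORT = 88  # standard KDC port, used when a kdc entry names none


def parse_krb5(text: str) -> Dict[str, Dict]:
    """Parse the krb5.conf-style format into {section: {key: value}}.
    Entries of the form  NAME = { ... }  (used under [realms]) become a nested
    dict, e.g. {'realms': {'COMPANY.CZ': {'kdc': ..., 'admin_server': ...}}}.
    '#' comments and blank lines are ignored."""
    sections: Dict[str, Dict] = {}
    section: Optional[Dict] = None
    block: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"entry outside any [section]: {line!r}")
        if line == "}":
            block = None
            continue
        if line.endswith("{"):
            name = line[:-1].strip().rstrip("=").strip()
            block = section.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        (block if block is not None else section)[key.strip()] = value.strip()
    return sections


def split_kdc(value: str) -> Tuple[str, int]:
    """Split a kdc value 'host[:port]' into (host, port).  Tolerates the stray
    whitespace seen in the manual's sample and keeps a trailing dot (absolute
    DNS name) on the host; the port defaults to 88."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value.strip(), KERBEROS_DEFAULT_PORT
    return host.strip(), int(port.strip())


def check_realm(conf: Dict[str, Dict], kerio_realm: str) -> List[str]:
    """Return the problems that would make the realm entered on Kerio
    MailServer's Advanced tab unusable: it must equal default_realm and have a
    [realms] block naming at least one kdc.  An empty list means all checks pass."""
    problems: List[str] = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        problems.append("no default_realm in [libdefaults]")
    elif default != kerio_realm:
        problems.append(f"Kerio realm {kerio_realm} does not match default_realm {default}")
    if kerio_realm != kerio_realm.upper():
        problems.append("realm names are case-sensitive and conventionally upper-case")
    realm = conf.get("realms", {}).get(kerio_realm)
    if realm is None:
        problems.append(f"no [realms] block for {kerio_realm}")
    elif "kdc" not in realm:
        problems.append(f"[realms] block for {kerio_realm} names no kdc")
    return problems


def kinit_test_command(kms_hostname: str, realm: str, user: str) -> List[str]:
    """argv for the manual's test: kinit -S host/<KMS host>@<REALM> <user>@<REALM>.
    Run it with subprocess.run(...) on the Kerio host; kinit prompts for the password."""
    return ["kinit", "-S", f"host/{kms_hostname}@{realm}", f"{user}@{realm}"]


if __name__ == "__main__":
    conf = parse_krb5(SAMPLE_EDU_MIT_KERBEROS)
    print("default_realm:", conf["libdefaults"]["default_realm"])
    for name, realm in conf["realms"].items():
        print(f"realm {name}: kdc={split_kdc(realm['kdc'])}")
    for realm_name in ("COMPANY.COM", "COMPANY.CZ"):
        print(realm_name, "->", check_realm(conf, realm_name) or "OK")
    print(" ".join(kinit_test_command("mail.company.com", "COMPANY.COM", "thenry")))
```

On a real host, replace the constructed sample with the contents of /Library/Preferences/edu.mit.Kerberos and pass the realm you intend to type into the Advanced tab to check_realm; an empty result means the realm, default_realm and the [realms] block agree, which is the condition the manual states for the Kerberos 5 entry.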