Notes on Kerberos troubleshooting (Kerio)


2012/09/17

Let me start with a big disclaimer: I don't fully grok Kerberos and I definitely do not grok how Kerio interfaces with it to get directory service authentication. These notes are therefore somewhat in the realm of "magic", which is something I really detest in troubleshooting: incant the magic words (or type them correctly, more likely) and things will work. I hate that, but I have neither sufficient time nor a sufficient test environment to dig deeply into the mysteries of Kerberos and Kerio's interaction with it.

Kerio does have a Knowledge Base article, "How do I join Kerio Connect running on Linux to Open Directory or Active Directory?", that covers the basics and some troubleshooting. That's where you should start, and it may be all you need. If you follow those instructions and don't mistype anything, things are very likely to just work and you can happily move on to the remainder of your configuration.

The Connect user guide also has useful information on Kerberos, including some troubleshooting tips not included in that Knowledge Base article. Microsoft also has tools that can help check from that side of things:


If things do NOT work, pay attention to the section of those articles that has the heading "Troubleshooting". Those are basic tests you can do at the Linux command line to validate your configuration. Until those work, there's no chance Kerio is going to have any luck either.

What about the "Test" button?

[Image: Test Connection button in Directory Service Configuration]

You might be forgiven for thinking that a successful test means your configuration is correct, but it doesn't. Apparently "The tests checks only AD server availability over LDAP. It does not check Kerberos client configuration". You need to drop to the command line and run the kinit tool as suggested in that Knowledge Base article to actually test the Kerberos config.

Note: it has been suggested that this "test" should include a kinit lookup. I suspect this will be added in some future version.

However, even that may not be enough. For example, I had a customer who had entered the correct server address in the Kerio configuration pane, but had referenced the backup domain controller in the Kerberos configuration as though it were the primary. This caused authentication to ALWAYS use the backup domain controller, which led to a very confusing time when he tried shutting down that backup for an upgrade! As he had also accidentally mistyped the IP of the primary (the backup as far as Kerberos knew), that caused an error log full of "Cannot contact any KDC for requested realm, error code 0x96c73a9c" messages - quite baffling until he noticed the Kerberos configuration error.
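The kinit advice above and the mis-ordered KDC story both come down to one question: does the Kerberos client configuration actually point at the domain controller you think it does? The script below is an added example, not code from this post or from Kerio. It parses the [realms] section of a krb5.conf, lists the KDCs in the order they are written (the order the MIT library tries them when it is not using DNS SRV records), warns when the first KDC is not the server entered in Kerio's directory service pane, and can probe TCP port 88 on each entry. The realm name, the addresses (TEST-NET ranges) and the sample configuration are constructed for the example; kinit remains the real test.

```python
"""Sanity-check the KDC list in a krb5.conf against the DC configured in Kerio."""
import re
import socket

# Constructed sample, shaped like the misconfiguration described in the post:
# the backup DC (192.0.2.20) is listed first and the primary's address is
# mistyped (192.0.2.100 instead of the 192.0.2.10 that Kerio was given).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL

[realms]
    EXAMPLE.LOCAL = {
        kdc = 192.0.2.20
        kdc = 192.0.2.100
        admin_server = 192.0.2.10
    }
"""


def parse_realms(text):
    """Return {REALM: [kdc, ...]} preserving the order the KDCs are listed in."""
    realms = {}
    current = None
    in_realms = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                  # any section header
            in_realms = line.lower() == "[realms]"
            current = None
            continue
        if not in_realms:
            continue
        opened = re.match(r"^([^\s=]+)\s*=\s*\{$", line)   # REALM = {
        if opened:
            current = opened.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "kdc" and value.strip():
            # strip an optional :port suffix so entries compare as bare hosts
            realms[current].append(re.sub(r":\d+$", "", value.strip()))
    return realms


def check_kdc_order(realms, realm, kerio_dc):
    """Compare the realm's KDC list with the server address entered in Kerio."""
    findings = []
    kdcs = realms.get(realm, [])
    if not kdcs:
        findings.append(f"no kdc entries for realm {realm}")
        return findings
    if kdcs[0] != kerio_dc:
        findings.append(f"first kdc is {kdcs[0]} but Kerio points at {kerio_dc}")
    if kerio_dc not in kdcs:
        findings.append(f"{kerio_dc} does not appear in the kdc list at all")
    for dup in sorted({k for k in kdcs if kdcs.count(k) > 1}):
        findings.append(f"{dup} listed more than once")
    return findings


def probe_kdc(host, port=88, timeout=3.0):
    """TCP connect to the KDC port; True if something answers. No ticket is requested."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Hypothetical values: the realm and the address typed into Kerio's pane.
    realm, kerio_dc = "EXAMPLE.LOCAL", "192.0.2.10"
    realms = parse_realms(SAMPLE_KRB5_CONF)
    for finding in check_kdc_order(realms, realm, kerio_dc):
        print("WARNING:", finding)
    for kdc in realms.get(realm, []):
        state = "reachable" if probe_kdc(kdc) else "NOT reachable on tcp/88"
        print(f"kdc {kdc}: {state}")
```

Run it against the real file by replacing SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf; an unreachable entry here is the same condition that produces the "Cannot contact any KDC for requested realm" messages in the Kerio log, and a warning about the first KDC is exactly the backup-listed-as-primary mistake. Once the list looks right, run kinit as the Knowledge Base article says.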

Speaking of logs, turning on User Authentication and Directory Service Lookup in the Kerio Debug log can also help you track down odd authentication problems. Without those, Kerio logs won't help you much.

Generic LDAP and SAMBA

As implied by the title of that KB article, Kerio assumes Microsoft Active Directory or Apple Open Directory. However, because Apple Open Directory is an LDAP configuration, you can use other LDAP servers. Kerio does warn against this:


Please note this is not directly supported by Technical Support and you are using this feature at your own risk!!! We recommend to consider if this is really required scenario and we recommend to use some supported solution for not experienced users like the Active Directory integration or the Open Directory integration.

This is an area where I do have the infrastructure needed to test, but have simply lacked the time and sufficient motivation to set it up.

I'll therefore just note these articles for now and wish you luck:


Kerio's Unity

Another option for directory service authentication is Kerio's own Unity Directory server. This doesn't use Kerberos, which eliminates that part of troubleshooting. Kerio Unity is presently in beta but is probably coming out soon.

Work to be done

I'd really like to set up some test servers here as virtual machines, but I don't presently own any Microsoft server products. If anyone wants to donate a LEGAL non-OEM cd and license, that would help.

On the Apple side, I have Mountain Lion and could upgrade it to Server for $19.99; my only hesitation is not knowing how much and for how long that upgrade is likely to affect my daily work. If anyone reading this has actually done that upgrade, please let me know.

With that infrastructure, I could deploy a "break it on purpose" campaign and perhaps have more to offer here.

Next: Mountain Lion Server in Parallels Desktop.










7 comments




© Anthony Lawrence







Mon Sep 17 23:16:32 2012: 11327   NickBarron



You could load 10.8 into a VM then move it to server?





Mon Sep 17 23:36:15 2012: 11328   TonyLawrence



I don't know? Can you do that? I've never read anything that said you could - legally or illegally.. load another copy of 10.8, yes, but Server?



Tue Sep 18 13:36:40 2012: 11331   TonyLawrence



I've asked over at the Apple Support boards - no answers yet..



Tue Sep 18 13:50:25 2012: 11332   NickBarron



I put a comment in after but it didn't register, I was on a mobile connection though.

You can virtualise 10.8 on your Apple hardware legally. Then just purchase 10.8 server for the VM you can then test away merrily.



Tue Sep 18 13:54:52 2012: 11333   TonyLawrence



Yes, I know I can install Lion as a guest legally - I haven't seen anything that says it's OK to upgrade that to server though..



Tue Sep 18 14:34:49 2012: 11334   TonyLawrence




(iii) to install, use and run up to two (2) additional copies or instances
of the Apple Software within virtual operating system environments on each
Mac Computer you own or control that is already running the Apple Software,
for purposes of: (a) software development; (b) testing during software
development; (c) using OS X Server; or (d) personal, non-commercial use.


I guess it's (c) using OS X Server - so I'll try it..



Tue Sep 18 15:00:42 2012: 11335   TonyLawrence



Did it - it appears to be working..
