Kerberos authentication by PAM againts AD Windows 2003 Server domain
Martin Schweizer
lists_freebsd at bluewin.ch
Sun Aug 30 18:00:46 UTC 2009
Hello
My goal is to authenticate my Cyrus Imapd users against Windos 2003
Active Directory with Kerberos . I have the following setup:
Kerberos5 client
===========
FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE
/etc/krb.conf:
[libdefaults]
default_realm = domain.tld
default_etypes_des = des-cbc-md5
[realms]
ACUTRONIC.CH = {
kdc = tcp/acsv3k04.domain.tld:88
}
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
default = SYSLOG:INFO:AUTH
/etc/krb5.keytab (ktutil list output):
For the keytab file I followed:
http://technet.microsoft.com/en-us/library/bb742433.aspx
FILE:/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-md5 host/acsvfbsd06.domain.tld at DOMAIN.TLD
I get tickets if I use kinit user:
acsvfbsd06# kinit user
martin at DOMAIN.TLD's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
klist:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user at DOMAIN.TLD
Issued Expires Principal
Jul 31 17:58:09 Aug 1 03:57:44 krbtgt/DOMAIN.TLD at DOMAIN.TLD
I can no more use ldapsearch as follows:
acsvfbsd06# ldapsearch -v -LLL -b
"OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld description
Which in the past worked. And really I did not change anything.
I checked also the DNS and Kerberos communication by tcpdump without any
strange issues. As the DNS server I use is the KDC server (all the DNS
Kerberos erntries are correct).
My PAM configurations is:
/etc/pam.d/imap:
auth required pam_krb5.so try_first_pass debug
I tried with testsaslautd -u username - password different combinations of
user names and passwords. As expected the wrong ones would be denied. But I
get no PAM_SUCCESS for the correct ones, with one exception: If I use
sufficient as PAM option then all username and password combinations (wrong or
not) would be accepted! With the option required (and the others) I see in
/var/log/auth.log:
Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: rel_accept_lock : released accept
lock
Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: pam_krb5: verify_krb_v5_tgt():
krb5_rd_req(): Key table entry not found
Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: DEBUG: auth_pam: pam_authenticate
failed: authentication error
Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: do_auth : auth failure:
[user=martin] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: get_accept_lock : acquired accept
lock
I read FreeBSDs PAM documentation backwards and forwards but did not find any
clue. Also I did not find any hints about the debugging for PAM problems.
So I have now no more ideas where I can check. Any hints are welcome.
Kind regards,
--
Martin Schweizer
<office at pc-service.ch>
PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;
More information about the freebsd-questions
mailing list