Kerberos Authentication with OSX 10.7 against an OpenDirectory Server
You see authentication errors after you bind an OSX 10.7 machine running Kerio Connect to an OD server that uses Kerberos authentication. This happens even though the test of the OD connection succeeds.
Starting with 10.7, Apple changed many things in the Kerberos environment. For the purposes of this article, we focus on the file edu.mit.Kerberos.
In previous versions of OSX Server this file was created automatically when you bound an OSX machine to an OpenDirectory server; its default location is /Library/Preferences. In Lion Server it is no longer created when you bind the Kerio machine to the OD server. Because of the way Kerio Connect integrates with an OD server, Kerio Connect still relies on that file.
Solution
You have to create this file manually with a text editor of your choice and save it as a plain text file in /Library/Preferences:
- Open e.g. TextWrangler (free of charge)
- Copy & paste the following into the automatically opened "New Document" window (or download the demo file at the end of this article and adapt it to your needs):
[libdefaults]
    default_realm = COMPANY.COM
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    COMPANY.COM = {
        kdc = server.company.com:88
        admin_server = server.company.com
    }
- Replace COMPANY.COM with the realm of your OD server, and replace server.company.com with the DNS name of your OD server.
- Save this file as a plain text file in /Library/Preferences of the Kerio Connect server and name it edu.mit.Kerberos.
- Restart your server.
Using the kinit utility, it is possible to test whether Kerio Connect is able to authenticate against Kerberos. Open Terminal and use the following command:
kinit -S host/server_name@KERBEROS_REALM user_name@REALM
For example:
kinit -S host/od.company.com@COMPANY.COM jdoe@COMPANY.COM
If the request was processed correctly, you will be asked to enter the password for the user jdoe. Otherwise, an error will be reported.
Now change the configuration in Kerio Connect: in the "Domains" section of the Kerio Connect Web administration interface, specify the correct parameters on the "Directory Service" and "Advanced" tabs (the Apple Open Directory realm must be specified in the Kerberos 5 entry).
IMPORTANT
The Kerberos realm specified on the Advanced tab must be identical to the name of the Kerberos realm specified in the file /Library/Preferences/edu.mit.Kerberos. In particular, it must match the default_realm value in this file. For example, the line may read: default_realm = COMPANY.COM
In the Kerio Connect administration interface, the Apple Open Directory authentication type must be set for user accounts.
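The file created in the steps above and the realm check from the IMPORTANT note, as an added shell example (not part of the Kerio article): it renders edu.mit.Kerberos for a given realm and KDC host, then verifies that the kdc line has the expected host:port form and that the file's default_realm exactly equals the realm you entered on the Advanced tab. The realm, host and path are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the Kerio article. REALM, KDC host and the target path
# are assumptions; adjust them for your OD server.

# Print the [libdefaults] and [realms] stanzas for realm $1 and KDC host $2.
render_krb_conf() {
    realm="$1"
    kdc="$2"
    printf '%s\n' \
        '[libdefaults]' \
        "    default_realm = $realm" \
        '    ticket_lifetime = 600' \
        '    dns_fallback = no' \
        '[realms]' \
        "    $realm = {" \
        "        kdc = $kdc:88" \
        "        admin_server = $kdc" \
        '    }'
}

# Print the default_realm value found in file $1 (empty if absent).
default_realm_of() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the kdc value found in file $1 (empty if absent).
kdc_of() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only when file $1's default_realm equals realm $2 exactly.
# Kerberos realm names are case-sensitive, so COMPANY.COM != company.com.
check_realm_matches() {
    [ "$(default_realm_of "$1")" = "$2" ]
}

# Succeed only when the kdc value in file $1 is host:port with no stray
# whitespace between the host name and the port.
check_kdc_format() {
    kdc_of "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]+$'
}

# Usage on the Kerio Connect server (assumed values):
#   render_krb_conf COMPANY.COM server.company.com > /Library/Preferences/edu.mit.Kerberos
#   check_realm_matches /Library/Preferences/edu.mit.Kerberos COMPANY.COM && echo "realm OK"
```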