Configuring krb5.conf file

NOTE

This information is specific to a mailserver on Linux. If your mailserver is on Mac OS X Server, you can achieve this by simply joining the machine properly to Open Directory. If you face any problem in joining, take a look at the Troubleshooting section for information on the kinit command that is used to test authentication.

The /Library/Preferences/edu.mit.KerberosAn authentication protocol for client/server applications. file on your Open Directory master is a krb5.conf file. You can copy this file from the Open Directory master to the Linux machine running Kerio Connect and use it as the /etc/krb5.conf file.

For example, in linux:~# cd /etc linux:/etc# scp opendirectoryserver:/Library/Preferences/edu.mit.Kerberos./krb5.conf, replace opendirectoryserver with the hostname of your Open Directory server.

Step-By-Step Configuration of the /etc/krb5.conf File on Linux

A much more detailed description of the /etc/krb5.conf file is available on the official Kerberos website Kerberos: Configuration Files/krb5.conf.

For Active Directory or Open Directory with a more complicated network (such as multiple Kerberos realms) it is necessary to configure the existing krb5.conf file or create one from scratch. Linux is distributed with a /etc/krb5.conf file that contains references to EXAMPLE.COM as follows:

A typical default /etc/krb5.conf file on Linux looks something like this:

[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] EXAMPLE.COM = { kdc = kerberos.example.com:88 admin_server = kerberos.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM

Edit the file parameters using the following instructions:

Parameter Instructions
[libdefaults]

Set default to the Kerberos realm name for your network. For example, for realm name KERIO.COM the script would look like:

[libdefaults] default_realm = KERIO.COM dns_lookup_realm = false dns_lookup_kdc = false

[realms]

Each "realm" is listed as a realm name in upper case letters equals symbol and then a small section enclosed in curly braces as shown in the example above.

  1. Change the EXAMPLE.COM realm name to correct Kerberos realm name or if no example realm exists, copy the one from the example krb5.conf file shown above.
  2. Each realm contains "kdc" and "admin_server" values. Set those to the fully qualified DNSDomain Name System - Enables the translation of hostnames to IP addresses and provides other domain related information. hostname of the Open Directory or Active Directory server.
  3. Set the default_domain to the DNS domain name bound to the realm.
  4. There can be multiple realms so Kerio MailServer can have multiple mail domains joined to different Kerberos realms.

Example: for realm KERIO.COM, Open Directory master master.kerio.com, and DNS domain kerio.com

[realms] KERIO.COM = { kdc = master.kerio.com:88 admin_server = master.kerio.com:749 default_domain = kerio.com }

[default_realm]

This section simply contains DNS domain name, equals symbol, then Kerberos realm name then another line identical except with a preceding dot as shown in the example above.

  1. Change each instance of EXAMPLE.COM to your Kerberos realm name in upper case letters.
  2. Change each instance of example.com to your DNS domain name that is bound to the corresponding Kerberos realm.
  3. There can be similar entries in this section for other domains and their respective realms so Kerio MailServer can have different mail domains joined to different Kerberos realms.

For example, if realm is KERIO.COM and the DNS domain is kerio.com:

[default_realm] .kerio.com = KERIO.COM kerio.com = KERIO.COM