Troubleshooting authentication issues

A command called kinit is available in the command prompt on either Linux or Mac (any version). This command is used to issue KerberosAn authentication protocol for client/server applications. queries and can confirm if Kerio authentication should work. Here are the two ways you can run this command to test authentication.

Method 1

Run the following command:

kinit username

When running, replace username by a valid user on the directory server such as diradmin or administrator. It will prompt you for a password, and would return no errors if it works.

Method 2

It is recommended to also run this command even if the previous kinit command worked. As there still might be a problem with the SMP host. For example when testing on mail.company.com, the command would look like:

kbd>kinit -S host/mail.company.com@SERVER01.COMPANY.COM

Note that this will throw a Kerberos error if the mailserver machine is not properly joined. in this command, mail.company.com is the hostname of the mailserver, and SERVER01.COMPANY.COM is the kerberos realm name.

Ensure that the DNSDomain Name System - Enables the translation of hostnames to IP addresses and provides other domain related information. on the Linux mailserver is pointed to the DNS server provided by the Active Directory or Open Directory server.

Many Kerberos issues are actually problems in DNS. The best policy is to always use the DNS provided by the directory service. Using 3rd party DNS is possible, but is not recommended and involves some configuration that is beyond the scope of this document. If it is not possible to use the correct DNS server, then be sure the correct DNS forwarding is configured so queries are still answered by the directory server machine.

For Kerberos problems in Open Directory that might be caused by DNS, visit the following article from Apple and go to chapter 10: Kerberos is Stopped on an Open Directory Master or Replica.

Essentially, the same steps provided in the Apple document apply to DNS on Active Directory as well.

If users still cannot authenticate to Kerio MailServer, yet there are no errors except password failures, then it is possible the keytab file is damaged. The keytab file is a special file used by Kerberos. The keytab file is more likely to get messed up in Open Directory than with Active Directory because Open Directory does not always depend on Kerberos whereas Active Directory depends on it for everything.