Discussion
Both Active Directory and Open Directory offer directory services which can be configured to work with Kerio MailServer running on Linux. This article describes how to perform this configuration.
Assumptions
Before you begin this article, the following must be true:
- A properly configured and working Active Directory or Open Directory domain.
- Valid DNS records for your AD or OD domain.
- A properly configured and working Kerio MailServer installation on a supported version of Linux
Choose the appropriate setup for your network from the options below and follow the steps in numerical order:
Open Directory
Steps
- Preparing Open Directory for Kerberos
- Obtaining the Kerberos Realm and DNS Names in Open Directory
- Configure the /etc/krb5.conf file
- Calibrate the time
- Edit the apple.map file (Open Directory)
- Join KMS to the Open Directory Service
- Troubleshooting
- Linux Packages
Active Directory
Steps
- Obtaining the Kerberos Realm and DNS Names in Active Directory
- Configure the /etc/krb5.conf file
- Calibrate the time
- Join KMS to the Active Directory Service
- Troubleshooting
- Linux Packages
Individual Steps
Preparing Open Directory for Kerberos
Linux uses a technology called Kerberos for directory services security. Support for Kerberos in Open depends on your version of OS X.
Mac OS X 10.3.9 and Mac OS X 10.4.x
On these versions, Open Directory is configured for Kerberos by default. To verifiy that Kerberos is working, follow these steps:
- On the Open Directory server run Server Admin
- Under "Computers & Services" choose the Open Directory server
- The "Overview" page should show "Kerberos is: Running"
If you do not see "Kerberos is: Running", it must be configured and started.
The following Apple documents explains how to configure and start Kerberos on a Mac OS X Server 10.4.x. Steps are similar for Mac OS X 10.3.9.
Mac OS X 10.2.x
Older versions of Mac OS X (versions 10.2 and older) can run Kerberos, but the configuration is more complicated. See the following Apple document:
Make sure Kerberos is running before proceeding with the steps in this article.
Obtaining the Kerberos Realm and DNS Names in Active Directory
On the Active Directory master perform the following steps:
- Open Programs-->Administrative Tools-->Active Directory Management
- Choose "Active Directory Domains and Trusts."
- The Active Directory domain names are listed.
The Active Directory domain name is also the coresponding Kerberos realm name and DNS domain name. Pick the domain you want to join the mailserver to. Always use the Kerberos realm name in upper case letters and the DNS domain name in lower case letters.
For more information about DNS, Kerberos, and domain names read Microsoft KB article Q248807:
Obtaining the Kerberos Realm and DNS Names in Open Directory
The Kerberos realm name and DNS domain name will already be known if it was necessary to setup Open Directory for Kerberos as described above.
If Open Directory is already running Kerberos, then use the following process:
- Open a terminal as an admin user
- Enter the following command:
sudo grep -A 2 domain_realm /Library/Preferences/edu.mit.Kerberos
(Example)
tiger:~ root# grep -A 2 domain_realm /Library/Preferences/edu.mit.Kerberos
[domain_realm]
.example.mac = TIGER.EXAMPLE.MAC
example.mac = TIGER.EXAMPLE.MAC
tiger:~ root#
The DNS domain name is on the left of the equals symbol, and the Kerberos realm name is on the right.
Always use upper case letters when referring to the Kerberos realm name even if you've seen it in lower case letters on the server. Always use lower case letters when referring to the DNS domain name. It prevents confusion since they are often the same in many networks.
Configure the /etc/krb5.conf File on Linux
Shortcut for Open Directory
The file on your Open Directory master called /Library/Preferences/edu.mit.Kerberos is a krb5.conf file. Copy that file from the Open Directory master to the Linux machine running KMS and use it as the /etc/krb5.conf file as follows:
(Example)
linux:~# cd /etc
linux:/etc# scp opendirectoryserver:/Library/Preferences/edu.mit.Kerberos ./krb5.conf
Replace "opendirectoryserver" with the hostname of your Open Directory server.
Step-By-Step Configuration of the /etc/krb5.conf File on Linux
A much more detailed description of the /etc/krb5.conf file is available at the official Kerberos web site.
For Active Directory or Open Directory with a more complicated network (such as multiple Kerberos realms) it is necessary to configure the existing krb5.conf file or create one from scratch. Linux is distributed with a /etc/krb5.conf file that contains references to EXAMPLE.COM as follows:
A typical default /etc/krb5.conf file on Linux
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Edit the file using the following guidelines:
- [libdefaults]
- Set default_realm to the Kerberos realm name for your network
- [realms] Each "realm" is listed as a realm name in upper case letters equals symbol and then a small section enclosed in curly braces as shown in the example above.
- Change the EXAMPLE.COM realm name to correct Kerberos realm name or if no example realm exists, copy the one from the example krb5.conf file shown above.
- Each realm contains "kdc" and "admin_server" values. Set those to the fully qualified DNS hostname of the Open Directory or Active Directory server.
- Set the default_domain to the DNS domain name bound to the realm.
- There can be multiple realms so Kerio MailServer can have multiple mail domains joined to different Kerberos realms.
Example: for realm KERIO.COM, Open Directory master master.kerio.com, and DNS domain kerio.com
[realms]
KERIO.COM = {
kdc = master.kerio.com:88
admin_server = master.kerio.com:749
default_domain = kerio.com
}
- [default_realm] This section simply contains DNS domain name, equals symbol, then Kerberos realm name then another line identical except with a preceding dot as shown in the example above.
- Change each instance of EXAMPLE.COM to your Kerberos realm name in upper case letters.
- Change each instance of example.com to your DNS domain name that is bound to the coresponding Kerberos realm.
- There can be similar entries in this section for other domains and their respective realms so Kerio MailServer can have different mail domains joined to different Kerberos realms.
Calibrate the time
The clock on the Linux server and the clock on the AD or OD directory master server ('domain controller') must not be different by more than 5 minutes (300 seconds).
Note: There can be problems if the [libdefaults] section of the krb5.conf file contains an entry called "clockskew" and it is set to a very low value. The default for this value is 300. Calibrating the clocks without a working NTP network can be difficult if this value is set too low. If the domain controller and Kerio MailServer computers are not calibrated by NTP, then remove this value if it exists. If they are calibrated by NTP but you still cannot authenticate, try increasing this value.
Edit the apple.map file
For Open Directory, it is necessary to tell KMS not to use Apple Password Service for authentication.
- On the KMS machine, open the file called /opt/kerio/mailserver/ldapmap/apple.map in a text editor.
- Find an XML value called Auth_Type that is most likely set to "4" ("4" stands for Apple Password Service).
- Change this value to "3" ("3" stands for Kerberos) but be careful to honor the XML formatting in this file. It should look exactly the same as before except the 4 has been changed to a 3.
- Save the file and quit out of the text editor.
Join KMS to the Active Directory or Open Directory Service
The following link to the Kerio MailServer manual describes how to join Kerio MailServer to a directory service in detail with illustrations:
Note: Be sure to check the domain search suffix. For a domain such as ad.example.com, the search suffix should be "dc=ad,dc=example,dc=com" but sometimes it will only show "dc=example,dc=com". This will prevent Active Directory authentication from working. Insure that it is correct for your domain name.
Troubleshooting
Be sure the DNS on the Linux mailserver is pointed to the DNS server provided by the Active Directory or Open Directory server. Many Kerberos issues are actually problems in DNS. The best policy is to always use the DNS provided by the directory service. Using 3rd party DNS is possible, but is not recommended and involves some configuration that is beyond the scope of this document. If it is not possible to use the correct DNS server, then be sure the correct DNS forwarding is configured so queries are still answered by the directory server machine.
For Kerberos problems in Open Directory that might be caused by DNS, visit the following article from Apple:
Essentially, the same steps provided in the Apple document apply to DNS on Active Directory as well.
If users still cannot authenticate to Kerio MailServer, yet there are no errors except password failures, then it is possible the keytab file is damaged. The keytab file is a special file used by Kerberos. The keytab file is more likely to get messed up in Open Directory than with Active Directory because Open Directory does not always depend on Kerberos whereas Active Directory depends on it for everything. The following document from Apple describes how to build a new keytab file.
Linux Packages
The correct packages for using Kerberos are distributed with most modern linuxes. However, if for some reason they are somehow missing, try installing the following packages: pam_krb5-1.31-1, krb5-libs-1.2.2-4, krb5-workstation-1.2.2-4 (note, these versions will change over time).
