Re: problem with 2003 krb and mit krb integration with mozilla thunderbird on a multiple realm scenario
- From: deengert@xxxxxxx ("Douglas E. Engert")
- Date: Thu, 02 Feb 2006 09:51:45 -0600
Tiago Quadra wrote:
Douglas,
Thanks for the quick answer.
Your first idea might work, but I have more realms that will remain with
the problem.
I will try your second idea, but before I can switch the default realm
on krb5.conf to CORP.MTI.COM.BR on my imap server I will have to create
hosts and services principals on the Win2003 KDC REALM. For the initial
test at least these two principals:
- host/cyrusimap.mti.com.br@xxxxxxxxxxxxxxx
- imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxx
In your first note, you said the third test failed, and it had gotten
a ticket for imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxxxx. Can you prove
that this will work? If you set the KRB5_CONFIG to point to a modified
krb5.conf, then start the imap server, it will use this krb5.conf file.
I know I'll have to use ktpass to create... but I'm a little confused
with the parameters.
The basic are fine: -princ -pass and -out
Yes these will create a keytab file.
but I don't know if I will have to use -mapuser and/or -ptype...
In AD the account has a number of names, cn, samAccountName, that may be
different from the principal name. The account can have a userPrincipalName
and many servicePrincipalNames. The account has one password and one salt
used to generate the keys for all its principals.
The mapuser is used to associate a new principal name with an account.
If you don't use it, the ktpass will look up the principal name to find
the existing account.
According to the ktpass help it looks like I should use -ptype with
KRB5_NT_SRV_HST and not use -mapuser...
[- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /] ptype : KRB5_NT_SRV_INST : user service instance
[- /] ptype : KRB5_NT_SRV_HST : host service instance
But all the documentation on the Internet tells you to create a user account
with the hostname and use -mapuser to that user...
The term mapuser is misleading. It should be something like -account.
Since users and computers have accounts, and look almost identical, the
documentation said create a "user" account.
I don't like the way MS uses the same account for multiple principals,
so we are creating separate accounts for each, even if on the same host.
Since the account name must be unique in the forest, we are using
<service>-<host1>-<host2> where host1 and host2 are the first two
parts of the DNSname. There is a 19 byte limit, so we have to make
up some uniquename in some situations.
After you create the account, and run ktpass, you can use mmc and adsi edit
to look at the account.
What we are starting to do is use a program, msktutil, that will use LDAP to
add the account and add the UPN and SPNs, and update the keytab. It's still
under development, and I hope the author will publicize it more in the future.
[I am BCC'ing him on this note.]
MacOS has something similar, and MS did have a netjoin sample program as well.
Samba has something called winbind that can also add accounts.
Ideas?
TQ
Douglas E. Engert wrote:
The MS SSPI Kerberos on the client assumes the server is in one realm,
and the MIT Kerberos another. It looks like you added server principals
in to both realms to try and accommodate this.
But the server's gssapi libs are expecting to be in a single realm.
As a test, on the server, can you force the imap server to think
it is in the LABEXAMPLE.COM.BR realm? (Maybe by starting it with
its own krb5.conf with the default realm changed.)
Then the third test should work, but the others fail.
If this is the problem, then you could change the realm of
the server to be in the AD realm, by changing the krb5.conf
file on clients so they use the same realm as the SSPI.
You could also change the gssapi code to use any entry in the keytab
file for imap/hostname. (The MIT rlogin code will do it also already
and we have a mod for gss to do it too.)
Tiago Quadra wrote:
Hi all,
I'm trying to log in on cyrus imap running on a Linux box, using SSPI
from a Windows XP Pro workstation logged on a Windows 2003 DC using a
principal from MIT Kerberos.
So far, I've managed to:
- Set up the trust between the Windows 2003 KRB and MIT KRB
- Log on Windows 2003 DC using my MIT Kerberos.
My Windows 2003 DC Domain: CORP.MTI.COM.BR.
My MIT KDC Server has multiple REALMS, where the default is
MTI.COM.BR (an internal domain of my company).
I'm testing using a principal tquadra@xxxxxxxxxxxxxxxxx on a MIT REALM.
1st test - Good: From a Linux Box,
using kinit to authenticate with tquadra@xxxxxxxxxxxxxxxxx
and imtest to log on Cyrus IMAP, I can login with GSSAPI.
2nd test - Good: From a Windows XP Pro sp2 workstation,
using MIT kerberos client to authenticate with
tquadra@xxxxxxxxxxxxxxxxx
and Mozilla Thunderbird to log on Cyrus IMAP, I can login
with GSSAPI.
3rd test - Bad: From a Windows XP Pro sp2 workstation,
using the credentials got from Windows Log on
and Mozilla Thunderbird to log on Cyrus IMAP, I cannot
login with GSSAPI.
On the 1st and 2nd tests I got a TGS ticket
imap/cyrusimap.mti.com.br@xxxxxxxxxx.
On the 3rd test I got a TGS ticket
imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxxxx
My cyrusimap syslog shows the following error message:
Jan 31 15:46:30 cyrusimap imap[/PID/]: GSSAPI Error: Miscellaneous
failure (Wrong principal in request)
Jan 31 15:46:30 cyrusimap imap[/PID/]: badlogin: [/IP/] GSSAPI
[SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context]
I have both imap/cyrusimap.mti.com.br@xxxxxxxxxx AND
imap/cyrusimap.mti.com.br@xxxxxxxxxxxxxxxxx
on my /etc/krb5.keytab.
I have krbtgt principals for trust between MTI.COM.BR
and LABEXAMPLE.COM.BR.
Any suggestions?
Best regards,
Tiago Quadra.
Server with MIT Kerberos, host mitkdc.mti.com.br:
/etc/krb5.conf
[libdefaults]
        default_realm = MTI.COM.BR
        CORP.MTI.COM.BR = {
                kdc = winkdc.mti.com.br:88
                admin_server = winkdc.mti.com.br:749
                kpasswd_server = winkdc.mti.com.br:464
                default_domain = corp.mti.com.br
        }
        MTI.COM.BR = {
                kdc = mitkdc.mti.com.br:88
                admin_server = mitkdc.mti.com.br:900
                kpasswd_server = mitkdc.mti.com.br:464
                default_domain = mti.com.br
        }
        LABEXAMPLE.COM.BR = {
                kdc = mitkdc.mti.com.br:88
                admin_server = mitkdc.mti.com.br:901
                kpasswd_server = mitkdc.mti.com.br:465
                default_domain = labexample.com.br
        }
Server with Cyrus IMAP, host cyrusimap.mti.com.br:
/etc/krb5.conf
[libdefaults]
        default_realm = MTI.COM.BR
        CORP.MTI.COM.BR = {
                kdc = winkdc.mti.com.br:88
                admin_server = winkdc.mti.com.br:749
                kpasswd_server = winkdc.mti.com.br:464
                default_domain = corp.mti.com.br
        }
        MTI.COM.BR = {
                kdc = mitkdc.mti.com.br:88
                admin_server = mitkdc.mti.com.br:900
                kpasswd_server = mitkdc.mti.com.br:464
                default_domain = mti.com.br
        }
        LABEXAMPLE.COM.BR = {
                kdc = mitkdc.mti.com.br:88
                admin_server = mitkdc.mti.com.br:901
                kpasswd_server = mitkdc.mti.com.br:465
                default_domain = labexample.com.br
        }
root@cyrusimap:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tquadra@xxxxxxxxxxxxxxxxx
Valid starting     Expires            Service principal
01/31/06 17:44:24  02/01/06 03:44:24  krbtgt/LABEXAMPLE.COM.BR@xxxxxxxxxxxxxxxxx
        renew until 02/01/06 17:44:24
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@cyrusimap:~#
root@cyrusimap:~# imtest cyrusimap
S: * OK srv05 Cyrus IMAP4 v2.2.10 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
STARTTLS AUTH=GSSAPI SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE GSSAPI ...
S: + ...
C:
S: + ...
C: ...
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 56
root@cyrusimap:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tquadra@LABEXAMPLE.COM.BR
Valid starting     Expires            Service principal
01/31/06 17:44:24  02/01/06 03:44:24  krbtgt/LABEXAMPLE.COM.BR@LABEXAMPLE.COM.BR
        renew until 02/01/06 17:44:24
01/31/06 17:44:36  02/01/06 03:44:24  krbtgt/MTI.COM.BR@LABEXAMPLE.COM.BR
        renew until 02/01/06 17:44:24
01/31/06 17:44:36  02/01/06 03:44:24  imap/cyrusimap.mti.com.br@xxxxxxxxxx
        renew until 02/01/06 17:44:24
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
*Tickets from SSPI on my Windows XP Pro sp2 workstation*
--
Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
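As an added diagnostic for the situation discussed above (this is not code from the thread, msktutil, or MIT Kerberos), a small Python parser that reads an MIT-format keytab and reports, for one service name, which realms hold keys and what a GSSAPI acceptor bound to service@default_realm will do with a ticket issued by a different realm. The keytab bytes are constructed here with a dummy all-zero key; the service and realm names are taken from the thread.

```python
import struct

def _cstr(buf, pos):
    """Read a counted octet string (uint16 length + bytes) at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return the entries of an MIT keytab (format 0x0502), key bytes omitted."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a free slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c)
        _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen  # skip the fixed header and the key material itself
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"service": "/".join(comps), "realm": realm, "kvno": vno, "enctype": etype})
        pos = end
    return entries

def diagnose(entries, service, default_realm, ticket_realm):
    """Predict the acceptor's result when bound to service@default_realm and
    the client presents a service ticket for service@ticket_realm."""
    if not any(e["service"] == service and e["realm"] == ticket_realm for e in entries):
        return "no keytab entry for %s@%s" % (service, ticket_realm)
    if ticket_realm != default_realm:
        return "wrong principal: keytab has %s@%s, acceptor bound to @%s" % (service, ticket_realm, default_realm)
    return "ok"

def build_entry(realm, comps, kvno, etype=23, key=b"\x00" * 16):
    """Constructed test data only: one entry, name type 3 (KRB5_NT_SRV_HST), dummy key."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 3, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed keytab mirroring the thread's /etc/krb5.keytab: imap keyed in both realms.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("MTI.COM.BR", ["imap", "cyrusimap.mti.com.br"], 2) \
    + build_entry("LABEXAMPLE.COM.BR", ["imap", "cyrusimap.mti.com.br"], 5)
```

Run `parse_keytab` on a real keytab's bytes and `diagnose` with the realm from the syslog-reported ticket to confirm whether the failure is a missing key or only the acceptor's realm binding.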
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos