Hi everyone,

I found the following error: "authentication failed (no account associated with Kerberos principal [email protected])". I suspect that what is missing is giving this user permission in FreeIPA to access via Kerberos. What do you think about it? I'm a newbie in these matters, so I appreciate any help or comments :)

Oh! This is the full error message:

------------------------------------------ LOG ---------------------------------------
2014-11-27 09:35:50,067 WARN [ImapServer-2] [ip=192.168.99.100;] account - authentication failed (no account associated with Kerberos principal [email protected])
2014-11-27 09:35:50,068 WARN [ImapServer-2] [ip=192.168.99.100;] imap - SaslServer.evaluateResponse() failed
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: [email protected] is not authorized to connect as usuipa]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:309)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:149)
        at com.zimbra.cs.security.sasl.GssAuthenticator.handle(GssAuthenticator.java:182)
        at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:269)
        at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:260)
        at com.zimbra.cs.imap.NioImapHandler.processRequest(NioImapHandler.java:121)
        at com.zimbra.cs.imap.NioImapHandler.messageReceived(NioImapHandler.java:61)
        at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
        at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
        at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
        at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
        at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780)
        at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772)
        at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714)
        at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.SaslException: [email protected] is not authorized to connect as usuipa
        at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:301)
        ... 21 more
--------------------------------------- END LOG ---------------------------------------

2014-11-25 16:02 GMT-02:00 Maria Jose Yañez Dacosta <[email protected]>:

> Sorry for the delay in answering, I've been testing a few things before going back to ask.
>
> Thanks for the advice, I'll be careful with security :).
>
> I also tried what is explained in the URL you shared with me and, as you suspected, that isn't the problem either.
>
> I installed Wireshark; the packet capture shows me these errors:
>
> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
> e-text: PREAUTH_FAILED
>
> where the origin of these packets is the FreeIPA server and the destination is the Zimbra server.
>
> I think this may be causing problems.
>
> I'm ashamed to say this, but I haven't known what I have to do to debug the IMAP process on the server using KRB5_TRACE.
>
> Thanks so much for all your help, and if you have more suggestions, they would be appreciated.
>
> Have a good day.
>
> 2014-11-25 15:00 GMT-02:00 <[email protected]>:
>
>> Today's Topics:
>>
>> 1. Re: Is it possible to set up SUDO with redundancy? (Lukas Slebodnik)
>> 2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 25 Nov 2014 09:02:59 +0100
>> From: Lukas Slebodnik <[email protected]>
>> To: William Muriithi <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with redundancy?
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=utf-8
>>
>> On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <[email protected]> wrote:
>>
>> > Evening,
>> >
>> > After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advises adding to the sssd config file.
>> >
>> > services = nss, pam, ssh, pac, sudo
>> > [domain/idm.coe.muc.redhat.com]
>> > sudo_provider = ldap
>> > ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
>> > ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
>> > ldap_sasl_mech = GSSAPI
>> > ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
>> > ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
>> > krb5_server = grobi.idm.coe.muc.redhat.com
>> >
>> > The implication of adding the above is that SUDO would break if the hardcoded IPA is not available, even if there is another replica somewhere in the network. Is that a correct assumption?
>> >
>> > Is there a better way of doing it that I have missed?
>> >
>>
>> Which version of sssd do you have?
>> sssd >= 1.10 has native ipa sudo providers and you don't need to use "sudo_provider = ldap".
>>
>> LS
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 25 Nov 2014 10:11:42 +0100
>> From: Petr Spacek <[email protected]>
>> To: [email protected]
>> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=windows-1252
>>
>> On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
>> > Thank you for your prompt reply :).
>> >
>> > I still haven't discovered what caused the problem, but now I could get more information about it.
>> >
>> > I ran the command that you mentioned to me, as follows:
>> >
>> > - kinit usuipa
>> > - kvno imap/[email protected]
>> >
>> > (I said in my previous mail fi.example.com but should have said zimbrafreeipa.example.com. Forgive me!!)
>> >
>> > Then I ran klist and got this:
>> >
>> > 11/24/14 14:04:53 11/25/14 14:04:50 krbtgt/[email protected]
>> > 11/24/14 14:05:52 11/25/14 14:04:50 imap/[email protected]
>> >
>> > Then I ran
>> > KRB5_TRACE=/dev/stdout kvno imap/[email protected]
>> > and got this:
>> > --------------------------------------- OUTPUT ---------------------------------------
>> > [20649] 1416845334.9690: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>> > [20649] 1416845334.27562: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>> > imap/[email protected]: kvno = 2
>> > --------------------------------------- END OF OUTPUT ---------------------------------------
>> >
>> > When I run
>> > KRB5_TRACE=/dev/stdout thunderbird
>> > this shows:
>> >
>> > --------------------------------------- OUTPUT ---------------------------------------
>> > Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: no se puede abrir el fichero del objeto compartido: No existe el fichero o el directorio
>> > [20906] 1416845377.323420: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>> > [20906] 1416845377.323834: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>> > [20906] 1416845377.323939: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>> > [20906] 1416845377.324677: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>> > [20906] 1416845377.325617: Creating authenticator for [email protected] -> imap/[email protected], seqnum 138355536, subkey aes256-cts/3BB4, session key aes256-cts/A007
>> > [20906] 1416845377.353847: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>> > [20906] 1416845377.353971: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>> > [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey (null), seqnum 1067232298
>> > [20906] 1416845396.10173: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>> > [20906] 1416845396.10290: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>> > [20906] 1416845396.10316: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>> > [20906] 1416845396.10391: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>> > [20906] 1416845396.10469: Creating authenticator for [email protected] -> imap/[email protected], seqnum 592157704, subkey aes256-cts/5F4D, session key aes256-cts/A007
>> > [20906] 1416845396.35033: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>> > [20906] 1416845396.35196: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>> > [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey (null), seqnum 911725412
>> >
>> > --------------------------------------- END OF OUTPUT ---------------------------------------
>>
>> This seems okay, Thunderbird got the necessary ticket so the problem could be on the server side. (Just to be 100% sure: Did you configure the network.negotiate-auth option in Thunderbird according to https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html ?)
>>
>> > About permissions on the keytab file, I have the following:
>> >
>> > ls -l /opt/zimbra/conf/krb5.keytab
>> > -rwxrwxrwx 1 zimbra zimbra 366 nov 20 14:45 /opt/zimbra/conf/krb5.keytab
>> >
>> > Selinux (/etc/selinux/config)
>> > SELINUX=disabled
>> >
>> > What do you think about this?
>>
>> That it is completely insecure :-) Seriously, the keytab contains symmetric cryptographic keys, so it should be protected as much as feasible.
>>
>> It is fine for testing purposes (assuming that you do not forget to secure file permissions and generate a new keytab before moving it to production).
>>
>> As a next step please raise debug levels on the server and possibly use the KRB5_TRACE=/dev/stdout trick for the IMAP server process.
>>
>> --
>> Petr^2 Spacek
>>
>> ------------------------------
>>
>> End of Freeipa-users Digest, Vol 76, Issue 111
>
> --
> Maria José

--
Maria José

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
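The Zimbra log at the top of the thread shows two distinct failures in the SASL GSSAPI server's callback handling: the authenticated principal could not be mapped to any local account ("no account associated with Kerberos principal"), and the SASL layer then refused the requested authorization identity ("is not authorized to connect as usuipa"). The following added example models that two-step check; it is not Zimbra's or FreeIPA's code, and the realm EXAMPLE.COM, the account names and the directory contents are constructed for illustration.

```python
"""Model of the SASL GSSAPI authorization step (hypothetical, not Zimbra's).

After the Kerberos handshake the server holds the *authentication* identity
(the client principal) and the *authorization* identity the client asked to
act as (the IMAP login name, 'usuipa' in the thread). Both checks below must
pass; the first failing is the 'no account associated' warning, and the SASL
layer then reports '<principal> is not authorized to connect as <authz id>'.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    # Kerberos principals explicitly bound to this account (constructed data).
    principals: Set[str] = field(default_factory=set)


# Constructed directory: 'usuipa' exists but has no principal bound to it,
# which mirrors the situation in the thread.
DIRECTORY: Dict[str, Account] = {
    "alice": Account("alice", {"alice@EXAMPLE.COM"}),
    "usuipa": Account("usuipa"),
}


def account_for_principal(principal: str) -> Optional[Account]:
    """Step 1: exact match on the full principal, realm included, so a
    same-named principal from another realm never maps to a local account."""
    for account in DIRECTORY.values():
        if principal in account.principals:
            return account
    return None


def authorize(authn_principal: str, authz_id: str) -> Tuple[bool, str]:
    """Steps 1 and 2; returns (allowed, log_message). An empty authz id means
    'act as whatever account my principal maps to' (RFC 4422 semantics)."""
    account = account_for_principal(authn_principal)
    if account is None:
        return False, ("authentication failed (no account associated with "
                       f"Kerberos principal {authn_principal})")
    if authz_id and authz_id != account.name:
        return False, f"{authn_principal} is not authorized to connect as {authz_id}"
    return True, f"{authn_principal} authorized as {account.name}"


def bind_principal(account_name: str, principal: str) -> None:
    """The fix: associate the principal with the account in the directory."""
    DIRECTORY[account_name].principals.add(principal)
```

Running `authorize("usuipa@EXAMPLE.COM", "usuipa")` before `bind_principal` reproduces the first log line, and a principal that maps to a different account than the one requested reproduces the second.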
