On 27.11.2014 13:27, Maria Jose Yañez Dacosta wrote:
> Hi everyone,
>
> I found the following error: "authentication failed (no account associated
> with Kerberos principal [email protected])".
>
> I suspect that what is missing in FreeIPA is giving this user permission to
> access via Kerberos.
>
> What do you think about it?
>
> I'm a newbie in these matters, so I appreciate any help or comments :)
>
> Oh! This is the full error message:
>
> ------------------------------------------ LOG ---------------------------------------
> 2014-11-27 09:35:50,067 WARN [ImapServer-2] [ip=192.168.99.100;] account - authentication failed (no account associated with Kerberos principal [email protected])
> 2014-11-27 09:35:50,068 WARN [ImapServer-2] [ip=192.168.99.100;] imap - SaslServer.evaluateResponse() failed
> javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: [email protected] is not authorized to connect as usuipa]
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:309)
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:149)
>     at com.zimbra.cs.security.sasl.GssAuthenticator.handle(GssAuthenticator.java:182)
>     at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:269)
>     at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:260)
>     at com.zimbra.cs.imap.NioImapHandler.processRequest(NioImapHandler.java:121)
>     at com.zimbra.cs.imap.NioImapHandler.messageReceived(NioImapHandler.java:61)
>     at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>     at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>     at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
>     at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
>     at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780)
>     at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772)
>     at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714)
>     at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.security.sasl.SaslException: [email protected] is not authorized to connect as usuipa
Judging from this message, I guess that Zimbra is not configured properly to
use LDAP as the source of user information. I.e. Kerberos successfully
authenticated the user "[email protected]", but the mapping to an IMAP user is
missing.

Did you configure Zimbra to use LDAP? You can get some inspiration from
http://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
but please note that this how-to is about LDAP authentication, not about
Kerberos authentication.

Petr^2 Spacek

>     at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:301)
>     ... 21 more
>
> --------------------------------------- END LOG ---------------------------------------
>
>
> 2014-11-25 16:02 GMT-02:00 Maria Jose Yañez Dacosta <[email protected]>:
>
>> Sorry for the delay in answering, I've been testing a few things before
>> going back to ask.
>>
>> Thanks for the advice, I'll be careful with security :).
>>
>> I also tried what is explained in the URL you shared with me and, as you
>> suspected, that isn't the problem either.
>>
>> I installed Wireshark; the packet capture shows me these errors:
>>
>> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
>> e-text: PREAUTH_FAILED
>>
>> Where the origin of these packets is the FreeIPA server and the
>> destination is the Zimbra server.
>>
>> I think this may be causing problems.
>>
>> I'm ashamed to say this, but I haven't worked out what I have to do to
>> debug the IMAP process on the server using KRB5_TRACE.
>>
>> Thanks so much for all your help, and if you have more suggestions, it
>> would be appreciated.
>>
>> Have a good day.
>>
>> 2014-11-25 15:00 GMT-02:00 <[email protected]>:
>>
>>> Message: 1
>>> Date: Tue, 25 Nov 2014 09:02:59 +0100
>>> From: Lukas Slebodnik <[email protected]>
>>> To: William Muriithi <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with redundancy?
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset=utf-8
>>>
>>> On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <[email protected]> wrote:
>>>
>>>> Evening,
>>>>
>>>> After looking at almost all the SUDO documentation I could find, it looks
>>>> like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below
>>>> is what Red Hat advises adding to the sssd config file.
>>>>
>>>> services = nss, pam, ssh, pac, sudo
>>>> [domain/idm.coe.muc.redhat.com]
>>>> sudo_provider = ldap
>>>> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
>>>> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
>>>> ldap_sasl_mech = GSSAPI
>>>> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
>>>> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
>>>> krb5_server = grobi.idm.coe.muc.redhat.com
>>>>
>>>> The implication of adding the above is that SUDO would break if the
>>>> hardcoded IPA is not available, even if there is another replica
>>>> somewhere in the network. Is that a correct assumption?
>>>>
>>>> Is there a better way of doing it that I have missed?
>>>>
>>>
>>> Which version of sssd do you have?
>>> sssd >= 1.10 has native ipa sudo providers and you don't need to use
>>> "sudo_provider = ldap".
>>>
>>> LS
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Tue, 25 Nov 2014 10:11:42 +0100
>>> From: Petr Spacek <[email protected]>
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset=windows-1252
>>>
>>> On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
>>>> Thank you for your prompt reply :).
>>>>
>>>> I still haven't discovered what caused the problem, but now I could get
>>>> more information about the problem.
>>>>
>>>> I ran the command that you mentioned to me; I did as follows:
>>>>
>>>> - kinit usuipa
>>>> - kvno imap/[email protected]
>>>>
>>>> (I said in my previous mail fi.example.com but should have said
>>>> zimbrafreeipa.example.com. Forgiveness!!).
>>>>
>>>> Then I ran klist and got this:
>>>>
>>>> 11/24/14 14:04:53 11/25/14 14:04:50 krbtgt/[email protected]
>>>> 11/24/14 14:05:52 11/25/14 14:04:50 imap/[email protected]
>>>>
>>>> Then I ran
>>>> KRB5_TRACE=/dev/stdout kvno imap/[email protected]
>>>> and got this:
>>>> --------------------------------------- OUTPUT ---------------------------------------
>>>> [20649] 1416845334.9690: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>>>> [20649] 1416845334.27562: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>>>> imap/[email protected]: kvno = 2
>>>> --------------------------------------- END OF OUTPUT ---------------------------------------
>>>>
>>>> When I run
>>>> KRB5_TRACE=/dev/stdout thunderbird
>>>> this shows:
>>>>
>>>> --------------------------------------- OUTPUT ---------------------------------------
>>>> Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: no se puede abrir el fichero del objeto compartido: No existe el fichero o el directorio
>>>> [20906] 1416845377.323420: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>>>> [20906] 1416845377.323834: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>>>> [20906] 1416845377.323939: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>>>> [20906] 1416845377.324677: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>>>> [20906] 1416845377.325617: Creating authenticator for [email protected] -> imap/[email protected], seqnum 138355536, subkey aes256-cts/3BB4, session key aes256-cts/A007
>>>> [20906] 1416845377.353847: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>>>> [20906] 1416845377.353971: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>>>> [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey (null), seqnum 1067232298
>>>> [20906] 1416845396.10173: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>>>> [20906] 1416845396.10290: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>>>> [20906] 1416845396.10316: Getting credentials [email protected] -> imap/[email protected] using ccache FILE:/tmp/krb5cc_0
>>>> [20906] 1416845396.10391: Retrieving [email protected] -> imap/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Conseguido
>>>> [20906] 1416845396.10469: Creating authenticator for [email protected] -> imap/[email protected], seqnum 592157704, subkey aes256-cts/5F4D, session key aes256-cts/A007
>>>> [20906] 1416845396.35033: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal [email protected] for server principal imap/[email protected]
>>>> [20906] 1416845396.35196: Retrieving [email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
>>>> [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey (null), seqnum 911725412
>>>>
>>>> --------------------------------------- END OF OUTPUT ---------------------------------------
>>>
>>> This seems okay, Thunderbird got the necessary ticket so the problem could
>>> be on the server side. (Just to be 100% sure: Did you configure the
>>> network.negotiate-auth option in Thunderbird according to
>>> https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html ?)
>>>
>>>> About permissions on the keytab file, I have the following:
>>>>
>>>> ls -l /opt/zimbra/conf/krb5.keytab
>>>> -rwxrwxrwx 1 zimbra zimbra 366 nov 20 14:45 /opt/zimbra/conf/krb5.keytab
>>>>
>>>> Selinux (/etc/selinux/config)
>>>> SELINUX=disabled
>>>>
>>>> What do you think about this?
>>>
>>> That it is completely insecure :-) Seriously, the keytab contains symmetric
>>> cryptographic keys so it should be protected as much as feasible.
>>>
>>> It is fine for testing purposes (assuming that you do not forget to secure
>>> file permissions and generate a new keytab before moving it to production).
>>>
>>> As a next step please raise debug levels on the server and possibly use the
>>> KRB5_TRACE=/dev/stdout trick for the IMAP server process.
>>>
>>> --
>>> Petr^2 Spacek
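The server-side step that fails in the Zimbra log above, modelled as an added example (this is not Zimbra's code): the GSSAPI handshake only authenticates the Kerberos principal, and the SASL server then asks a callback whether that principal may act as the requested IMAP account. DIRECTORY and the EXAMPLE.COM realm are constructed stand-ins for the directory lookup.

```python
# Added example, not Zimbra's code. Models the authorization step behind
# "is not authorized to connect as usuipa": Kerberos proves WHO the client
# is (authentication id, a principal); the IMAP server must separately map
# that principal to a mailbox (authorization id). If the mapping is absent,
# authentication succeeds and authorization still fails.

# Constructed directory: account name -> Kerberos principals allowed to log
# in as that account. "usuipa" exists but has no principal mapped, which
# reproduces the situation in the log. EXAMPLE.COM is a placeholder realm.
DIRECTORY = {
    "alice": {"alice@EXAMPLE.COM"},
    "usuipa": set(),
}


def split_principal(principal):
    """Return (primary, realm) for 'primary@REALM'; reject malformed names."""
    primary, sep, realm = principal.rpartition("@")
    if not sep or not primary or not realm:
        raise ValueError(f"malformed Kerberos principal: {principal!r}")
    return primary, realm


def account_for_principal(principal, directory=DIRECTORY):
    """Return the account the principal is mapped to, or None if unmapped."""
    for account, principals in directory.items():
        if principal in principals:
            return account
    return None


def authorize(authn_id, authz_id, directory=DIRECTORY):
    """Decide whether the authenticated principal may act as authz_id.

    Returns (True, account) on success or (False, reason) on failure, using
    the wording of the two log lines quoted in the thread. An empty authz_id
    means "act as yourself" (RFC 4752 semantics for the GSSAPI mechanism).
    """
    split_principal(authn_id)  # fail closed on garbage before any lookup
    account = account_for_principal(authn_id, directory)
    if account is None:
        return False, ("authentication failed (no account associated with "
                       f"Kerberos principal {authn_id})")
    if authz_id and authz_id != account:
        return False, f"{authn_id} is not authorized to connect as {authz_id}"
    return True, account
```

The fix in the thread is therefore on the directory side (make the principal-to-account mapping exist), not in Kerberos, which is exactly why the client-side KRB5_TRACE looked healthy.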
