[Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Petr Spacek
Hello,

Simo, do you have an idea what may be causing the problem?

Maria, generally, you can try to do two things on Zimbra server:
$ kinit -kt <path to keytab used by Zimbra server> imap/zimbrafreeipa.example@fi.example.com

It should succeed. This will verify that the content of the keytab is okay.

Regarding KRB5_TRACE trick:
You have to find the init script or systemd unit file which is used to start
the Zimbra server process. Edit that script and add KRB5_TRACE to it before the
actual server start.

Let us know your findings :-)

Petr^2 Spacek

On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
 Sorry for delay in answering, I've been testing a few things before going
 back to ask.
 
 Thanks for the advice, I'll be careful with security :).
 
 I also tried as is explained in the url you shared with me and as you
 suspected that isn't the problem either.
 
 I installed Wireshark; the packet capture shows me these errors:
 
 error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
 e-text: PREAUTH_FAILED
 
 Where the origin of these packets is the FreeIPA server and the
 destination is the Zimbra server.
 
 I think this may be causing problems.
 
 I'm ashamed to say this, but I don't know what I have to do to debug the IMAP
 process on the server using KRB5_TRACE.
 
 Thanks so much for all your help and if you have more suggestions, it would
 be appreciated.
 
 Have a good day.
 
 
 
 
 2014-11-25 15:00 GMT-02:00 freeipa-users-requ...@redhat.com:
 
 Send Freeipa-users mailing list submissions to
 freeipa-users@redhat.com

 To subscribe or unsubscribe via the World Wide Web, visit
 https://www.redhat.com/mailman/listinfo/freeipa-users
 or, via email, send a message with subject or body 'help' to
 freeipa-users-requ...@redhat.com

 You can reach the person managing the list at
 freeipa-users-ow...@redhat.com

 When replying, please edit your Subject line so it is more specific
 than Re: Contents of Freeipa-users digest...


 Today's Topics:

1. Re: Is it possible to set up SUDO with redundancy?
   (Lukas Slebodnik)
2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek)


 --

 Message: 1
 Date: Tue, 25 Nov 2014 09:02:59 +0100
 From: Lukas Slebodnik lsleb...@redhat.com
 To: William Muriithi william.murii...@gmail.com
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Is it possible to set up SUDO with
 redundancy?
 Message-ID: 20141125080259.gb2...@mail.corp.redhat.com
 Content-Type: text/plain; charset=utf-8

 On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi 
 william.murii...@gmail.com wrote:

 Evening,

 After looking at almost all the SUDO documentation I could find, it looks
 like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is
 what Red Hat advises adding to the sssd config file.

 services = nss, pam, ssh, pac, sudo
 [domain/idm.coe.muc.redhat.com]
 sudo_provider = ldap
 ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
 ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
 ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
 krb5_server = grobi.idm.coe.muc.redhat.com

 The implication of adding the above is that SUDO would break if the
 hardcoded IPA server is not available, even if there is another replica
 somewhere in the network. Is that a correct assumption?

 Is there a better way of doing it that I have missed?


 Which version of sssd do you have?
 sssd = 1.10 has native ipa sudo providers and you don't need to use
 sudo_provider = ldap.

 LS



 --

 Message: 2
 Date: Tue, 25 Nov 2014 10:11:42 +0100
 From: Petr Spacek pspa...@redhat.com
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
 Message-ID: 547447ce.8090...@redhat.com
 Content-Type: text/plain; charset=windows-1252

 On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
 Thank you for your prompt reply :).

 I still haven't discovered what caused the problem, but now I could get more
 information about it.

 I ran the command that you mentioned; I did as follows:

 - kinit usuipa
 - kvno imap/zimbrafreeipa.example@fi.example.com

 (I said in my previous mail fi.example.com but should have said
 zimbrafreeipa.example.com. Forgiveness!!)

 Then I ran klist and got this:

 11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/fi.example@fi.example.com
 11/24/14 14:05:52  11/25/14 14:04:50  imap/zimbrafreeipa.fi.example@fi.example.com

 Then I ran
 KRB5_TRACE=/dev/stdout kvno imap/zimbrafreeipa.example@fi.example.com
 and got this:
 --- OUTPUT ---
 [20649] 1416845334.9690: Getting credentials usu...@fi.example.com - imap/zimbrafreeipa.fi.example@fi.example.com using ccache FILE:/tmp/krb5cc_0
 [20649] 1416845334.27562: Retrieving usu...@fi.example.com - imap/
 

Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Sumit Bose
On Wed, Nov 26, 2014 at 06:04:21PM +0100, Petr Spacek wrote:
 Hello,
 
 Simo, do you have an idea what may be causing the problem?

Maybe there is a version mismatch between the keys on the server and on
the client?

On the IPA server you can check with

# kadmin.local
  getprinc imap/zimbrafreeipa.example@fi.example.com

and on the IMAP server with

klist -k -t <path to keytab used by Zimbra server>

The KVNO should be the same; if not, you can generate a fresh keytab with
ipa-getkeytab.

hth

bye,
Sumit
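Sumit's KVNO comparison above, as an added example that is not part of the thread: a small Python helper that parses `klist -k -t` and `kadmin.local getprinc` output and reports whether the keytab on the IMAP host still holds the key version the KDC expects. The sample output embedded below is constructed (the keytab path, realm, timestamps and enctypes are placeholders shaped like the thread's imap principal), and the parser accepts real output of the same shape.

```python
import re

# Constructed sample of `klist -k -t <keytab>` output on the IMAP (Zimbra) host; the
# keytab path, principal, realm and timestamp are placeholders, not from the thread.
KEYTAB_LISTING = """\
Keytab name: FILE:/opt/zimbra/conf/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/20/14 10:11:42 imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
"""

# Constructed sample of `kadmin.local -q "getprinc imap/..."` on the IPA KDC, where
# the key has since been re-issued at a higher version than the keytab holds.
GETPRINC_OUTPUT = """\
Principal: imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
"""

KDC_KEY_LINE = re.compile(r"^Key: vno (\d+)")

def keytab_kvnos(listing):
    """Map principal -> set of KVNOs from `klist -k` output (with or without -t)."""
    found = {}
    for line in listing.splitlines():
        parts = line.split()
        # Data rows begin with a numeric KVNO and end with the principal name.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            found.setdefault(parts[-1], set()).add(int(parts[0]))
    return found

def kdc_kvnos(getprinc):
    """Return (principal, set of KVNOs) from `kadmin.local getprinc` output."""
    principal, kvnos = None, set()
    for line in getprinc.splitlines():
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1].strip()
        m = KDC_KEY_LINE.match(line)
        if m:
            kvnos.add(int(m.group(1)))
    return principal, kvnos

def diagnose(listing, getprinc):
    """match is True only if every key version the KDC holds is in the keytab."""
    principal, on_kdc = kdc_kvnos(getprinc)
    in_keytab = keytab_kvnos(listing).get(principal, set())
    return {"principal": principal, "keytab": in_keytab, "kdc": on_kdc,
            "match": bool(on_kdc) and on_kdc <= in_keytab}
```

A stale keytab (KVNO 3 on the host, KVNO 4 on the KDC) is one common way to end up with KRB5KRB_AP_ERR_BAD_INTEGRITY; the fix the thread names is re-issuing the keytab with ipa-getkeytab.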

 
Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Simo Sorce
On Wed, 26 Nov 2014 18:04:21 +0100
Petr Spacek pspa...@redhat.com wrote:

 Hello,
 
 Simo, do you have an idea what may be causing the problem?

The most probable explanation is that the Zimbra server has the wrong
key. Unfortunately there isn't enough data in the email to guess
further.

Simo.
