Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Simo Sorce
On Wed, 26 Nov 2014 18:04:21 +0100
Petr Spacek  wrote:

> Hello,
> 
> Simo, do you have an idea what may be causing the problem?

The most probable explanation is that the Zimbra server has the wrong
key. Unfortunately there isn't enough data in the email to guess
further.

Simo.

> Maria, generally, you can try to do two things on Zimbra server:
> $ kinit -kt 
> "imap/zimbrafreeipa.example@fi.example.com"
> 
> It should succeed. This will verify that the content of the keytab is okay.
> 
> Regarding the KRB5_TRACE trick:
> You have to find the init script or systemd unit file which is used to
> start the Zimbra server process. Edit that script and add KRB5_TRACE to
> it before the actual server start.
> 
> Let us know your findings :-)
> 
> Petr^2 Spacek
> 
> On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
> > Sorry for delay in answering, I've been testing a few things before
> > going back to ask.
> > 
> > Thanks for the advice, I'll be careful with security :).
> > 
> > I also tried what is explained in the URL you shared with me and, as
> > you suspected, that isn't the problem either.
> > 
> > I installed Wireshark, packet capture shows me these errors:
> > 
> > error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
> > e-text: PREAUTH_FAILED
> > 
> > The origin of these packets is the FreeIPA server and the
> > destination is the Zimbra server.
> > 
> > I think this may be causing problems.
> > 
> > I'm ashamed to say this, but I haven't known what I have to do to debug
> > the IMAP process on the server using KRB5_TRACE.
> > 
> > Thanks so much for all your help and if you have more suggestions,
> > it would be appreciated.
> > 
> > Have a good day.
> > 

Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Sumit Bose
On Wed, Nov 26, 2014 at 06:04:21PM +0100, Petr Spacek wrote:
> Hello,
> 
> Simo, do you have an idea what may be causing the problem?

Maybe there is a version mismatch between the keys on the server and on
the client?

On the IPA server you can check with

# kadmin.local
> getprinc imap/zimbrafreeipa.example@fi.example.com


on the IMAP server

klist -k -t 

The KVNO should be the same; if not, you can generate a fresh keytab with
ipa-getkeytab.

hth

bye,
Sumit

> 
> Maria, generally, you can try to do two things on Zimbra server:
> $ kinit -kt 
> "imap/zimbrafreeipa.example@fi.example.com"
> 
> It should succeed. This will verify that the content of the keytab is okay.
> 
> Regarding the KRB5_TRACE trick:
> You have to find the init script or systemd unit file which is used to start
> the Zimbra server process. Edit that script and add KRB5_TRACE to it before
> the actual server start.
> 
> Let us know your findings :-)
> 
> Petr^2 Spacek
> 
> On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
> > Sorry for delay in answering, I've been testing a few things before going
> > back to ask.
> > 
> > Thanks for the advice, I'll be careful with security :).
> > 
> > I also tried what is explained in the URL you shared with me and, as you
> > suspected, that isn't the problem either.
> > 
> > I installed Wireshark, packet capture shows me these errors:
> > 
> > error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
> > e-text: PREAUTH_FAILED
> > 
> > The origin of these packets is the FreeIPA server and the
> > destination is the Zimbra server.
> > 
> > I think this may be causing problems.
> > 
> > I'm ashamed to say this, but I haven't known what I have to do to debug the
> > IMAP process on the server using KRB5_TRACE.
> > 
> > Thanks so much for all your help and if you have more suggestions, it would
> > be appreciated.
> > 
> > Have a good day.
> > 
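The KVNO comparison Sumit describes (and the kvno check Petr asked for earlier in the thread) can be done entirely on the IMAP host: list the keytab with `klist -k -t`, ask the KDC for a service ticket with `kvno`, and compare the key version numbers. The script below is an added example and is not code from the freeipa-users thread or from FreeIPA. It parses the text those two MIT Kerberos tools print; the keytab path, the realm spelling (the archive mangled the principal) and both sample outputs are constructed for the example, with the keytab deliberately one version behind the KDC.

```python
"""Compare key version numbers (KVNOs) between a service keytab and the
KDC, to spot the stale-keytab condition behind KRB5KRB_AP_ERR_BAD_INTEGRITY.

Added example, not code from the freeipa-users thread. It parses the
output formats of `klist -k -t` and `kvno` (MIT Kerberos); everything in
the SAMPLE_* strings is constructed.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Set

# Constructed output of `klist -k -t /opt/zimbra/conf/krb5.keytab`
# (the path is an assumption; the thread elides it). Both entries for the
# IMAP principal are at KVNO 3.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/opt/zimbra/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/24/14 14:05:52   imap/zimbrafreeipa.example.com@FI.EXAMPLE.COM
   3 11/24/14 14:05:52   imap/zimbrafreeipa.example.com@FI.EXAMPLE.COM
"""

# Constructed output of `kvno imap/zimbrafreeipa.example.com@FI.EXAMPLE.COM`
# run with a valid user TGT: the KDC now holds key version 4, so the
# keytab above is stale and the service cannot decrypt what the KDC issues.
SAMPLE_KVNO_OUTPUT = """\
imap/zimbrafreeipa.example.com@FI.EXAMPLE.COM: kvno = 4
"""

# "<kvno> [<date> <time>] <principal> [(<enctype>)]" lines of klist -k [-t] [-e]
_KEYTAB_LINE = re.compile(
    r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+?)(?:\s+\(.*\))?\s*$")
# "<principal>: kvno = <n>" lines of kvno
_KVNO_LINE = re.compile(r"^(\S+@\S+):\s*kvno\s*=\s*(\d+)\s*$")


def parse_keytab_listing(text: str) -> Dict[str, Set[int]]:
    """Map each principal in klist -k -t output to the KVNOs the keytab holds."""
    kvnos: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def parse_kvno_output(text: str) -> Dict[str, int]:
    """Map each principal in kvno output to the key version the KDC used."""
    result: Dict[str, int] = {}
    for line in text.splitlines():
        m = _KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def find_mismatches(keytab: Dict[str, Set[int]], kdc: Dict[str, int]) -> Dict[str, str]:
    """One verdict per principal the KDC answered for. Older extra KVNOs in
    the keytab are harmless; only a missing current key is a problem."""
    report: Dict[str, str] = {}
    for princ, kdc_kvno in kdc.items():
        held = keytab.get(princ)
        if held is None:
            report[princ] = "missing from keytab"
        elif kdc_kvno in held:
            report[princ] = "ok"
        else:
            report[princ] = "keytab has %s, KDC issues %d (re-run ipa-getkeytab)" % (
                sorted(held), kdc_kvno)
    return report


def collect_live(keytab_path: str, principal: str) -> Optional[Dict[str, str]]:
    """Run the real tools on this host (kvno needs an existing TGT);
    returns None when klist/kvno are not installed."""
    if not (shutil.which("klist") and shutil.which("kvno")):
        return None
    listing = subprocess.run(["klist", "-k", "-t", keytab_path],
                             capture_output=True, text=True, check=True).stdout
    issued = subprocess.run(["kvno", principal],
                            capture_output=True, text=True, check=True).stdout
    return find_mismatches(parse_keytab_listing(listing), parse_kvno_output(issued))


if __name__ == "__main__":
    # Stand-alone run uses the constructed samples; swap in collect_live()
    # with the real keytab path and principal on the IMAP host.
    report = find_mismatches(parse_keytab_listing(SAMPLE_KEYTAB_LISTING),
                             parse_kvno_output(SAMPLE_KVNO_OUTPUT))
    for princ, verdict in report.items():
        print("%s: %s" % (princ, verdict))
```

Run it as the account that owns the service keytab so the listing reflects the file the IMAP daemon actually reads; a matching KVNO with a still-failing service points at a different cause (wrong enctype or a keytab copied from another host), which is what the KRB5_TRACE output would then show.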

[Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Petr Spacek
Hello,

Simo, do you have an idea what may be causing the problem?

Maria, generally, you can try to do two things on Zimbra server:
$ kinit -kt 
"imap/zimbrafreeipa.example@fi.example.com"

It should succeed. This will verify that the content of the keytab is okay.

Regarding the KRB5_TRACE trick:
You have to find the init script or systemd unit file which is used to start
the Zimbra server process. Edit that script and add KRB5_TRACE to it before
the actual server start.

Let us know your findings :-)

Petr^2 Spacek

On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
> Sorry for delay in answering, I've been testing a few things before going
> back to ask.
> 
> Thanks for the advice, I'll be careful with security :).
> 
> I also tried what is explained in the URL you shared with me and, as you
> suspected, that isn't the problem either.
> 
> I installed Wireshark, packet capture shows me these errors:
> 
> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
> e-text: PREAUTH_FAILED
> 
> The origin of these packets is the FreeIPA server and the
> destination is the Zimbra server.
> 
> I think this may be causing problems.
> 
> I'm ashamed to say this, but I haven't known what I have to do to debug the
> IMAP process on the server using KRB5_TRACE.
> 
> Thanks so much for all your help and if you have more suggestions, it would
> be appreciated.
> 
> Have a good day.
> 
> 
> 
> 
> 2014-11-25 15:00 GMT-02:00 :
> 
>> Send Freeipa-users mailing list submissions to
>> freeipa-users@redhat.com
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> or, via email, send a message with subject or body 'help' to
>> freeipa-users-requ...@redhat.com
>>
>> You can reach the person managing the list at
>> freeipa-users-ow...@redhat.com
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Freeipa-users digest..."
>>
>>
>> Today's Topics:
>>
>>1. Re: Is it possible to set up SUDO with redudancy?
>>   (Lukas Slebodnik)
>>2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek)
>>
>>
>> --
>>
>> Message: 1
>> Date: Tue, 25 Nov 2014 09:02:59 +0100
>> From: Lukas Slebodnik 
>> To: William Muriithi 
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with
>> redudancy?
>> Message-ID: <20141125080259.gb2...@mail.corp.redhat.com>
>> Content-Type: text/plain; charset=utf-8
>>
>> On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <
>> william.murii...@gmail.com> wrote:
>>
>>> Evening,
>>>
>>> After looking at almost all the SUDO documentation I could find, it looks
>>> like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below
>>> is what Red Hat advises adding to the sssd config file.
>>>
>>> services = nss, pam, ssh, pac, sudo
>>>
>>> [domain/idm.coe.muc.redhat.com]
>>> sudo_provider = ldap
>>> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
>>> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
>>> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
>>> krb5_server = grobi.idm.coe.muc.redhat.com
>>>
>>> The implication of adding the above is that SUDO would break if the
>>> hardcoded IPA server is not available, even if there is another replica
>>> somewhere in the network. Is that a correct assumption?
>>>
>>> Is there a better way of doing it that I have missed?
>>>
>>
>> Which version of sssd do you have?
>> sssd >= 1.10 has native ipa sudo providers and you don't need to use
>> "sudo_provider = ldap".
>>
>> LS
>>
>>
>>
>> --
>>
>> Message: 2
>> Date: Tue, 25 Nov 2014 10:11:42 +0100
>> From: Petr Spacek 
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
>> Message-ID: <547447ce.8090...@redhat.com>
>> Content-Type: text/plain; charset=windows-1252
>>
>> On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
>>> Thank you for your prompt reply :).
>>>
>>> I still haven't discovered what caused the problem, but now I have more
>>> information about it.
>>>
>>> I ran the commands you mentioned, as follows:
>>>
>>> - kinit usuipa
>>> - kvno imap/zimbrafreeipa.example@fi.example.com
>>>
>>> (I said in my previous mail fi.example.com but should have said
>>> zimbrafreeipa.example.com.
>>>  Forgiveness!!).
>>>
>>> Then run klist and got this:
>>>
>>> 11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/fi.example@fi.example.com
>>> 11/24/14 14:05:52  11/25/14 14:04:50  imap/zimbrafreeipa.fi.example@fi.example.com
>>>
>>> Then run
>>> KRB5_TRACE=/dev/stdout kvno imap/zimbrafreeipa.example@fi.example.com
>>> and got this:
>>> --- OUTPUT ---
>>> [20649] 1416845334.9690: Getting credentials usu...@fi.ex