From: Martin Schweizer
To: freebsd-questions@freebsd.org
Date: Sun, 30 Aug 2009 20:00:50 +0200
Subject: Kerberos authentication by PAM against AD Windows 2003 Server domain
Message-ID: <20090830180050.GA54419@saturn.pcs.ms>
Organization: PC-Service M. Schweizer GmbH, CH-8608 Bubikon, Switzerland
X-PGP-Key: http://www.pc-service.ch/pgp/public_key.asc
X-Fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239
User-Agent: Mutt/1.4.2.3i

Hello

My goal is to authenticate my Cyrus Imapd users against Windows 2003 Active
Directory with Kerberos. I have the following setup:

Kerberos5 client
===========

FreeBSD acsvfbsd06.domain.tld 7.2-RELEASE FreeBSD 7.2-RELEASE

/etc/krb.conf:

    [libdefaults]
        default_realm = domain.tld
        default_etypes_des = des-cbc-md5

    [realms]
        ACUTRONIC.CH = {
            kdc = tcp/acsv3k04.domain.tld:88
        }

    [logging]
        kdc = SYSLOG:INFO:AUTH
        admin_server = SYSLOG:INFO:AUTH
        default = SYSLOG:INFO:AUTH

/etc/krb5.keytab (ktutil list output):

For the keytab file I followed:
http://technet.microsoft.com/en-us/library/bb742433.aspx

    FILE:/etc/krb5.keytab:

    Vno  Type         Principal
      1  des-cbc-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD

I get tickets if I use kinit user:

    acsvfbsd06# kinit user
    martin@DOMAIN.TLD's Password:
    kinit: NOTICE: ticket renewable lifetime is 1 week

    klist:
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: user@DOMAIN.TLD

      Issued           Expires          Principal
    Jul 31 17:58:09  Aug  1 03:57:44  krbtgt/DOMAIN.TLD@DOMAIN.TLD

I can no longer use ldapsearch as follows:

    acsvfbsd06# ldapsearch -v -LLL -b "OU=Mitgliedsserver,OU=ACH,DC=Domain,DC=tld" -h acsv3k04.domain.tld description

which worked in the past. And I really did not change anything. I also checked
the DNS and Kerberos communication with tcpdump without finding any strange
issues. The DNS server I use is the KDC server (all the DNS Kerberos entries
are correct).

My PAM configuration is:

/etc/pam.d/imap:

    auth required pam_krb5.so try_first_pass debug

I tried different combinations of user names and passwords with
testsaslauthd -u username -p password. As expected, the wrong ones would be
denied. But I get no PAM_SUCCESS for the correct ones, with one exception: if
I use sufficient as the PAM option, then all username and password
combinations (wrong or not) would be accepted!

With the option required (and the others) I see in /var/log/auth.log:

    Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: rel_accept_lock : released accept lock
    Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: pam_krb5: verify_krb_v5_tgt(): krb5_rd_req(): Key table entry not found
    Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: DEBUG: auth_pam: pam_authenticate failed: authentication error
    Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: do_auth : auth failure: [user=martin] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
    Aug 30 18:27:04 acsvfbsd06 saslauthd[9188]: get_accept_lock : acquired accept lock

I read FreeBSD's PAM documentation backwards and forwards but did not find any
clue. I also did not find any hints about debugging PAM problems. So I now
have no more ideas where to check. Any hints are welcome.

Kind regards,

--
Martin Schweizer
PC-Service M. Schweizer GmbH; Bannholzstrasse 6; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;
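The first things a practitioner would check for the symptoms above (a "Key table entry not found" from pam_krb5's TGT verification, and a PAM stack that accepts every password once the only module is marked sufficient) can be scripted against the files quoted in the post. The checker below is an added example and is not part of the original post or of any FreeBSD tool; it parses the text of krb5.conf, the output of `ktutil list` and a /etc/pam.d/<service> file, works out the host principal that pam_krb5 looks up in the keytab (host/<fqdn>@<default_realm>), and compares it against the keytab entries. Realm names are compared case-sensitively, because Kerberos realm names are case-sensitive; run against the configuration quoted above, it flags that default_realm is written in lower case while the keytab principal's realm is upper case, reports the single-DES enctype, and notes when an auth stack contains no required or requisite module. The sample inputs embedded in the block are constructed after the post's configuration; the host name, realm and file names are assumptions.

```python
"""Consistency checks for a pam_krb5 host keytab and a PAM auth stack.

Added example, not code from the original post: it parses the text of
krb5.conf, the output of `ktutil list` and a /etc/pam.d/<service> file and
reports the mismatches that make pam_krb5's TGT verification fail or leave a
PAM stack with nothing that must succeed. Sample inputs are constructed.
"""
import re
from typing import Dict, List

# Constructed inputs modelled on the configuration quoted in the post.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = domain.tld
    default_etypes_des = des-cbc-md5
[realms]
    DOMAIN.TLD = {
        kdc = tcp/acsv3k04.domain.tld:88
    }
"""
SAMPLE_KTUTIL = """FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD
"""
SAMPLE_PAM = "auth required pam_krb5.so try_first_pass debug\n"


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Tiny krb5.conf reader: top-level key = value pairs per [section].
    Nested realm blocks ("NAME = { ... }") are skipped for brevity."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current, depth = m.group(1), 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current and depth == 0 and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    return sections


def parse_ktutil_list(text: str) -> List[Dict[str, object]]:
    """Parse the 'Vno  Type  Principal' table printed by Heimdal's ktutil list."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$", line)
        if m:
            rows.append({"vno": int(m.group(1)), "etype": m.group(2),
                         "principal": m.group(3)})
    return rows


def check_host_keytab(krb5_conf: str, ktutil_out: str, fqdn: str) -> Dict[str, object]:
    """pam_krb5 verifies the user's TGT by obtaining a service ticket for
    host/<fqdn>@<default_realm> and decrypting it with the keytab, so that
    principal has to be present. Host names are compared case-insensitively
    (DNS), realm names case-sensitively (Kerberos realms are case-sensitive)."""
    conf = parse_krb5_conf(krb5_conf)
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    expected = f"host/{fqdn.lower()}@{realm}"
    findings: List[str] = []
    status = "missing"
    for row in parse_ktutil_list(ktutil_out):
        name, _, kt_realm = str(row["principal"]).partition("@")
        if name.lower() != f"host/{fqdn.lower()}":
            continue
        if kt_realm == realm:
            status = "ok"
        elif kt_realm.lower() == realm.lower() and status != "ok":
            status = "realm-case-mismatch"
        if str(row["etype"]).startswith("des-cbc-"):
            findings.append(f"{row['principal']} vno {row['vno']} uses "
                            f"single-DES enctype {row['etype']}")
    return {"expected": expected, "status": status, "findings": findings}


def check_pam_auth_stack(pam_text: str) -> List[str]:
    """Flag an auth stack in which no module is required to succeed."""
    controls = []
    for raw in pam_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            controls.append(parts[1])
    findings = []
    if controls and not any(c in ("required", "requisite") for c in controls):
        findings.append("auth stack contains no required/requisite module; "
                        "no entry in it has to pass")
    return findings


if __name__ == "__main__":
    report = check_host_keytab(SAMPLE_KRB5_CONF, SAMPLE_KTUTIL, "acsvfbsd06.domain.tld")
    print(f"expected {report['expected']}: {report['status']}")
    for note in list(report["findings"]) + check_pam_auth_stack(SAMPLE_PAM):
        print("note:", note)
```

On a real host, feed it the actual files: `check_host_keytab(open("/etc/krb5.conf").read(), subprocess.check_output(["ktutil", "list"], text=True), socket.getfqdn())`. A status of "missing" means the keytab holds no host principal for this machine at all, "realm-case-mismatch" means the name is there but the realm spelling differs from default_realm, and a DES finding is worth acting on independently of the login problem, since single-DES enctypes are deprecated.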