<div dir="ltr"><div>Hi everyone, I found the following error: "authentication failed (no account associated with Kerberos principal <a href="mailto:usuipa@FI.EXAMPLE.COM">usuipa@FI.EXAMPLE.COM</a>)". I suspect that is missing in FreeIPA give to this user permissions to access by kerberos. what do you think about it ?. I'm newbie in these matters, so I appreciate any help or comments :) Oh!, This is the full error message: </div>------------------------------------------ LOG --------------------------------------- 2014-11-27 09:35:50,067 WARN [ImapServer-2] [ip=192.168.99.100;] account - authentication failed (no account associated with Kerberos principal <a href="mailto:usuipa@FI.EXAMPLE.COM">usuipa@FI.EXAMPLE.COM</a>) 2014-11-27 09:35:50,068 WARN [ImapServer-2] [ip=192.168.99.100;] imap - SaslServer.evaluateResponse() failed javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: <a href="mailto:usuipa@FI.EXAMPLE.COM">usuipa@FI.EXAMPLE.COM</a> is not authorized to connect as usuipa] at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:309) at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:149) at com.zimbra.cs.security.sasl.GssAuthenticator.handle(GssAuthenticator.java:182) at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:269) at com.zimbra.cs.imap.ImapHandler.continueAuthentication(ImapHandler.java:260) at com.zimbra.cs.imap.NioImapHandler.processRequest(NioImapHandler.java:121) at com.zimbra.cs.imap.NioImapHandler.messageReceived(NioImapHandler.java:61) at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88) at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75) at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63) at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780) at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772) at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714) at java.lang.Thread.run(Thread.java:744) Caused by: javax.security.sasl.SaslException: <a href="mailto:usuipa@FI.EXAMPLE.COM">usuipa@FI.EXAMPLE.COM</a> is not authorized to connect as usuipa at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:301) ... 21 more --------------------------------------- END LOG --------------------------------------- <div> </div></div><div class="gmail_extra"> <div class="gmail_quote">2014-11-25 16:02 GMT-02:00 Maria Jose Yañez Dacosta <<a href="mailto:mariajose1982@gmail.com" target="_blank">mariajose1982@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Sorry for delay in answering, I've been testing a few things before going back to ask. Thanks for the advice, I'll be careful with security :). I also tried as is explained in the url you shared with me and as you suspected that isn't the problem either. I installed Wireshark, packet capture shows me these errors: error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31) e-text: PREAUTH_FAILED Where the origin of these packages is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems. I'm ashamed to say this, but haven't known as I have to do to debug Imap process on the server using KRB5_TRACE. </div><div>Thanks so much for all your help and if you have more suggestions, it would be appreciated. </div><div>Have a good day. </div><div> </div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">2014-11-25 15:00 GMT-02:00 <<a href="mailto:freeipa-users-request@redhat.com" target="_blank">freeipa-users-request@redhat.com</a>>:<div><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Freeipa-users mailing list submissions to <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> or, via email, send a message with subject or body 'help' to <a href="mailto:freeipa-users-request@redhat.com" target="_blank">freeipa-users-request@redhat.com</a> You can reach the person managing the list at <a href="mailto:freeipa-users-owner@redhat.com" target="_blank">freeipa-users-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Is it possible to set up SUDO with redudancy? (Lukas Slebodnik) 2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek) ---------------------------------------------------------------------- Message: 1 Date: Tue, 25 Nov 2014 09:02:59 +0100 From: Lukas Slebodnik <<a href="mailto:lslebodn@redhat.com" target="_blank">lslebodn@redhat.com</a>> To: William Muriithi <<a href="mailto:william.muriithi@gmail.com" target="_blank">william.muriithi@gmail.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with redudancy? Message-ID: <<a href="mailto:20141125080259.GB2590@mail.corp.redhat.com" target="_blank">20141125080259.GB2590@mail.corp.redhat.com</a>> Content-Type: text/plain; charset=utf-8 On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi < <a href="mailto:william.muriithi@gmail.com" target="_blank">william.muriithi@gmail.com</a>> wrote: > Evening, > > After looking at almost all the SUDO documentation I could find, it looks > one has to hardcode FreeIPA hostname on sssd.conf file. Below is what red > hat advice to add in sssd config file. > > services = nss, pam, ssh, pac, sudo [domain/<a href="http://idm.coe.muc.redhat.com" target="_blank">idm.coe.muc.redhat.com</a>] > sudo_provider = ldap ldap_uri = ldap://<a href="http://grobi.idm.coe.muc.redhat.com" target="_blank">grobi.idm.coe.muc.redhat.com</a> > ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com > ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/ > <a href="http://tiffy.idm.coe.muc.redhat.com" target="_blank">tiffy.idm.coe.muc.redhat.com</a> ldap_sasl_realm = <a href="http://IDM.COE.MUC.REDHAT.COM" target="_blank">IDM.COE.MUC.REDHAT.COM</a> > krb5_server = <a href="http://grobi.idm.coe.muc.redhat.com" target="_blank">grobi.idm.coe.muc.redhat.com</a> > > The implications of adding above is that SUDO would break if the > hardcoded ipa is not available even if there is another replica somewhere > in the network. Is that correct assumption? > > Is there a better way of doing it that I have missed? > Which version of sssd do you have? sssd >= 1.10 has native ipa suod providers and you don't need to use "sudo_provider = ldap". LS ------------------------------ Message: 2 Date: Tue, 25 Nov 2014 10:11:42 +0100 From: Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> To: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server. Message-ID: <<a href="mailto:547447CE.8090400@redhat.com" target="_blank">547447CE.8090400@redhat.com</a>> Content-Type: text/plain; charset=windows-1252 On 24.11.2014 17:45, Maria Jose Ya?ez Dacosta wrote: > Thank you for your prompt reply :). > > I still don't discover what caused the problem, but now I could get more > information about the problem. > > I run the command that you commented me, I did as follows: > > - kinit usuipa > - kvno imap/<a href="mailto:zimbrafreeipa.example.com@FI.example.com" target="_blank">zimbrafreeipa.example.com@FI.example.com</a> > > (I said in my previous mail <a href="http://fi.example.com" target="_blank">fi.example.com</a> but should have said > <a href="http://zimbrafreeipa.example.com" target="_blank">zimbrafreeipa.example.com</a>. > Forgiveness!!). > > Then run klist and got this: > > 11/24/14 14:04:53 11/25/14 14:04:50 krbtgt/<a href="mailto:FI.EXAMPLE.COM@FI.EXAMPLE.COM" target="_blank">FI.EXAMPLE.COM@FI.EXAMPLE.COM</a> > 11/24/14 14:05:52 11/25/14 14:04:50 imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> > > Then run > KRB5_TRACE=/dev/stdout kvno imap/<a href="mailto:zimbrafreeipa.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.example.com@FI.EXAMPLE.COM</a> > and got this: > --------------------------------------- OUTPUT > --------------------------------------------------------------- > [20649] 1416845334.9690: Getting credentials <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> using ccache FILE:/tmp/krb5cc_0 > [20649] 1416845334.27562: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> from FILE:/tmp/krb5cc_0 with > result: 0/Conseguido > imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a>: kvno = 2 > --------------------------------------- END OF OUTPUT > --------------------------------------------------- > > When I rum > KRB5_TRACE=/dev/stdout thunderbird > this show: > > --------------------------------------- OUTPUT > --------------------------------------------------------------- > Gtk-Message: Failed to load module "canberra-gtk-module": > libcanberra-gtk-module.so: no se puede abrir el fichero del objeto > compartido: No existe el fichero o el directorio > [20906] 1416845377.323420: ccselect module realm chose cache > FILE:/tmp/krb5cc_0 with client principal <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> for server > principal imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> > [20906] 1416845377.323834: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found > [20906] 1416845377.323939: Getting credentials <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> > imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> using ccache > FILE:/tmp/krb5cc_0 > [20906] 1416845377.324677: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> from FILE:/tmp/krb5cc_0 with > result: 0/Conseguido > [20906] 1416845377.325617: Creating authenticator for <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> > -> imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a>, seqnum 138355536, > subkey aes256-cts/3BB4, session key aes256-cts/A007 > [20906] 1416845377.353847: ccselect module realm chose cache > FILE:/tmp/krb5cc_0 with client principal <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> for server > principal imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> > [20906] 1416845377.353971: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found > [20906] 1416845377.354331: Read AP-REP, time 1416845380.325675, subkey > (null), seqnum 1067232298 > [20906] 1416845396.10173: ccselect module realm chose cache > FILE:/tmp/krb5cc_0 with client principal <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> for server > principal imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> > [20906] 1416845396.10290: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found > [20906] 1416845396.10316: Getting credentials <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> using ccache FILE:/tmp/krb5cc_0 > [20906] 1416845396.10391: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> imap/ > <a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> from FILE:/tmp/krb5cc_0 with > result: 0/Conseguido > [20906] 1416845396.10469: Creating authenticator for <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> > -> imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a>, seqnum 592157704, > subkey aes256-cts/5F4D, session key aes256-cts/A007 > [20906] 1416845396.35033: ccselect module realm chose cache > FILE:/tmp/krb5cc_0 with client principal <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> for server > principal imap/<a href="mailto:zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM" target="_blank">zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM</a> > [20906] 1416845396.35196: Retrieving <a href="mailto:usuipa@FI.EXAMPLE.COM" target="_blank">usuipa@FI.EXAMPLE.COM</a> -> > krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from > FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found > [20906] 1416845396.35293: Read AP-REP, time 1416845399.10477, subkey > (null), seqnum 911725412 > > --------------------------------------- END OF OUTPUT > --------------------------------------------------- This seems okay, Thunderbird got necessary ticket so the problem could be on server side. (Just to be 100% sure: Did you configure network.negotiate-auth option in Thunderbird according to <a href="https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html" target="_blank">https://jpolok.web.cern.ch/jpolok/kerberos-macosx.html</a> ?) > About permissions on keytab file, I have as following: > > ls -l /opt/zimbra/conf/krb5.keytab > -rwxrwxrwx 1 zimbra zimbra 366 nov 20 14:45 /opt/zimbra/conf/krb5.keytab > > Selinux (/etc/selinux/config) > SELINUX=disabled > > What do you think about this?, That it is completely insecure :-) Seriously, keytab contains symmetric cryptographic keys so it should be protected as much as feasible. It is fine for testing purposes (assuming that you do not forget to secure file permissions and generate new keytab before moving it to production). As a next step please raise debug levels on the server and possibly use KRB5_TRACE=/dev/stdout trick for IMAP server process. -- Petr^2 Spacek ------------------------------ _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> End of Freeipa-users Digest, Vol 76, Issue 111 ********************************************** </blockquote></div></div></div> -- <div>Maria José</div> </div> </blockquote></div> -- <div class="gmail_signature">Maria José</div> </div>