Using Kerberos authentication for CERN E-mail services
CERN uses Microsoft Exchange to provide E-mail / Collaboration services. Microsoft Exchange provides multiple user authentication mechanisms: NTLM, Username/Password based and also Kerberos.
This documentation outlines the setup process that allows Linux clients to use Kerberos-based authentication to access CERN E-mail services.
While the initial installation of the required software is specific to the CERN SLC6 and SLC5 Linux distributions, the same functionality should be available on any modern Linux platform that is configured for the CERN Kerberos realm and runs at least Thunderbird 10.X with Kerberos authentication enabled (and configured for the cern.ch domain), Alpine 2.X (with an SMTP workaround patch, see below) or fetchmail with Kerberos support compiled in.
Configuration
Thunderbird
Software installation
As root on your SLC5, SLC6 or CC7 system run:
# yum install mozilla-prefs
Once installation of the required software packages finishes, please restart Thunderbird.
(Note: As of the SLC6/5 update of 12.03.2012, the mozilla-prefs package is pre-installed on all systems.)
Setup: New account
Setup: Changing existing account authentication methods
Alpine
On SLC5, SLC6 and CC7 systems alpine has been updated to a version containing a workaround patch for Kerberos SMTP authentication. Please check that the alpine version on your system is at least 2.02-3 by running:
rpm -q alpine
(if your system is not SLC5/6 you can find the smtp workaround patch here.)
Before (re)starting alpine please make sure that your ~/.pinerc and system-wide /etc/alpine/pine.conf files do not contain a line saying:
disable-these-authenticators=GSSAPI,PLAIN
If it does, please change that line to read:
disable-these-authenticators=PLAIN
After starting alpine, you should no longer be prompted for the authentication password.
Fetchmail
SLC5/SLC6/CC7 fetchmail has the GSSAPI/Kerberos authentication module compiled in:
# fetchmail -v -V
This is fetchmail release 6.3.17+GSS+RPA+NTLM+SDPS+SSL+HESIOD+NLS+KRB5.
[...]
In order to use Kerberos authentication your ~/.fetchmailrc server poll section should be configured as follows:
[...]
poll imap.cern.ch with proto imap auth gssapi: user LOGIN with ssl
[...]
(substitute LOGIN by your login id)
Troubleshooting
After applying the settings described above, thunderbird/alpine/fetchmail should not ask you for authentication password(s). If a password prompt still appears, please verify that your Kerberos ticket is valid by running:
# klist
on your system. The output should show a valid ticket with an expiry date in the future:
Ticket cache: FILE:/tmp/krb5cc_14213_RZEYN11810
Default principal: jpolok@CERN.CH

Valid starting     Expires            Service principal
08/13/12 14:27:29  08/14/12 14:07:50  krbtgt/CERN.CH@CERN.CH
        renew until 08/18/12 12:44:34
Note: The above configuration assumes that the same account is used for e-mail services and interactive login. If this is not the case, the local Kerberos ticket acquired for one account cannot be used to authenticate the other account in the CERN Kerberos realm.
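A pre-flight check for the Alpine setting and the ticket test described above, as an added example that is not part of the original CERN documentation. The function names are hypothetical; the handling of indented continuation lines and the case-insensitive match are assumptions about how list values are written in pinerc files; `klist -s` is the MIT Kerberos silent mode that reports ticket validity through its exit status.

```shell
#!/bin/sh
# Added example, not CERN tooling. Function names are hypothetical.

# gssapi_disabled FILE
# Exit 0 if an active disable-these-authenticators entry in FILE lists GSSAPI,
# exit 1 otherwise (also when FILE is missing or unreadable).
gssapi_disabled() {
    [ -r "$1" ] || return 1
    awk '
        function check(s,    n, i, items) {
            n = split(s, items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", items[i])
                # Assumption: compare case-insensitively to stay conservative.
                if (toupper(items[i]) == "GSSAPI") found = 1
            }
        }
        /^[ \t]*#/ { next }                       # commented-out settings do not count
        /^disable-these-authenticators[ \t]*=/ {
            inlist = 1
            sub(/^[^=]*=/, "")                    # keep only the value part
            check($0); next
        }
        # Assumption: list values may continue on indented lines.
        inlist && /^[ \t]+[^ \t]/ { check($0); next }
        { inlist = 0 }
        END { exit !found }
    ' "$1"
}

# ticket_valid
# Exit 0 if the default credential cache holds an unexpired ticket.
ticket_valid() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# preflight
# Report every condition that would still cause a password prompt.
preflight() {
    rc=0
    ticket_valid || { echo "no valid Kerberos ticket (check klist output)"; rc=1; }
    for f in "$HOME/.pinerc" /etc/alpine/pine.conf; do
        if gssapi_disabled "$f"; then
            echo "$f: GSSAPI is listed in disable-these-authenticators"; rc=1
        fi
    done
    return $rc
}
```

Source the file and call `preflight`; a non-zero return means at least one of the conditions from this page is not met.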