Using Kerberos authentication for CERN E-mail services¶
Using Kerberos authentication for CERN E-mail servicesCERN uses Microsoft Exchange to provide E-mail / Collaboration services. Microsoft Exchange provides multiple user authentication mechanisms: NTLM, Username/Password based and also Kerberos.
This documentation outlines the setup process allowing Linux clients to use Kerberos based authentication for CERN E-mail services access.
While the initial installation of required software is specific to CERN SLC6 and SLC5 Linux distributions, the same functionality shall be applicable on any modern Linux platform - configured for CERN Kerberos realm, running at least Thunderbird 10.X with Kerberos authentication enabled (and configured for cern.ch domain), Alpine 2.X (with an SMTP workaround patch, see below) or fetchmail with Kerberos support compiled in..
As root on your SLC5, SLC6 or CC7 system run:
# yum install mozilla-prefs
once installation of required software packages finishes, please restart Thunderbird.
(Note: As of SLC6/5 update of 12.03.2012 mozilla-prefs package is pre-installed on all systems.)
Setup: New account
Setup: Changing existing account authentication methods
On SLC5, SLC6 and CC7 systems alpine has been updated to version containing a workaround patch for Kerberos SMTP authentication, please check that alpine version on your system is at least 2.02-3 by running:
rpm -q alpine(if your system is not SLC5/6 you can find the smtp workaround patch here.)
Before re(starting) alpine please make sure that your ~/.pinerc and system-wide /etc/alpine/pine.conf files do not contain a line saying:
disable-these-authenticators=GSSAPI,PLAINif it does: please change that line to read:
disable-these-authenticators=PLAINAfter starting alpine, you should be no more prompted for the authentication password.
SLC5/SLC6/CC7 fetchmail has the GSSAPI/Kerberos authentication module compiled in:
# fetchmail -v -V This is fetchmail release 6.3.17+GSS+RPA+NTLM+SDPS+SSL+HESIOD+NLS+KRB5. [...]In order to use Kerberos authentication your ~/.fetchmailrc server poll section should be configured as folllows:
[...] poll imap.cern.ch with proto imap auth gssapi: user LOGIN with ssl [...](substitute LOGIN by your login id)
TroubleshootingAfter applying settings described above thunderbird/alpine/fetchmail should not ask you for authentication password(s): If a password prompt still appears, please verify that your Kerberos ticket is valid by running:
# kliston your system. The output should show a valid ticket with expiry date in the future:
Ticket cache: FILE:/tmp/krb5cc_14213_RZEYN11810 Default principal: jpolok@CERN.CH
Valid starting Expires Service principal 08/13/12 14:27:29 08/14/12 14:07:50 krbtgt/CERN.CH@CERN.CH renew until 08/18/12 12:44:34
Note: Above configuration assumes that same account is used for e-mail services and interactive login, if this is not the case local Kerberos ticket acquired for one cannot be used to authenticate other account in CERN Kerberos realm.