
I have identified a problem that I cannot solve. I suspect I'm missing something when setting up the service running on CentOS 6 with Windows Server 2003.

First I describe the environment I'm working in and what I'm trying to do, then the problem.

I have a Windows Server 2003 without SP1 whose IP is xxx.xxx.xxx.xxx and whose name is win2003srv2.ejemplo.org.

On this same machine, where I also have the Cyrus IMAP server, I have installed Thunderbird as a mail client for testing.

In the Windows Server 2003 Active Directory I added a new user called imap, which has:

Logon Name: imap/prueba-mail.ejemplo.org@ejemplo.org

Logon name of user (pre-Windows 2000): EJEMPLO\imap0.

Importantly, @ejemplo.org is not in capitals because this is set by default and cannot be modified in the user-creation window.

I have added the SPN for imap; this is the list I have:

C:\Documents and Settings\Administrador>SETSPN -L prueba-mail
Registered ServicePrincipalNames for CN=prueba-mail,CN=Computers,DC=ejemplo,DC=org:
    imap/prueba-mail.ejemplo.org:143
    imap/prueba-mail
    imap/prueba-mail.ejemplo.org
    host/prueba-mail.ejemplo.org
    host/prueba-mail

I also generated the keytab on Windows Server 2003:

C:\Documents and Settings\Administrador\Escritorio\TEST>Ktpass -princ imap/prueba-mail.ejemplo.org@EJEMPLO.ORG -mapuser imap -pass zzzzz -crypto DES-CBC-MD5 -out UNIXimap.keytab
Targeting domain controller: win2003srv2.ejemplo.org
Successfully mapped host/prueba-mail.ejemplo.org to imap0.
Key created.
Output keytab to UNIXimap.keytab:
Keytab version: 0x502
keysize 65 imap/prueba-mail.ejemplo.org@EJEMPLO.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x85589d4fef0d5e20)
Account imap0 has been set for DES-only encryption.

Then I added it to the keytab on the machine where I have the IMAP server.

PROBLEM:

When I log in with Thunderbird, I see in Wireshark (the captures are added at the end of this post) that it requests a TGS ticket for "imap/prueba-mail.ejemplo.org" and does not find it.

Also, if I try to execute this command, the same thing happens:

kvno imap/prueba-mail.ejemplo.org@EJEMPLO.ORG  
kvno: Server not found in Kerberos database while getting credentials for imap/prueba-mail.ejemplo.org@EJEMPLO.ORG

However, kvno imap/prueba-mail@EJEMPLO.ORG works well:

kvno imap/prueba-mail@EJEMPLO.ORG
imap/prueba-mail@EJEMPLO.ORG: kvno = 59

Could that be what I'm missing for the service to be found?

If it can find "imap/prueba-mail@EJEMPLO.ORG", why can't it locate "imap/prueba-mail.ejemplo.org@EJEMPLO.ORG"?

Below I show the contents of krb5.conf and the captures I made with Wireshark; any help is appreciated.

------------------------- /etc/krb5.conf: ------------------------------------------------

[logging]
  default = /var/log/krb5libs.log
  kdc = /var/log/krb5kdc.log
  admin_server = /var/log/kadmind.log

[libdefaults]
        rdns = false
        ignore_acceptor_hostname = true
        default_realm = EJEMPLO.ORG
        dns_lookup_kdc = false
        dns_lookup_realm = false

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
        default_keytab_name = FILE:/etc/krb5.keytab
        allow_weak_crypto = yes
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5
[realms]
        FNR.GUB.UY = {
                kdc = xxx.xxx.xxx.xxx:88
        }

[domain_realm]
.fnr.gub.uy = EJEMPLO.ORG
[login]
        krb4_convert = false

------------------------------------- TGS-REQ ----------------------------------------------

No.     Time        Source                Destination           Protocol Info
   6083 26.329448   yyy.yyy.yyy.yyy       xxx.xxx.xxx.xxx       KRB5     TGS-REQ

Frame 6083 (647 bytes on wire, 647 bytes captured)
    Arrival Time: Jul 26, 2013 11:24:05.747386000
    [Time delta from previous captured frame: 0.012354000 seconds]
    [Time delta from previous displayed frame: 26.329448000 seconds]
    [Time since reference or first frame: 26.329448000 seconds]
    Frame Number: 6083
    Frame Length: 647 bytes
    Capture Length: 647 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_13:dd:bd (08:00:27:13:dd:bd), Dst: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
    Destination: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 633
    Identification: 0x43c1 (17345)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xa9c2 [correct]
        [Good: True]
        [Bad : False]
    Source: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 58790 (58790), Dst Port: kerberos (88)
    Source port: 58790 (58790)
    Destination port: kerberos (88)
    Length: 613
    Checksum: 0x4d67 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E8201C6308201C2A003020105A10302010EA20703050000... AP-REQ
                Pvno: 5
                MSG Type: AP-REQ (14)
                Padding: 0
                APOptions: 00000000
                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                    ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                Ticket
                    Tkt-vno: 5
                    Realm: EJEMPLO.ORG
                    Server Name (Service and Instance): krbtgt/EJEMPLO.ORG
                        Name-type: Service and Instance (2)
                        Name: krbtgt
                        Name: EJEMPLO.ORG
                    enc-part rc4-hmac
                        Encryption type: rc4-hmac (23)
                        Kvno: 2
                        enc-part: 0ACDE6D2981DBF829935A102CB4A7700DD762C8CFFC4B183...
                Authenticator des-cbc-md5
                    Encryption type: des-cbc-md5 (3)
                    Authenticator data: 86588D7C6AA08BE142100084FBBB0968878E567AE10228B0...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Realm: EJEMPLO.ORG
        Server Name (Service and Host): imap/prueba-mail.ejemplo.org
            Name-type: Service and Host (3)
            Name: imap
            Name: prueba-mail.ejemplo.org
        till: 2013-07-27 00:14:39 (UTC)
        Nonce: 1374848677
        Encryption Types: des-cbc-md5
            Encryption type: des-cbc-md5 (3)

------------------------------------------ Reply -----------------------------------------

No.     Time        Source                Destination           Protocol Info
   6084 26.330599   xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       KRB5     KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 6084 (171 bytes on wire, 171 bytes captured)
    Arrival Time: Jul 26, 2013 11:24:05.748537000
    [Time delta from previous captured frame: 0.001151000 seconds]
    [Time delta from previous displayed frame: 0.001151000 seconds]
    [Time since reference or first frame: 26.330599000 seconds]
    Frame Number: 6084
    Frame Length: 171 bytes
    Capture Length: 171 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Ibm_a5:b3:46 (00:09:6b:a5:b3:46), Dst: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
    Destination: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 157
    Identification: 0x1ed3 (7891)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0xd08c [correct]
        [Good: True]
        [Bad : False]
    Source: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Destination: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 58790 (58790)
    Source port: kerberos (88)
    Destination port: 58790 (58790)
    Length: 137
    Checksum: 0xf316 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2013-07-26 14:24:37 (UTC)
    susec: 524733
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: EJEMPLO.ORG
    Server Name (Service and Host): imap/prueba-mail.ejemplo.org
        Name-type: Service and Host (3)
        Name: imap
        Name: prueba-mail.ejemplo.org
    e-data
Maria José
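As an added example (not part of the original post), a Python parser for the 0x502 keytab format that ktpass wrote above: it lists each entry's principal, kvno and enctype without ever exposing the key bytes, then checks that every keytab principal has an exactly matching SPN in a setspn -L style list and flags single-DES enctypes. The sample keytab is constructed here with the thread's principal, etype and kvno and an all-zero placeholder key; the SPN list and build_entry serializer are this example's own.

```python
import struct
# RFC 3961 enctype numbers; single DES (1, 3) is weak and refused by default by current MIT/Heimdal
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def _counted(buf, off):
    # counted_octet_string: uint16 big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-0x502 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02": raise ValueError("not a 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            off = end; continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _ntype, _stamp, vno, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                   # step over the key bytes; never log key material
        if end - off >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            vno = struct.unpack_from(">I", data, off)[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in (1, 3)})
        off = end
    return entries

def check_keytab(data, registered_spns):
    # SPN matching in AD is case-insensitive, so compare lower-cased service/host strings
    spns, findings = {s.lower() for s in registered_spns}, []
    for e in parse_keytab(data):
        if e["principal"].split("@")[0].lower() not in spns:
            findings.append(f"{e['principal']}: no SPN with this exact service/host")
        if e["weak"]:
            findings.append(f"{e['principal']}: weak enctype {e['enctype']}")
    return findings

def build_entry(comps, realm, vno, etype, key):  # serializer, used only to build the constructed sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: the principal, etype and kvno from the ktpass output, with an all-zero placeholder key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry([b"imap", b"prueba-mail.ejemplo.org"], b"EJEMPLO.ORG", 4, 3, b"\x00" * 8)
```

Running check_keytab(SAMPLE_KEYTAB, spns) with the five SPNs from the setspn -L output above yields only the weak-enctype finding; dropping the FQDN SPN from the list adds a "no SPN with this exact service/host" finding for the keytab principal.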