
I have to renew tickets manually in my server terminal for users to have access to their mail accounts. I am using Kerberos as login authentication to access a local mail server. My local machine has a name of remote.X.pt and is providing mail to a domain of X.pt (@X.pt) which is being used in my ISP mail server. Right now I am just able to send mail from my mail clients, but I have not figured out yet how to receive mail; but I believe that the problem may not be related to this.

There is a timeout on tickets, and users can no longer use their accounts.

Another basic thing that I don't understand is, is there not supposed to be a ticket per person--if no, then why when I do kinit for several users and then klist, I only see the last ticket placed--or is there a credential per user and a ticket for several credentials?

How can I renew the tickets/credentials automatically when users try to login from their clients?

bourneN5years
marafado88
  • Are both OSX versions (on the server and clients), as well as the Server.app version (relative to the OS build) all the same? I have noticed that some services don't work correctly at all if the versions are not compatible. I would assume Kerberos would be the same way, as well as any other things involved like single-sign-on, etc. – bourneN5years Oct 26 '16 at 22:07
  • Thanks for the reply bourneN5years. I am using a 10.9.5 version of OSX from 2013 and my server app is in version 3.2.2 (cannot confirm the release date). If it was not compatible it wouldn't be possible to install, right? It was not me who installed the server app in this OS X. – marafado88 Oct 27 '16 at 08:22
  • According to this [wiki](https://en.wikipedia.org/wiki/MacOS_Server#OS_X_10.9_.28Mavericks_Server.29) that server is using Postfix 2.9.4. Can you please also say which OSX version are the clients, or if they are using other operating systems. – bourneN5years Oct 27 '16 at 19:19
  • Also, I notice that you have tagged the post "roundcube," so does that mean you are using [Roundcubemail](https://github.com/roundcube/roundcubemail) for web access on the clients? Also which authentication are you using: Open Directory, Active Directory, or "Custom values" e.g. and/or which combination, so far we know only Kerberos. – bourneN5years Oct 27 '16 at 19:26
  • Thanks for the reply bourneN5years. I have tried only in this OSX, through roundcubemail and Mail app, both connected to my mail service. My Mail service is using Open Directory, which allows Kerberos, CRAM-MD5 and MD5. In my OSX I only have Kerberos users. My idea is to use just Kerberos for users that are using both Windows (Outlook) and Macs (Mail apps) in this network. – marafado88 Oct 28 '16 at 10:21

1 Answer


Most likely the clocks are out of sync on your clients and servers, or they are using different NTP Servers, or the ticket-life is way too short in your Kerberos settings; it explains how to extend Kerberos ticket life in this Apple forum on Kerberos.

The link above covers some of the most-very-basic problems in configuration. I would recommend doing some research of your own and also seeing if you have the mail server configuration correct, because you have many other options for authentication that are simpler for many users (for example Open Directory).

Pending more information about your complete authentication method as commented above, it sounds like there are problems with your Kerberos setup. As well, your question contains many sub-questions which are more suitable to a wiki or to break out into more separate questions after you know more about serving mail on OSX Server in general. There is quite a bit of duplicate discussion about klist online, including even here on https://serverfault.com/search?q=klist.

bourneN5years
  • Thanks for the reply bourneN5years. I am using a ticket-life of 10 hours.

    ```
    remote:~ root# date
    Fri 28 Oct 2016 11:27:06 WEST
    remote:~ root# kinit teste2@X.PT
    teste2@X.PT's Password:
    remote:~ root# klist
    Credentials cache: API:8A47F46D-063F-4536-8688-7006EB1F38D8
            Principal: teste2@X.PT

      Issued                Expires               Principal
    Oct 28 11:27:12 2016  Oct 28 21:27:10 2016  krbtgt/X.PT@X.PT
    ```

    It is my first time setting up a mail server and on OSX server. – marafado88 Oct 28 '16 at 10:28
  • I forgot to say, but I have configured my mail server through that tutorial that you have posted, and Kerberos through this (https://www.yesdevnull.net/2013/10/os-x-mavericks-server-open-directory-master/) – marafado88 Oct 28 '16 at 13:17
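
An added example (not part of the original answer or comments): a Python check for the two causes the answer names, short ticket life and clock skew, run over `klist` output in the layout posted in the comment above. The sample text is constructed from that comment, the 5-minute skew tolerance is the usual Kerberos default, and `parse_klist`, `assess` and `renew_margin` are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: klist output laid out as in the comment above.
SAMPLE_KLIST = """\
Credentials cache: API:8A47F46D-063F-4536-8688-7006EB1F38D8
        Principal: teste2@X.PT

  Issued                Expires               Principal
Oct 28 11:27:12 2016  Oct 28 21:27:10 2016  krbtgt/X.PT@X.PT
"""

MAX_SKEW = timedelta(minutes=5)  # usual default Kerberos clock-skew tolerance
STAMP = r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
TICKET_RE = re.compile(STAMP + r" +" + STAMP + r" +(\S+)")
FMT = "%b %d %H:%M:%S %Y"

def parse_klist(text):
    """Return (client_principal, [(issued, expires, service), ...]).

    One credentials cache carries a single client principal; the rows
    below the header are the tickets held for that principal.
    """
    m = re.search(r"^\s*Principal:\s*(\S+)", text, re.MULTILINE)
    client = m.group(1) if m else None
    tickets = [(datetime.strptime(i, FMT), datetime.strptime(e, FMT), s)
               for i, e, s in TICKET_RE.findall(text)]
    return client, tickets

def assess(text, now, renew_margin=timedelta(hours=1)):
    """Classify each ticket in one cache relative to local time `now`."""
    client, tickets = parse_klist(text)
    report = []
    for issued, expires, service in tickets:
        if issued - now > MAX_SKEW:
            # Heuristic: a ticket stamped well ahead of the local clock
            # suggests this host and the KDC disagree about the time.
            state = "clock-skew"
        elif now >= expires:
            state = "expired"
        elif expires - now <= renew_margin:
            state = "renew-soon"
        else:
            state = "ok"
        report.append({"client": client, "service": service,
                       "lifetime": expires - issued, "state": state})
    return report
```

Running `assess` against the local clock on both the server and a client shows whether the configured ticket life is what the KDC actually issues and whether the two hosts agree on the time.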