Skip to content

Using Kerberos authentication for CERN E-mail services

Using Kerberos authentication for CERN E-mail services

CERN uses Microsoft Exchange to provide E-mail / Collaboration services. Microsoft Exchange provides multiple user authentication mechanisms: NTLM, Username/Password based and also Kerberos.

This documentation outlines the setup process allowing Linux clients to use Kerberos based authentication for CERN E-mail services access.

While the initial installation of required software is specific to CERN SLC6 and SLC5 Linux distributions, the same functionality shall be applicable on any modern Linux platform - configured for CERN Kerberos realm, running at least Thunderbird 10.X with Kerberos authentication enabled (and configured for cern.ch domain), Alpine 2.X (with an SMTP workaround patch, see below) or fetchmail with Kerberos support compiled in..

Configuration

Thunderbird

Software installation

As root on your SLC5, SLC6 or CC7 system run:
# yum install mozilla-prefs
once installation of required software packages finishes, please restart Thunderbird.
(Note: As of SLC6/5 update of 12.03.2012 mozilla-prefs package is pre-installed on all systems.)

Setup: New account

After starting thunderbird (Menu -> Applications -> Internet -> Thunderbird E-mail) new e-mail account setup screen will appear

Enter Firstname Surname in Your name

Enter Firstname.Surname@cern.ch in Email address

Leave Password field empty and click Continue

Thunderbird autoconfiguration mechanism will find most of needed server settings, except SMTP/IMAP Kerberos authentication which is not default at CERN as of September 2012

Leave Password field empty and click Manual config

Manual configuration dialog will appear

Leave Password field empty and click Re-test

Thunderbird autoconfiguration mechanism will find Kerberos / GSSAPI for both IMAP and SMTP servers.

Leave Password field empty and click Create Account to finish configuration.

Setup: Changing existing account authentication methods

After starting thunderbird, select Edit -> Account Settings -> Server Settings

Change Authentication method to Kerberos / GSSAPI

Click OK to save changes.

Select Edit -> Account Settings -> Outgoing Server (SMTP) -> Edit

Change Authentication method to Kerberos / GSSAPI

Click OK to save changes.

Alpine

On SLC5, SLC6 and CC7 systems alpine has been updated to version containing a workaround patch for Kerberos SMTP authentication, please check that alpine version on your system is at least 2.02-3 by running:
rpm -q alpine
(if your system is not SLC5/6 you can find the smtp workaround patch here.)

Before re(starting) alpine please make sure that your ~/.pinerc and system-wide /etc/alpine/pine.conf files do not contain a line saying:

disable-these-authenticators=GSSAPI,PLAIN
if it does: please change that line to read:
disable-these-authenticators=PLAIN
After starting alpine, you should be no more prompted for the authentication password.

Fetchmail

SLC5/SLC6/CC7 fetchmail has the GSSAPI/Kerberos authentication module compiled in:
# fetchmail -v -V
This is fetchmail release 6.3.17+GSS+RPA+NTLM+SDPS+SSL+HESIOD+NLS+KRB5.
[...]
In order to use Kerberos authentication your ~/.fetchmailrc server poll section should be configured as folllows:
[...]
poll imap.cern.ch with proto imap auth gssapi:
    user LOGIN with ssl
[...]
(substitute LOGIN by your login id)

Troubleshooting

After applying settings described above thunderbird/alpine/fetchmail should not ask you for authentication password(s): If a password prompt still appears, please verify that your Kerberos ticket is valid by running:
# klist
on your system. The output should show a valid ticket with expiry date in the future:
Ticket cache: FILE:/tmp/krb5cc_14213_RZEYN11810
Default principal: jpolok@CERN.CH

Valid starting     Expires            Service principal
08/13/12 14:27:29  08/14/12 14:07:50  krbtgt/CERN.CH@CERN.CH
        renew until 08/18/12 12:44:34
        

Note: Above configuration assumes that same account is used for e-mail services and interactive login, if this is not the case local Kerberos ticket acquired for one cannot be used to authenticate other account in CERN Kerberos realm.