I’m using NethServer 6.5 in production at the company I’m working for.
NS is joined to AD 2008 R2 (nobody’s perfect…)
I’ve installed a Groupware solution with the nethserver-sogo packages and everything is working well.
Sometimes, something blocks dovecot (BIG problem because of the crash of SOGo and Thunderbird), and the logs say:
Mar 18 16:06:00 dmz1 dovecot: auth-worker(53032): Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Requested effective lifetime is negative or too short)
I’ve tried signal-event nethserver-mail-* but nothing new.
Another lead is the date: in my case, NethServer is virtualized with Hyper-V, which automatically updates the time from the hypervisor… AD has 5 minutes more than NS…
I’ve set up NTP on those 2 machines and I’m trying to reproduce the bug…
To get around the bug, I need to reboot the server.
I can see there is a problem with the Kerberos ticket, which seems to be expired, as the dovecot logs say:
    Mar 25 16:42:55 dmz1 dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
There is a socket file for kerberos in /tmp…
Just after rebooting, I can see this in the dovecot log file:
Mar 25 16:45:58 dmz1 dovecot: master: Dovecot v2.1.16 starting up (core dumps disabled)
It confirms that the krb5cc_xx file is created when the service comes up:
-rw-------. 1 postfix root 3451 Mar 25 13:04 krb5cc_89
-rw-------. 1 dovecot root 3451 Mar 25 16:45 krb5cc_97
I need to see whether a file is present when the bug is reproduced… If anyone has ideas…
This seems to be a different problem: now the ticket is completely expired. The /etc/cron.hourly/smbads_tgt should check it every hour and refresh it when it is about to expire. As a temporary workaround, maybe service dovecot restart is enough.
Has the AD machine been down for a while?
Could you dig into /var/log/messages and /var/log/maillog?
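
One way to do the log digging asked for above, as an added example that is not part of the original thread: it groups dovecot GSSAPI bind failures by the minor-code text and reports when each was first and last seen, which can then be compared against the hourly ticket refresh. The function names `summarize_gssapi` and `sample_log` are hypothetical, and the sample lines are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): group dovecot GSSAPI bind failures
# by the minor-code text found in the final parentheses of each log line.

# Constructed sample input, modelled on the lines quoted in the thread.
sample_log() {
    cat <<'EOF'
Mar 18 16:06:00 dmz1 dovecot: auth-worker(53032): Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Requested effective lifetime is negative or too short)
Mar 25 16:40:01 dmz1 dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Mar 25 16:42:55 dmz1 dovecot: auth: Error: LDAP: binding failed (dn (none)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Mar 25 16:45:58 dmz1 dovecot: master: Dovecot v2.1.16 starting up (core dumps disabled)
EOF
}

# Usage: summarize_gssapi /var/log/maillog   (or pipe log lines on stdin)
# Output columns (tab-separated): reason, count, first seen, last seen
summarize_gssapi() {
    awk '
    /dovecot: auth/ && /GSSAPI Error/ {
        reason = $0
        sub(/[)][^)]*$/, "", reason)   # drop the closing ")" at end of line
        sub(/.*[(]/, "", reason)       # keep only the text after the last "("
        ts = $1 " " $2 " " $3          # syslog timestamp: month day time
        if (!(reason in count)) first[reason] = ts
        count[reason]++
        last[reason] = ts
    }
    END {
        for (r in count)
            printf "%s\t%d\t%s\t%s\n", r, count[r], first[r], last[r]
    }' "$@" | sort
}

# Demonstration on the constructed sample; startup lines are ignored.
sample_log | summarize_gssapi
```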