I am using Openfire 3.6.3 on Ubuntu Linux 8.10 amd64. I am trying to use GSSAPI authentication from Pidgin 2.5.2 with a UNIX KDC. Users are in an OpenLDAP directory. According to the XML Console in Pidgin, Openfire advertises both GSSAPI and PLAIN SASL mechanisms. PLAIN authentication works correctly with Openfire authenticating the password against the LDAP directory, but GSSAPI does not. Pidgin does first attempt GSSAPI and sends an initial request to Openfire who returns failure: not-authorized. According to klist, a service ticket was acquired for xmpp/jabber.example.com/EXAMPLE.ORG which is the same principal configured in /etc/openfire/gss.conf and in the keytab /etc/openfire/krb5.keytab. The keytab contains one key for des3-cbc-sha1:normal. I have the server property sasl.gssapi.debug set to true and the debug log enabled, but the only relavent information I can find in the logs is in the warn log and is “User Login Failed. Failure to initialize security context.” I can’t seem to get anymore debugging information out or figure out why GSSAPI isn’t working.
Can you paste the debug log somewhere? Or maybe send it to me privately if you dont want it public? Without seeing that, it will be hard to troubleshoot.
A few things to check:
Can the server read the keytab? If openfire is not running as root, it cannot typically read from /etc/krb5.keytab, so a different keytab file with different permissions/ownership will be needed.
Do the krb5 principals match up with the JIDs? For example, is the kerberos principal jdoe@EXAMPLE.COM the JID jdoe@example.com? Or does it map in some other way?