
Linux SSO issue (yep, another!)

Hi,

I’ve been trying, and failing, to get SSO to work using the latest Openfire server (3.5.0 RC1) - having tried 3.4.5. It’s running on SLES10 and I’m trying to access it using Spark on a SuSe 10.2 client. The Kerberos environment used is MIT running on Solaris (yup, we love Unix) - which is working fine, as we use it for SSO to our workstations and servers, as well as using it for Kerberos HTTP(S) authentication to our web server (which is running on the same server as Openfire). I’m pretty sure (99.9999%-ish) I’ve got everything configured correctly, but I’m getting the following error (which seems to indicate that the service keytab is not being acknowledged, or sent, properly): "No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)"

Now when I was checking the available docs for the umpteenth time I came across this little snippet (I missed it before, as it was under a section regarding DNS and we use krb5.conf files):

Multi-homed servers (servers with more than one IP address) are not supported with SSO at this time, but if you know what you are doing it may be possible.

Now the server I have installed Openfire on is most certainly multi-homed, having 3 separate IP addresses. So my question is (yes, I’m finally getting to it): is the above statement still true? If so, I’m boned.

Incidentally, is there a way of setting Spark’s Kerberos settings, e.g. a gss.conf file equivalent - I would like to get it to store the service ticket in my ticket cache, so that I can at least verify I’m obtaining it correctly (the log file on the KDC seems to indicate I am, but I’d like to be sure).

Java’s implementation of Kerberos is lacking in multi-homed support, so it’s really beyond our control. It can work if you are careful, since we specify what name to use (most Kerberized services get that from the hostname). But you will only be able to do SSO on a single hostname. Your best bet is to go with Java 6, since it will have the most improvements for that sort of thing. I would be interested in “fixing” this issue as best as possible, so if you are up for some one-on-one chat, send me a private message with your contact details and we can work something out. I live at GMT-0500.

Spark’s config is all done dynamically, so there is no gss.conf. And Java won’t store the ticket in your cache anyway; I never understood why. MIT’s KDC is pretty good with its logs, they can be trusted. What version are you running on the KDC?

Thanks for the reply, and sorry this follow-up is a bit tardy - due to the usual sysadmin woes of servers crashing, users moaning, etc.

Due to my IM install requirement being rather urgent (aren’t they all), I’ve re-installed Openfire on a purloined/new server that only has one network connection. The good news is that SSO works on this server. I’ve also managed to hack Spark so that it works with SSO automatically and modified the startup script to create a Kerberos ticket cache file that Spark is expecting (/tmp/krb5cc_<uid> rather than the /tmp/krb5cc_<uid>_<random> we get from pam_krb5) - so I’m currently in a happy place.

As soon as I get the time, I’ll have another go at getting it to work on the multi-homed server and let you know how I get on. It might be a few weeks though, as I’m soon off ski touring for a fortnight.
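The startup-script change described in the post above (building the /tmp/krb5cc_<uid> cache Spark expects from the /tmp/krb5cc_<uid>_<random> cache pam_krb5 leaves behind), as an added example that is not the poster's script; the function name, the cache directory argument and the wrapper usage are assumptions:

```shell
#!/bin/sh
# Added example (not the poster's script): prepare the credential cache
# Spark looks for (DIR/krb5cc_UID) from a pam_krb5-style cache
# (DIR/krb5cc_UID_<random>). Function name and arguments are assumptions.

# spark_krb5_cache DIR UID
# Uses the cache named by KRB5CCNAME if it exists, otherwise the newest
# DIR/krb5cc_UID_* file; copies it to DIR/krb5cc_UID with owner-only
# permissions and prints the resulting path. Returns 1 if no cache exists.
spark_krb5_cache() {
    dir="$1"
    uid="$2"
    target="$dir/krb5cc_$uid"

    # pam_krb5 exports KRB5CCNAME as FILE:/path; strip the prefix
    src="${KRB5CCNAME#FILE:}"
    if [ -z "$src" ] || [ ! -f "$src" ]; then
        # fall back to the most recently modified pam_krb5-style cache
        src=$(ls -t "$dir"/krb5cc_"$uid"_* 2>/dev/null | head -n 1)
    fi
    if [ -z "$src" ] || [ ! -f "$src" ]; then
        echo "no Kerberos cache found for uid $uid in $dir" >&2
        return 1
    fi

    # already the file Spark expects: nothing to copy
    if [ "$src" != "$target" ]; then
        # copy (not symlink) so Spark never modifies the pam-managed cache,
        # and create the copy unreadable to other users from the start
        ( umask 077 && cp "$src" "$target" ) || return 1
    fi
    chmod 600 "$target"
    echo "$target"
}

# Typical use from a Spark startup wrapper (cache dir and Spark path assumed):
#   KRB5CCNAME="FILE:$(spark_krb5_cache /tmp "$(id -u)")" && exec /opt/Spark/Spark
```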

I have a server with multiple names (only one IP) and SSO wouldn’t work with that setup for me.

I tested setting up aliases for my NIC and that seems to work. Not sure if that would work for you or not.

Okay I’ve got SSO working on a multi-homed host. As long as a separate IP address is used rather than a CNAME entry, everything seems to work fine.

I used xmpp.example.co.uk as the server hostname and xmpp/xmpp.example.co.uk as the Kerberos principal. I have tested that the server works when configured on an available interface, as well as a virtual interface. Surprisingly enough, it was all rather painless.

That isn’t really a multi-homed setup: the server is, but you’ve forced Openfire to use only a single address, which works quite well. The problem is getting Openfire to be multi-homed with SSO. There are a few hacks, I think, but I’ve not had the opportunity to play with such a setup in quite some time now.