Openfire+ad+kerberos+spark

Hi everybody,

I have decided to authenticate my Spark, Openfire and AD via the Kerberos protocol. I have done step by step what is described in the guide, but the Spark connection with SSO failed. In the Kerberos logs I can see

TGS_REQ (5 etypes {3 1 23 16 17}) 192.168.3.44: PROCESS_TGS: authtime 0, for , No matching key in entry

In the Spark error log I've got

SASL authentication failed: -- caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - PROCESS_TGS)] at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:121) at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86) at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319) at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203) at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014) at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219) at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730) at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141) at java.lang.Thread.run(Unknown Source)Nested Exception: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - PROCESS_TGS)] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) at org.jivesoftware.smack.sasl.SASLMechanism.authenticate(SASLMechanism.java:117) at org.jivesoftware.smack.sasl.SASLGSSAPIMechanism.authenticate(SASLGSSAPIMechanism.java:86) at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:319) at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203) at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014) at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219) at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730) at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141) at java.lang.Thread.run(Unknown Source)Caused by: GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - PROCESS_TGS) at 
sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) ... 10 moreCaused by: KrbException: Generic error (description in e-text) (60) - PROCESS_TGS at sun.security.krb5.KrbTgsRep.(Unknown Source) at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) ... 13 moreCaused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(Unknown Source) at sun.security.krb5.internal.TGSRep.init(Unknown Source) at sun.security.krb5.internal.TGSRep.(Unknown Source) ... 18 more

Openfire and Kerberos are installed on a Debian server; Spark is a Windows client.

Any help would be welcome.

maybe this will help

http://community.igniterealtime.org/message/218449#218449

Unfortunately nothing has changed. I've changed the Java version to 7, but I still have this in the Kerberos logs:

krb5kdc[1808](info): TGS_REQ (5 etypes {3 1 23 16 17}) 192.168.3.44: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, No matching key in entry

Where 192.168.3.44 is the Spark IP.

Principals for the user who runs Openfire have been added.

I have no idea what to do.

To be honest, I haven't had much luck getting Linux to work with SSO. However, I've been able to get SSO to work 100% in an all-Windows environment. Double-check DNS and make sure you have a PTR record. Also, you may want to double-check your keytab file.

I have a strong feeling that I've done something wrong with users or server names. My conf is like this:

ad

  • mk.local

openfire

  • server - bu.mk.local
  • user that runs chat server - openfire
  • principals - openfire/bu.mk.local@MK.LOCAL

kerberos

  • kdc = krb.mk.local
  • admin_server = krb.mk.local

dns and hosts

  • added record for bu.mk.local in dns
  • added line in /etc/hosts (chat and kerberos are located on the same machine) - krb.mk.local
  • added line in hosts on spark client computer

Is that correct? Maybe I should add some users to AD?
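The reply above suggests double-checking the keytab; this added Python example (not from the thread, and not Openfire or Spark code) shows how to do that offline: it pulls the offered etypes out of the krb5kdc line quoted earlier, decodes an MIT keytab, and lists which of those etypes the keytab holds for the service principal from this post, openfire/bu.mk.local@MK.LOCAL. The keytab bytes are a constructed sample holding only an aes256 (etype 18) key, so nothing overlaps the client's offer of {3 1 23 16 17}; to check a real file, pass open("/path/to/openfire.keytab", "rb").read() to parse_keytab instead.

```python
import re
import struct
# Constructed sample inputs: the krb5kdc line quoted in this thread and the service principal from the poster's config.
LOG_LINE = ("krb5kdc[1808](info): TGS_REQ (5 etypes {3 1 23 16 17}) 192.168.3.44: "
            "PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, No matching key in entry")
SERVICE = "openfire/bu.mk.local@MK.LOCAL"
# Constructed MIT keytab (format 0x0502): one entry for SERVICE, kvno 2, etype 18 (aes256), dummy key bytes.
SAMPLE_KEYTAB = (b"\x05\x02" + b"\x00\x00\x00\x54"                                            # version, entry size 84
    + b"\x00\x02" + b"\x00\x08MK.LOCAL" + b"\x00\x08openfire" + b"\x00\x0b" + b"bu.mk.local"  # 2 components, realm, components
    + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x02" + b"\x00\x12"                        # name type, timestamp, 8-bit kvno, etype
    + b"\x00\x20" + b"\x11" * 32 + b"\x00\x00\x00\x02")                                        # 32-byte key, optional 32-bit kvno

def parse_tgs_req_etypes(log_line):
    """Etypes the client offered: '{3 1 23 16 17}' -> [3, 1, 23, 16, 17] (1/3 DES, 23 RC4, 16 3DES, 17 AES128); [] if not a TGS_REQ line."""
    m = re.search(r"TGS_REQ \(\d+ etypes \{([\d ]+)\}\)", log_line)
    return [int(x) for x in m.group(1).split()] if m else []
def _cstr(blob, off):  # counted octet string: 16-bit big-endian length, then the bytes -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", blob, off)
    return blob[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Decode an MIT keytab into (principal, kvno, etype) tuples; key bytes are skipped and never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size <= 0:                            # negative size marks a deleted slot; zero means corrupt data
            off += -size if size else len(blob)  # skip the deleted slot, or leave the loop on corruption
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _cstr(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(blob, off)
            comps.append(comp.decode())
        _name_type, _stamp, vno8, etype = struct.unpack_from(">IIBH", blob, off)
        _key, off = _cstr(blob, off + 11)
        vno = struct.unpack_from(">I", blob, off)[0] if end - off >= 4 else 0  # 32-bit kvno is optional
        entries.append(("/".join(comps) + "@" + realm.decode(), vno or vno8, etype))
        off = end
    return entries

def matching_etypes(keytab_entries, principal, offered):
    """Etypes the keytab holds for `principal` that the client also offered; an empty list means no usable key."""
    have = {etype for name, _, etype in keytab_entries if name == principal}
    return sorted(have & set(offered))
print(matching_etypes(parse_keytab(SAMPLE_KEYTAB), SERVICE, parse_tgs_req_etypes(LOG_LINE)))  # []
```

An empty result here only shows that the keytab side cannot serve any etype the client asked for; the KDC's own database entry for the principal is what the log line is actually reporting on, so keep both in step (same principal name, same kvno, same etypes).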