Openfire+Spark - another SSO trouble

I'm trying to set up openfire-3.3.2 and spark-2.5.4 to use SSO.

Platform - linux.

I already have working kerberos, actually all my users login to their workstation using kerberos accounts.

Here is my setup:

Openfire:

I've set up Openfire with internal databases and created the “haizaar” user (besides the “admin” user).

Then I've followed these instructions:

http://wiki.igniterealtime.org/display/WILDFIRE/GSSAPI+Authentication

When Spark tries to connect, I see in stdout.log that xmpp/orion.mydomain.com@MYDOMAIN.COM principal is successfully loaded from keytab. So I assume my setup is right.

Spark:

After running

ln -s /tmp/krb5cc_wdk3kf /tmp/krb5cc_1000

(1000 is my uid), Spark was able to successfully load my TGT and obtain a ticket for xmpp/orion.mydomain.com@MYDOMAIN.COM (I saw this by running klist and in the KDC logs).

In Spark, I've clicked Advanced and entered orion.mydomain.com in the Host field, and flagged “Use single-sign-on…” in the SSO tab.

Everything looked perfect, but when I pressed the “login” button, authentication failed with the following exception listed in Openfire's warn.log:

javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

It looks to me like there is some mismatch in the FQDN/JID/… soup that breaks the whole setup.

My realm is: MYDOMAIN.COM

My domain is: mydomain.com

Server runs on: orion.mydomain.com

Server uses principal: xmpp/orion.mydomain.com

I'm trying to connect as user: haizaar@MYDOMAIN.COM

Also, I'm worried that there is a sign near the “Server Name” field in the Openfire admin console. I've set the Server Name field and the xmpp.domain property to 'orion.mydomain.com'.

Any suggestions?

Here is the conversation between client and server, as captured by Ethereal:

Client request:

<stream:stream to="" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">

Server response:

<?xml version="1.0" encoding="UTF-8"?>

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="orion.mydomain.com" id="28cf13" xml:lang="en" version="1.0">


Server response:



Client request (which looks like a base64-encoded KRB5 auth request):


Server response:


You have things a little mixed up. xmpp.domain is the domain you are using in your JIDs, so mydomain.com for you. You need to set xmpp.fqdn to set the proper hostname (orion.mydomain.com).

That should get things going in the right direction for you.

Set:

xmpp.domain to mydomain.com

xmpp.fqdn to orion.mydomain.com

Same errors.

Where does the JID come into play?

All my users are named like this: haizaar@

Let's make sure the FQDN of the server is correct first:

You need to look up what the reverse DNS entry for your server's IP is. You can do this several ways on Linux:

nslookup 10.12.12.13

host 10.11.12.13

dig -x 10.11.12.13

That name is what belongs in the xmpp.fqdn AND in the service principal name in the keytab (and gss.conf).

If that all checks out, then we need to check into the logs a bit more. Turn on debugging in Openfire, and also in gss.conf (set the debug=true option). You will want to restart the server.

If the error about not getting valid credentials goes away, you need to look for messages about the authorization. This is where the JID comes into play. The principal (user@REALM) needs to be authorized to a username on the server (plain username or username@xmpp.domain). The logs should tell you what is going on here.
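A consistency check for the steps above, written as an added example (not from this thread or from Openfire): it parses constructed `klist -k` output, compares the reverse-DNS name with xmpp.fqdn and the host in the xmpp/ service principal, and applies the user@REALM to username authorization rule. The keytab listing, user set and function names are my own assumptions.

```python
import re

# Constructed sample `klist -k` output (not a real keytab listing).
KLIST_K_OUTPUT = """Keytab name: FILE:/etc/xmpp.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 xmpp/orion.mydomain.com@MYDOMAIN.COM
"""

def keytab_principals(klist_text):
    """Return the principal names listed by `klist -k`."""
    return [line.split()[1] for line in klist_text.splitlines()
            if re.match(r"^\s*\d+\s+\S+@\S+$", line)]

def check_fqdn(ptr_name, xmpp_fqdn, principals, service="xmpp"):
    """Compare the reverse-DNS name with xmpp.fqdn and the keytab SPN.
    Returns a list of problems; an empty list means everything agrees."""
    if not ptr_name:
        return ["server IP has no PTR record; fix DNS before anything else"]
    ptr = ptr_name.rstrip(".").lower()   # dig -x answers end with a dot
    problems = []
    if xmpp_fqdn.lower() != ptr:
        problems.append(f"xmpp.fqdn {xmpp_fqdn!r} does not match PTR {ptr!r}")
    spn_hosts = {p.split("/", 1)[1].split("@", 1)[0].lower()
                 for p in principals if p.startswith(service + "/")}
    if ptr not in spn_hosts:
        problems.append(f"keytab has no {service}/{ptr} key (found {sorted(spn_hosts)})")
    return problems

def authorized_username(principal, realm, xmpp_domain, server_users):
    """Map user@REALM to a server account, either the plain username or
    username@xmpp.domain. Returns the matched account, or None."""
    user, _, prealm = principal.partition("@")
    if prealm != realm:
        return None                      # foreign realm: never authorized
    for candidate in (user, f"{user}@{xmpp_domain}"):
        if candidate in server_users:
            return candidate
    return None

if __name__ == "__main__":
    spns = keytab_principals(KLIST_K_OUTPUT)
    print(check_fqdn("orion.mydomain.com.", "orion.mydomain.com", spns))
    print(check_fqdn("", "orion.mydomain.com", spns))   # the missing-PTR case
    print(authorized_username("haizaar@MYDOMAIN.COM", "MYDOMAIN.COM",
                              "mydomain.com", {"admin", "haizaar"}))
```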

Yes, the PTR record for orion.mydomain.com was missing. After adding it, I have these errors:

Spark immediately throws:

Final handshake failed caused by GSSException: Defective token detected

and then after some time throws this (twice)

java.lang.IllegalStateException: Not connected to server

and then finally gives up

Openfire, with debug enabled both in openfire.xml and gss.conf, shows nothing! And only after Spark gives up does it print:

java.net.SocketTimeoutException: Read timed out

Ethereal shows that the conversation has changed:

After client sends

That challenge/response containing only a single '=' looks very suspicious to me.

On the client, what version of Java? What version of MIT Kerberos are you using?

What is the encryption type in the ticket cache (klist -e will tell you)?

It sounds like Java is unhappy with what it is getting from the ticket cache. There is another post in the forums here that talks about using Java's native interface for GSSAPI; that might be worth trying too.

Also, can you post the GSSAPI token that does get passed from client to server? The error also sounds like that token may be bad or incomplete at best.


The problem was very stupid.

I've modified the Spark startup script as described here:

http://www.igniterealtime.org/forum/thread.jspa?threadID=27282&tstart=25

When I removed -Dsun.security.jgss.native=true, I succeeded in logging in.

So the only things I had missed were the PTR records and the xmpp.* properties.

Thanks a lot for your help!