Hi, I changed a lot of things, moved accounts to the test environment etc. So now, kinit and klist on the machine where Openfire runs show the expected output. Clients also get their TGT and so on. As you could imagine, SSO doesn't work; I get the following error (warn):
2008.02.28 11:04:56 SaslException
GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:229)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:152)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:173)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.lang.Thread.run(Thread.java:595)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
    ... 18 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES CBC mode with MD5
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
    ... 21 more
I created the keytab with a command like the following:

<code>ktpass -princ xmpp/jabber.test-domain.local@TEST-DOMAIN.LOCAL -pass password -mapuser xmpp-openfire -out xmpp.keytab -ptype KRB5_NT_PRINCIPAL</code>

When I use kinit, I have to type a password; could this be a problem, because the server doesn't do that? Or is it only that I've created the keytab wrong, or the config, or… I'm also not sure about this config:
<provider>
  <authorization>
    *<classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>*
  </authorization>
  <vcard>
    <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
  </vcard>
  <user>
    <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
  </user>
  <auth>
    <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
  </auth>
  <group>
    <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
  </group>
</provider>
The bold line (marked with *) is what I've added. In [http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerberos] there are different versions of that line described:
The Lazy provider has a different name in the different versions of Openfire, as the logic changes.

Openfire Versions    Provider Names
3.3.0 and prior      LazyAuthorizationProvider
3.3.1 and later      LooseAuthorizationProvider
I'm running 3.4.4, so what's to choose here? I hope you have some ideas! ;)
edit:
By the way, I searched through the Java docs for the gss.conf file. From the docs:

<code>storeKey=true useTicketCache=true doNotPrompt=true;</code>
This is an illegal combination since <code>storeKey</code> is set to true but the key can not be obtained either by prompting the user or from the keytab. A configuration error will occur.

<code>keyTab=< filename > doNotPrompt=true;</code>
This is an illegal combination since <code>useKeyTab</code> is not set to true and the <code>keyTab</code> is set. A configuration error will occur.

So that's a conflict, isn't it?
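Added example, not part of the original post or of Openfire: the error above says the acceptor could not find a key of type "DES CBC mode with MD5" (enctype 3, des-cbc-md5 in RFC 3961 numbering) for the service principal in the keytab it loaded. The quickest check is to list which principal/kvno/enctype entries the keytab actually contains. The script below parses the MIT keytab file format (version 0x0502, which ktpass also writes) and reports whether a key of the required enctype exists for the principal named in the ktpass command. The keytab bytes it inspects are constructed in memory for illustration (RC4 and AES256 keys, no DES key); point `parse_keytab` at the bytes of a real `xmpp.keytab` to inspect that instead.

```python
"""Parse a Kerberos keytab (format 0x0502) and check which enctypes it
holds for a service principal.

The acceptor-side error "Cannot find key of appropriate type ... DES CBC
mode with MD5" means the keytab the server loaded has no key of enctype 3
for the service principal.  This lists the entries and checks for one.
The sample keytab below is constructed in memory for illustration.
"""
import struct

# Enctype numbers from RFC 3961 / 3962 / 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
DES_CBC_MD5 = 3         # the enctype named in the error message
KRB5_NT_PRINCIPAL = 1   # the -ptype given to ktpass in the post


def _counted(data, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(blob):
    """Return a list of {principal, name_type, kvno, enctype, key} entries."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, off = [], 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:          # a negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(blob, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", blob, off)
        off += 4
        key = blob[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:    # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, off)
            kvno = kvno32 or vno8
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
            "key": key,
        })
    return entries


def build_keytab(principal, kvno, keys, timestamp=0):
    """Build 0x0502 keytab bytes, one entry per (enctype, key) pair (test data only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(blob, principal, needed_enctype):
    """Return (found, sorted enctypes present) for the given principal."""
    have = sorted({e["enctype"] for e in parse_keytab(blob) if e["principal"] == principal})
    return needed_enctype in have, have


if __name__ == "__main__":
    spn = "xmpp/jabber.test-domain.local@TEST-DOMAIN.LOCAL"
    # Constructed sample: RC4 and AES256 keys for the SPN, but no DES key.
    sample = build_keytab(spn, 3, [(23, b"\x11" * 16), (18, b"\x22" * 32)])
    for e in parse_keytab(sample):
        print(f"{e['kvno']:>4}  {e['principal']}  ({ENCTYPE_NAMES.get(e['enctype'], e['enctype'])})")
    found, have = diagnose(sample, spn, DES_CBC_MD5)
    if not found:
        print(f"no {ENCTYPE_NAMES[DES_CBC_MD5]} key for {spn}; keytab has "
              + ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in have))
```

On a machine with MIT Kerberos installed, `klist -k -e xmpp.keytab` prints the same principal/kvno/enctype list for a real file. The thing to compare is the enctype the error names against the enctypes present for the exact principal string the client requested a ticket for; a keytab that lists the right principal but only other enctypes produces exactly this "Cannot find key of appropriate type" failure.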