Google is your friend.
That appears to be a good article.
This is also pretty much exactly my setup, so I will give some details on what I did, especially since I could never really find a guide to match my setup when I did this. These are my notes, and I wrote them while making sure I could reproduce my SSO setup.
- On the Debian server, install krb5-config, krb5-client and samba (for time syncing).
- Sync time with your DC: net time set server=yourdc.fqdn.com
- Edit /etc/krb5.conf to look like the attached.
- Create a keytab on the DC using the notes below.
- Copy the keytab to your Linux machine and put it in the Openfire dir /opt/openfire/resources/
- Edit openfire.xml with the attached edits.
- Create gss.conf to match the attached.
I also changed settings to remove my domain information, so you will need to edit for your environment.
First create a new domain user (openfire_username).
On your DC run the command setspn -l openfire_username
If any keytabs exist for the user, delete them with setspn -d xmpp/debian.f.q.d.n openfire_username
I couldn’t get this to work with the w2k3 ktpass tool and downloaded the one from 2000 server.
ktpass -princ xmpp/debian.f.q.d.n@MY.DOMAIN.COM -mapuser openfire_username -pass PASSWORD -out unique_filename
In the above, debian.f.q.d.n is the FQDN of your Linux server, and in my attached files, case does matter.
After that I used the spark.properties on my client machine to replace the existing spark.properties, then started Spark up and am able to connect.
I make no guarantees that this will work for you. My Openfire server is 3.5.1 and I am running Debian etch. For Kerberos, time is crucial, as are DNS entries, so the time on the server should be very close to your DC (that’s why I sync it with cron daily). I also couldn’t get this to work when I had multiple DNS names pointing to the same machine.
Hope it helps.
server_krb5.conf.zip (752 Bytes)
gss.conf.zip (332 Bytes)
openfire.xml.zip (1414 Bytes)
spark.properties.zip (655 Bytes)
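The post above stresses that principal case, clock skew and the keytab contents are what usually break this kind of Kerberos SSO setup. The script below is an added example of sanity checks for those three points; it is not part of the original post or of Openfire. It assumes the realm MY.DOMAIN.COM and host debian.f.q.d.n from the post, a keytab file name openfire.keytab (the post leaves the name open), and a constructed `klist -k` listing as sample input.

```sh
#!/bin/sh
# Added sanity checks for the Kerberos SSO setup in the post above.
# Assumptions: realm MY.DOMAIN.COM, host debian.f.q.d.n (both from the post);
# the keytab file name and the sample klist output below are constructed.

KRB5_MAX_SKEW=300   # MIT Kerberos default clockskew, in seconds

# principal_ok PRINCIPAL
# True when the SPN has the form service/host@REALM with a lowercase service,
# a lowercase fully qualified host and an uppercase realm (case matters).
principal_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]+/[a-z0-9.-]+\.[a-z0-9-]+@[A-Z0-9.-]+$'
}

# skew_ok LOCAL_EPOCH DC_EPOCH
# True when the two clocks differ by no more than KRB5_MAX_SKEW seconds,
# i.e. the DC will still accept tickets from this host.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$KRB5_MAX_SKEW" ]
}

# keytab_has KLIST_OUTPUT PRINCIPAL
# True when the output of `klist -k` lists PRINCIPAL. Entry lines start with
# a numeric KVNO followed by the principal, so header lines are skipped.
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Constructed sample of `klist -k` output for the keytab copied to
# /opt/openfire/resources/ (file name is an assumption, not from the post).
SAMPLE_KLIST='Keytab name: FILE:/opt/openfire/resources/openfire.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 xmpp/debian.f.q.d.n@MY.DOMAIN.COM'

# Live checks for an actual server; run manually, not at load time.
live_checks() {
    principal_ok "$1" || { echo "bad principal form: $1"; return 1; }
    keytab_has "$(klist -k "$2")" "$1" || { echo "principal not in $2"; return 1; }
    echo "principal and keytab look consistent; compare date against your DC"
}
```

Call `live_checks xmpp/debian.f.q.d.n@MY.DOMAIN.COM /opt/openfire/resources/openfire.keytab` on the server to check a real keytab.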