Spark OpenFire SSO/LDAP with Win10 and 2k16 - SASLError using GSSAPI

Here are some bits I had: Openfire SSO Issue?

Before attempting SSO does LDAP/AD username/password work with spark?

Although I now have it working on CentOS, it’s basically all the same. The principal is super important as that is the DNS name that the client HAS to connect with. I’d also recommend doing an ‘A’ record rather than a CNAME record, and double-checking that the reverse DNS PTR entry also shows the FQDN of the principal name.

In my krb5.conf/ini file I wouldn’t include the enctypes (they actually recommend you -don’t- include them, unless you need to use older types):

default_tgs_enctypes
    Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See Encryption_types in kdc.conf(5) for a list of the accepted values for this tag. The default value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly removed from this list if the value of allow_weak_crypto is false.

As such… you might be alright with just the following:

[libdefaults]
 # no enctype lists here: let the library negotiate the strongest type the KDC offers
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 # do not canonicalise the server name via reverse DNS; the SPN must match the name the client typed
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 # Kerberos realm names are upper case, with no embedded spaces
 default_realm = SAPPHIRE.UK
[realms]
 # left empty so the KDCs are discovered through DNS SRV records (dns_lookup_kdc defaults to true)
 SAPPHIRE.UK = {
 }

[domain_realm]
 sapphire.uk = SAPPHIRE.UK
 .sapphire.uk = SAPPHIRE.UK

For gss.conf, I’d have:

com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/opt/openfire/resources/xmpp.keytab"
        doNotPrompt=true
        useKeyTab=true
        isInitiator=true
        debug=true
        realm="SAPPHIRE.UK"
        principal="xmpp/openfire.sapphire.uk";
};

Then in system properties in the openfire web console:

Property                          Value
sasl.gssapi.config                /opt/openfire/conf/gss.conf
sasl.gssapi.useSubjectCredsOnly   false
sasl.realm                        SAPPHIRE.UK
xmpp.domain                       sapphire.uk
xmpp.fqdn                         openfire.sapphire.uk

In your configs, I also notice you have a space between SAPPHIRE. and UK - is this intentional on your part?

The other mistake I made was being too impatient for spn/keytab/password changes to replicate around the domain controllers.

If you get desperate (I did!) there’s also a way to run the Openfire server in a console mode which shows the dark secrets of the Kerberos stuff and where it might be failing! I’ll have to dig the full command up. But hope this kinda helps!
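The reply above boils down to three things that must agree before GSSAPI will work: the realm in krb5.conf, the realm and principal in gss.conf, and the sasl.realm / xmpp.fqdn system properties (with the principal's host part equal to the name clients connect to). The following is an added example, not code from the poster or from Openfire, that reads constructed copies of those three configs and reports the mismatches the thread describes, including the stray space in the realm; the sample values are assumptions modelled on the post.

```python
import re

# Constructed sample inputs mirroring the configs quoted in this thread; they are
# not read from a live Openfire server.
KRB5_CONF = """[libdefaults]
 default_realm = SAPPHIRE.UK
[domain_realm]
 .sapphire.uk = SAPPHIRE.UK
"""
GSS_CONF = """com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    realm="SAPPHIRE.UK"
    principal="xmpp/openfire.sapphire.uk";
};
"""
# Openfire system properties with the stray space in the realm the reply asks about.
OPENFIRE_PROPS = {"sasl.realm": "SAPPHIRE. UK",
                  "xmpp.domain": "sapphire.uk",
                  "xmpp.fqdn": "openfire.sapphire.uk"}

def krb5_default_realm(text):
    """Pull default_realm out of a krb5.conf [libdefaults] section."""
    m = re.search(r"^\s*default_realm\s*=\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None

def gss_values(text):
    """Pull the quoted realm= and principal= values out of a JAAS gss.conf."""
    return dict(re.findall(r'\b(realm|principal)\s*=\s*"([^"]*)"', text))

def check_sso_consistency(krb5_text, gss_text, props):
    """Return findings as strings; an empty list means all three places agree."""
    findings = []
    gss = gss_values(gss_text)
    realms = {"krb5 default_realm": krb5_default_realm(krb5_text) or "",
              "gss.conf realm": gss.get("realm", ""),
              "sasl.realm": props.get("sasl.realm", "")}
    for where, value in realms.items():
        if re.search(r"\s", value):  # e.g. "SAPPHIRE. UK"
            findings.append(f"{where} contains whitespace: {value!r}")
        elif value != value.upper():  # Kerberos realms are conventionally upper-case
            findings.append(f"{where} is not upper-case: {value!r}")
    if len(set(realms.values())) != 1:
        findings.append(f"realm values disagree: {realms}")
    # The SPN host part must be the exact DNS name clients connect to (xmpp.fqdn).
    service, _, host = gss.get("principal", "").partition("/")
    host = host.split("@", 1)[0]
    if service != "xmpp":
        findings.append(f"principal service is {service!r}, expected 'xmpp'")
    if host.lower() != props.get("xmpp.fqdn", "").lower():
        findings.append(f"principal host {host!r} does not match xmpp.fqdn")
    return findings
```

Run it against your own three files and an empty result means the names line up; it does not replace checking the A/PTR records and keytab, which the script cannot see.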