My organization is in the process of deploying Kerberos SSO. The KDCs are Active Directory. We have things working nicely across Windows XP, MacOS X, and Red Hat Linux. Functional apps include ssh, WinSCP, ldapsearch, curl, FireFox, IE (of course), Safari, IE, and Apache. All in the way of establishing background
However, this is my first exposure to the Java Kerberos implementation.
So I’'m very excited to see the SSO feature in Spark. I followed the instructions at http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerbero s and was able to get a test box hosted on Linux working in about 20 minutes, with Spark 2.5.4… Whee!
Then I tried to get it working in a broader scope, and things broke down:
Issue 1: Getting Spark 2.5.4 (java 1.6.0_01 and 1.5.0_09) on Linux to use SSO with my test server. Note, Spark on Windows works with this server so we know the server config is good. On Linux Spark will connect using SASL PLAIN, but when I try to enable SSO the tab says “Spark is unable to find the principal to use for Single Sign-On…”.
I definitely have a TGT, and can get tickets for services (Web servers, sshd, etc.). So Kerberos is definitely functional on this client. KRB5CCNAME is set in the environment. The krb5.conf is in the standard /etc/krb5.conf location and is world readable. So it’‘s not clear to me why it isn’'t able to get the credential.
If I turn on debugging I get the following in output.log:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt tr
ue ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fals
e principal is null tryFirstPass is false useFirstPass is false storePass is fal
se clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
Unable to obtain Princpal Name for authentication
which pretty much says what I already know. How to solve?
Trying to enable our production server. We do use SRV records, however I have been configuring my client to connect specifically to the underlying hostname rather than using automatic discovery, and the keytab on the server is for the SPN xmpp/hostname@REALM (and that SPN is specified in the principal= part of the gss.conf). I believe this should work around the known issues with SRV records since the client-side Kerberos code should just look up the target host, do a reverse lookup, and get the right hostname, but tell me if I’'m just mistaken.
But it doesn’‘t work. The underlying host definitely does have a working Keberos config - I can use Kerberized sshd to log on and I can do kinit to get a TGT using the xmpp service’'s keytab.
When running my test server I start the server using openfire.sh, and I get useful Kerberos debug info in my console. Since this is production with ~1000 users I really don’‘t want to run it that way, but the relevant log lines(snippet from the test system below) don’‘t seem to show up in the openfire log files. How do I get this server to log the data somewhere useful so I can see what it is doing? And while we’'re at it, is there any way to get the server to reload this config without shutting it down?
Example of what I’'d like to see (for working test system):
added Krb5Principal xmpp/host@REALM to Subject
Added server’'s keyKerberos Principal xmpp/host@REALMKey Version 2key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: AE 62 1C FB 54 1C D6 25
Even the Windows Spark doesn’‘t work, although it does seem to get a ticket and do a SASL GSSAPI exchange. How can I tell exactly which service principal name Spark is trying to use? Even when it is working with the test box a ticket never shows up in the credential cache (either the LSA or the GSSAPI cache used by MIT’‘s Kerberos for Windows), so klist isn’'t useful. I assume this is because Java is using its own credential cache (hence the need to extract the TGT from the LSA). But it makes it almighty difficult to debug this sort of thing.
Thanks for any help you can provide.