My organization is in the process of deploying Kerberos SSO. The KDCs are Active Directory. We have things working nicely across Windows XP, MacOS X, and Red Hat Linux. Functional apps include ssh, WinSCP, ldapsearch, curl, FireFox, IE (of course), Safari, IE, and Apache. All in the way of establishing background
However, this is my first exposure to the Java Kerberos implementation.
So Iā'm very excited to see the SSO feature in Spark. I followed the instructions at http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerbero s and was able to get a test box hosted on Linux working in about 20 minutes, with Spark 2.5.4ā¦ Whee!
Then I tried to get it working in a broader scope, and things broke down:
Issue 1: Getting Spark 2.5.4 (java 1.6.0_01 and 1.5.0_09) on Linux to use SSO with my test server. Note, Spark on Windows works with this server so we know the server config is good. On Linux Spark will connect using SASL PLAIN, but when I try to enable SSO the tab says āSpark is unable to find the principal to use for Single Sign-Onā¦ā.
I definitely have a TGT, and can get tickets for services (Web servers, sshd, etc.). So Kerberos is definitely functional on this client. KRB5CCNAME is set in the environment. The krb5.conf is in the standard /etc/krb5.conf location and is world readable. So itāās not clear to me why it isnā't able to get the credential.
If I turn on debugging I get the following in output.log:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt tr
ue ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fals
e principal is null tryFirstPass is false useFirstPass is false storePass is fal
se clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
authentication failed
Unable to obtain Princpal Name for authentication
which pretty much says what I already know. How to solve?
Issue 2:
Trying to enable our production server. We do use SRV records, however I have been configuring my client to connect specifically to the underlying hostname rather than using automatic discovery, and the keytab on the server is for the SPN xmpp/hostname@REALM (and that SPN is specified in the principal= part of the gss.conf). I believe this should work around the known issues with SRV records since the client-side Kerberos code should just look up the target host, do a reverse lookup, and get the right hostname, but tell me if Iā'm just mistaken.
But it doesnāāt work. The underlying host definitely does have a working Keberos config - I can use Kerberized sshd to log on and I can do kinit to get a TGT using the xmpp serviceā's keytab.
When running my test server I start the server using openfire.sh, and I get useful Kerberos debug info in my console. Since this is production with ~1000 users I really donāāt want to run it that way, but the relevant log lines(snippet from the test system below) donāāt seem to show up in the openfire log files. How do I get this server to log the data somewhere useful so I can see what it is doing? And while weā're at it, is there any way to get the server to reload this config without shutting it down?
Example of what Iā'd like to see (for working test system):
added Krb5Principal xmpp/host@REALM to Subject
Added serverā's keyKerberos Principal xmpp/host@REALMKey Version 2key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: AE 62 1C FB 54 1C D6 25
Even the Windows Spark doesnāāt work, although it does seem to get a ticket and do a SASL GSSAPI exchange. How can I tell exactly which service principal name Spark is trying to use? Even when it is working with the test box a ticket never shows up in the credential cache (either the LSA or the GSSAPI cache used by MITāās Kerberos for Windows), so klist isnā't useful. I assume this is because Java is using its own credential cache (hence the need to extract the TGT from the LSA). But it makes it almighty difficult to debug this sort of thing.
Thanks for any help you can provide.
- Ken