SSO and Kerberos setup

Jack_Bluebird · May 1, 2008, 5:00pm

I am in the process of configuring Openfire to allow SSO. My setup is Openfire 3.5.1 running on linux (OpenSuSE 10.2), and a Windows 2000 AD.

The problem I am getting is when I enable kerberos on the linux host, openfire will not start. All I get is an incorrect password error:

/etc/init.d/openfire start

Starting openfire: su: incorrect password

In /var/log/messages:

May 1 11:55:36 xxxxxxx su: FAILED SU (to daemon) root on /dev/pts/0

Sorry if this is a dumb question, but I have been looking through the forums and have not found an answer as of yet.

Thanks…

Jason_L · May 1, 2008, 5:37pm

does the user daemon exist on your server?

Jack_Bluebird · May 1, 2008, 5:57pm

Sorry, little lost. User daemon needs to exist on the windows AD server?

Jason_L · May 1, 2008, 6:35pm

no it has to exist on the machine you are starting up on, linux.

what the startup script is doing is starting up as root and then su to another user. this way you don’t have a a potentially buggy app (not openfire, just general idea) running as root.

so on linux, where you are starting openfire, does the user daemon exist? you can check /etc/passwd to find out.

Jack_Bluebird · May 1, 2008, 6:52pm

ok, I understand now. Yes - user daemon exists on the linux host, and if kerberos is disabled, openfire will start correctly. If I go into Yast and enable kerberos to match my AD settings, openfire will not start.

Jason_L · May 1, 2008, 7:45pm

ohhh, I get it now. when you enable kerberos in yast, sounds like its not falling back to local authentication and doing kerberos only, and the daemon user doesn’t exist in kerberos (which I wouldn’t think it would).

as a test, lets assume that openfire is installed to /opt/openfire

run the following command

#/opt/openfire/bin/openfire start

and see if it starts. if it does then the above is your problem. changing local authentication on suse to use kerberos doesn’t fall back to local if the user doesn’t exist in kerberos. On another note, I am using debian as my host. I didn’t have to actually make my debian server authenitacate against kerberos, I just had to install kerberos tools and put the appropriate config in my krb5.conf file. my linux server is still using local authentication, but openfire uses AD and kerberos for sso.

Jack_Bluebird · May 1, 2008, 8:36pm

Ok, you are correct. If I use the /opt/openfire/bin/openfire.sh script to start openfire, it will run. So… my linux box is not falling back to local authentication if kerberos is enabled. I will try to work through this again with kerberos disabled. I’m fairly certain I have the krb5.conf file configured properly as I am able to get a ticket. I will now work on the rest of this.

Thanks for your help!