SSO Problem Ubuntu 18.04.6 LTS, Windows Domain (2012 R2)

Hello.
I set up the environment following this guide:

with no luck.

Here is my environment:

            ad_fqdn: "ga.local"
            ad_realm: "GA.LOCAL"
            ad_kdc: "dc01.ga.local"
            openfire_server_fqdn: xmpp-srv.ga.local

Openfire server: Ubuntu 18.04.6 LTS, Openfire 4.7.4, build 51b9db9

java -version:

openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-8u222-b10-1ubuntu1~16.04.1-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)

/etc/krb5.conf:

[libdefaults]
  default_realm = GA.LOCAL
  default_keytab_name = /usr/share/openfire/resources/openfire.keytab
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
  GA.LOCAL = {
    kdc = dc01.ga.local
    admin_server = dc01.ga.local
    default_domain = ga.local
  }

# section must be named domain_realm; krb5 does not consult a [domain_realms] section
[domain_realm]
  ga.local = GA.LOCAL
  .ga.local = GA.LOCAL

/etc/openfire/gss.conf:

com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule
  required
  storeKey=true
  keyTab="/usr/share/openfire/resources/openfire.keytab"
  doNotPrompt=true
  useKeyTab=true
  realm="GA.LOCAL"
  principal="xmpp/xmpp-srv.ga.local@GA.LOCAL"
  debug=true;
};

sudo kinit -V -k -t /usr/share/openfire/resources/openfire.keytab xmpp/xmpp-srv.ga.local@GA.LOCAL

Using default cache: /tmp/krb5cc_0
Using principal: xmpp/xmpp-srv.ga.local@GA.LOCAL
Using keytab: /usr/share/openfire/resources/openfire.keytab
Authenticated to Kerberos v5

sudo klist -ek /usr/share/openfire/resources/openfire.keytab

Keytab name: FILE:/usr/share/openfire/resources/openfire.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 xmpp/xmpp-srv.ga.local@GA.LOCAL (arcfour-hmac)

PS> setspn -L xmpp-user

Registered ServicePrincipalNames for CN=xmpp-user,CN=Users,DC=ga,DC=local:
        xmpp/xmpp-srv.ga.local
        xmpp/xmpp-srv.ga.local@GA.LOCAL

Authorization based on login and password works OK. SSO authorization fails, Spark log:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using GSSAPI: not-authorized
	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:286)
	at org.jivesoftware.smack.AbstractXMPPConnection.lambda$new$2(AbstractXMPPConnection.java:407)
	at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.accept(NonzaCallback.java:177)
	at org.jivesoftware.smack.NonzaCallback$ClassAndConsumer.access$200(NonzaCallback.java:166)
	at org.jivesoftware.smack.NonzaCallback.onNonzaReceived(NonzaCallback.java:46)
	at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessNonza(AbstractXMPPConnection.java:1440)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1700(XMPPTCPConnection.java:131)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1010)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:916)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:939)
	at java.lang.Thread.run(Unknown Source)

Wireshark traffic on service openfire start:

No.,"Time","Source","Destination","Protocol","Length","Info"
1,"0.000000","10.1.70.111","10.1.66.162","DNS","81","Standard query 0xa487 A xmpp-srv.ga.local"
2,"0.000000","10.1.70.111","10.1.66.162","DNS","81","Standard query 0xb497 AAAA xmpp-srv.ga.local"
3,"0.000414","10.1.66.162","10.1.70.111","DNS","93","Standard query response 0xa487 A xmpp-srv.ga.local A 10.1.70.111"
4,"0.000479","10.1.66.162","10.1.70.111","DNS","129","Standard query response 0xb497 AAAA xmpp-srv.ga.local SOA dc01.ga.local"
5,"1.194044","10.1.66.162","10.1.70.111","DNS","125","Standard query response 0x6027 Server failure SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.sandbox.local"
6,"1.194407","10.1.70.111","10.1.66.162","ICMP","157","Destination unreachable (Port unreachable)"
7,"1.752158","10.1.70.111","10.1.66.162","DNS","81","Standard query 0x9cd5 A xmpp-srv.ga.local"
8,"1.752158","10.1.70.111","10.1.66.162","DNS","81","Standard query 0x5ce1 AAAA xmpp-srv.ga.local"
9,"1.752500","10.1.66.162","10.1.70.111","DNS","93","Standard query response 0x9cd5 A xmpp-srv.ga.local A 10.1.70.111"
10,"1.752585","10.1.66.162","10.1.70.111","DNS","129","Standard query response 0x5ce1 AAAA xmpp-srv.ga.local SOA dc01.ga.local"
11,"2.094089","10.1.66.162","10.1.70.111","DNS","88","Standard query response 0x149d Server failure SRV _kerberos._tcp.SANDBOX.LOCAL"
12,"2.095634","10.1.70.111","10.1.66.162","DNS","93","Standard query 0x7cca SRV _kerberos._http.SANDBOX.LOCAL"

Hi, are you using Spark on Windows with the latest updates? Perhaps the problem is in the deprecated DES3 algorithm.

Also attach useful topics

Oh, it’s working!
I recreated the keytab with the “/crypto All” option:

ktpass /princ xmpp/xmpp-srv.ga.local@GA.LOCAL -mapUser xmpp-user@GA.LOCAL /pass **** /crypto All /ptype KRB5_NT_PRINCIPAL /out c:\openfire.keytab

and changed the config file /etc/krb5.conf:

[libdefaults]
  default_realm = GA.LOCAL
  default_keytab_name = /usr/share/openfire/resources/openfire.keytab
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
  GA.LOCAL = {
    kdc = dc01.ga.local
    admin_server = dc01.ga.local
    default_domain = ga.local
  }

# section must be named domain_realm; krb5 does not consult a [domain_realms] section
[domain_realm]
  ga.local = GA.LOCAL
  .ga.local = GA.LOCAL

Thanks a lot!
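The thread turns on what the keytab actually contains: the first `klist -ek` shows a single arcfour-hmac key at kvno 5, and the fix was a keytab regenerated with `/crypto All` plus AES enctypes in krb5.conf. The script below is an added example (not code from Openfire or from the posters) that parses the MIT keytab format `klist -ek` reads and answers the question behind a GSSAPI `not-authorized`: does the keytab hold a key for the exact principal, kvno and enctype the KDC used for the service ticket, and does krb5.conf permit that enctype? The principal and enctype lists are taken from the thread; the keytab bytes and key material are constructed in-line (dummy keys, not real secrets), and the enctype numbers come from the Kerberos RFCs.

```python
"""Inspect an MIT-format Kerberos keytab (what klist -ek reads) and check whether it holds the
key a service ticket needs. Added example for this thread; keytab bytes and keys are constructed."""
import struct

# Enctype numbers (RFC 3961/3962/4757/8009) with the names krb5.conf and klist use.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac"}
# Alternate spellings accepted in krb5.conf enctype lists, merged with the canonical names.
NAME_TO_ID = {**{v: k for k, v in ENCTYPE_NAMES.items()},
              "rc4-hmac": 23, "arcfour-hmac-md5": 23, "des3-hmac-sha1": 16}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429)
KEYTAB_MAGIC = b"\x05\x02"       # keytab file format version 0x0502


def enctype_id(name):
    """Map a krb5.conf enctype name (or alias) to its number."""
    try:
        return NAME_TO_ID[name.lower()]
    except KeyError:
        raise ValueError(f"unknown enctype name {name!r}") from None


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a 0x0502 keytab (sample input only)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted_string(buf, pos):
    (length,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + length], pos + 2 + length


def parse_keytab(data):
    """Return one {principal, kvno, enctype, enctype_name} dict per keytab entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot occupying abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, key_len = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + key_len          # skip the key bytes; only the enctype matters here
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present; a non-zero value overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")})
    return entries


def has_key(entries, principal, kvno, enctype_name):
    """True if the keytab can decrypt a ticket for principal issued with this kvno and enctype."""
    wanted = enctype_id(enctype_name)
    return any(e["principal"] == principal and e["kvno"] == kvno and e["enctype"] == wanted
               for e in entries)


def weak_entries(entries):
    """Deprecated enctypes present in the keytab (sorted, de-duplicated)."""
    return sorted({e["enctype_name"] for e in entries if e["enctype"] in WEAK_ENCTYPES})


def usable_enctypes(entries, permitted_enctypes):
    """Enctypes present in the keytab and also listed in krb5.conf permitted_enctypes."""
    permitted = {enctype_id(n) for n in permitted_enctypes.split()}
    return sorted({e["enctype_name"] for e in entries if e["enctype"] in permitted})


# Constructed samples mirroring the thread: an RC4-only keytab at kvno 5, then an
# AES256/AES128/RC4 keytab at kvno 6. Keys are dummy bytes, not real secrets.
SPN = "xmpp/xmpp-srv.ga.local@GA.LOCAL"
KEYTAB_BEFORE = build_keytab([(SPN, 5, 23, bytes(range(16)))])
KEYTAB_AFTER = build_keytab([(SPN, 6, 18, bytes(range(32))), (SPN, 6, 17, bytes(range(16))),
                             (SPN, 6, 23, bytes(range(16)))])
OLD_PERMITTED = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5"
NEW_PERMITTED = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac"
```

To run it against a real file, pass `open("/usr/share/openfire/resources/openfire.keytab", "rb").read()` to `parse_keytab` and call `has_key` with the kvno and enctype the KDC used for the ticket (visible in the Krb5LoginModule debug output enabled by `debug=true` in gss.conf, or in a packet capture). A keytab whose only key is RC4, as in the first `klist -ek` output, cannot decrypt a ticket the KDC encrypted with an AES key, and `weak_entries` flags which keys should eventually be retired once all clients negotiate AES.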
