SSO troubles "Cannot locate default realm"

I am using Pidgin, which supports GSSAPI, attempting to log in as just “joe”.

OpenFire was configured to support SSO per instructions here.

I am getting an exception thrown by OpenFire with message “Cannot locate default realm”

Can anyone provide a clue to what I am doing wrong?

klist before opening pidgin

joe@debian:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_lSHJoZ
Default principal: joe@MYDOMAIN.COM

Valid starting       Expires              Service principal
06/29/2022 09:10:55  06/30/2022 09:10:53  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

klist after opening pidgin

joe@debian:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_lSHJoZ
Default principal: joe@MYDOMAIN.COM

Valid starting       Expires              Service principal
06/29/2022 09:20:37  06/30/2022 09:20:35  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
06/29/2022 09:20:44  06/30/2022 09:20:35  krbtgt/mydomain.com@MYDOMAIN.COM
06/29/2022 09:20:44  06/30/2022 09:20:35  xmpp/chat.mydomain.com@mydomain.com
	Ticket server: xmpp/chat.mydomain.com@MYDOMAIN.COM
06/29/2022 09:20:44  06/30/2022 09:20:35  xmpp/chat.mydomain.com@MYDOMAIN.COM

Openfire config files and permissions and keytab

root@openfire:/# ls -l /var/lib/openfire/conf/{openfire.keytab,gss.conf} && klist -ek openfire.keytab
-rwxr-x--- 1 openfire openfire 315 Jun 28 20:30 /var/lib/openfire/conf/gss.conf
-rwxr-x--- 1 openfire openfire 166 Jun 28 19:50 /var/lib/openfire/conf/openfire.keytab
Keytab name: FILE:openfire.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 xmpp/chat.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   1 xmpp/chat.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 

root@openfire:/# cat /var/lib/openfire/conf/gss.conf 
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/var/lib/openfire/conf/openfire.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="MYDOMAIN.COM"
    principal="xmpp/chat.mydomain.com@MYDOMAIN.COM"
    debug=true
    isInitiator=false;
};

Openfire settings

sasl.gssapi.config 	/var/lib/openfire/conf/gss.conf
sasl.gssapi.debug 	true 
sasl.gssapi.useSubjectCredsOnly 	false 
sasl.mechs.00001 	PLAIN
sasl.mechs.00002 	DIGEST-MD5
sasl.mechs.00003 	SCRAM-SHA-1
sasl.mechs.00004 	CRAM-MD5
sasl.mechs.00005 	GSSAPI
sasl.realm 	MYDOMAIN.COM
xmpp.domain 	chat.mydomain.com
xmpp.fqdn 	chat.mydomain.com

tcpdump for all traffic except 5222

09:16:54.939327 veth00fccb3 P   IP 192.168.170.5.38593 > 10.100.0.15.53: 3343+ A? chat.mydomain.com. (33)
09:16:54.939477 veth00fccb3 Out IP 10.100.0.15.53 > 192.168.170.5.38593: 3343* 1/0/0 A 10.100.0.27 (49)
09:16:54.939895 veth00fccb3 P   IP 192.168.170.5.52047 > 10.100.0.15.53: 34528+ PTR? 27.0.100.10.in-addr.arpa. (41)
09:16:54.939988 veth00fccb3 Out IP 10.100.0.15.53 > 192.168.170.5.52047: 34528* 1/0/0 PTR chat.mydomain.com. (70)

Openfire log

2022.06.29 13:16:54 DEBUG [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - SASL negotiation failed for session: LocalClientSession{address=chat.mydomain.com/31wfg8k463, streamID=31wfg8k463, status=1 (connected), isSecure=true, isDetached=false, serverName='chat.mydomain.com', isInitialized=false, hasAuthToken=false, peer address='10.68.21.11', presence='
<presence type="unavailable"/>'}
javax.security.sasl.SaslException: Failure to initialize security context
	at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:127) ~[jdk.security.jgss:?]
	at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85) ~[jdk.security.jgss:?]
	at javax.security.sasl.Sasl.createSaslServer(Sasl.java:581) ~[?:?]
	at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:324) [xmppserver-4.7.1.jar:4.7.1]
	at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:182) [xmppserver-4.7.1.jar:4.7.1]
	at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.1.jar:4.7.1]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
	at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
	at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
	at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
	at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
	at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
	at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.ietf.jgss.GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
	at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:127) ~[java.security.jgss:?]
	at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99) ~[java.security.jgss:?]
	at sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184) ~[java.security.jgss:?]
	at sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469) ~[java.security.jgss:?]
	at sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202) ~[java.security.jgss:?]
	at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:171) ~[java.security.jgss:?]
	at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:119) ~[java.security.jgss:?]
	at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:108) ~[jdk.security.jgss:?]
	... 24 more

Pidgin debug log

(09:16:54) certificate: Successfully verified certificate for chat.mydomain.com
(09:16:54) jabber: Sending (ssl) (joe@chat.mydomain.com): <stream:stream to='chat.mydomain.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(09:16:54) jabber: Recv (ssl)(631): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="chat.mydomain.com" id="31wfg8k463" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><ver xmlns="urn:xmpp:features:rosterver"/><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="https://www.igniterealtime.org/projects/openfire/" ver="t3TvhZ1QHlVr4fACnmAXQhORDAI="/></stream:features>
(09:16:54) sasl: Mechs found: PLAIN GSSAPI
(09:16:54) sasl: GSSAPI client step 1
(09:16:54) jabber: Sending (ssl) (joe@chat.mydomain.com): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>password removed</auth>
(09:16:54) jabber: Recv (ssl)(77): <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

What did you use to create your keytab file? That and/or DNS is usually the culprit. Unfortunately, I don’t have experience running SSO in Linux. However, here is a video I created a few years ago that might provide some additional insight.

I am using FreeIPA; I use the command:

ipa-getkeytab -s freeipa.mydomain.com -p xmpp/chat.mydomain.com -k /tmp/openfire.keytab

I fixed it by creating an /etc/krb5.conf file. Not sure why Java would need this file, as it wouldn’t be using native krb libraries, but whatever…

[libdefaults]
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
    kdc = freeipa.mydomain.com
    admin_server = freeipa.mydomain.com
    default_domain = mydomain.com
}

# The section name is domain_realm (singular). MIT krb5 and the JDK both read
# that name; a misspelled header such as [domain_realms] is silently ignored,
# and the realm then comes from default_realm alone.
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM

It's possible your DNS is not set up to provide your realm information.