All,
I’ve followed all the directions that I can find and spent time combing the forums, and I can’t find the answer to this problem. I’m running OpenFire 3.3.3 on Solaris 8, Spark 2.5.7 on Windows XP. AD is running on Windows 2003.
Here are the important portions of my openfire.xml:
<sasl>
<mechs>GSSAPI</mechs>
<realm>XX.EXAMPLE.COM</realm>
<gssapi>
<debug>true</debug>
<config>/opt/openfire/conf/gss.conf</config>
<useSubjectCredsOnly>false</useSubjectCredsOnly>
</gssapi>
</sasl>
<provider>
<authorization>
<classList>org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
</authorization>
</provider>
</jive>
Here’s my gss.conf:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/opt/openfire/conf/openfire.keytab"
doNotPrompt=true
useKeyTab=true
realm="XX.EXAMPLE.COM"
principal="xmpp/openfire.example.com@XX.EXAMPLE.COM"
debug=true;
};
So, you can see that one interesting thing is that the AD domain has an additional part to it (“XX”), whereas our UNIX DNS addresses do not.
Here’s what I see in the stdoutt.log:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is xmpp/openfire.example.com@XX.EXAMPLE.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal’s key obtained from the keytab
Acquire TGT using AS Exchange
principal is xmpp/openfire.example.com@XX.EXAMPLE.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FD D1 24 65 2E 11 0C 2B 81 D3 16 CB DA 71 0D A9 …$e…+…q…
Added server’s keyKerberos Principal xmpp/openfire.example.com@XX.EXAMPLE.COMKey Version 7key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: FD D1 24 65 2E 11 0C 2B 81 D3 16 CB DA 71 0D A9 …$e…+…q…
added Krb5Principal xmpp/openfire.example.com@XX.EXAMPLE.COM to Subject
Commit Succeeded
And here’s the error in the warn.log:
2007.10.10 13:10:38 SaslException
javax.security.sasl.SaslException: Failure to initialize security context Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:220)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:141)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:176)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
… 20 more
Can anyone help?
Thanks,
Brian