On Wed, Feb 2, 2011 at 4:41 PM, Romain LEGUAY <[email protected]> wrote:
> I try your modification but it doesn't change.

What is not changed? ktab -l? kinit...?

> I have a question (again ^^): is the filter bean in web.xml needed with cas
> (I copy/paste the filter from
> http://spnego.sourceforge.net/spnego_tomcat.html part Modifying the web.xml
> file)

No, not for CAS. Maybe this is doing some nasty things. Follow the basic CAS SPNEGO setup at:

    https://wiki.jasig.org/display/CASUM/SPNEGO

The only difference is (I guess) that you have to specify the krb5.conf file location on the Tomcat command line.

> I have some questions on jcifsConfig:
>
> What is jcifsServicePrincipal? The spn account or the value we paste during
> spn user creation?
> An example:
> setspn -a HTTP/machine user
> jcifsServicePrincipal is HTTP/machine@DOMAIN ?

Yes, @DOMAIN is always included automatically when you don't specify it (from the krb5.conf file). Then:

    setspn -a HTTP/machine user

means:

    setspn -a HTTP/machine@DOMAIN user

> What is jcifsServicePassword? The password when I create the keytab?

The password of the user which has the mapping for service HTTP/machine@DOMAIN.

> An example:
> ktab -a user password -k keytab.keytab

Don't know what 'ktab' is, but from the manual:

    ktpass.exe /out myspnaccount.keytab /princ HTTP/[email protected] /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

You have to type the password of user 'myspnaccount', and this is that password (or you can omit the password and specify only the keytab file, which is nothing more than the password in encoded form ;-). When you change the password of the user you always have to regenerate the keytab file, or if the keytab file is compromised just change the password on the service account and generate a new keytab.

Pavel
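Added example (not part of the original message, and not CAS or JCIFS code): a small Python check of the realm defaulting described above, useful for confirming that the value put in jcifsServicePrincipal and the name registered with setspn resolve to the same principal. The sample krb5.conf, the realm EXAMPLE.ORG and all function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf; EXAMPLE.ORG is a placeholder realm.
SAMPLE_KRB5_CONF = """\
# constructed example
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 24h

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

def default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def qualify(principal, realm):
    """Append @realm when the principal carries no unescaped '@' realm part."""
    if re.search(r"(?<!\\)@", principal):
        return principal
    if not realm:
        raise ValueError("principal has no realm and no default_realm is set")
    return f"{principal}@{realm}"

def same_principal(configured, registered, krb5_conf_text):
    """True when both names resolve to the same service/host@REALM."""
    realm = default_realm(krb5_conf_text)
    # Kerberos principal names and realms are case-sensitive (RFC 4120),
    # so the comparison is exact rather than case-folded.
    return qualify(configured, realm) == qualify(registered, realm)

if __name__ == "__main__":
    print(qualify("HTTP/machine", default_realm(SAMPLE_KRB5_CONF)))
```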
