[
https://issues.apache.org/jira/browse/DISPATCH-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321885#comment-16321885
]
ASF GitHub Bot commented on DISPATCH-906:
-----------------------------------------
Github user enkeys commented on the issue:
https://github.com/apache/qpid-dispatch/pull/241
We are trying to set up Kerberos for qpid-dispatch and it looks like there is
no keytab option mentioned in /etc/sasl2/qdrouterd.conf.
`keytab: /tmp/keytabs/server.keytab`
It is probably not required, but it's needed to provide the principal somehow. I
think that should be possible to do with an external command:
`kinit -k -t /path/file.keytab myprincipal`
The next important thing that works for us is providing the environment
variable KRB5_CONFIG before qdrouterd.
`KRB5_CONFIG=/tmp/qdrouterd_krb5.conf`
Otherwise, without KRB5_CONFIG set, qdrouterd gets for every connection:
`SERVER (info) Connection from 1.2.3.4:56468 (to 0.0.0.0:amqp) failed:
proton:io:sasl_error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information () (Failed to authenticate
client [mech=GSSAPI])`
(My explanation is that cyrus-sasl/gssapi can't know about realms.)
So our qdrouterd_krb5.conf with IPA conf:
```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = example
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  example = {
    kdc = ipa-server.example:88
    master_kdc = ipa-server.example:88
    admin_server = ipa-server.example:749
    default_domain = example
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .example = example
  example = example
  ipa-server.example = example

[dbmodules]
  example = {
    db_library = ipadb.so
  }
```
Where "example" is the TLD, so example.com, division.example.com etc. can be used.
And we are still not able to get any message through (sender -> qdrouterd
-> receiver). But the connection/results look more promising.
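Added example, not part of enkeys' comment and not code from the qpid-dispatch project: a POSIX sh wrapper that prepares the Kerberos environment the comment describes before starting qdrouterd, and fails early with a specific message instead of the opaque "Unspecified GSS failure. Minor code may provide more information ()" seen above. It passes KRB5_CONFIG (the comment's fix for realm lookup) and KRB5_KTNAME (MIT Kerberos' default-keytab variable, which the GSSAPI acceptor honours, so the server does not depend on an initiator-style kinit) and, when QD_KRB_DEBUG=1, KRB5_TRACE so the library logs why the GSS exchange fails. The paths /tmp/qdrouterd_krb5.conf and /tmp/keytabs/server.keytab are taken from the comment; the service principal form amqp/<fqdn>@<REALM> is an assumption about the deployment, not something the page states.

```sh
#!/bin/sh
# Added example wrapper for starting qdrouterd with Kerberos/GSSAPI.
# Not project code. Paths and the "amqp" service name are assumptions
# that should be adjusted to the deployment.

KRB5_CONF="${KRB5_CONF:-/tmp/qdrouterd_krb5.conf}"   # from the comment
KEYTAB="${KEYTAB:-/tmp/keytabs/server.keytab}"       # from the comment
SERVICE="${SERVICE:-amqp}"                           # assumed service name

# Print the default_realm from a krb5.conf (first match, empty if none).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Fail with a clear message if a required file is missing or unreadable.
require_readable() {
    if [ ! -r "$1" ]; then
        echo "missing or unreadable: $1" >&2
        return 1
    fi
}

# Check that the keytab contains the acceptor principal. Uses MIT klist;
# if klist is not installed the check is skipped rather than failing.
keytab_has_principal() {
    ktab="$1"
    princ="$2"
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found; skipping keytab principal check" >&2
        return 0
    fi
    klist -k "$ktab" | grep -q -- "$princ"
}

# Validate the environment, then exec qdrouterd with the Kerberos variables
# set only for that process.
run_qdrouterd() {
    require_readable "$KRB5_CONF" || return 1
    require_readable "$KEYTAB" || return 1
    realm=$(krb5_default_realm "$KRB5_CONF")
    if [ -z "$realm" ]; then
        echo "no default_realm in $KRB5_CONF" >&2
        return 1
    fi
    host=$(hostname -f 2>/dev/null || hostname)
    princ="$SERVICE/$host@$realm"
    if ! keytab_has_principal "$KEYTAB" "$princ"; then
        echo "keytab $KEYTAB has no entry for $princ" >&2
        return 1
    fi
    # KRB5_TRACE makes libkrb5 explain GSS failures whose minor code is empty.
    if [ "${QD_KRB_DEBUG:-0}" = 1 ]; then
        export KRB5_TRACE=/dev/stderr
    fi
    KRB5_CONFIG="$KRB5_CONF" KRB5_KTNAME="FILE:$KEYTAB" exec qdrouterd "$@"
}

# Only start the router when explicitly asked, so the file can also be
# sourced for its helper functions.
if [ "${RUN_QDROUTERD:-0}" = 1 ]; then
    run_qdrouterd "$@"
fi
```

Usage: `RUN_QDROUTERD=1 QD_KRB_DEBUG=1 sh qdrouterd-krb5.sh -c /etc/qpid-dispatch/qdrouterd.conf`. Because the variables are set on the exec line, nothing leaks into the parent shell, and a wrong realm or a keytab lacking the expected principal is reported before the first client connection fails.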
> Document Kerberos integration
> -----------------------------
>
> Key: DISPATCH-906
> URL: https://issues.apache.org/jira/browse/DISPATCH-906
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Documentation
> Reporter: Ben Hardesty
> Assignee: Ben Hardesty
>
> Document requirements and for accepting Kerberos authenticated connections.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)