On Sun, Jun 17, 2012 at 2:40 PM, Hasini Gunasinghe <[email protected]> wrote:
> Hi,
>
> I am trying to use IS as KDC server to obtain a kerberos token to talk to a service in ESB which is secured with security scenario 16.
> I observe the following error in IS back end and client fails with "The security token could not be authenticated or authorized (Kerberos login failed)"
>
> WARN {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} - No server entry found for kerberos principal name krbtgt/[email protected]
> [2012-06-17 14:21:10,694] WARN {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} - Server not found in Kerberos database (7)
>
> Appreciate a lot any insights to overcome it. I have attached embedded-ldap.xml and user-mgt.xml in IS side and krb5.conf, security policy in client side for reference.
>
> Let me also mention some of the suggestions for improvements here which I observed when trying to get the above scenario working.
>
> 1. "krb5.conf" and "jaas.conf" files are shipped with IS. But the information in krb5.conf doesn't match with default KDC server shipped with IS - i.e: realm name and supported algorithms.
> I changed the configuration according to the details in the below mail.
> I believe it would be useful if we also include the configurations that match with default KDC server.
>
> 2. Since above two files are required for sec scenario 16 to work, I think it would be useful if we make those files install with security management feature so that they will also be available in ESB and AS where this security scenario is available.
Hi Hasini,

Please create Jiras to incorporate above mentioned improvements. I guess we don't need to ship krb.conf and jaas.conf within IS once we include them in the security-mgt feature. krb.conf and jaas.conf are only used by service and client. KDC does not need them.

Thanks
AmilaJ

> Thanks,
> Hasini.
>
> ---------- Forwarded message ----------
> From: Amila Jayasekara <[email protected]>
> Date: Fri, May 25, 2012 at 12:48 PM
> Subject: Re: [Architecture] How to we map IS users to Kerberos Principals
> To: [email protected], [email protected]
>
> Hi Srinath,
>
> Please find answers in-line.
>
> On Fri, May 25, 2012 at 11:29 AM, Srinath Perera <[email protected]> wrote:
>> Hi All,
>>
>> Few questions
>>
>> Do we map IS users to Kerberos Principals in our Kerberos (KDC) integration with IS?
>
> Yes, for this you need to use embedded LDAP server. Please enable KDC server in embedded LDAP configuration ($CARBON_HOME/repository/conf/embedded-ldap.xml)
>
> E.g :-
>
> <KDCServer>
> <Property name="name">defaultKDC</Property>
> <Property name="enabled">true</Property>
> ....
> </KDCServer>
>
> Above will start the KDC server. Also in order to define service principals using UI please set "<Property name="kdcEnabled">false</Property>" to true in user-mgt.xml.
>
> If you already have users defined in LDAP they will not get KDC attributes. Therefore please remove content in repository/data and restart the server.
>
>> How do we map principals to users? (example will help)
>
> Once you enable KDC server, users will automatically be assigned as user principals. So if you add a user through management console that user will be a Kerberos principal. To define service principals please use "Kerberos Principals" menu in IS ui.
>
>> what is the domain name and host name we use in principals? How can I change them?
>
> Default domain is set to "wso2.org". You can change the domain using embedded-ldap.xml.
>
> <DefaultPartition>
> <Property name="id">root</Property>
> <Property name="realm">wso2.org</Property>
> ...
> </DefaultPartition>
>
> Host is set to localhost. You can change it using embedded-ldap.xml <KDCServer> configuration,
>
> <KDCServer>
> ....
> <Property name="host">localhost</Property>
> ....
> </KDCServer>
>
>> Have we tried our KDC with kinit and klist commands? Please point me to instructions
>
> Yes, we have. You need to set up realm information in /etc/krb5.conf. I am pasting content of a sample file [1]. Based on the algorithms you define in krb5.conf you may need to disable pre-authentication. For sample in [1] please disable pre-authentication using embedded-ldap.xml KDCServer/preAuthenticationTimeStampEnabled.
>
> E.g :-
>
> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ kinit [email protected]
> Password for [email protected]:
> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$
> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 05/25/12 07:12:02    05/25/12 09:36:02    krbtgt/[email protected]
>         renew until 05/26/12 07:12:02
>
>> If I go and change a user in IS, does that change the associated Kerberos Principal as well?
>
> Changing user in the sense, changing password of the user? If so change will get affected. Also client code needs to make sure it is not using cached credentials from "kinit".
>
> Thanks
> AmilaJ
>
> [1]
>
> [libdefaults]
> default_realm = WSO2.ORG
> default_tgs_enCtypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> allow_weak_crypto = true
>
> [realms]
> WSO2.ORG = {
> kdc = 127.0.0.1:8000
> }
>
> [domain_realm]
> .wso2.org = WSO2.ORG
> wso2.org = WSO2.ORG
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>> --Srinath
>>
>> --
>> ============================
>> Srinath Perera, Ph.D.
>> Senior Software Architect, WSO2 Inc.
>> Visiting Faculty, University of Moratuwa
>> Member, Apache Software Foundation
>> Research Scientist, Lanka Software Foundation
>> Blog: http://srinathsview.blogspot.com/
>> Photos: http://www.flickr.com/photos/hemapani/
>> Phone: 0772360902
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Mobile : +94773330538
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
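The realm and algorithm mismatch Hasini describes in improvement 1 is easy to catch before the client ever hits the KDC. The script below is an added example, not code from this thread or from WSO2: it parses a client krb5.conf and the IS embedded-ldap.xml and reports a realm that differs from the KDC's, a missing [realms] entry, the legacy DES-family enctypes used in sample [1], and pre-authentication still enabled alongside them (which AmilaJ says needs disabling for that enctype set). Both inputs are constructed inline; the root element name EmbeddedLDAPConfig is an assumption, while the Property elements are the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed krb5.conf, modelled on sample [1] pasted in the thread.
KRB5_CONF = """[libdefaults]
  default_realm = WSO2.ORG
  default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
  WSO2.ORG = {
    kdc = 127.0.0.1:8000
  }
"""
# Constructed embedded-ldap.xml fragment (root element name assumed; Properties as quoted in the thread).
EMBEDDED_LDAP_XML = """<EmbeddedLDAPConfig>
  <DefaultPartition><Property name="realm">wso2.org</Property></DefaultPartition>
  <KDCServer><Property name="enabled">true</Property>
    <Property name="preAuthenticationTimeStampEnabled">true</Property></KDCServer>
</EmbeddedLDAPConfig>"""
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1"}

def parse_krb5_conf(text):
    """Minimal parser: [section] headers and key = value lines. A 'REALM = {'
    line is kept with value '{' so realm names remain discoverable."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def check_kdc_config(krb5_text, ldap_xml):
    """Findings for the thread's failure modes: realm mismatch, missing [realms] entry, legacy enctypes, pre-auth on."""
    conf = parse_krb5_conf(krb5_text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    props = {p.get("name"): (p.text or "").strip()
             for p in ET.fromstring(ldap_xml).iter("Property")}
    realm, findings = lib.get("default_realm", ""), []
    if realm.upper() != props.get("realm", "").upper():  # compared case-insensitively
        findings.append("realm mismatch: krb5.conf %s vs KDC %s" % (realm, props.get("realm")))
    if realm not in realms:
        findings.append("no [realms] entry for %s" % realm)
    weak = WEAK_ENCTYPES & set(lib.get("default_tkt_enctypes", "").split())
    if weak:
        findings.append("legacy enctypes offered: %s" % " ".join(sorted(weak)))
    if weak and props.get("preAuthenticationTimeStampEnabled") == "true":
        findings.append("KDC pre-authentication enabled with legacy enctypes only")
    return findings
```

Point it at the real $CARBON_HOME/repository/conf/embedded-ldap.xml and the client's /etc/krb5.conf to get the same report for a live setup.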
