On Sun, Jun 17, 2012 at 11:16 PM, Amila Jayasekara <[email protected]> wrote:
> On Sun, Jun 17, 2012 at 2:40 PM, Hasini Gunasinghe <[email protected]> wrote:
> > Hi,
> >
> > I am trying to use IS as KDC server to obtain a Kerberos token to talk to a
> > service in ESB which is secured with security scenario 16.
> > I observe the following error in IS back end and client fails with "The
> > security token could not be authenticated or authorized (Kerberos login
> > failed)"
> >
> > WARN
> > {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} -
> > No server entry found for kerberos principal name krbtgt/[email protected]
> > [2012-06-17 14:21:10,694] WARN
> > {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} -
> > Server not found in Kerberos database (7)
> >
> > Appreciate a lot any insights to overcome it. I have attached
> > embedded-ldap.xml and user-mgt.xml in IS side and krb5.conf, security policy
> > in client side for reference.
> >
> > Let me also mention some of the suggestions for improvements here which I
> > observed when trying to get the above scenario working.
> >
> > 1. "krb5.conf" and "jaas.conf" files are shipped with IS. But the
> > information in krb5.conf doesn't match with default KDC server shipped with
> > IS - i.e: realm name and supported algorithms.
> > I changed the configuration according to the details in the below mail.
> > I believe it would be useful if we also include the configurations that
> > match with default KDC server.
> >
> > 2. Since above two files are required for sec scenario 16 to work, I think
> > it would be useful if we make those files install with security management
> > feature so that they will also be available in ESB and AS where this
> > security scenario is available.
>
> Hi Hasini,
>
> Please create Jiras to incorporate above mentioned improvements. I
> guess we don't need to ship krb.conf and jaas.conf within IS once we
> include them in the security-mgt feature. krb.conf and jaas.conf are
> only used by service and client. KDC does not need them.
>

+1 and created the jira: https://wso2.org/jira/browse/CARBON-13463

Thanks,
Hasini.

> Thanks
> AmilaJ
>
> >
> > Thanks,
> > Hasini.
> >
> >
> > ---------- Forwarded message ----------
> > From: Amila Jayasekara <[email protected]>
> > Date: Fri, May 25, 2012 at 12:48 PM
> > Subject: Re: [Architecture] How to we map IS users to Kerberos Principals
> > To: [email protected], [email protected]
> >
> >
> > Hi Srinath,
> >
> > Please find answers in-line.
> >
> > On Fri, May 25, 2012 at 11:29 AM, Srinath Perera <[email protected]> wrote:
> >> Hi All,
> >>
> >> Few questions
> >>
> >> Do we map IS users to Kerberos Principals in our Kerberos (KDC) integration
> >> with IS?
> >
> > Yes, for this you need to use embedded LDAP server. Please enable KDC
> > server in embedded LDAP configuration
> > ($CARBON_HOME/repository/conf/embedded-ldap.xml)
> >
> > E.g :-
> >
> > <KDCServer>
> >   <Property name="name">defaultKDC</Property>
> >   <Property name="enabled">true</Property>
> >   ....
> > </KDCServer>
> >
> > Above will start the KDC server. Also, in order to define service
> > principals using UI, please set "<Property
> > name="kdcEnabled">false</Property>" to true in user-mgt.xml.
> >
> > If you already have users defined in LDAP they will not get KDC
> > attributes. Therefore please remove content in repository/data and
> > restart the server.
> >
> >>
> >> How do we map principals to users? (example will help)
> >
> > Once you enable KDC server, users will automatically be assigned as user
> > principals. So if you add a user through management console that user
> > will be a Kerberos principal. To define service principals please use
> > the "Kerberos Principals" menu in IS UI.
> >
> >> What is the domain name and host name we use in principals? How can I
> >> change them?
> >
> > Default domain is set to "wso2.org". You can change the domain using
> > embedded-ldap.xml.
> >
> > <DefaultPartition>
> >   <Property name="id">root</Property>
> >   <Property name="realm">wso2.org</Property>
> >   ...
> > </DefaultPartition>
> >
> > Host is set to localhost. You can change it using embedded-ldap.xml
> > <KDCServer> configuration,
> >
> > <KDCServer>
> >   ....
> >   <Property name="host">localhost</Property>
> >   ....
> > </KDCServer>
> >
> >
> >> Have we tried our KDC with kinit and klist commands? Please point me
> >> to instructions
> >
> > Yes, we have. You need to set up realm information in /etc/krb5.conf. I am
> > pasting content of a sample file [1]. Based on the algorithms you
> > define in krb5.conf you may need to disable pre-authentication. For
> > sample in [1] please disable pre-authentication using
> > embedded-ldap.xml KDCServer/preAuthenticationTimeStampEnabled.
> >
> > E.g :-
> >
> > amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ kinit [email protected]
> > Password for [email protected]:
> > amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$
> > amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ klist
> > Ticket cache: FILE:/tmp/krb5cc_1000
> > Default principal: [email protected]
> >
> > Valid starting     Expires            Service principal
> > 05/25/12 07:12:02  05/25/12 09:36:02  krbtgt/[email protected]
> >         renew until 05/26/12 07:12:02
> >
> >
> >> If I go and change a user in IS, does that change the associated
> >> Kerberos Principal as well?
> >
> > Changing user in the sense, changing password of the user? If so the
> > change will get affected. Also client code needs to make sure it is
> > not using cached credentials from "kinit".
> >
> > Thanks
> > AmilaJ
> >
> > [1]
> >
> > [libdefaults]
> > default_realm = WSO2.ORG
> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> > permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> > allow_weak_crypto = true
> >
> > [realms]
> > WSO2.ORG = {
> >   kdc = 127.0.0.1:8000
> > }
> >
> > [domain_realm]
> > .wso2.org = WSO2.ORG
> > wso2.org = WSO2.ORG
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> >>
> >> --Srinath
> >>
> >> --
> >> ============================
> >> Srinath Perera, Ph.D.
> >> Senior Software Architect, WSO2 Inc.
> >> Visiting Faculty, University of Moratuwa
> >> Member, Apache Software Foundation
> >> Research Scientist, Lanka Software Foundation
> >> Blog: http://srinathsview.blogspot.com/
> >> Photos: http://www.flickr.com/photos/hemapani/
> >> Phone: 0772360902
> >>
> >> _______________________________________________
> >> Architecture mailing list
> >> [email protected]
> >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
> >>
> >
> >
> >
> > --
> > Mobile : +94773330538
> >
>
>
> --
> Mobile : +94773330538
>

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
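The thread turns on two things a practitioner would want to check mechanically before debugging a "Server not found in Kerberos database" failure: whether the client's krb5.conf and the KDC's embedded-ldap.xml agree on the realm (the client asks for krbtgt/REALM@REALM using its own default_realm, so a realm mismatch is one way to end up asking for a krbtgt principal the KDC has never heard of), and whether the configuration that does work only works because it is weak (the sample [1] pins single-DES/3DES enctypes, sets allow_weak_crypto = true, and the KDC is told to drop pre-authentication, which lets anyone request an AS-REP for a principal and crack its key offline). The script below is an added example and not WSO2 code or anything from the thread: it parses both files, reports those findings, and runs over a constructed copy of [1] beside an AES-only counterpart. Assumptions: the `EmbeddedLDAPConfig` wrapper element name in the constructed XML, and that the embedded KDC is configured to issue the AES enctypes the hardened client conf lists (the thread only shows it working with the DES set). The `DefaultPartition`/`KDCServer` property names are the ones the thread shows.

```python
"""Audit a client krb5.conf against the KDC settings in embedded-ldap.xml.
Added example (not WSO2 code): flags realm disagreement, DES/RC4 enctypes,
allow_weak_crypto, and pre-authentication switched off on the KDC."""
import re
import xml.etree.ElementTree as ET

# Single-DES, 3DES and RC4 are all treated as weak by current MIT krb5.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {subkey: value}}}.
    Handles one level of 'NAME = { ... }' nesting, as used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def parse_embedded_ldap(text):
    """Return the DefaultPartition realm and the KDCServer Property map."""
    root = ET.fromstring(text)

    def props(tag):
        node = root.find(".//" + tag)
        if node is None:
            return {}
        return {p.get("name"): (p.text or "").strip() for p in node.findall("Property")}

    return {"realm": props("DefaultPartition").get("realm", ""), "kdc": props("KDCServer")}


def audit(krb5_text, ldap_text):
    """Return a list of findings; empty means the configs agree and use no weak settings."""
    conf, ldap = parse_krb5_conf(krb5_text), parse_embedded_ldap(ldap_text)
    lib = conf.get("libdefaults", {})
    client_realm = lib.get("default_realm", "")
    findings = []
    # The client requests krbtgt/REALM@REALM for its own default_realm; if that is
    # not the KDC's partition realm, the principal does not exist on that KDC.
    if client_realm.upper() != ldap["realm"].upper():
        findings.append("realm mismatch: client default_realm=%r, KDC partition realm=%r; "
                        "the client will request krbtgt/%s@%s, which that KDC does not hold"
                        % (client_realm, ldap["realm"], client_realm, client_realm))
    if client_realm not in conf.get("realms", {}):
        findings.append("[realms] has no kdc entry for %s" % client_realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s allows weak enctypes: %s" % (key, " ".join(weak)))
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables DES/RC4 keys that are crackable offline")
    if ldap["kdc"].get("preAuthenticationTimeStampEnabled", "true").lower() == "false":
        findings.append("KDC pre-authentication disabled: anyone can obtain an AS-REP "
                        "for any principal and brute-force its key offline")
    return findings


# Constructed inputs. KRB5_WEAK mirrors the thread's sample [1]; KRB5_HARDENED is
# the AES-only counterpart with weak crypto off (assumes the KDC issues AES keys).
KRB5_WEAK = """\
[libdefaults]
default_realm = WSO2.ORG
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
allow_weak_crypto = true

[realms]
WSO2.ORG = {
kdc = 127.0.0.1:8000
}
"""
KRB5_HARDENED = (KRB5_WEAK
                 .replace("des-cbc-md5 des-cbc-crc des3-cbc-sha1",
                          "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")
                 .replace("allow_weak_crypto = true", "allow_weak_crypto = false"))


def embedded_ldap_xml(realm="wso2.org", preauth="true"):
    """Constructed embedded-ldap.xml fragment; the wrapper element name is assumed."""
    return """<EmbeddedLDAPConfig>
  <DefaultPartition>
    <Property name="id">root</Property>
    <Property name="realm">%s</Property>
  </DefaultPartition>
  <KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">true</Property>
    <Property name="host">localhost</Property>
    <Property name="preAuthenticationTimeStampEnabled">%s</Property>
  </KDCServer>
</EmbeddedLDAPConfig>""" % (realm, preauth)


if __name__ == "__main__":
    cases = (("weak client conf, KDC pre-auth off", KRB5_WEAK, embedded_ldap_xml(preauth="false")),
             ("hardened client conf", KRB5_HARDENED, embedded_ldap_xml()),
             ("client realm differs from KDC", KRB5_HARDENED, embedded_ldap_xml(realm="example.org")))
    for label, krb5, xml in cases:
        print(label)
        for finding in audit(krb5, xml) or ["no findings"]:
            print("  -", finding)
```

Run it against the real files by reading `/etc/krb5.conf` and `$CARBON_HOME/repository/conf/embedded-ldap.xml` into `audit()`. The hardened krb5.conf above produces no findings with pre-authentication left enabled; the thread's sample only works once `preAuthenticationTimeStampEnabled` is set to false, which is exactly the setting the audit reports.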
