On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce <s...@redhat.com> wrote:
> On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> > hi,
> > After some initial troubles (thanks rcrit on irc) I got this to work
> > nicely. I have used the openfire
> > http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> > server.
> > Instructions here:
> > http://test.asenjo.nl/index.php/Openfire_ipa
> Nice writeup Natxo,
> I am curious about the SSO setup. Why did you need to restrict the
> keytab to des3? Using the default settings (which include AES keys)
> would normally be better. If it is due to restrictions in the Java
> security library, you should be able to download a library with full
> support for AES from Oracle (they have a separate build, due to some
> export control stuff, that is available for download).
Apparently this is the setting recommended by openfire.
> I am also curious about the need to set isInitiator to false. Service
> keys in IPA can be used to init security contexts; what kind of failure
> did you see setting it to true? The 'isInitiator=false' may be
> necessary in AD, where servicePrincipals and userPrincipals are
> considered distinct entities and AD forbids servicePrincipals from
> performing AS Requests, but this is not limited in IPA; by default you
> should be able to initiate just fine.
When I set isInitiator=true and reload openfire I get this error in the
Debug is true storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is null isInitiator true KeyTab is
/opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is
xmpp/ipaclient01.ipa.asenjo...@ipa.asenjo.nx tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm IPA.ASENJO.NX
I am not sure why it does not work, but it doesn't. Believe me, I tried :-)
According to the person who wrote this community doc:
"Since the xmpp service principal is only a service principal, and not
mapped to an actual user account, we need to ensure that Java never
attempts to treat it like a user account. In order to assure that, we have
to add an additional line to gss.conf -- isInitiator."
In the AD setups, the isInitiator directive is not necessary, apparently.
That is why I could not get it to work with the instructions on their site
until I found that clue.
> Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
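For reference, here is what the gss.conf entry being discussed looks like as a JAAS login configuration. This is an added example, not Natxo's file or anything from the Openfire or FreeIPA documentation: the option values are taken from the Krb5LoginModule debug line in the message above, the keytab path is the one it shows, and the login-entry name, host name and realm are placeholders (the real principal is truncated in the message). With isInitiator=true the debug output shows the module going on to "Acquire TGT using AS Exchange" after reading the key from the keytab; with isInitiator=false the module is acceptor-only, so it stops after loading the service key and never attempts that AS exchange.

```jaas
// gss.conf - added example, not the original poster's configuration.
// Entry name, host and realm are placeholders; adjust to your deployment.
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        // Keep the service key in the Subject so JGSS can accept contexts.
        storeKey=true
        // Read the key from the keytab instead of prompting for a password.
        useKeyTab=true
        doNotPrompt=true
        useTicketCache=false
        // Path from the debug output in the thread.
        keyTab="/opt/openfire/conf/openfire.keytab"
        // Placeholder principal; the real one is xmpp/<host>@<REALM>.
        principal="xmpp/xmpp.example.com@EXAMPLE.COM"
        // Acceptor only: no AS exchange / TGT acquisition is attempted.
        // With isInitiator=true the module also tries to obtain a TGT,
        // which is the step that failed in the log quoted above.
        isInitiator=false
        debug=true;
};
```

The keytab itself is not restricted to des3 by this file; which enctypes end up in the keytab is decided when it is generated on the IPA side, and whether the JVM can use AES keys depends on the Java security policy mentioned in Simo's reply.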