On 03/05/2009 09:28 AM, Guido Günther wrote:
Hi Marco,
hi guido, the kerberos authentication works:

$ kinit -V -k -t /etc/krb5.keytab HTTP/muttley.domain.local@DOMAIN.LOCAL
Authenticated to Kerberos v5
$ klist
Ticket cache: FILE:/tmp/krb5cc_103
Default principal: HTTP/muttley.domain.local@DOMAIN.LOCAL

Valid starting     Expires            Service principal
03/05/09 12:14:31  03/05/09 22:14:34  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 03/06/09 12:14:31

but the calendarserver doesn't initialize the kerberos things (the windows machine tries to initialize the NTLM login and not the GSS).
And you have enabled kerberos in /etc/caldavd/caldavd.plist:

    <!-- Kerberos/SPNEGO -->
    <key>Kerberos</key>
    <dict>
      <key>Enabled</key>
      <true/>
      <key>ServicePrincipal</key>
      <string>HTTP/server.example.com@EXAMPLE.COM</string>
    </dict>
the same as mine. the strange thing is that it doesn't even try to connect to the kdc server when i start the calendar server. i tried to understand the python-kerberos api, but without documentation it is not that easy. :-/
Does the user have a valid HTTP/... ticket after trying to authenticate in its keytab? Besides that I'm a bit out of ideas.
i'm sorry, i don't understand: i try to (give a shell to the caldav user and) kinit with the keytab, and then restart the calendarserver, but with no luck. i didn't apply the patch to use a keytab different from the default /etc/krb5.keytab: maybe the python kerberos doesn't look at that file?
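
A check for the symptom described in this thread (the Windows client starting an NTLM login instead of GSS), added here as an example and not part of the original messages or of CalendarServer: it classifies the token a client sends in its `Authorization` header. The function names and the sample tokens are constructed for illustration, and the byte matching is a heuristic, not a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                           # start of every NTLM message


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'ntlm-in-spnego', 'other' or 'malformed'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLM_SIG):     # raw NTLM sent under the Negotiate scheme
        return "ntlm"
    if not token.startswith(b"\x60"):  # GSS-API tokens open with [APPLICATION 0]
        return "malformed"
    if NTLM_SIG in token:              # SPNEGO wrapper carrying an NTLM message
        return "ntlm-in-spnego"
    if OID_KRB5 in token:              # Kerberos 5 mechanism offered
        return "kerberos"
    return "other"


def _gss(oid, body):
    # Constructed GSS-API wrapper: 0x60, short-form length, mech OID, body.
    inner = oid + body
    return b"\x60" + bytes([len(inner)]) + inner


def sample_headers():
    # Constructed, truncated tokens: enough structure to classify, not valid tickets.
    ntlm_type1 = NTLM_SIG + (1).to_bytes(4, "little") + bytes.fromhex("078208a2")
    tokens = {
        "kerberos": _gss(OID_SPNEGO, b"\xa0\x0d\x30\x0b" + OID_KRB5),
        "ntlm": ntlm_type1,
        "ntlm-in-spnego": _gss(OID_SPNEGO, ntlm_type1),
    }
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in tokens.items()}


if __name__ == "__main__":
    for expected, header in sample_headers().items():
        print(expected, "->", classify_authorization(header))
```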