calendarserver on linux via NssDirectory
hello,

i've successfully tried calendarserver with accounts.xml users, and now i'm trying to integrate it with my activedirectory domain. getent passwd shows all user accounts correctly (i use the winbind nss "plugin") and the kerberos authentication (from the kinit commandline) works.

i created the krb5.keytab file on the (win 2003) kerberos server for the principal:

HTTP/muttley.domain.net@DOMAIN.LOCAL

and it is shown correctly with klist -k /etc/krb5.keytab on the linux machine.

the calendarserver configuration is taken from the guido page: http://honk.sigxcpu.org/con/Apple_Calendarser_with_Name_Service_Switch_direc...

connecting (with firefox) i always get the message:

9-02-23 15:50:34+0100 [-] [caldav-8008] [HTTPChannel,3,192.168.0.29] GET /calendars/users/marco.ghidinelli/ HTTP/1.1
2009-02-23 15:50:34+0100 [-] [caldav-8008] [HTTPChannel,3,192.168.0.29] "Authentication failed: Incorrect credentials for <NssUserRecord[users@27a5f82b-c2bd-5387-8942-a62eb12bb26c(domain.net)] marco.ghidinelli(marco.ghidinelli) 'Marco Ghidinelli'>"

with the wrong or with the right password.

tcpdump'ing port 88 i can't see any packet exchanged from the machine.

any idea? where am i wrong?
Hi Marco,

--On February 23, 2009 3:58:33 PM +0100 Marco Ghidinelli <marco.ghidinelli@turboden.net> wrote:
i've successfully tried calendarserver with accounts.xml users, and now i'm trying to integrate it with my activedirectory domain.
getent passwd shows all user accounts correctly (i use the winbind nss "plugin") and the kerberos authentication (from the kinit commandline) works.
i created the krb5.keytab file on the (win 2003) kerberos server for the principal:
HTTP/muttley.domain.net@DOMAIN.LOCAL
and it is shown correctly with klist -k /etc/krb5.keytab on the linux machine.
the calendarserver configuration is taken from the guido page: http://honk.sigxcpu.org/con/Apple_Calendarser_with_Name_Service_Switch_directory_backend.html
connecting (with firefox) i always get the message:

9-02-23 15:50:34+0100 [-] [caldav-8008] [HTTPChannel,3,192.168.0.29] GET /calendars/users/marco.ghidinelli/ HTTP/1.1
2009-02-23 15:50:34+0100 [-] [caldav-8008] [HTTPChannel,3,192.168.0.29] "Authentication failed: Incorrect credentials for <NssUserRecord[users@27a5f82b-c2bd-5387-8942-a62eb12bb26c(domain.net)] marco.ghidinelli(marco.ghidinelli) 'Marco Ghidinelli'>"
with the wrong or with the right password.
tcpdump'ing port 88 i can't see any packet exchanged from the machine.

Have you enabled Kerberos authentication in the server's caldavd.plist file? When the server starts up it ought to print out status information about the configured authentication mechanisms. What does it show for kerberos?

-- 
Cyrus Daboo
On 02/23/2009 04:15 PM, Cyrus Daboo wrote:
Hi Marco,
Have you enabled Kerberos authentication in the server's caldavd.plist file? When the server starts up it ought to print out status information about the configured authentication mechanisms. What does it show for kerberos?
i put this in the config file:

<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
  <key>Enabled</key>
  <true/>
  <key>ServicePrincipal</key>
  <string>HTTP/muttley.domain.net@DOMAIN.LOCAL</string>
</dict>

and then i

chgrp caldavd /etc/krb5.keytab
chmod g+r /etc/krb5.keytab

but in my startup log i didn't see any kerberos initialization:

2009-02-23 16:25:03+0100 [-] Log opened.
2009-02-23 16:25:03+0100 [-] twistd 8.1.0 (/usr/bin/python 2.5.2) starting up
2009-02-23 16:25:03+0100 [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2009-02-23 16:25:03+0100 [-] twistedcaldav.logging.AMPLoggingFactory starting on "'/var/run/caldavd/caldavd.socket'"
2009-02-23 16:25:03+0100 [-] [caldav-8008] /usr/lib/python2.5/site-packages/twisted/plugins/twisted_web2.py:22: DeprecationWarning: mktap and related support modules are deprecated as of Twisted 8.0. Use Twisted Application Plugins with the 'twistd' command directly, as described in 'Writing a Twisted Application Plugin for twistd' chapter of the Developer Guide.
2009-02-23 16:25:03+0100 [-] [caldav-8008] from twisted.scripts.mktap import _tapHelper
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] Log opened.
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] twistd 8.1.0 (/usr/bin/python 2.5.2) starting up
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] twisted.web2.channel.http.HTTPFactory starting on 8008
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] Starting factory <twisted.web2.channel.http.HTTPFactory instance at 0x166f3b0>
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] set uid/gid 103/105
2009-02-23 16:25:03+0100 [twistedcaldav.logging.AMPLoggingFactory] AMPLoggingProtocol connection established (HOST:UNIXSocket('/var/run/caldavd/caldavd.socket') PEER:UNIXSocket(''))
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] AMP connection established (HOST:UNIXSocket(None) PEER:UNIXSocket('/var/run/caldavd/caldavd.socket'))
Hi Marco,

--On February 23, 2009 4:27:20 PM +0100 Marco Ghidinelli <marco.ghidinelli@turboden.net> wrote:

2009-02-23 16:25:03+0100 [-] Log opened.
2009-02-23 16:25:03+0100 [-] twistd 8.1.0 (/usr/bin/python 2.5.2) starting up
2009-02-23 16:25:03+0100 [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2009-02-23 16:25:03+0100 [-] twistedcaldav.logging.AMPLoggingFactory starting on "'/var/run/caldavd/caldavd.socket'"
2009-02-23 16:25:03+0100 [-] [caldav-8008] /usr/lib/python2.5/site-packages/twisted/plugins/twisted_web2.py:22: DeprecationWarning: mktap and related support modules are deprecated as of Twisted 8.0. Use Twisted Application Plugins with the 'twistd' command directly, as described in 'Writing a Twisted Application Plugin for twistd' chapter of the Developer Guide.
2009-02-23 16:25:03+0100 [-] [caldav-8008] from twisted.scripts.mktap import _tapHelper
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] Log opened.
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] twistd 8.1.0 (/usr/bin/python 2.5.2) starting up
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] twisted.web2.channel.http.HTTPFactory starting on 8008
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] Starting factory <twisted.web2.channel.http.HTTPFactory instance at 0x166f3b0>
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] set uid/gid 103/105
2009-02-23 16:25:03+0100 [twistedcaldav.logging.AMPLoggingFactory] AMPLoggingProtocol connection established (HOST:UNIXSocket('/var/run/caldavd/caldavd.socket') PEER:UNIXSocket(''))
2009-02-23 16:25:03+0100 [-] [caldav-8008] [-] AMP connection established (HOST:UNIXSocket(None) PEER:UNIXSocket('/var/run/caldavd/caldavd.socket'))

Can you set the DefaultLogLevel to "debug" in the caldavd.plist and then restart the server and see if any kerberos entries appear in the log?

-- 
Cyrus Daboo
On 02/23/2009 06:29 PM, Cyrus Daboo wrote:
Hi Marco,
hi cyrus,
Can you set the DefaultLogLevel to "debug" in the caldavd.plist and then restart the server and see if any kerberos entries appear in the log?
i tried, but it says:

2009-02-24 11:47:21+0100 [-] [caldav-8008] 'Ignoring unknown configuration option: DefaultLogLevel'

i put in my caldav.plist

<key>DefaultLogLevel</key>
<string>debug</string>

taken from: http://trac.calendarserver.org/browser/CalendarServer/trunk/twistedcaldav/te...

i even tried changing twistedcaldav/logging.py to

currentLogLevel = logtypes["debug"]

but i cannot see any kerberos messages.
On Mon, Feb 23, 2009 at 03:58:33PM +0100, Marco Ghidinelli wrote:
hello,
i've successfully tried calendarserver with accounts.xml users, and now i'm trying to integrate it with my activedirectory domain.

To use nss you need a patch that is not in mainline. Did you apply that one?

getent passwd shows all user accounts correctly (i use the winbind nss "plugin") and the kerberos authentication (from the kinit commandline) works.

Did you set network.negotiate-auth.trusted-uris in firefox?

-- Guido
On 02/26/2009 04:08 PM, Guido Günther wrote:

sorry for the delay.
On Mon, Feb 23, 2009 at 03:58:33PM +0100, Marco Ghidinelli wrote:
hello,
i've successfully tried calendarserver with accounts.xml users, and now i'm trying to integrate it with my activedirectory domain.

To use nss you need a patch that is not in mainline. Did you apply that one?

i'm using the debian package, which i think already integrates those patches.

calendarserver 1.2.dfsg-8

getent passwd shows all user accounts correctly (i use the winbind nss "plugin") and the kerberos authentication (from the kinit commandline) works.

Did you set network.negotiate-auth.trusted-uris in firefox?

yes, on iceweasel(firefox) and on iceowl(sunbird).

network.negotiate-auth.trusted-uris: http://

the machine is a clean debian 5.0.

thanks,
m.
Hi Marco,

On Mon, Mar 02, 2009 at 12:50:43PM +0100, Marco Ghidinelli wrote:
On 02/26/2009 04:08 PM, Guido Günther wrote:
sorry for the delay.
On Mon, Feb 23, 2009 at 03:58:33PM +0100, Marco Ghidinelli wrote:
hello,
i've successfully tried calendarserver with accounts.xml users, and now i'm trying to integrate it with my activedirectory domain.

To use nss you need a patch that is not in mainline. Did you apply that one?

i'm using the debian package, which i think already integrates those patches.

calendarserver 1.2.dfsg-8

Yes, it's all in there.

getent passwd shows all user accounts correctly (i use the winbind nss "plugin") and the kerberos authentication (from the kinit commandline) works.

Did you set network.negotiate-auth.trusted-uris in firefox?
yes, on iceweasel(firefox) and on iceowl(sunbird).
network.negotiate-auth.trusted-uris: http://
the machine is a clean debian 5.0.

And you have enabled kerberos in /etc/caldavd/caldavd.plist:

<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
  <key>Enabled</key>
  <true/>
  <key>ServicePrincipal</key>
  <string>HTTP/server.example.com@EXAMPLE.COM</string>
</dict>

Does the user have a valid HTTP/... ticket after trying to authenticate in its keytab? Besides that I'm a bit out of ideas.

-- Guido
On 03/05/2009 09:28 AM, Guido Günther wrote:
Hi Marco,
hi guido,

the kerberos authentication works:

$ kinit -V -k -t /etc/krb5.keytab HTTP/muttley.domain.local@DOMAIN.LOCAL
Authenticated to Kerberos v5
$ klist
Ticket cache: FILE:/tmp/krb5cc_103
Default principal: HTTP/muttley.domain.local@DOMAIN.LOCAL

Valid starting     Expires            Service principal
03/05/09 12:14:31  03/05/09 22:14:34  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 03/06/09 12:14:31

but the calendarserver doesn't initialize the kerberos things (the windows machine tries to initialize the NTLM login and not the GSS).

And you have enabled kerberos in /etc/caldavd/caldavd.plist:

<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
  <key>Enabled</key>
  <true/>
  <key>ServicePrincipal</key>
  <string>HTTP/server.example.com@EXAMPLE.COM</string>
</dict>

the same as mine. the strange thing is that it doesn't even try to connect to the kdc server when i start the calendar server. i tried to understand the python-kerberos api, but without documentation it is not that easy. :-/
Does the user have a valid HTTP/... ticket after trying to authenticate in its keytab? Besides that I'm a bit out of ideas.
i'm sorry, i don't understand: i try to (give a shell to the caldav user and) kinit with the keytab, and then restart the calendarserver, but with no luck. i didn't apply the patch to use a keytab different from the default /etc/krb5.keytab: maybe the python kerberos doesn't look at that file?
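The thread keeps coming back to two things a practitioner would verify before touching python-kerberos: that the ServicePrincipal configured in caldavd.plist is literally one of the principals in the keytab the server reads (host part and realm included), and that the keytab file is readable by the caldavd group but not by everyone. The script below is an added diagnostic, not code from the thread or from calendarserver; the plist fragment and the klist -k output it parses are constructed samples in the shape quoted above, and the principal values in them are hypothetical.

```python
import os
import plistlib
import re
import stat

# Constructed caldavd.plist fragment in the shape of the Kerberos dict quoted
# in the thread; the principal is a hypothetical value, not a real deployment.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Kerberos</key>
  <dict>
    <key>Enabled</key>
    <true/>
    <key>ServicePrincipal</key>
    <string>HTTP/muttley.domain.net@DOMAIN.LOCAL</string>
  </dict>
</dict>
</plist>
"""

# Constructed text in the shape `klist -k /etc/krb5.keytab` prints.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/muttley.domain.local@DOMAIN.LOCAL
   3 host/muttley.domain.local@DOMAIN.LOCAL
"""

# One keytab entry line: a key version number followed by the principal.
KLIST_ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s*$")


def configured_service_principal(plist_bytes):
    """Return the ServicePrincipal from caldavd.plist, or None when the
    Kerberos dict is disabled or the key is missing."""
    krb = plistlib.loads(plist_bytes).get("Kerberos", {})
    if not krb.get("Enabled"):
        return None
    return krb.get("ServicePrincipal")


def keytab_principals(klist_output):
    """Parse `klist -k` output into the set of principals in the keytab."""
    found = set()
    for line in klist_output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            found.add(m.group(1))
    return found


def split_principal(principal):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM')."""
    service, _, rest = principal.partition("/")
    host, _, realm = rest.partition("@")
    return service, host, realm


def check_service_principal(plist_bytes, klist_output):
    """Return a list of findings; an empty list means the configured
    principal has an exact entry in the keytab."""
    sp = configured_service_principal(plist_bytes)
    if sp is None:
        return ["Kerberos disabled or ServicePrincipal missing in caldavd.plist"]
    principals = keytab_principals(klist_output)
    if sp in principals:
        return []
    findings = ["ServicePrincipal %s not found in keytab" % sp]
    service, host, realm = split_principal(sp)
    if realm != realm.upper():
        findings.append("realm %s is not upper-case" % realm)
    # Point at near-misses: same service type but a different host or realm,
    # which is how a typo in either part usually shows up.
    for p in sorted(principals):
        p_service, p_host, p_realm = split_principal(p)
        if p_service != service:
            continue
        if p_host != host:
            findings.append("keytab has %s: hostname differs (%s vs %s)" % (p, p_host, host))
        if p_realm != realm:
            findings.append("keytab has %s: realm differs (%s vs %s)" % (p, p_realm, realm))
    return findings


def keytab_mode_ok(path):
    """True when the keytab is group-readable (the chgrp/chmod g+r step from
    the thread) and not readable by others."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IRGRP) and not (mode & stat.S_IROTH)


if __name__ == "__main__":
    for finding in check_service_principal(SAMPLE_PLIST, SAMPLE_KLIST) or ["ok"]:
        print(finding)
```

Run against the constructed samples it reports that the configured principal is absent and that the keytab's HTTP entry carries a different hostname; on a real host, feed it the bytes of /etc/caldavd/caldavd.plist and the captured output of klist -k for whichever keytab the server actually opens.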