Re: [CalendarServer-users] calendarserver on debian via nss and kerberos
Hi Marco,

it seems that kerberos does not work on your client or on your server. The main interesting things might be:

<!-- XML File Directory Service -->
<key>DirectoryService</key>
<dict>
  <key>type</key>
  <string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
  <key>params</key>
  <dict>
    <key>xmlFile</key>
    <string>/etc/caldavd/accounts.xml</string>
  </dict>
</dict>

<!-- Authentication -->
<key>Authentication</key>
<dict>
  <!-- Clear text; best avoided -->
  <key>Basic</key>
  <dict>
    <key>Enabled</key>
    <false/>
  </dict>
  <!-- Digest challenge/response -->
  <key>Digest</key>
  <dict>
    <key>Enabled</key>
    <false/>
    <key>Algorithm</key>
    <string>md5</string>
    <key>Qop</key>
    <string></string>
  </dict>
  <!-- Kerberos/SPNEGO -->
  <key>Kerberos</key>
  <dict>
    <key>Enabled</key>
    <true/>
    <key>ServicePrincipal</key>
    <string>http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE</string>
  </dict>
</dict>

<!-- SSL/TLS -->
<!-- Public key -->
<key>SSLCertificate</key>
<string>/etc/ssl/certs/server07_crt.pem</string>
<!-- Private key -->
<key>SSLPrivateKey</key>
<string>/etc/ssl/certs/server07_privatekey.pem</string>

The accounts.xml looks like this:

<!DOCTYPE accounts SYSTEM "accounts.dtd">
<accounts realm="E4 Calendars">
  <user>
    <uid>User1</uid>
    <guid>User1</guid>
    <name>User1 Bla</name>
  </user>
  ...
</accounts>

root@server07:/etc/caldavd# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
root@server07:/etc/caldavd#

You have to create your keytab with the administrative tools from your kerberos server; I used kadmin for that. You need a host ticket, an http and an HTTP ticket; create them with a randkey. The commands are addprinc and ktadd.

Before doing that you should be sure that kerberos is running well. Look if single-sign on works e.g.

Georg

On 04.03.2009 at 13:09, Marco Ghidinelli wrote:
On 03/04/2009 12:50 PM, Georg Troska wrote:
Hi,
hello georg,
have you tried to disable all other kinds of authorisation than kerberos?
i tried, but when i do that it complains that:
2009-03-04 12:57:37+0100 [-] [caldav-8008] [HTTPChannel, 0,192.168.0.29] "Client authentication scheme digest is not provided by server ['negotiate']"
and i got a 403 (forbidden) result.
without the digest it doesn't work, so i have to keep it enabled.
could you send me your configuration files? i fear that i just forget something around.
how you got your /etc/krb5.keytab?
what is your output of: klist -k /etc/krb5.keytab ??
now i'm downloading the ubuntu server for replicating your running environment.
thank you very much.
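
An added example, not part of the original thread and not CalendarServer code: a small Python check that the ServicePrincipal configured in the Authentication section is actually present in the keytab listing, and that no weaker scheme is offered next to Kerberos. The sample plist and klist text are constructed from the values quoted in the message; the function names are hypothetical.

```python
import plistlib

# Constructed sample: caldavd.plist trimmed to the Authentication keys quoted above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Authentication</key><dict>
  <key>Basic</key><dict><key>Enabled</key><false/></dict>
  <key>Digest</key><dict><key>Enabled</key><false/></dict>
  <key>Kerberos</key><dict>
    <key>Enabled</key><true/>
    <key>ServicePrincipal</key>
    <string>http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE </string>
  </dict>
</dict>
</dict></plist>"""

# Constructed sample: `klist -k` output in the layout shown in the message.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
"""

def keytab_principals(klist_text):
    """Return {principal: set of KVNOs} parsed from `klist -k` output."""
    found = {}
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():  # skips header and ruler lines
            found.setdefault(parts[1], set()).add(int(parts[0]))
    return found

def check(plist_bytes, klist_text):
    """Return a list of findings; an empty list means config and keytab agree."""
    auth = plistlib.loads(plist_bytes).get("Authentication", {})
    findings = [f"{s} is enabled alongside Kerberos"
                for s in ("Basic", "Digest") if auth.get(s, {}).get("Enabled")]
    krb = auth.get("Kerberos", {})
    if not krb.get("Enabled"):
        return findings + ["Kerberos is not enabled"]
    # strip() tolerates whitespace left inside <string> by mail line wrapping
    wanted = krb.get("ServicePrincipal", "").strip()
    have = keytab_principals(klist_text)
    if wanted not in have:
        # Principal names are case-sensitive: HTTP/host is not http/host.
        near = sorted(p for p in have if p.lower() == wanted.lower())
        findings.append(f"{wanted!r} not in keytab; case variants present: {near}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE_PLIST, SAMPLE_KLIST) or "config and keytab agree")
```

On a real host, feed it the contents of the server's plist and the output of `klist -k /etc/krb5.keytab` instead of the samples.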