calendarserver on debian via nss and kerberos
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos? I followed the README.Debian, but with no results. Using strace I found that the user was found via NSS, but it doesn't even try to open /etc/krb5.keytab. Any idea where I am wrong? thanks, mg.
Hi, I was able to do it with Ubuntu Intrepid. Kerberos works. NSS not at the moment. I wrote a script that runs via cronjob creating an XML file from LDAP for the user information. I'm still working on the NSS thing. Use account.xml with no password and login names that are of the same kind as in your Kerberos database. Make sure that your keytab is readable by caldavd and use lowercase http/ (not HTTP/) for the principal entry. Kerberos-based login depends on your client as well. Which one are you using? Georg
On 03.03.2009 at 12:27, Marco Ghidinelli wrote:
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos?
I followed the README.Debian, but with no results.
Using strace I found that the user was found via NSS, but it doesn't even try to open /etc/krb5.keytab.
Any idea where I am wrong?
thanks, mg.
On 03/03/2009 02:14 PM, Georg Troska wrote:
Hi, I was able to do it with Ubuntu Intrepid.
Kerberos works. NSS not at the moment. I wrote a script that runs via cronjob creating an XML file from LDAP for the user information. I'm still working on the NSS thing.
I didn't understand: did NSS work for you but NSS + Kerberos doesn't authenticate, or does NSS not work at all, so you didn't try NSS + Kerberos?
Use account.xml with no password and login names that are of the same kind as in your Kerberos database. Make sure that your keytab is readable by caldavd and use lowercase http/ (not HTTP/) for the principal entry.
it's readable. I've tried with lowercase http, with the same results.
Kerberos-based login depends on your client as well. Which one are you using?
it works with neither Sunbird nor Firefox (I've put "http://" in network.negotiate-auth.trusted-uris).
On Tue, Mar 03, 2009 at 02:14:34PM +0100, Georg Troska wrote:
Hi, I was able to do it with Ubuntu Intrepid.
Kerberos works. NSS not at the moment. I wrote a script that runs via cronjob creating an XML file from LDAP for the user information. I'm still working on the NSS thing.
Use account.xml with no password and login names that are of the same kind as in your Kerberos database. Make sure that your keytab is readable by caldavd and use lowercase http/ (not HTTP/) for the principal entry. Kerberos-based login depends on your client as well. Which one are you using?
Georg
I followed your idea, and now I'm trying with a generated account.xml with Kerberos authentication. It still doesn't work, but with a more verbose error. Here is the log:

2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] Log opened.
2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] twistd 8.1.0 (/usr/bin/python 2.5.2) starting up
2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] twisted.web2.channel.http.HTTPFactory starting on 8008
2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] Starting factory <twisted.web2.channel.http.HTTPFactory instance at 0x188d7a0>
2009-03-04 11:45:47+0100 [-] [caldav-8008] [-] twisted.web2.channel.http.HTTPFactory starting on 8443
2009-03-04 11:45:48+0100 [-] [caldav-8008] [-] set uid/gid 103/105
2009-03-04 11:45:48+0100 [twistedcaldav.logging.AMPLoggingFactory] AMPLoggingProtocol connection established (HOST:UNIXSocket('/var/run/caldavd/caldavd.socket') PEER:UNIXSocket(''))
2009-03-04 11:45:48+0100 [-] [caldav-8008] [-] AMP connection established (HOST:UNIXSocket(None) PEER:UNIXSocket('/var/run/caldavd/caldavd.socket'))
2009-03-04 10:47:39+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] "Directory service <XMLDirectoryService 'DOMAIN.LOCAL': FilePath('/etc/caldavd/accounts.xml')> has no GUID; generating service GUID from realm name."
2009-03-04 10:47:39+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] "Directory service <SudoDirectoryService 'DOMAIN.LOCAL': FilePath('/etc/caldavd/sudoers.plist')> has no GUID; generating service GUID from realm name."
2009-03-04 10:47:39+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] GET /calendars/users/marco.ghidinelli/ HTTP/1.1
2009-03-04 10:47:39+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] 'Authentication failed: Invalid nonce value: 6152332 -- a lot of numbers here (ndr)-- 554623523'
2009-03-04 10:47:45+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] GET /calendars/users/marco.ghidinelli/ HTTP/1.1
2009-03-04 10:47:45+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] Exception rendering:
2009-03-04 10:47:45+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] Unhandled Error
2009-03-04 10:47:45+0100 [-] [caldav-8008] Traceback (most recent call last):
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 186, in addCallbacks
2009-03-04 10:47:45+0100 [-] [caldav-8008]     self._runCallbacks()
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 328, in _runCallbacks
2009-03-04 10:47:45+0100 [-] [caldav-8008]     self.result = callback(self.result, *args, **kw)
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/web2/dav/resource.py", line 722, in login
2009-03-04 10:47:45+0100 [-] [caldav-8008]     d = request.portal.login(pcreds, None, *request.loginInterfaces)
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/cred/portal.py", line 114, in login
2009-03-04 10:47:45+0100 [-] [caldav-8008]     return maybeDeferred(self.checkers[i].requestAvatarId, credentials
2009-03-04 10:47:45+0100 [-] [caldav-8008]   --- <exception caught here> ---
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/internet/defer.py", line 106, in maybeDeferred
2009-03-04 10:47:45+0100 [-] [caldav-8008]     result = f(*args, **kw)
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twistedcaldav/directory/aggregate.py", line 135, in requestAvatarId
2009-03-04 10:47:45+0100 [-] [caldav-8008]     type).requestAvatarId(credentials)
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twistedcaldav/directory/directory.py", line 109, in requestAvatarId
2009-03-04 10:47:45+0100 [-] [caldav-8008]     if user.verifyCredentials(credentials.credentials):
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twistedcaldav/directory/xmlfile.py", line 144, in verifyCredentials
2009-03-04 10:47:45+0100 [-] [caldav-8008]     return credentials.checkPassword(self.password)
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/web2/auth/digest.py", line 153, in checkPassword
2009-03-04 10:47:45+0100 [-] [caldav-8008]     calcHA1(algo, self.username, self.realm, password, nonce, cnonce),
2009-03-04 10:47:45+0100 [-] [caldav-8008]   File "/usr/lib/python2.5/site-packages/twisted/web2/auth/digest.py", line 62, in calcHA1
2009-03-04 10:47:45+0100 [-] [caldav-8008]     m.update(pszPassword)
2009-03-04 10:47:45+0100 [-] [caldav-8008] exceptions.TypeError: update() argument 1 must be string or read-only buffer, not None

The account.xml is:

<!DOCTYPE accounts SYSTEM "accounts.dtd">
<accounts realm="DOMAIN.LOCAL">
  <user>
    <uid>admin</uid>
    <name>Super User</name>
  </user>
  <user>
    <uid>marco.ghidinelli</uid>
    <name>Marco Ghidinelli</name>
    <cuaddr>mailto:marco.ghidinelli@domain.net</cuaddr>
  </user>
</accounts>
On Tue, Mar 03, 2009 at 12:27:45PM +0100, Marco Ghidinelli wrote:
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos?
I followed the README.Debian, but with no results. To verify if NSS really works you can change:
+ def verifyCredentials(self, credentials): + # FIXME: plugin in PAM authentication here if you want to - kerberos works + #return super(NssUserRecord, self).verifyCredentials(credentials) + return False ^^^^^ To: + def verifyCredentials(self, credentials): + # FIXME: plugin in PAM authentication here if you want to - kerberos works + #return super(NssUserRecord, self).verifyCredentials(credentials) + return True ^^^^ in twistedcaldav/directory/nss.py. This will disable *all* authentication but the first/lastValUid etc checks will still be in place. Once this works we can try to work out why kerberos fails. Cheers, -- Guido
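Review bot: the `return True` in the replacement verifyCredentials makes every NSS user record accept any credentials, but it only short-circuits the check reached from requestAvatarId (the portal.login -> requestAvatarId -> verifyCredentials path shown in the traceback earlier in the thread). A failure raised inside the Negotiate credential factory, such as the authGSSServerStep error reported later in the thread, happens before that path is entered, so this toggle cannot change that outcome; confirming the NSS lookup first and then chasing the Kerberos failure separately is the right split, and the keytab and service-principal side needs its own check.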
On Mon, Mar 23, 2009 at 07:10:51AM +0100, Guido Günther wrote:
On Tue, Mar 03, 2009 at 12:27:45PM +0100, Marco Ghidinelli wrote:
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos?
I followed the README.Debian, but with no results. To verify if NSS really works you can change:
[...]
in twistedcaldav/directory/nss.py. This will disable *all* authentication but the first/lastValUid etc checks will still be in place. Once this works we can try to work out why kerberos fails.
hello guido,
I changed the line above, but with or without the change the result is the same: I always get
2009-03-24 14:33:46+0100 [-] [caldav-8008] [NegotiateCredentialFactory] 'authGSSServerStep: Unspecified GSS failure. Minor code may provide more information(No error)'
so I changed twistedcalendar/authkerb.py at about line 231 to print the base64data associated with the failed request.
When I connect from Internet Explorer I get an NTLM base64data; when I connect from Firefox (from a Kerberos-authenticated Linux machine) I get a long message, which I'll send you in a private mail.
thanks for the help!
On 03/24/2009 03:03 PM, Marco Ghidinelli wrote:
On Mon, Mar 23, 2009 at 07:10:51AM +0100, Guido Günther wrote:
On Tue, Mar 03, 2009 at 12:27:45PM +0100, Marco Ghidinelli wrote:
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos?
I followed the README.Debian, but with no results. To verify if NSS really works you can change:
[...]
in twistedcaldav/directory/nss.py. This will disable *all* authentication but the first/lastValUid etc checks will still be in place. Once this works we can try to work out why kerberos fails.
hello guido,
I changed the line above, but with or without the change the result is the same:
I always get
2009-03-24 14:33:46+0100 [-] [caldav-8008] [NegotiateCredentialFactory] 'authGSSServerStep: Unspecified GSS failure. Minor code may provide more information(No error)'
so I changed twistedcalendar/authkerb.py at about line 231 to print the base64data associated with the failed request.
When I connect from Internet Explorer I get an NTLM base64data; when I connect from Firefox (from a Kerberos-authenticated Linux machine) I get a long message, which I'll send you in a private mail.
From the Firefox machine, I tried
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log
and I got these error messages:
-1211647776[9878060]: using REQ_DELEGATE
-1211647776[9878060]: service = muttley.domain.local
-1211647776[9878060]: using negotiate-gss
-1211647776[9878060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1211647776[9878060]: entering nsAuthGSSAPI::Init()
-1211647776[9878060]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=negotiate]
-1211647776[9878060]: entering nsAuthGSSAPI::GetNextToken()
-1211647776[9878060]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-1211647776[9878060]: Sending a token of length 1376
-1211647776[9878060]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=negotiate]
-1211647776[9878060]: entering nsAuthGSSAPI::GetNextToken()
-1211647776[9878060]: Cannot restart authentication sequence!
but I don't know how to use this information.
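Georg's advice earlier in the thread is that the keytab must be readable by caldavd and must hold the http/ service principal in the spelling caldavd expects, and the authGSSServerStep failure reported in the last two messages is what a failed keytab lookup on the server commonly looks like. The following Python is an added example, not calendarserver's or the Debian package's code: it encodes and parses MIT-format (version 0x0502) keytab files so the principals actually stored in /etc/krb5.keytab can be listed and both spellings of the service principal checked; the host muttley.domain.local and realm DOMAIN.LOCAL are taken from the thread, and the sample keytab bytes are constructed in-line.

```python
import struct
def _cstr(b):
    return struct.pack(">H", len(b)) + b  # counted octet string: uint16 length + bytes

def build_keytab(entries):
    """Encode (principal, realm, kvno, enctype, key) tuples as a v2 (0x0502) keytab."""
    out = b"\x05\x02"
    for princ, realm, kvno, etype, key in entries:
        comps = princ.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", etype) + _cstr(key)
        out += struct.pack(">i", len(body)) + body
    return out

def _take(data, pos):
    """Decode one counted octet string at pos; return (text, position after it)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, realm, kvno, enctype)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled here")
    pos, found = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _take(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(data, pos)
            comps.append(comp)
        _ntype, _stamp, kvno, etype = struct.unpack_from(">IIBH", data, pos)
        found.append(("/".join(comps), realm, kvno, etype))
        pos = end  # skip the key bytes and any trailing 32-bit kvno
    return found

def check_service_principal(data, host, realm):
    """For both spellings of the HTTP service principal, say whether the keytab holds it."""
    present = {p for p, r, _, _ in parse_keytab(data) if r == realm}
    return {p: p in present for p in ("http/" + host, "HTTP/" + host)}

# Constructed sample: a keytab holding only http/muttley.domain.local@DOMAIN.LOCAL
SAMPLE_KEYTAB = build_keytab([("http/muttley.domain.local", "DOMAIN.LOCAL", 3, 18, b"\x00" * 32)])
```

Running `parse_keytab(open('/etc/krb5.keytab', 'rb').read())` as the caldavd user (uid 103 in the log above) checks readability and the stored principal names in one step.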