Re: [CalendarServer-users] calendarserver on debian via nss and kerberos
On Tue, Mar 24, 2009 at 02:59:37PM +0100, root wrote:
On Mon, Mar 23, 2009 at 07:10:51AM +0100, Guido Günther wrote:
On Tue, Mar 03, 2009 at 12:27:45PM +0100, Marco Ghidinelli wrote:
hello, was anyone able to use calendarserver on debian 5 with users from nsswitch and authentication via SPNEGO/Kerberos?

I followed the README.Debian, but with no results.

To verify if NSS really works you can change:
+ def verifyCredentials(self, credentials): + # FIXME: plugin in PAM authentication here if you want to - kerberos works + #return super(NssUserRecord, self).verifyCredentials(credentials) + return False ^^^^^
To:
+ def verifyCredentials(self, credentials): + # FIXME: plugin in PAM authentication here if you want to - kerberos works + #return super(NssUserRecord, self).verifyCredentials(credentials) + return True ^^^^
in twistedcaldav/directory/nss.py. This will disable *all* authentication but the first/lastValUid etc checks will still be in place. Once this works we can try to work out why kerberos fails.
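Review bot: the hard-coded `return True` at the end of `verifyCredentials` in the second variant accepts any credential for any user the NSS directory resolves, so only the first/lastValUid checks stand between a client and every account. Use it on a test instance only and restore `return False` before the server is reachable by anyone else. The FIXME is the real gap: a config-driven check (PAM, or the commented-out `super(NssUserRecord, self).verifyCredentials(credentials)` call if it applies) would be safer than toggling a boolean in installed source.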
hello guido,

i changed the line above, but with or without the change the result is the same:

Did you allow for non kerberos authentication in your configuration? You can disable kerberos authentication completely for testing.

Cheers,
-- Guido
On 03/25/2009 03:46 PM, Guido Günther wrote:
i changed the line above, but with or without the change the result is the same:
Did you allow for non kerberos authentication in your configuration? You can disable kerberos authentication completely for testing.

Cheers,
hello guido, sorry for the delay.

i disabled the kerberos auth, and (with the verifyCredentials() forced to True) i can now login, and see the collection listing and properties.

and now?

i reassume the kerberos situation:

$ kinit -k -t /etc/krb5.keytab http/muttley.domain.local@TURBODEN.LOCAL
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: http/muttley.domain.local@DOMAIN.LOCAL

Valid starting     Expires            Service principal
03/25/09 18:21:15  03/26/09 04:21:17  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 03/26/09 18:21:15
03/25/09 18:21:20  03/26/09 04:21:17  http/muttley.domain.local@DOMAIN.LOCAL
        renew until 03/26/09 18:21:15

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
$ kvno http/muttley.turboden.local
http/muttley.domain.local@DOMAIN.LOCAL: kvno = 6
$
On Wed, Mar 25, 2009 at 06:24:45PM +0100, Marco Ghidinelli wrote:
On 03/25/2009 03:46 PM, Guido Günther wrote:
i changed the line above, but with or without the change the result is the same:
Did you allow for non kerberos authentication in your configuration? You can disable kerberos authentication completely for testing.

Cheers,
hello guido, sorry for the delay.

Same here.

i disabled the kerberos auth, and (with the verifyCredentials() forced to True) i can now login, and see the collection listing and properties.

O.k. so we're sure the nss directory service works.

and now?

Please reenable kerberos (and revert the always auth hack e.g. by doing "apt-get install --reinstall calendarserver"), then let's have a look at your configs and logs. You can send them in private mail if you don't want to post them to the list.
i reassume the kerberos situation:
$ kinit -k -t /etc/krb5.keytab http/muttley.domain.local@TURBODEN.LOCAL
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: http/muttley.domain.local@DOMAIN.LOCAL

Valid starting     Expires            Service principal
03/25/09 18:21:15  03/26/09 04:21:17  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 03/26/09 18:21:15
03/25/09 18:21:20  03/26/09 04:21:17  http/muttley.domain.local@DOMAIN.LOCAL
        renew until 03/26/09 18:21:15

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

$ kvno http/muttley.turboden.local
http/muttley.domain.local@DOMAIN.LOCAL: kvno = 6

There seems to be a mix of TURBODEN and DOMAIN here. Is that a c'n'p error?

Cheers,
-- Guido
participants (2)
- Guido Günther
- Marco Ghidinelli