Kerberos Issue / Principals / Authentication
Hello, I'm having trouble getting Kerberos to run, it breaks when I do the ./run script (could not start kerberos). All the directories under the XML service seem to set up okay, but access is denied even to admin/admin logons from iCal 3.0 and anything else, and I suspect the Kerberos failure to be the issue. Please advise? BTW, logging in using Firefox to browse the directories works fine, it accepts the account uid/pwds from the accounts.xml file (which I've configured for use in the caldavd-dev.plist) in a pull-down dialogue box. It's using WebDAV/CalDAV clients that won't work for authentication. I get any manner of access denied or error 403 messages. When I check the server log output, it can't find principals for even "admin." After "No principal found for admin" it attempts to clone the __uids__/admin of resource <DirectoryPrincipalUIDPrivisioningResources....>. I tried manually building PyKerberos, and it referred me to do things in the kerberos.app that didn't work for me. The Edit-->Edit Realms didn't do anything, which means that the Kerberos app isn't running right either. I could be wildly confused on this whole thing, so I apologize if I'm missing anything obvious here. The important thing is that I can't get anybody to authenticate when using a WebDAV/CalDAV client. Thanks, Doug O'Connor 111 East Avenue, Apt. 331 Rochester, NY 14604 301.437.8715 music@dougoconnor.com http://www.dougoconnor.com
Hi Doug, --On October 31, 2007 5:44:30 PM -0400 Doug O'Connor <business@dougoconnor.com> wrote:
I'm having trouble getting Kerberos to run, it breaks when I do the ./run script (could not start kerberos). All the directories under the XML service seem to set up okay, but access is denied even to admin/admin logons from iCal 3.0 and anything else, and I suspect the Kerberos failure to be the issue.
Please advise?
To run Kerberos you must have a fully functioning Kerberos infrastructure set up and you must have the appropriate service key in the local keytab file. Do you have an existing Kerberos infrastructure with a KDC running? Does your calendar server have a service key entry in the local keytab file (do 'sudo klist -k' to see what is there - you will need an http/<<hostname>>@<<realm name>> entry present)? -- Cyrus Daboo
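The keytab check Cyrus describes, as an added example that is not from the thread: it takes a `klist -k` listing and reports whether the http/<hostname>@<realm> service entry is present. The hostname, realm and sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check a `klist -k` listing for the
# http/<hostname>@<REALM> service key the calendar server needs.
# Hostname, realm and the sample listing below are constructed placeholders.

# Constructed sample of what `sudo klist -k` prints for an MIT keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/cal.example.com@EXAMPLE.COM
   3 http/cal.example.com@EXAMPLE.COM'

# has_http_service_key LISTING HOSTNAME REALM
# Exit 0 if an exact http/HOSTNAME@REALM principal appears in LISTING, else 1.
# The principal is the last field of each entry line, which also copes with
# `klist -kt` output that inserts timestamp columns before it.
# Kerberos principal names are case-sensitive: an HTTP/... entry is a
# different principal and deliberately does not match.
has_http_service_key() {
    listing=$1
    want="http/$2@$3"
    printf '%s\n' "$listing" | awk -v want="$want" '
        $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_local_keytab HOSTNAME REALM: run the same check against the live keytab.
check_local_keytab() {
    if has_http_service_key "$(sudo klist -k 2>/dev/null)" "$1" "$2"; then
        echo "ok: http/$1@$2 present in keytab"
    else
        echo "missing: http/$1@$2 not in keytab (Kerberos auth will not start)" >&2
        return 1
    fi
}
```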
Cyrus Daboo-3 wrote:
Hi Doug,
--On October 31, 2007 5:44:30 PM -0400 Doug O'Connor <business@dougoconnor.com> wrote:
I'm having trouble getting Kerberos to run, it breaks when I do the ./run script (could not start kerberos). All the directories under the XML service seem to set up okay, but access is denied even to admin/admin logons from iCal 3.0 and anything else, and I suspect the Kerberos failure to be the issue.
Please advise?
To run Kerberos you must have a fully functioning Kerberos infrastructure set up and you must have the appropriate service key in the local keytab file. Do you have an existing Kerberos infrastructure with a KDC running? Does your calendar server have a service key entry in the local keytab file (do 'sudo klist -k' to see what is there - you will need an http/<<hostname>>@<<realm name>> entry present)?
-- Cyrus Daboo
_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo/calendarserver-users
I got the same "could not start Kerberos" error on my Redhat EL5 server. Does that mean I need to install the krb5-server package? The original installation only has krb5-libs and krb5-workstation. I actually have already installed the krb5-server package, and I am pulling my hair out getting it up. Since my original purpose was merely to set up the CalDAV service, I am just wondering if I could just skip that part. Thanks for enlightenments! Jindan -- View this message in context: http://www.nabble.com/Kerberos-Issue---Principals---Authentication-tf4728163... Sent from the Calendar Server - Users mailing list archive at Nabble.com.
Hi Jindan, --On November 5, 2007 5:54:51 PM -0800 Jindan Zhou <jindan@gmail.com> wrote:
I actually have already installed the krb5-server package, and I am pulling my hair out getting it up. Since my original purpose was merely to set up the CalDAV service, I am just wondering if I could just skip that part.
Well, Kerberos is not required. By default in the caldavd-test.plist we have Kerberos, Digest and Basic authentication enabled. If the Kerberos subsystem is not properly set up, the calendar server will start, but Kerberos will not be offered as an authentication option - Digest and Basic will still be available. If you want, you can disable Kerberos in the caldavd.plist file until such a time as you have the necessary service principal keytab entries etc. -- Cyrus Daboo
Hi Cyrus, Thanks for being here to help the rest of us ;-) Okay, my original problem was: I could not connect to the calendar server other than from the localhost. Then I saw the line "Could not start kerberos" and I figured that was the problem; apparently I was wrong. Now the problem still exists here. I have tried various settings in caldavd-dev.plist, including:

<key>BindAddresses</key>
<array>
<string>the.real.ip.caldav</string>
</array>

and

<key>BindAddresses</key>
<array>
<string>127.0.0.1</string>
<string>the.real.ip.caldav</string>
</array>

with all combinations of

<key>ServerHostName</key>
<string>localhost</string>

and

<key>ServerHostName</key>
<string>the.real.host.name</string>

With all these tricks, however, I can only browse the calendar server from the localhost, for example by starting a Firefox session on the server. If I try to connect remotely, the browser shows "connecting to the caldav server" forever. What else should I take care of? The firewall is shut down completely when I experiment with this. Thanks, Jindan

Cyrus Daboo-3 wrote:
Hi Jindan,
--On November 5, 2007 5:54:51 PM -0800 Jindan Zhou <jindan@gmail.com> wrote:
Well, Kerberos is not required. By default in the caldavd-test.plist we have Kerberos, Digest and Basic authentication enabled. If the Kerberos subsystem is not properly set up, the calendar server will start, but Kerberos will not be offered as an authentication option - Digest and Basic will still be available.
If you want, you can disable Kerberos in the caldavd.plist file until such a time as you have the necessary service principal keytab entries etc.
-- Cyrus Daboo
-- View this message in context: http://www.nabble.com/Kerberos-Issue---Principals---Authentication-tf4728163... Sent from the Calendar Server - Users mailing list archive at Nabble.com.
Jindan Zhou wrote:
Hi Cyrus,
Thanks for being here to help the rest of us;-)
What else should I take care of? The firewall is shut down completely when I experiment with this.
Thanks,
Jindan
Okay, I apologize for the misinformation: my firewall was not shut down. Once I did shut it down, I had no problem accessing the server. Now a side question: with iptables do I only open ports 8008 and 8443? Or should I instead open a range of ports? If so, what range should I open? Thanks, Jindan -- View this message in context: http://www.nabble.com/Kerberos-Issue---Principals---Authentication-tf4728163... Sent from the Calendar Server - Users mailing list archive at Nabble.com.
Hi Jindan, --On November 5, 2007 8:29:03 PM -0800 Jindan Zhou <jindan@gmail.com> wrote:
Okay, I apologize for the misinformation: my firewall was not shut down. Once I did shut it down, I had no problem accessing the server. Now a side question: with iptables do I only open ports 8008 and 8443? Or should I instead open a range of ports? If so, what range should I open?
You need only open those two ports. The server does internally communicate on some other ports when it's running on a multi-cpu/multi-core machine with its load balancer option, but those are all on the localhost interface and should not be impacted by the firewall. -- Cyrus Daboo
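A minimal iptables INPUT policy matching Cyrus's answer, as an added example that is not from the thread: only 8008 and 8443 are accepted from the outside, while the load balancer's internal ports stay reachable on loopback. The rule layout is an illustration, not the project's own configuration, and a second function reads a rule set back to confirm nothing else is exposed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables INPUT policy that
# exposes only the two calendar server ports (8008 and 8443) and keeps the
# load balancer's internal ports reachable on loopback only. The rule
# layout is an assumption for illustration, not the project's own config.

# caldav_iptables_rules: print the rules (apply as root only after review).
caldav_iptables_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
EOF
}

# exposed_tcp_ports: read a rule set on stdin and list the TCP ports it
# accepts from any non-loopback interface, one per line, sorted. Use it to
# confirm that nothing beyond 8008/8443 has been opened.
exposed_tcp_ports() {
    grep -- '-j ACCEPT' | grep -v -- '-i lo ' |
        sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | sort -n
}

# exposed_port_list: the same result for caldav_iptables_rules as one
# space-separated string, convenient for a quick comparison.
exposed_port_list() {
    caldav_iptables_rules | exposed_tcp_ports | tr '\n' ' ' | sed 's/ $//'
}
```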
Cyrus Daboo-3 wrote:
Hi Jindan,
--On November 5, 2007 8:29:03 PM -0800 Jindan Zhou <jindan@gmail.com> wrote:
Okay, I apologize for the misinformation: my firewall was not shut down. Once I did shut it down, I had no problem accessing the server. Now a side question: with iptables do I only open ports 8008 and 8443? Or should I instead open a range of ports? If so, what range should I open?
You need only open those two ports. The server does internally communicate on some other ports when it's running on a multi-cpu/multi-core machine with its load balancer option, but those are all on the localhost interface and should not be impacted by the firewall.
-- Cyrus Daboo
I was just reviewing this post and it looks like you got a bit off track, because the original post is a request for a Kerberos issue fix but refers to an error: "No principal found for admin". This error is unrelated to the problem at hand, as disabling Kerberos (as noted above) in caldavd.plist doesn't fix this problem. This problem is related to the following block in caldavd.plist:

<!-- Principals with "DAV:all" access (relative URLs)-->
<key>AdminPrincipals</key>
<array>
<string>/principals/__uids__/admin/</string>
</array>

Commenting out this code will stop the "No principal found for admin" error from occurring and doesn't seem to affect the server. -- View this message in context: http://www.nabble.com/Kerberos-Issue---Principals---Authentication-tp1351940... Sent from the Calendar Server - Users mailing list archive at Nabble.com.