[CalendarServer-dev] Calendarserver on Debain with Kerberos

Guido Günther agx at sigxcpu.org
Fri Jan 9 08:58:23 PST 2009 

Hi Georg,
On Tue, Jan 06, 2009 at 06:56:54PM +0100, Georg Troska wrote:
> I enabled Kerberos: in caldavd.plist:
>
> ---
>     <!-- Kerberos/SPNEGO -->
>     <key>Kerberos</key>
>     <dict>
>       <key>Enabled</key>
>       <true/>
>       <key>ServicePrincipal</key>
>       
> <string>HTTP/server07.e4.physik.uni-dortmund.de at E4.PHYSIK.UNI-DORTMUND.DE 
> </string>
>     </dict>
This looks correct.

> in accouts.xml I created a user troska:
>
> ---
>   <user>
>     <uid>troska</uid>
>     <guid>troska</guid>
>     <name>Super User</name>
>   </user>
> ---
> without a password, as the authentication should be done by kerberos.
I'm using something similar for testing here.

> I use the kerberos-based logins through http and a non-SSL connection  
> for debugging purposes. So I do not have to care about SSL-keys.
>
>
> When I try to create an account in iCal I get a message:
> "Ihr Kennwort wurde vom Server server07.e4.physik.uni-dortmund.de für  
> die Anmeldung troska abgelehnt."
Do you have a service principal for your user troska afterwards? In this
case "klist" should list your tgt as well as the HTTP/server07...
ticket (which would mean your server succesfully got a service ticket
for that service).

> What means that the password is right, but my login was rejected.
>
> there is no error-message, only:
>
> ---
> 2009-01-06 18:51:58+0100 [-] [caldav-8008]  [HTTPChannel, 
> 0,129.217.167.201] PROPFIND /principals/users/troska/ HTTP/1.1
I'm not seeing any access to /principals/users/... with Lightning. 

> access.log give me:
And I assume error.log is completely empty?

> ---
> 129.217.167.201 - - [06/Jan/2009:18:51:58 +0200] "PROPFIND /principals/ 
> users/troska/ HTTP/1.1" 401 141 "-" "DAVKit/3.0.6 (653); CalendarStore/ 
> 3.0.6 (847); iCal/3.0.6 (1273); Mac OS X/10.5.6 (9G55)" [15.9 ms]
Could you check if accessing calendarserver via firefox works. On a Linux system
just get a ticket via kinit and try to connect to:
	http://server07:8080/calendars/users/troska/calendar/
If this works this, is a calendarserver<->iCal interaction issue and we
can try to dig further there. In order to make firefox try GSSAPI you
need to set to e.g.:
 network.negotiate-auth.trusted-uris="http://"
first in firefox's about:config first, otherwise it won't try GSSAPI.
Cheers,
 -- Guido

More information about the calendarserver-dev mailing list