[CalendarServer-dev] calendarserver on linux via NssDirectory

Marco Ghidinelli marco.ghidinelli at turboden.net
Thu Mar 5 06:31:01 PST 2009

On 03/05/2009 09:28 AM, Guido Günther wrote:
> Hi Marco,

hi guido,

the kerberos authentication works:

$ kinit -V -k -t /etc/krb5.keytab HTTP/muttley.domain.local at DOMAIN.LOCAL
Authenticated to Kerberos v5

$ klist
Ticket cache: FILE:/tmp/krb5cc_103
Default principal: HTTP/muttley.domain.local at DOMAIN.LOCAL

Valid starting     Expires            Service principal
03/05/09 12:14:31  03/05/09 22:14:34  krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
	renew until 03/06/09 12:14:31

but the calendarserver doesn't initialize the kerberos things (the 
windows machine try to inizialize the NTLM login and not the GSS).

> And you have enabled kerberos in /etc/caldavd/caldavd.plist:
>      <!-- Kerberos/SPNEGO -->
>      <key>Kerberos</key>
>      <dict>
>        <key>Enabled</key>
>        <true/>
>        <key>ServicePrincipal</key>
>        <string>HTTP/server.example.com at EXAMPLE.COM</string>
>      </dict>

the same as mine.

the strange thing is that it doesn't even try to connect to the kdc 
server when i start the calendar server.

i tried to understand the python-kerberos api, but without documentation 
is not that easy. :-/

> Does the user have a valid HTTP/... ticket after trying to authenticate
> in its keytab? Besides that I'm a bit out of ideas.

i'm sorry, i don't understand:
i try to (give a shell to the caldav user and) kinit with the keytab, 
and then restart the calendarserver, but with no luck.

i didn't apply the patch to use a keytab different from the default 
/etc/krb5.keytab: maybe the python kerberos doesn't look at that file?

More information about the calendarserver-dev mailing list