[CalendarServer-users] calendarserver on debian via nss and kerberos
Georg Troska
georg.troska at uni-dortmund.de
Wed Mar 4 04:24:48 PST 2009
Hi Marco,
it seems that Kerberos does not work on your client or on your server.
The main interesting things might be:
<!-- XML File Directory Service -->
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
<key>params</key>
<dict>
<key>xmlFile</key>
<string>/etc/caldavd/accounts.xml</string>
</dict>
</dict>
<!--
Authentication
-->
<key>Authentication</key>
<dict>
<!-- Clear text; best avoided -->
<key>Basic</key>
<dict>
<key>Enabled</key>
<false/>
</dict>
<!-- Digest challenge/response -->
<key>Digest</key>
<dict>
<key>Enabled</key>
<false/>
<key>Algorithm</key>
<string>md5</string>
<key>Qop</key>
<string></string>
</dict>
<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
<key>Enabled</key>
<true/>
<key>ServicePrincipal</key>
<string>http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE</string>
</dict>
</dict>
<!--
SSL/TLS
-->
<!-- Public key -->
<key>SSLCertificate</key>
<string>/etc/ssl/certs/server07_crt.pem</string>
<!-- Private key -->
<key>SSLPrivateKey</key>
<string>/etc/ssl/certs/server07_privatekey.pem</string>
The accounts.xml looks like this:
<!DOCTYPE accounts SYSTEM "accounts.dtd">
<accounts realm="E4 Calendars">
<user>
<uid>User1</uid>
<guid>User1</guid>
<name>User1 Bla</name>
</user>
...
</accounts>
root@server07:/etc/caldavd# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
root@server07:/etc/caldavd#
You have to create your keytab with the administrative tools from your
Kerberos server.
I used kadmin for that. You need a host ticket, an http and an HTTP ticket;
create them with a randkey. The commands are addprinc and ktadd.
Before doing that you should be sure that Kerberos is running well.
Look if single sign-on works, e.g.
Georg
On 04.03.2009 at 13:09, Marco Ghidinelli wrote:
> On 03/04/2009 12:50 PM, Georg Troska wrote:
>> Hi,
>
> hello georg,
>
>> have you tried to disable all other kinds of authorisation than
>> kerberos?
>
> i tried, but when i do that it complains that:
>
> 2009-03-04 12:57:37+0100 [-] [caldav-8008] [HTTPChannel,
> 0,192.168.0.29] "Client authentication scheme digest is not provided
> by server ['negotiate']"
>
> and i got a 403 (forbidden) result.
>
> without the digest it doesn't work, so i have to keep it enabled.
>
> could you send me your configuration files? i fear that i just
> forget something around.
>
> how did you get your /etc/krb5.keytab?
>
> what is your output of:
> klist -k /etc/krb5.keytab
> ??
>
> now i'm downloading the ubuntu server for replicating your running
> environment.
>
> thank you very much.
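
An added example, not part of the original message or of CalendarServer: a small check that the ServicePrincipal configured for Kerberos/SPNEGO has an exact, case-sensitive entry in the keytab, and which authentication schemes the server will offer. The function names are hypothetical, and the plist and klist text are constructed samples modelled on the configuration and `klist -k` output quoted above.

```python
import plistlib
import re

# Constructed sample: the Authentication section from the message, wrapped in a plist root.
CALDAVD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Authentication</key>
  <dict>
    <key>Basic</key><dict><key>Enabled</key><false/></dict>
    <key>Digest</key><dict><key>Enabled</key><false/></dict>
    <key>Kerberos</key>
    <dict>
      <key>Enabled</key><true/>
      <key>ServicePrincipal</key>
      <string>http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE</string>
    </dict>
  </dict>
</dict></plist>"""

# Constructed sample: `klist -k` output in the layout shown in the message.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   4 HTTP/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   6 host/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
   3 http/server07.e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE
"""

def keytab_entries(klist_text):
    """Map each principal to the set of KVNOs listed for it by `klist -k`."""
    entries = {}
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def check_kerberos(plist_bytes, klist_text):
    """Return (enabled schemes, configured principal, its KVNOs, case-only variants)."""
    auth = plistlib.loads(plist_bytes)["Authentication"]
    enabled = sorted(name for name, cfg in auth.items() if cfg.get("Enabled"))
    principal = auth["Kerberos"]["ServicePrincipal"].strip()
    entries = keytab_entries(klist_text)
    kvnos = sorted(entries.get(principal, ()))  # empty list: no exact keytab entry
    near = sorted(p for p in entries if p != principal and p.lower() == principal.lower())
    return enabled, principal, kvnos, near

if __name__ == "__main__":
    print(check_kerberos(CALDAVD_PLIST, KLIST_OUTPUT))
```

An empty KVNO list together with a non-empty list of case-only variants means the keytab holds the principal only under a different spelling (for example `HTTP/` where the config says `http/`), which is why the message asks for both entries.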