Hi all!
I solved my SSO trouble after some days of hard work.
Infrastructure:
Openfire 3.8.1 on Debian 7.0 "Wheezy" x64 with MySQL.
Openfire server name: openfireserver
AD Server - Windows 2008 Standard (Kerberos encryption type RC4-HMAC-NT by default)
Domain: realm.local
Workstations: Windows XP Pro and Windows 7 Pro x32/x64.
Jabber client: Spark 2.6.3
Installation steps (MySQL, Samba, Sun Java already installed):
1) Log in as root.
2) Some checks:
# cat /etc/issue
Debian GNU/Linux 7.0 \n \l
# smbd -V
Version 3.6.6
# mysql -V
mysql Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2
# java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)
3) Create database "openfire" and MySQL user "openfire":
# mysql -p
Enter password: type_mysql_root_pass
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 5.5.31-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE openfire;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON openfire.* TO 'openfire'@'localhost' IDENTIFIED BY 'PasswordGoldFish' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
4) Download and install Openfire server.
# cd /tmp
# wget http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.8.1_all.deb
100%[==================================>] 12 838 026 2,92M/s за 7,6s
2013-05-28 12:58:04 (1,62 MB/s) - «downloadServlet?filename=openfire%2Fopenfire_3.8.1_all.deb» saved [12838026/12838026]
/tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb openfire_3.8.1_all.deb
/tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb
/tmp# dpkg -i openfire_3.8.1_all.deb
Warning: /var/lib/openfire
Starting openfire: openfire
# /etc/init.d/openfire stop
Stopping openfire: openfire.
Change owner:
# chown -R openfire:openfire /var/lib/openfire
# /etc/init.d/openfire start
Starting openfire: openfire.
5) In a browser (e.g. Mozilla Firefox):
Choose language (default English)
Type domain name: openfireserver.realm.local
Choose "Standard Database Connection"
Pick preset MySQL
Replace [hostname] with localhost and [database-name] with openfire
Type Username: openfire
Type Password: PasswordGoldFish
Press "Continue"
Profile, Step 1:
Choose "Directory Server (LDAP)"
Select Server Type: Active Directory
Type Host: realm.local
Type Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local
Type Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local
Type Password: Password_LDAP
For this step I created an AD user named LDAP with a password that never expires: Password_LDAP
Press "Save & Continue"
Save steps 2 & 3 without changes.
Add an administrator account; it can be any account in the Base DN.
Type the administrator login and press Add.
If everything succeeds, press "Continue".
Openfire setup is complete; log in to the Openfire Admin Console as the administrator.
Then go to the Users section and you should see all accounts from the Base DN.
All is fine and all users from the Base DN can use it, but my goal is SSO with AD accounts (the main problem: Spark locks users' accounts after password changes).
6) Settings for Samba:
# nano /etc/samba/smb.conf
[global]
workgroup = REALM
realm = REALM.LOCAL
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
kerberos method = secrets and keytab
winbind refresh tickets = yes
password server = realm.local
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
7) Settings for Kerberos:
# nano /etc/krb5.conf
[libdefaults]
default_realm = REALM.LOCAL
kdc_timesync = 1
forwardable = true
proxiable = true
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
8) Restart Samba
# /etc/init.d/samba restart
9) Join the Debian server to AD:
# net ads join -U DomainAdminAccount -D REALM.LOCAL
or
# net rpc join -U DomainAdminAccount
10) Join check:
# net ads testjoin
Join is OK
# net rpc testjoin
Join to 'REALM' is OK
11) DNS check:
# nslookup
> openfireserver
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: openfireserver.realm.local
Address: 192.168.1.22
> 192.168.1.22
Server: 192.168.1.1
Address: 192.168.1.1#53
22.1.168.192.in-addr.arpa name = openfireserver.realm.local.
> exit
The next five steps are executed on the PDC (Windows Server 2008).
12) Create the user account xmpp-openfire with a password that never expires and the "Do not require Kerberos preauthentication" option enabled.
13) Create the SPN and map it to the account xmpp-openfire:
Run the command prompt as Administrator.
>setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire
>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL
14) If you will use JRE6 to create/check the keytab, you need to create the file C:\Windows\krb5.ini on the PDC with this content:
[libdefaults]
default_realm = REALM.LOCAL
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
15) Create the keytab file (requires JRE6):
>cd C:\Program Files (x86)\Java\jre6\bin
C:\Program Files (x86)\Java\jre6\bin>ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL
or without JRE:
>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
16) Check the created keytab file (requires JRE6):
C:\Program Files (x86)\Java\jre6\bin>kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL
17) Copy the checked xmpp.keytab file to /usr/share/openfire/resources on the Openfire server.
Change owner:
# chown openfire:openfire xmpp.keytab
18) Check the copied xmpp.keytab file on the Openfire server:
# kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL
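The kinit check above needs a reachable KDC. As an added example (not part of the original post, and not an Openfire or MIT tool), the script below inspects the keytab offline, the way klist -k would: it parses the MIT keytab format (file version 0x0502, which is what ktab and ktpass write; check the first two bytes of your own file, that is an assumption) and confirms that the expected service principal is present with the enctype the domain controller actually issues, rc4-hmac in this setup. The sample keytab is constructed in the script with a dummy all-zero key so it runs without any real key material.

```python
"""Offline keytab check (added example, not from the original post).

Parses the MIT keytab format (version 0x0502, big-endian) and verifies that
the service principal from the post is present with the expected enctype.
The sample keytab is constructed below; pass a path to inspect a real file.
"""
import struct
import sys

# Enctype numbers from RFC 3961 / RFC 4757 (23 = rc4-hmac, the AD 2008 default).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
KEYTAB_MAGIC = b"\x05\x02"
EXPECTED_PRINCIPAL = "xmpp/openfireserver.realm.local@REALM.LOCAL"


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _packed(data):
    """Inverse of _counted: prefix data with its uint16 length."""
    return struct.pack(">H", len(data)) + data


def read_keytab(data):
    """Return a list of entries {principal, kvno, enctype, key_len}."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen               # skip the key material itself
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno supersedes the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "key_len": klen,
                        "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)})
    return entries


def build_keytab(entries):
    """Write [(principal, kvno, enctype_number, key_bytes)] in the same format.
    Used only to construct the sample fixture; mirrors read_keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _packed(realm.encode())
        body += b"".join(_packed(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def keytab_has(entries, principal, enctype):
    """True if some entry matches the service principal and enctype name."""
    return any(e["principal"] == principal and e["enctype"] == enctype
               for e in entries)


# Constructed sample: the post's SPN with a dummy 16-byte RC4 key (NOT a real key).
SAMPLE_KEYTAB = build_keytab([(EXPECTED_PRINCIPAL, 3, 23, b"\x00" * 16)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = read_keytab(data)
    for e in found:
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    if not keytab_has(found, EXPECTED_PRINCIPAL, "rc4-hmac"):
        sys.exit("missing %s with rc4-hmac" % EXPECTED_PRINCIPAL)
```

Run it as `python keytab_check.py /usr/share/openfire/resources/xmpp.keytab` on the server. Because the file holds the service's long-term key, keep it readable only by the openfire user (the chown above plus mode 600); the kvno printed here is also the value that must match the account in AD, so rerunning ktpass on the PDC invalidates an older copy of the file.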
19) Create the file /etc/openfire/gss.conf with this content:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/usr/share/openfire/resources/xmpp.keytab"
doNotPrompt=true
useKeyTab=true
realm="REALM.LOCAL"
principal="xmpp/openfireserver.realm.local@REALM.LOCAL"
isInitiator=false
debug=true;
};
20) Then add/change these system properties in the Openfire Admin Console:
sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug false
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI
sasl.realm REALM.LOCAL
xmpp.fqdn openfireserver.realm.local
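The same principal, realm and host name appear in step 7 (krb5.conf), step 13 (setspn/ktpass), step 19 (gss.conf) and step 20 (system properties), and a mismatch between any two of them is the usual reason GSSAPI fails silently. The script below is an added example, not part of the original post or of Openfire: it parses copies of the post's gss.conf and krb5.conf (constructed inline from the values above) together with the step 20 properties and reports inconsistencies. The rule that the principal must equal xmpp/<xmpp.fqdn>@<sasl.realm> is the assumption it checks; the warning about single-DES enctypes reflects RFC 6649, which retired them.

```python
"""Consistency check for Openfire GSSAPI SSO (added example, not from the post):
the principal in gss.conf, realm and enctypes in krb5.conf, and the Openfire
system properties must all agree. Config text is constructed from the post.
"""
import re

# Constructed copy of the post's /etc/openfire/gss.conf (JAAS syntax).
GSS_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  keyTab="/usr/share/openfire/resources/xmpp.keytab"
  doNotPrompt=true
  useKeyTab=true
  realm="REALM.LOCAL"
  principal="xmpp/openfireserver.realm.local@REALM.LOCAL"
  isInitiator=false
  debug=true;
};
"""

# Constructed copy of the relevant parts of the post's /etc/krb5.conf.
KRB5_CONF = """[libdefaults]
default_realm = REALM.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
"""

# The Openfire system properties from step 20 of the post.
OPENFIRE_PROPS = {
    "sasl.gssapi.config": "/etc/openfire/gss.conf",
    "sasl.gssapi.useSubjectCredsOnly": "false",
    "sasl.mechs": "GSSAPI",
    "sasl.realm": "REALM.LOCAL",
    "xmpp.fqdn": "openfireserver.realm.local",
}

# Single-DES enctypes were retired by RFC 6649; AD 2008 does not issue them,
# so listing them only widens what the server is willing to accept.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_jaas_options(text):
    """Collect the key=value options of the JAAS entry (quotes stripped)."""
    return {k: v for k, v in re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', text)}


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: value}}}."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif line.endswith("{"):                    # e.g. "REALM.LOCAL = {"
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section)[key] = value
    return sections


def check_sso_config(gss_text, krb5_text, props):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    jaas, krb5 = parse_jaas_options(gss_text), parse_krb5(krb5_text)
    realm, fqdn = props.get("sasl.realm", ""), props.get("xmpp.fqdn", "")
    expected = "xmpp/%s@%s" % (fqdn, realm)      # must equal the SPN from setspn/ktpass
    if jaas.get("principal") != expected:
        problems.append("gss.conf principal %r != %r" % (jaas.get("principal"), expected))
    if jaas.get("realm") != realm:
        problems.append("gss.conf realm %r != sasl.realm %r" % (jaas.get("realm"), realm))
    if realm != realm.upper():
        problems.append("Kerberos realm names are case-sensitive; use upper case")
    if not fqdn.lower().endswith("." + realm.lower()):
        problems.append("xmpp.fqdn %r is not a host inside the realm's DNS domain" % fqdn)
    if (jaas.get("isInitiator", "true") != "false" or jaas.get("useKeyTab") != "true"
            or jaas.get("storeKey") != "true"):
        problems.append("acceptor entry needs isInitiator=false, useKeyTab=true, storeKey=true")
    if "GSSAPI" not in props.get("sasl.mechs", "").split(","):
        problems.append("sasl.mechs does not offer GSSAPI")
    libdefaults = krb5.get("libdefaults", {})
    if libdefaults.get("default_realm") != realm:
        problems.append("krb5.conf default_realm %r != %r" % (libdefaults.get("default_realm"), realm))
    if realm not in krb5.get("realms", {}):
        problems.append("krb5.conf has no [realms] block for %s" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key not in libdefaults:
            continue
        types = set(libdefaults[key].split())
        if "rc4-hmac" not in types:                 # the DC in the post issues RC4 only
            problems.append("%s omits rc4-hmac, the DC's enctype" % key)
        weak = sorted(types & DEPRECATED_ENCTYPES)
        if weak:
            problems.append("%s lists deprecated enctypes %s" % (key, weak))
    return problems


if __name__ == "__main__":
    for p in check_sso_config(GSS_CONF, KRB5_CONF, OPENFIRE_PROPS) or ["OK"]:
        print(p)
```

With the post's values the only findings are the three single-DES warnings; change xmpp.fqdn to the short host name openfireserver and the principal check fires, which is exactly the mismatch Spark would otherwise surface only as a failed login. Replace the constructed strings with `open(path).read()` to check the deployed files.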
21) Restart Openfire
# /etc/init.d/openfire restart
22) Install Spark 2.6.3 with JRE on the Windows workstation.
23) Change the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
(For XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)
Add AllowTGTSessionKey, type DWORD, value 1
24) Place the file krb5.ini in C:\Windows with this content:
[libdefaults]
default_realm = REALM.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
25) Reboot workstation.
26) In Spark, choose "Use Single Sign-On (SSO) via GSSAPI", type openfireserver into the Server field and log in.
On XP all is fine, but on W7 SSO in Spark works only when run as the Administrator account.
If I find a solution to this problem, to be continued...