<div class="gmail_quote">On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce <<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="HOEnZb"><div class="h5">On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote: > hi, > > After some initial troubles (thanks rcrit on irc) I got this to work > nicely. I have used the openfire > <a href="http://www.igniterealtime.org/projects/openfire/index.jsp" target="_blank">http://www.igniterealtime.org/projects/openfire/index.jsp</a> xmpp/jabber > server. > > Instructions here: > > <a href="http://test.asenjo.nl/index.php/Openfire_ipa" target="_blank">http://test.asenjo.nl/index.php/Openfire_ipa</a> </div></div>Nice writeup Natxo, I am curious about the SSO setup. Why did you need to restrict the keytab to des3 ? Using the default settings (that include AES keys would be normally better). If it is due to restrictions in the java security library, you should be able to download a library with full support for AES from Oracle (they have a separate build due to some export control stuff that is available for download). </blockquote><div> Apparently this is the recommended setting by openfire. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I am also curious about the need to set isInitiator to false. Service keys in IPA can be used to init security contexts, what kind of failure did you see setting it to true ? The 'isInitiator=false' may be necessary in AD where servicePrincipals and userPrincipals are considered distinct entities and AD forbids servicePrincipals to perform AS Requests, but this is not limited in IPA, by default you should be able to initiate just fine. </blockquote><div> when I set isInitiator=true; and reload openfire I get this error in the logifle: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX tryFirstPass is false useFirstPass is false storePass is false clearPass is false principal's key obtained from the keytab Acquire TGT using AS Exchange [Krb5LoginModule] authentication failed Cannot get kdc for realm IPA.ASENJO.NX I am not sure why it does not work, but it doesn't. Believe me, I tried :-) According to the person who wrote this community doc <a href="http://community.igniterealtime.org/docs/DOC-1522">http://community.igniterealtime.org/docs/DOC-1522</a>: " Since the xmpp service principal is only a service principal, and not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. In order to assure that, we have to add an additional line to gss.conf -- isInitiator.". In the AD setups, the isInitiator directive is not necessary, apparently. That is why I could not get it to work with the instructions on their site until I found that clue. -- groet, natxo </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York </blockquote></div>