[zanata-users] Auth with kerberos

Carlos Munoz camunoz at redhat.com
Tue Sep 22 12:31:47 UTC 2015


Hi Bjorn,

Kerberos authentication is tricky to debug as so many things can go wrong.
I can make a couple of suggestions though:

1. It looks like you are running on Linux, so try looking at your
/etc/krb5.conf file on the server. It should contain your kerberos
authentication information including the locations of KDCs and admin
servers for the Kerberos realms of interest.

2. Since you have debug set to true on the configuration below, take a look
at the Zanata logs when attempting to log in, they usually have some
indication of what might have gone wrong.

Regards,

Carlos

On Tuesday, 22 September 2015, Ramann, Björn <Bjoern.Ramann at governikus.de>
wrote:

> Hi all,
>
> I am trying to authenticate users with Kerberos against our Windows Active
> Directory and have configured:
>
> <bindings>
>     <!-- <simple name="java:global/zanata/security/auth-policy-names/internal" value="zanata.internal"/> -->
>     <!-- <simple name="java:global/zanata/security/auth-policy-names/openid" value="zanata.openid"/> -->
>     <simple name="java:global/zanata/security/auth-policy-names/kerberos" value="zanata.kerberos"/>
>     <simple name="java:global/zanata/security/admin-users" value="admin"/>
>     <simple name="java:global/zanata/files/document-storage-directory" value="${user.home}/zanata/files"/>
>     <simple name="java:global/zanata/email/default-from-address" value="noreply@blub.com"/>
> </bindings>
>
> <security-domain name="zanata.kerberos">
>     <authentication>
>         <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="serverSecurityDomain" value="host"/>
>             <module-option name="removeRealmFromPrincipal" value="true"/>
>             <module-option name="usernamePasswordDomain" value="krb5"/>
>         </login-module>
>     </authentication>
> </security-domain>
> <security-domain name="krb5">
>     <authentication>
>         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
>             <module-option name="storePass" value="false"/>
>             <module-option name="clearPass" value="true"/>
>             <module-option name="debug" value="true"/>
>             <module-option name="doNotPrompt" value="false"/>
>         </login-module>
>     </authentication>
> </security-domain>
> <security-domain name="host">
>     <authentication>
>         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>             <module-option name="storeKey" value="true"/>
>             <module-option name="useKeyTab" value="true"/>
>             <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
>             <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
>             <module-option name="doNotPrompt" value="true"/>
>             <module-option name="debug" value="true"/>
>         </login-module>
>     </authentication>
> </security-domain>
>
>
> But on the page, when I press login, I get a 403 and there is no field to
> type my credentials in.
>
> Soft:
> 13:25:45,457Z INFO  [org.quartz.core.QuartzScheduler] (ServerService
> Thread Pool -- 58) Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) App server release codename: Kenny
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) App server release version: 1.0.1.Final
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) WildFly Full version: 9.0.1.Final
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) ============================================
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)    _____                     _
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)   /__  /  ____ _____  ____ _/ /_____ _
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)     / /  / __ `/ __ \/ __ `/ __/ __ `/
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)    / /__/ /_/ / / / / /_/ / /_/ /_/ /
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)   /____/\__,_/_/ /_/\__,_/\__/\__,_/
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)   Application version: 3.7.2
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)   SCM: git-server-3.7.2
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58)   Red Hat Inc 2008-2015
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) ============================================
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) SPNEGO/Kerberos authentication: enabled
> 13:25:45,759Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool --
> 58) Enable copyTrans: true
>
>
> Please advise!
>
> Thanks
> bjoern
>


-- 
Carlos A. Muñoz
Software Engineering Supervisor
Globalization
Red Hat
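As an added illustration of the first suggestion (checking the server's /etc/krb5.conf against the principal configured in the "host" security domain), here is a small Python script that is not part of this thread or of the Zanata project. It parses the krb5.conf format and reports whether the principal's realm is defined with a KDC, whether the host part maps to that realm under [domain_realm], and whether the host part is the DNS name users type into their browser (browser SPNEGO asks the KDC for a ticket for HTTP/<that name>, so the keytab principal must use the same name). The sample krb5.conf and the hostname zanata.domain.com are constructed placeholders.

```python
"""Check a Kerberos service principal against a krb5.conf (added example)."""
import re

# Constructed sample, standing in for the server's /etc/krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.COM

[realms]
    DOMAIN.COM = {
        kdc = dc01.domain.com
        kdc = dc02.domain.com
        admin_server = dc01.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf ([section] headers, `key = { ... }` sub-blocks) into
    nested dicts; a key repeated in one block (several kdc lines) becomes a list."""
    sections, stack = {}, []          # stack: enclosing dicts, innermost last
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, 1)[0].strip()   # strip comments
        if not line:
            continue
        header = re.match(r'^\[([^\]]+)\]$', line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif not stack:
            continue                  # text before the first section header
        elif line == '}':
            if len(stack) > 1:
                stack.pop()
        else:
            kv = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
            if not kv:
                continue
            key, value = kv.group(1), kv.group(2).strip()
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            elif key not in stack[-1]:
                stack[-1][key] = value
            elif isinstance(stack[-1][key], list):
                stack[-1][key].append(value)
            else:
                stack[-1][key] = [stack[-1][key], value]
    return sections


def split_principal(principal):
    """Split 'SERVICE/host@REALM' into (service, host, realm)."""
    name, at, realm = principal.rpartition('@')
    if not at or not realm:
        raise ValueError('principal has no realm: %r' % principal)
    service, slash, host = name.partition('/')
    if not slash or not host:
        raise ValueError('expected SERVICE/host before the realm: %r' % principal)
    return service, host, realm


def realm_for_host(conf, host):
    """Map a hostname to a realm as [domain_realm] is consulted: exact host
    first, then each parent domain with a leading dot, else default_realm."""
    mapping = conf.get('domain_realm', {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get('libdefaults', {}).get('default_realm')


def check_service_principal(conf, principal, service_host):
    """Return findings (empty list = consistent). service_host is the DNS name
    browsers use for the server, which SPNEGO clients put in their ticket request."""
    findings = []
    service, host, realm = split_principal(principal)
    if service != 'HTTP':
        findings.append('browser SPNEGO expects an HTTP/ service, got %s/' % service)
    if host.lower() != service_host.lower():
        findings.append('principal host %s is not the service hostname %s'
                        % (host, service_host))
    realms = conf.get('realms', {})
    if realm not in realms:
        findings.append('realm %s is not defined in [realms]' % realm)
    elif 'kdc' not in realms[realm]:
        findings.append('realm %s lists no kdc' % realm)
    mapped = realm_for_host(conf, host)
    if mapped != realm:
        findings.append('host %s maps to realm %s, principal says %s'
                        % (host, mapped, realm))
    return findings
```

To run it against a real server, replace SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf and pass the principal from the keyTab login module plus the hostname users actually visit. The script does not open the keytab; `klist -kt <keytab>` lists the principals a keytab contains, so the principal found consistent here should also appear in that listing.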