[zanata-users] Auth with kerberos

Carlos Munoz camunoz at redhat.com
Tue Sep 22 21:42:54 UTC 2015


The way it works (when the setup is correct) is that Zanata will try to
authenticate using Kerberos tickets first. This involves interaction with
the browser. If a ticket is not found, or the authentication is
unsuccessful, Zanata will show a login screen that will allow the user to
enter a user name and password. I've found that in order for this to work,
the aforementioned krb5.conf file is the key. I think in your case the fact
that Zanata cannot connect to the authentication server is why you don't
see this screen.

As for the format of the principal value, it looks like the format is
correct, but the actual value is specific to each server in the end. You
can take a look here:
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
for a bit more info.

Regards,

Carlos



On Wednesday, 23 September 2015, Ramann, Björn <Bjoern.Ramann at governikus.de>
wrote:

> Two more questions:
>
> 1.      Without Kerberos, I have a username and password form on the main
> page; with Kerberos enabled, there is no user and pass form. Is this
> correct? If yes, how do I enter my credentials?
>
> 2.      In the domain-security “host”, I have:
>                             <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
> Is there detailed documentation about the syntax of the value?
>
> Thanks!
>
>
> *From:* zanata-users-bounces at redhat.com [mailto:zanata-users-bounces at redhat.com]
> *On behalf of* Ramann, Björn
> *Sent:* Tuesday, 22 September 2015 13:28
> *To:* zanata-users at redhat.com
> *Subject:* [zanata-users] Auth with kerberos
>
> hi all,
>
> I try to auth users with Kerberos against our Windows Active Directory and
> have configured:
>
> <bindings>
>     <!-- <simple name="java:global/zanata/security/auth-policy-names/internal" value="zanata.internal"/> -->
>     <!-- <simple name="java:global/zanata/security/auth-policy-names/openid" value="zanata.openid"/> -->
>     <simple name="java:global/zanata/security/auth-policy-names/kerberos" value="zanata.kerberos"/>
>     <simple name="java:global/zanata/security/admin-users" value="admin"/>
>     <simple name="java:global/zanata/files/document-storage-directory" value="${user.home}/zanata/files"/>
>     <simple name="java:global/zanata/email/default-from-address" value="noreply@blub.com"/>
> </bindings>
>
> <security-domain name="zanata.kerberos">
>     <authentication>
>         <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="serverSecurityDomain" value="host"/>
>             <module-option name="removeRealmFromPrincipal" value="true"/>
>             <module-option name="usernamePasswordDomain" value="krb5"/>
>         </login-module>
>     </authentication>
> </security-domain>
>
> <security-domain name="krb5">
>     <authentication>
>         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
>             <module-option name="storePass" value="false"/>
>             <module-option name="clearPass" value="true"/>
>             <module-option name="debug" value="true"/>
>             <module-option name="doNotPrompt" value="false"/>
>         </login-module>
>     </authentication>
> </security-domain>
>
> <security-domain name="host">
>     <authentication>
>         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>             <module-option name="storeKey" value="true"/>
>             <module-option name="useKeyTab" value="true"/>
>             <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
>             <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
>             <module-option name="doNotPrompt" value="true"/>
>             <module-option name="debug" value="true"/>
>         </login-module>
>     </authentication>
> </security-domain>
>
> But on the page, when I press login, I get a 403 and there is no field to
> type my credentials in.
>
> Soft:
>
> 13:25:45,457Z INFO  [org.quartz.core.QuartzScheduler] (ServerService Thread Pool -- 58) Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release codename: Kenny
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release version: 1.0.1.Final
> 13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) WildFly Full version: 9.0.1.Final
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    _____                     _
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /__  /  ____ _____  ____ _/ /_____ _
> 13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)     / /  / __ `/ __ \/ __ `/ __/ __ `/
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    / /__/ /_/ / / / / /_/ / /_/ /_/ /
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /____/\__,_/_/ /_/\__,_/\__/\__,_/
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Application version: 3.7.2
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   SCM: git-server-3.7.2
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Red Hat Inc 2008-2015
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
> 13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) SPNEGO/Kerberos authentication: enabled
> 13:25:45,759Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) Enable copyTrans: true
>
> Please advise!
>
> Thanks
>
> bjoern
>


-- 
Carlos A. Muñoz
Software Engineering Supervisor
Globalization
Red Hat
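The reply above turns on three things: the shape of the "principal" value, the keytab behind it, and whether the realm in krb5.conf points at a KDC the server can actually reach. The POSIX shell pre-flight script below checks exactly those before WildFly is restarted; it is an added example, not Zanata's or WildFly's own tooling. The principal and keytab path are the ones quoted in the thread; the krb5.conf location, the single "REALM = { ... }" block layout, and the presence of klist and nc are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the WildFly "host" Kerberos security domain quoted in the thread.
# Added example: principal and keytab path are the thread's values; krb5.conf path is assumed.
PRINCIPAL="HTTP/dc01.domain.com@DOMAIN.COM"                # the "principal" module-option
KEYTAB="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"   # the "keyTab" module-option
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# A service principal is service/host@REALM; Kerberos realm names are upper-case by convention.
check_principal_format() {
    case "$1" in */*@*) ;; *) return 1 ;; esac
    pf_realm="${1##*@}"
    [ "$pf_realm" = "$(printf '%s' "$pf_realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the kdc entries of one "REALM = { ... }" block under [realms] in krb5.conf;
# fail when the realm is not defined there (JBoss then has no KDC to talk to).
kdc_for_realm() {
    awk -v realm="$2" '
        /^\[/                                  { in_realms = ($0 == "[realms]") }
        in_realms && $1 == realm && $NF == "{" { in_block = 1; next }
        in_block && $1 == "}"                  { in_block = 0 }
        in_block && $1 == "kdc"                { sub(/^[^=]*=[ \t]*/, ""); print; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# The keytab must be readable by the WildFly user and hold a key for that exact principal.
check_keytab() {
    [ -r "$1" ] || { echo "keytab $1 missing or unreadable"; return 1; }
    command -v klist >/dev/null || { echo "klist not installed, skipping keytab scan"; return 0; }
    klist -kt "$1" | grep -qF "$2" || { echo "no key for $2 in $1"; return 1; }
}

# TCP reachability of a kdc entry (host or host:port, default 88); skipped when nc is absent.
check_kdc_reachable() {
    host="${1%%:*}"; port="${1##*:}"
    [ "$port" = "$1" ] && port=88
    command -v nc >/dev/null || { echo "nc not installed, skipping KDC reachability"; return 0; }
    nc -z -w 3 "$host" "$port" || { echo "cannot reach KDC $host:$port"; return 1; }
}
preflight() {
    check_principal_format "$PRINCIPAL" || { echo "bad principal: $PRINCIPAL"; return 1; }
    realm="${PRINCIPAL##*@}"
    kdcs=$(kdc_for_realm "$KRB5_CONF" "$realm") || { echo "realm $realm not in $KRB5_CONF"; return 1; }
    check_keytab "$KEYTAB" "$PRINCIPAL" || return 1
    for kdc in $kdcs; do check_kdc_reachable "$kdc" || return 1; done
    echo "pre-flight OK for $PRINCIPAL"
}
# Usage: sh krb5-preflight.sh run   (sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then preflight; fi
```

A failing realm lookup or KDC check is the "cannot connect to the authentication server" condition from the reply; a bad principal or missing keytab key is what makes SPNEGO fail before any login form appears.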