[zanata-users] Auth with kerberos

Ramann, Björn Bjoern.Ramann at governikus.de
Wed Sep 23 13:28:45 UTC 2015


Hm, with kinit I get a ticket, so I believe that my /etc/krb5.conf is working.

I also created an SPN (HTTP/mercurial-test.dom.lo@DOM.LO) and a keytab in my Active Directory and copied the keytab to the configured location on the server.

When I open the Zanata web page and click the logon button, I get a 403 error. I set the log level to trace and also "-Dsun.security.krb5.debug=true", but no error is shown in server.log. During logon I looked at the traffic with tcpdump, but packets on port 88

Any ideas?


Thanks
bjoern



From: Carlos Munoz [mailto:camunoz at redhat.com]
Sent: Tuesday, 22 September 2015 23:43
To: Ramann, Björn
Cc: zanata-users at redhat.com
Subject: Re: [zanata-users] Auth with kerberos

The way it works (when the setup is correct) is that Zanata will try to authenticate using Kerberos tickets first. This involves interaction with the browser. If a ticket is not found, or the authentication is unsuccessful, Zanata will show a login screen that will allow the user to enter a user name and password. I've found that in order for this to work, the aforementioned krb5.conf file is the key. I think in your case the fact that Zanata cannot connect to the authentication server is why you don't see this screen.

As for the format of the principal value, it looks like the format is correct, but the actual value is specific to each server in the end. You can take a look here: https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html for a bit more info.

Regards,

Carlos



On Wednesday, 23 September 2015, Ramann, Björn <Bjoern.Ramann at governikus.de> wrote:
Two more questions:


1.      Without Kerberos, I have a username and password form on the main page; with Kerberos enabled, there is no username and password form. Is this correct? If yes, how do I enter my credentials?

2.      In the security domain "host", I have: <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
Is there detailed documentation about the syntax of the value?

Thanks!



From: zanata-users-bounces at redhat.com [mailto:zanata-users-bounces at redhat.com] On Behalf Of Ramann, Björn
Sent: Tuesday, 22 September 2015 13:28
To: zanata-users at redhat.com
Subject: [zanata-users] Auth with kerberos

Hi all,

I am trying to authenticate users with Kerberos against our Windows Active Directory and have configured:

<bindings>
    <!-- <simple name="java:global/zanata/security/auth-policy-names/internal" value="zanata.internal"/> -->
    <!-- <simple name="java:global/zanata/security/auth-policy-names/openid" value="zanata.openid"/> -->
    <simple name="java:global/zanata/security/auth-policy-names/kerberos" value="zanata.kerberos"/>
    <simple name="java:global/zanata/security/admin-users" value="admin"/>
    <simple name="java:global/zanata/files/document-storage-directory" value="${user.home}/zanata/files"/>
    <simple name="java:global/zanata/email/default-from-address" value="noreply@blub.com"/>
</bindings>
…

<security-domain name="zanata.kerberos">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
            <module-option name="usernamePasswordDomain" value="krb5"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="krb5">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
            <module-option name="storePass" value="false"/>
            <module-option name="clearPass" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="doNotPrompt" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
            <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>


But on the page, when I press login, I get a 403 and there is no field to type my credentials in.

Software:
13:25:45,457Z INFO  [org.quartz.core.QuartzScheduler] (ServerService Thread Pool -- 58) Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release codename: Kenny
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) App server release version: 1.0.1.Final
13:25:45,755Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) WildFly Full version: 9.0.1.Final
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    _____                     _
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /__  /  ____ _____  ____ _/ /_____ _
13:25:45,757Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)     / /  / __ `/ __ \/ __ `/ __/ __ `/
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)    / /__/ /_/ / / / / /_/ / /_/ /_/ /
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   /____/\__,_/_/ /_/\__,_/\__/\__,_/
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Application version: 3.7.2
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   SCM: git-server-3.7.2
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58)   Red Hat Inc 2008-2015
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) ============================================
13:25:45,758Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) SPNEGO/Kerberos authentication: enabled
13:25:45,759Z INFO  [org.zanata.ZanataInit] (ServerService Thread Pool -- 58) Enable copyTrans: true


Please advise!

Thanks
bjoern




--
Carlos A. Muñoz
Software Engineering Supervisor
Globalization
Red Hat
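The configuration discussed in this thread, as an added example (not Zanata's or WildFly's own code): a small Python lint over a WildFly security-domain fragment. It checks the things a practitioner verifies first when SPNEGO login ends in a bare 403 and no error in server.log: that the SPNEGO module's serverSecurityDomain and usernamePasswordDomain name security domains that exist, that the keytab login module has storeKey, useKeyTab, an absolute keyTab path and a principal, and that the principal has the form HTTP/<host>@REALM where <host> is the name users type into the browser, because that is the service ticket the browser asks the KDC for. The sample XML is constructed after the thread's configuration (placeholders dc01.domain.com and DOMAIN.COM) with the subsystem namespace omitted so plain tag names match; the URL host zanata.domain.com and every function name are this example's own assumptions.

```python
"""Lint a WildFly security-domain fragment used for SPNEGO/Kerberos login.
Added example, not Zanata's or WildFly's code; names not taken from the thread's
config are this example's own."""
import re
import xml.etree.ElementTree as ET

SPNEGO_MODULE = "org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
# Kerberos principal: primary[/instance]@REALM. Kerberos allows more components,
# but the SPN a browser asks the KDC for is always HTTP/<url host>@REALM.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?(?:@(?P<realm>[^/@]+))?$")


def parse_principal(value):
    """Return (primary, instance, realm) or None if the string is malformed."""
    m = PRINCIPAL_RE.match(value.strip())
    return None if m is None else (m["primary"], m["instance"], m["realm"])


def _lint_keytab_login(name, opts, url_host):
    """Checks for the server-side Krb5LoginModule that reads the keytab."""
    out = []
    if opts.get("storeKey") != "true":
        out.append(f"{name}: storeKey must be true so the SPNEGO module can use the key")
    keytab = opts.get("keyTab")
    if not keytab:
        out.append(f"{name}: useKeyTab=true but no keyTab path")
    elif not keytab.startswith("/"):
        out.append(f"{name}: keyTab '{keytab}' is not an absolute path")
    principal = opts.get("principal")
    if principal is None:
        out.append(f"{name}: no principal, so the keytab entry to use is ambiguous")
        return out
    parts = parse_principal(principal)
    if parts is None:
        out.append(f"{name}: principal '{principal}' is not primary/instance@REALM")
        return out
    primary, instance, realm = parts
    if primary != "HTTP":
        out.append(f"{name}: browsers request HTTP/<host>, not {primary}/<host>")
    if instance is None or instance.lower() != url_host.lower():
        out.append(f"{name}: principal host '{instance}' != URL host '{url_host}'")
    if realm is None:
        out.append(f"{name}: no realm given; default_realm from krb5.conf applies")
    elif realm != realm.upper():
        out.append(f"{name}: realm '{realm}' is not upper case; realms are case-sensitive")
    return out


def lint_security_domains(xml_text, url_host):
    """Return findings (empty list = nothing obviously wrong). url_host is the
    name users type into the browser; the keytab principal must carry it."""
    domains = {d.get("name"): d for d in ET.fromstring(xml_text).iter("security-domain")}
    findings = []
    for name, dom in domains.items():
        for lm in dom.iter("login-module"):
            opts = {o.get("name"): o.get("value") for o in lm.findall("module-option")}
            if lm.get("code") == SPNEGO_MODULE:
                for ref in ("serverSecurityDomain", "usernamePasswordDomain"):
                    target = opts.get(ref)
                    if target is not None and target not in domains:
                        findings.append(f"{name}: {ref}='{target}' names no security-domain")
            elif lm.get("code") == KRB5_MODULE and opts.get("useKeyTab") == "true":
                findings.extend(_lint_keytab_login(name, opts, url_host))
    return findings


# Constructed sample modelled on the thread's configuration, minus the subsystem
# namespace so plain tag names match; dc01/DOMAIN.COM are the thread's placeholders.
SAMPLE_XML = """<security-domains>
  <security-domain name="zanata.kerberos">
    <authentication>
      <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="sufficient">
        <module-option name="serverSecurityDomain" value="host"/>
        <module-option name="usernamePasswordDomain" value="krb5"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="krb5">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient"/>
    </authentication>
  </security-domain>
  <security-domain name="host">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="storeKey" value="true"/>
        <module-option name="useKeyTab" value="true"/>
        <module-option name="principal" value="HTTP/dc01.domain.com@DOMAIN.COM"/>
        <module-option name="keyTab" value="/opt/zanata/wildfly/standalone/configuration/jboss.keytab"/>
        <module-option name="doNotPrompt" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>
"""

if __name__ == "__main__":
    # Assumed: users browse to zanata.domain.com, but the keytab principal names dc01
    print("\n".join(lint_security_domains(SAMPLE_XML, "zanata.domain.com")))
```

To run it against a real standalone.xml, cut the security-domain elements out of the security subsystem (or register the urn:jboss:domain:security namespace before parsing). A finding on the host component is the one to fix first: the browser requests a ticket for HTTP/<host in the URL>@REALM, so a keytab issued for a different host (here the domain controller's name) can never decrypt what the browser sends, and the negotiation fails without the server-side login module ever logging an error.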