SSO for Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 + Spark 2.6.3 + AD W2k8 (not R2)

https://community.igniterealtime.org/thread/50230

Hi all!

I solved the SSO trouble after some days of hard work.

 

Infrastructure:

Openfire 3.8.1 on Debian 7.0 “Wheezy” x64 with MySQL.

Openfire server name: openfireserver

AD Server – Windows 2008 Standard (Kerberos encryption type RC4-HMAC-NT by default)

Domain: realm.local

Workstations Windows XP Pro and Windows 7 Pro x32/x64.

Jabber-client Spark 2.6.3

 

Installation steps (MySQL, Samba, Sun Java already installed):

1) Log in as root.

 

2) Some checks:

# cat /etc/issue

Debian GNU/Linux 7.0 \n \l

 

# smbd -V

Version 3.6.6

 

# mysql -V

mysql  Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2

 

# java -version

java version "1.7.0_21"

Java(TM) SE Runtime Environment (build 1.7.0_21-b11)

Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

 

3) Create database “openfire” and MySQL user “openfire”:

# mysql -p

Enter password: type_mysql_root_pass

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 49

Server version: 5.5.31-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

 

mysql> CREATE DATABASE openfire;

Query OK, 1 row affected (0.00 sec)

 

mysql> GRANT ALL PRIVILEGES ON openfire.* TO 'openfire'@'localhost' IDENTIFIED BY 'PasswordGoldFish' WITH GRANT OPTION;

Query OK, 0 rows affected (0.00 sec)

 

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

 

mysql> exit

Bye

 

4) Download and install Openfire server.

# cd /tmp

# wget http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.8.1_all.deb

100%[==================================>] 12 838 026  2,92M/s   за 7,6s

2013-05-28 12:58:04 (1,62 MB/s) – «downloadServlet?filename=openfire%2Fopenfire_3.8.1_all.deb» saved [12838026/12838026]

/tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb openfire_3.8.1_all.deb

/tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.1_all.deb

/tmp# dpkg -i openfire_3.8.1_all.deb

Warning: /var/lib/openfire

Starting openfire: openfire

# /etc/init.d/openfire stop

Stopping openfire: openfire.

Change owner:

# chown -R openfire:openfire /var/lib/openfire

# /etc/init.d/openfire start

Starting openfire: openfire.

 

5) Open a browser (e.g. Mozilla Firefox):

http://openfireserver:9090

Choose language (default English)

 

Type domain name: openfireserver.realm.local

 

Choose “Standard Database Connection”

Pick preset MySQL

Replace [hostname] with localhost and [database-name] with openfire

Type Username: openfire

Type Password: PasswordGoldFish

Press “Continue”

 

Profile, Step 1:

Choose “Directory Server (LDAP)”

Select Server Type: Active Directory

Type Host: realm.local

Type Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local

Type Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local

Type Password: Password_LDAP

For this step I created an AD user named LDAP with a password that never expires: Password_LDAP

Save & Continue

Save steps 2 & 3 without changes.

 

Add an administrator account; it can be any account in the Base DN.

Type the administrator login and press Add.

If everything succeeded, press “Continue”.

 

Openfire setup is complete; log in to the Openfire Admin Console as the administrator.

Then go to the Users section and see all accounts from the Base DN.

 

Everything works and all users from the Base DN can use it, but my goal is SSO with AD accounts (the main problem is Spark locking users' accounts after password changes).

 

6) Settings for Samba:

# nano /etc/samba/smb.conf

[global]
    workgroup = REALM
    realm = REALM.LOCAL
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    password server = realm.local
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

 

7) Settings for Kerberos:

# nano /etc/krb5.conf

[libdefaults]
    default_realm = REALM.LOCAL
    kdc_timesync = 1
    forwardable = true
    proxiable = true
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    REALM.LOCAL = {
        kdc = realm.local
        admin_server = realm.local
        default_domain = REALM.LOCAL
    }

[domain_realm]
    .realm.local = REALM.LOCAL
    realm.local = REALM.LOCAL

 

8) Restart Samba

# /etc/init.d/samba restart

 

9) Join Debian server to AD:

# net ads join -U DomainAdminAccount -D REALM.LOCAL

or

# net rpc join -U DomainAdminAccount

 

10) Join check:

# net ads testjoin

Join is OK

# net rpc testjoin

Join to 'REALM' is OK

 

11) DNS check:

# nslookup

> openfireserver

Server:         192.168.1.1

Address:        192.168.1.1#53

Name:   openfireserver.realm.local

Address: 192.168.1.22

> 192.168.1.22

Server:         192.168.1.1

Address:        192.168.1.1#53

22.1.168.192.in-addr.arpa       name = openfireserver.realm.local.

> exit

 

The next five steps are executed on the PDC (Windows Server 2008).

 

12) Create the user account xmpp-openfire with a password that never expires and the “Do not require Kerberos preauthentication” option enabled.

 

13) Create the SPN and link it to the account xmpp-openfire:

Run the command prompt as Administrator.

>setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire

>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL

 

14) If you will use JRE6 for creating/checking the keytab, you need to create the file C:\Windows\krb5.ini on the PDC with this content:

[libdefaults]
    default_realm = REALM.LOCAL

[realms]
    REALM.LOCAL = {
        kdc = realm.local
        admin_server = realm.local
        default_domain = REALM.LOCAL
    }

[domain_realm]
    .realm.local = REALM.LOCAL
    realm.local = REALM.LOCAL

 

15) Create the keytab file (needs a preinstalled JRE6):

cd "C:\Program Files (x86)\Java\jre6\bin"

C:\Program Files (x86)\Java\jre6\bin>ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL

or without JRE:

>ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab

 

16) Check the created keytab file (needs a preinstalled JRE6):

C:\Program Files (x86)\Java\jre6\bin>kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL

 

17) Copy the checked xmpp.keytab file to /usr/share/openfire/resources on the Openfire server.

Change owner:

# chown openfire:openfire xmpp.keytab

 

18) Check the copied xmpp.keytab file on the Openfire server:

# kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL

 

19) Create the file /etc/openfire/gss.conf with this content:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/usr/share/openfire/resources/xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="REALM.LOCAL"
    principal="xmpp/openfireserver.realm.local@REALM.LOCAL"
    isInitiator=false
    debug=true;
};

 

20) Then change/add these system properties in the Openfire Admin Console:

sasl.gssapi.config /etc/openfire/gss.conf

sasl.gssapi.debug false

sasl.gssapi.useSubjectCredsOnly false

sasl.mechs GSSAPI

sasl.realm REALM.LOCAL

xmpp.fqdn openfireserver.realm.local
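As an added check (not from the original post), the following Python cross-checks the keytab produced in steps 15–18 against the permitted_enctypes from step 7 and the sasl.realm / xmpp.fqdn properties from step 20: it parses the MIT keytab format that ktpass and ktab write and reports a missing service principal or an enctype that krb5.conf does not permit. build_keytab only constructs the sample input; PERMITTED and PROPS mirror the values used in this post.

```python
import struct

# Enctype numbers as krb5.conf names them; W2k8 issues rc4-hmac (23) by default.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
# Constructed sample values mirroring this post's krb5.conf and Openfire properties.
PERMITTED = "rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5".split()
PROPS = {"sasl.realm": "REALM.LOCAL", "xmpp.fqdn": "openfireserver.realm.local"}

def build_keytab(principal, enctype, key, kvno=2):
    """Constructed one-entry 0x0502 keytab; ktpass/ktab write the real file."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                      # realm first, then components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 1369740000, kvno)  # KRB5_NT_PRINCIPAL, stamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                              # negative size = deleted slot
            pos -= size; continue
        e, off, names = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", e[:2])[0] + 1):
            n, = struct.unpack(">H", e[off:off + 2]); off += 2
            names.append(e[off:off + n].decode()); off += n
        _ntype, _stamp, kvno = struct.unpack(">IIB", e[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", e[off:off + 4]); off += 4 + klen
        if off + 4 <= size:                        # optional 32-bit kvno wins
            kvno, = struct.unpack(">I", e[off:off + 4])
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos += size
    return entries

def check_keytab(data, permitted=PERMITTED, props=PROPS):
    """Findings for a keytab against krb5.conf enctypes and Openfire properties."""
    want = "xmpp/%s@%s" % (props["xmpp.fqdn"], props["sasl.realm"])
    entries = parse_keytab(data)
    findings = [] if want in [p for p, _, _ in entries] else ["no entry for " + want]
    for p, _, et in entries:
        if ENCTYPES.get(et, str(et)) not in permitted:
            findings.append("%s: enctype %s not in permitted_enctypes" % (p, ENCTYPES.get(et, et)))
    return findings
```

The principal the check derives is the same string that setspn registered and that gss.conf carries, so all three must agree for the GSSAPI acceptor to work.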

 

21) Restart Openfire

# /etc/init.d/openfire restart

 

22) Install Spark 2.6.3 with JRE on the Windows workstation.

 

23) Change registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

(For XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)

Add a DWORD value AllowTGTSessionKey set to 1

 

24) Place the file krb5.ini in C:\Windows with this content:

[libdefaults]
    default_realm = REALM.LOCAL
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

[realms]
    REALM.LOCAL = {
        kdc = realm.local
        admin_server = realm.local
        default_domain = REALM.LOCAL
    }

[domain_realm]
    .realm.local = REALM.LOCAL
    realm.local = REALM.LOCAL

 

25) Reboot workstation.

 

26) In Spark choose “Use Single Sign-On (SSO) via GSSAPI”, type openfireserver into the server field and log in.

 

On XP all is fine, but on W7 SSO in Spark works only when run as an Administrator account.

 

If I find a solution for this problem, to be continued…

 

Note:

The reason Spark SSO doesn't work on Windows 7 without elevated privileges is UAC.

 

If the user has limited privileges, it works fine.

 

But if the user is a local admin, you need to either elevate always, or deactivate UAC.

 

Also, you can run Spark as a scheduled task with elevated privileges to sidestep UAC.