qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-906) Document Kerberos integration
Date Thu, 11 Jan 2018 09:00:27 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321885#comment-16321885 ]

ASF GitHub Bot commented on DISPATCH-906:
-----------------------------------------

Github user enkeys commented on the issue:

    https://github.com/apache/qpid-dispatch/pull/241
  
    We are trying to set up Kerberos for qpid-dispatch, and it looks like there is no option for a keytab mentioned in /etc/sasl2/qdrouterd.conf:
    `keytab: /tmp/keytabs/server.keytab`
    
    It is probably not required, but the principal has to be provided somehow. I think that should be possible to do with an external command:
    `kinit -k -t /path/file.keytab myprincipal`
    
    The next important thing that works for us is providing the environment variable KRB5_CONFIG before starting qdrouterd.
    `KRB5_CONFIG=/tmp/qdrouterd_krb5.conf`
    
    Otherwise, without KRB5_CONFIG set, qdrouterd gets this for every connection:
    `SERVER (info) Connection from 1.2.3.4:56468 (to 0.0.0.0:amqp) failed: proton:io:sasl_error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information () (Failed to authenticate client [mech=GSSAPI])`
    (My explanation is that cyrus-sasl/gssapi can't know about the realms.)
    
    So our qdrouterd_krb5.conf with the IPA conf:
    ```
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = example
     dns_lookup_realm = false
     dns_lookup_kdc = true
     rdns = false
     ticket_lifetime = 24h
     forwardable = true
     udp_preference_limit = 0
     default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     example = {
      kdc = ipa-server.example:88
      master_kdc = ipa-server.example:88
      admin_server = ipa-server.example:749
      default_domain = example
      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    }
    
    [domain_realm]
     .example = example
     example = example
     ipa-server.example = example
    
    [dbmodules]
      example = {
        db_library = ipadb.so
    }
    ```
    Where "example" is the TLD, so example.com, division.example.com etc. can be used.
    
    And we are still not able to get any message through (sender -> qdrouterd -> receiver), but the connection/results look more promising.


> Document Kerberos integration
> -----------------------------
>
>                 Key: DISPATCH-906
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-906
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Ben Hardesty
>            Assignee: Ben Hardesty
>
> Document requirements for accepting Kerberos-authenticated connections.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
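The comment above hinges on what the Kerberos library can derive from the file named by KRB5_CONFIG: the default realm, the KDC for that realm, and the [domain_realm] mapping that turns the router's hostname into a realm (and hence into the service principal the keytab must hold). The following Python is an added example, not code from the pull request, from the commenter, or from the Qpid Dispatch or MIT Kerberos projects. It parses a krb5.conf of the shape posted above (the embedded sample is a constructed, shortened copy of it), applies the host-to-realm lookup, and lists the obvious gaps. Assumptions, labelled in the code: the SASL service name is `amqp`, so the acceptor principal is `amqp/<host>@<REALM>`; `includedir` lines are recorded but not followed; `dns_lookup_realm` defaults to false and `dns_lookup_kdc` to true when absent.

```python
"""Parse a krb5.conf and check what a GSSAPI acceptor (qdrouterd via cyrus-sasl)
can derive from it for its own hostname. Added example; not project code."""
import re

# Constructed sample, modelled on the qdrouterd_krb5.conf posted in the comment.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = example
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false

[realms]
 example = {
  kdc = ipa-server.example:88
  admin_server = ipa-server.example:749
 }

[domain_realm]
 .example = example
 example = example
 ipa-server.example = example
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'name = { ... }' blocks become nested dicts.
    include/includedir directives are collected under '_includes', not followed.
    A key repeated in one block keeps the last value (enough for this check)."""
    conf = {"_includes": []}
    stack = []  # innermost dict last; empty until the first [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("includedir ", "include ")):
            conf["_includes"].append(line.split(None, 1)[1])
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(conf, host):
    """Mimic the [domain_realm] lookup: exact host first, then each parent domain
    with a leading dot, then default_realm. Returns (realm, how-it-was-found)."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], "domain_realm"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "domain_realm"
    return conf.get("libdefaults", {}).get("default_realm"), "default_realm"


def check_acceptor_config(conf, host, service="amqp"):
    """Return (expected keytab principal, list of findings). `service` is an
    assumption: the SASL service name used for the router is taken to be 'amqp'."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm, via = realm_for_host(conf, host)
    if realm is None:
        findings.append("no realm for %s: add [domain_realm] or default_realm" % host)
        return None, findings
    # Assumed MIT defaults when the keys are absent: dns_lookup_realm=false, dns_lookup_kdc=true.
    if via == "default_realm" and libdefaults.get("dns_lookup_realm", "false").lower() == "false":
        findings.append("%s is not covered by [domain_realm]; realm only implied by default_realm" % host)
    realm_def = conf.get("realms", {}).get(realm)
    if not isinstance(realm_def, dict):
        findings.append("[realms] has no block for %s" % realm)
    elif "kdc" not in realm_def and libdefaults.get("dns_lookup_kdc", "true").lower() != "true":
        findings.append("[realms] %s: no kdc and dns_lookup_kdc is false" % realm)
    return "%s/%s@%s" % (service, host.lower(), realm), findings


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    principal, problems = check_acceptor_config(cfg, "router1.example")
    print("expect in keytab:", principal)
    for p in problems:
        print("finding:", p)
```

Run it with the router's real hostname; the printed principal is the one `klist -k` should show in the keytab handed to `kinit -k -t`, and each finding names a krb5.conf section to fix before looking elsewhere for the "Unspecified GSS failure".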


