qpid-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DISPATCH-906) Document Kerberos integration
Date Thu, 11 Jan 2018 09:00:27 GMT

    [ https://issues.apache.org/jira/browse/DISPATCH-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321885#comment-16321885

ASF GitHub Bot commented on DISPATCH-906:

Github user enkeys commented on the issue:

    We are trying to set up Kerberos for qpid-dispatch, and it looks like there is no option mentioned in /etc/sasl2/qdrouterd.conf for a keytab:
    `keytab: /tmp/keytabs/server.keytab`
    It is probably not required, but it is needed to provide the principal somehow. I think that should be possible to do with an external command:
    `kinit -k -t /path/file.keytab myprincipal`
    The next important thing that works for us is providing the environment variable KRB5_CONFIG before starting qdrouterd.
    Otherwise, without KRB5_CONFIG set, qdrouterd gets, for every connection:
    ```
    SERVER (info) Connection from (to failed: proton:io:sasl_error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information () (Failed to authenticate client [mech=GSSAPI])
    ```
    (My explanation is that cyrus-sasl/gssapi can't know about the realms.)
    So our qdrouterd_krb5.conf with the IPA conf:
    ```
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = example
     dns_lookup_realm = false
     dns_lookup_kdc = true
     rdns = false
     ticket_lifetime = 24h
     forwardable = true
     udp_preference_limit = 0
     default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     example = {
      kdc = ipa-server.example:88
      master_kdc = ipa-server.example:88
      admin_server = ipa-server.example:749
      default_domain = example
      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
     }

    [domain_realm]
     .example = example
     example = example
     ipa-server.example = example

    [dbmodules]
      example = {
        db_library = ipadb.so
      }
    ```
    Where "example" is the TLD, so example.com, division.example.com etc. can be used.
    And we are still not able to send any message through (sender -> qdrouterd -> receiver),
but the connection/results look more promising.
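As an added example (not code from the comment above or from the Qpid Dispatch project), the following Python pre-flight check parses a krb5.conf in the standard profile format and reports the gaps that can leave the GSSAPI mechanism unable to resolve a realm: no default_realm, no [realms] block for it, no KDC with DNS lookup disabled, or no [domain_realm] mapping. It also checks whether KRB5_CONFIG and the service keytab are readable by the user who starts qdrouterd, which is the environment problem the comment describes. The sample config is constructed from the values in the comment; the function names and the keytab path are assumptions, and nothing here contacts a KDC.

```python
"""Pre-flight check for the krb5.conf that qdrouterd's GSSAPI mechanism will use.

Added example; reads local files only, never talks to a KDC.
"""
import os
from typing import Dict, List, Tuple

# Constructed sample: a trimmed, IPA-style krb5.conf like the one in the comment,
# with the standard section headers.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = example
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false

[realms]
 example = {
  kdc = ipa-server.example:88
  admin_server = ipa-server.example:749
  default_domain = example
 }

[domain_realm]
 .example = example
 example = example
 ipa-server.example = example
"""


def parse_krb5_conf(text: str) -> Tuple[Dict[str, dict], List[str]]:
    """Parse the krb5.conf profile format into {section: {key: value-or-dict}}.

    Supports [section] headers, key = value lines, nested 'name = {' ... '}'
    blocks, '#' / ';' comments, and include/includedir directives (collected,
    not followed).
    """
    sections: Dict[str, dict] = {}
    includes: List[str] = []
    stack: List[dict] = []  # innermost block last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("include ", "includedir ")):
            includes.append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"{line!r} appears before any [section]")
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep:
                raise ValueError(f"cannot parse line: {line!r}")
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections, includes


def realm_findings(sections: Dict[str, dict]) -> List[str]:
    """Explain why libkrb5 could fail to resolve the realm from this config."""
    out: List[str] = []
    libdefaults = sections.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] default_realm is missing"]
    realm_cfg = sections.get("realms", {}).get(realm)
    if realm_cfg is None:
        out.append(f"[realms] has no block for default_realm {realm!r}")
    elif "kdc" not in realm_cfg and libdefaults.get("dns_lookup_kdc", "false").lower() != "true":
        out.append(f"realm {realm!r} lists no kdc and dns_lookup_kdc is off")
    if realm not in sections.get("domain_realm", {}).values():
        out.append(f"[domain_realm] maps no host or domain to {realm!r}")
    return out


def environment_findings(env: Dict[str, str], keytab: str) -> List[str]:
    """Check what qdrouterd inherits: KRB5_CONFIG and the service keytab."""
    out: List[str] = []
    path = env.get("KRB5_CONFIG")
    if not path:
        out.append("KRB5_CONFIG is unset; libkrb5 falls back to /etc/krb5.conf")
    elif not os.access(path, os.R_OK):
        out.append(f"KRB5_CONFIG={path} is not a readable file")
    if not os.access(keytab, os.R_OK):
        out.append(f"keytab {keytab} is not readable by this user")
    return out


if __name__ == "__main__":
    conf, _ = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Assumed paths: adjust to the real KRB5_CONFIG and keytab on the router host.
    for finding in realm_findings(conf) + environment_findings(dict(os.environ), "/tmp/keytabs/server.keytab"):
        print("FINDING:", finding)
```

Run it as the same user and with the same environment that will start qdrouterd, since KRB5_CONFIG is read from the process environment and a keytab that root can read but the service user cannot produces the same failure.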

> Document Kerberos integration
> -----------------------------
>                 Key: DISPATCH-906
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-906
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Ben Hardesty
>            Assignee: Ben Hardesty
> Document requirements and for accepting Kerberos authenticated connections.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
