samba4 & WindowsDesktopSSO
Andrew Bartlett
abartlet at samba.org
Tue Oct 8 20:41:33 MDT 2013
On Wed, 2013-10-02 at 16:28 +0200, miquel wrote:
> we are trying to integrate the openam WindowsDesktopSSO module with samba4
> kerberos.
>
> we are creating a keytab on the samba4 DC following these steps:
>
> samba-tool user create --random-password http-server-hp
> samba-tool spn add HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL http-server-hp
> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL
> samba-tool domain exportkeytab /root/as1_2.keytab --principal=HOST/server-hp.testdomain.local@TESTDOMAIN.LOCAL
>
>
> But we need to change the openam source code to configure Krb5LoginModule
> with the "isInitiator=false" parameter.
>
>
> 10.1.0-Xpress/openam/openam-authentication/openam-auth-windowsdesktopsso/src/main/java/com/sun/identity/authentication/modules/windowsdesktopsso/WindowsDesktopSSOConfig.java:
>
> } else {
> hashmap.put("storeKey", "true");
> hashmap.put("useKeyTab", "true");
> + hashmap.put("isInitiator", "false");
> hashmap.put("keyTab", keytab);
> hashmap.put("doNotPrompt", "true");
> hashmap.put("refreshKrb5Config", refreshConf);
> }
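Review bot: the added `hashmap.put("isInitiator", "false");` hardcodes the literal "false", while the neighbouring `refreshKrb5Config` entry is driven by a variable (`refreshConf`); consider exposing it as a module option with a default of "false" so deployments that rely on the current initiator behaviour can keep it without patching source. Also check whether the branch preceding this `else` builds its own option map and needs the same entry, since only the `else` side is shown receiving it. Minor: the hunk carries no leading-space context markers, so it will not apply with `patch` as pasted.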
>
>
> Without the "isInitiator" parameter we can't log in, and openam shows a "Client not
> found in Kerberos database" error.
>
> Is it correct?
We should behave the same as Windows, but it is correct to say that a
service is generally not an initiator, if using the http/server-hp@REALM
principal form. The initiator form is http-server-hp@REALM.
In general, services accepting tickets shouldn't be initiators: they
don't need to get their own ticket to accept a ticket, and this also
makes it more reliable (no need for the KDC at startup).
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
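To make the acceptor-only configuration concrete, here is an added Java example (not OpenAM's or Samba's code) that builds the same Krb5LoginModule option set the quoted hashmap does, with `isInitiator=false`, logs in from the keytab, and then validates a browser's `Negotiate` token with an ACCEPT_ONLY GSS credential. The principal name and keytab path are taken from the thread above; the class name `AcceptorOnlyDemo` and the way the token is handed in on the command line are assumptions for the demo.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Acceptor-only Kerberos login for a web service (hypothetical demo, not
 * OpenAM or Samba code): the service validates tickets presented by
 * browsers via SPNEGO and never requests a ticket of its own.
 */
public class AcceptorOnlyDemo {

    // Values as they appear in the mailing-list thread.
    static final String SERVICE_PRINCIPAL =
            "HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL";
    static final String KEYTAB_PATH = "/root/as1_2.keytab";

    /** The option set OpenAM builds in its hashmap, with isInitiator=false added. */
    static Map<String, String> acceptorOptions(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal);
        opts.put("useKeyTab", "true");      // long-term key comes from the keytab
        opts.put("keyTab", keytab);
        opts.put("storeKey", "true");       // keep the key in the Subject for GSS to accept tickets
        opts.put("isInitiator", "false");   // no AS-REQ for a TGT: acceptor only, no KDC needed at startup
        opts.put("doNotPrompt", "true");
        opts.put("refreshKrb5Config", "true");
        return opts;
    }

    /** Programmatic JAAS configuration around Krb5LoginModule, replacing a jaas.conf file. */
    static Configuration jaasConfig(Map<String, String> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>(options))
                };
            }
        };
    }

    /** Validates one SPNEGO token under the service Subject; returns the client principal. */
    static String acceptToken(Subject service, byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            // Null name: the acceptor principal is taken from the keys stored in the Subject.
            GSSCredential cred = manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(cred);
            try {
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                if (!ctx.isEstablished()) {
                    // SPNEGO may need another leg; a real handler would send `reply` back
                    // in a WWW-Authenticate: Negotiate header and wait for the next token.
                    throw new IllegalStateException("context not yet established, "
                            + (reply == null ? 0 : reply.length) + "-byte reply pending");
                }
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Usage: java AcceptorOnlyDemo "Negotiate <base64 token from the Authorization header>" */
    public static void main(String[] args) throws Exception {
        String header = args[0].trim();
        String b64 = header.startsWith("Negotiate ") ? header.substring(10) : header;
        byte[] token = Base64.getDecoder().decode(b64);

        LoginContext lc = new LoginContext("acceptor", null, null,
                jaasConfig(acceptorOptions(SERVICE_PRINCIPAL, KEYTAB_PATH)));
        lc.login();   // with isInitiator=false this succeeds without contacting the KDC

        System.out.println("authenticated client: " + acceptToken(lc.getSubject(), token));
    }
}
```

After `lc.login()` the Subject holds only the keytab key, not a TGT. With the default `isInitiator=true`, Krb5LoginModule would additionally send an AS-REQ for `HTTP/server-hp.testdomain.local@TESTDOMAIN.LOCAL` at login time, which is the step that fails with "Client not found in Kerberos database" when that name exists in the KDC only as an SPN and not as the account's client principal (`http-server-hp@REALM` in Andrew's terms).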