Hello!
I want to share my experience of installing an Openfire server on Debian in a Windows Server 2008 Active Directory domain, with SSO for the Spark client.
The installation itself is simple and takes little time; the main difficulties for me arose when setting up Kerberos authentication for the whole software bundle.
Infrastructure:
Openfire 3.8.2 is installed on Debian 7.0 "Wheezy" x64 with the MySQL DBMS.
Debian server name: openfireserver.
Active Directory is deployed on Windows Server 2008 Standard (Kerberos uses RC4-HMAC-NT encryption by default).
Domain: realm.local.
Workstations: Windows XP Pro and Windows 7 Pro x32/x64 with the Spark 2.6.3 client installed.
Installation step by step (MySQL, Samba and Sun/Oracle Java are already preinstalled on Debian):
1) Login as root.
2) Check the pre-installed software:
# cat /etc/issue
Debian GNU/Linux 7.0 \n \l
# smbd -V
Version 3.6.6
# mysql -V
mysql  Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2
# java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)
3) Create the database "openfire" and the MySQL user "openfire":
# mysql -p
Enter password: [type the MySQL root password]
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 5.5.31-0+wheezy1 (Debian)
Copyright 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE openfire;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON openfire.* TO 'openfire'@'localhost' IDENTIFIED BY 'PasswordGoldFish' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
4) Download and install the Openfire server:
# cd /tmp
# wget http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.8.2_all.deb
100%[===================================>] 12,838,026  2.92M/s   in 7.6s
2013-05-28 12:58:04 (1.62 MB/s) - "downloadServlet?filename=openfire%2Fopenfire_3.8.2_all.deb" saved [12838026/12838026]
/tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb openfire_3.8.2_all.deb
/tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb
/tmp# dpkg -i openfire_3.8.2_all.deb
Warning: /var/lib/openfire
Starting openfire: openfire
# /etc/init.d/openfire stop
Stopping openfire: openfire.
Change the owner:
# chown -R openfire:openfire /var/lib/openfire
# /etc/init.d/openfire start
Starting openfire: openfire.
5) Open the setup page in the browser (I use Mozilla Firefox):
http://openfireserver:9090
Choose the language (the Russian translation is poor, so I kept English).
Type the Domain name: openfireserver.realm.local
Next, select "Standard Database Connection".
Choose the MySQL preset.
Replace [hostname] with localhost and [database-name] with openfire.
Type Username: openfire
Type Password: PasswordGoldFish
Click "Continue".
Profile Setup, Step 1:
Choose "Directory Server (LDAP)".
Choose Server Type: Active Directory
Type Host: realm.local
Type Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local
Type Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local
Type Password: Password_LDAP
For this step I had previously created a user in AD named LDAP with a non-expiring password: Password_LDAP
Save and continue.
Steps 2 and 3 remain unchanged.
Add Openfire administrators; these can be any users from the Base DN.
Just type their logins and click "Add".
When the users have been added successfully, click "Continue".
This completes the installation of Openfire; you can now open the administrator console.
If you go to the Users section, you will see that all users from the Base DN are already there.
Everything already works and users can authenticate in the usual way, but my goal is SSO (the main problem being AD account lockouts after users change their passwords).
So we go further ...
6) Configure Samba:
# nano /etc/samba/smb.conf
[global]
workgroup = REALM
realm = REALM.LOCAL
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
kerberos method = secrets and keytab
winbind refresh tickets = yes
password server = realm.local
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
7) Configure Kerberos:
# nano /etc/krb5.conf
[libdefaults]
default_realm = REALM.LOCAL
kdc_timesync = 1
forwardable = true
proxiable = true
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
8) Restart Samba:
# /etc/init.d/samba restart
9) Join the Debian server to AD:
# net ads join -U DomainAdminAccount -D REALM.LOCAL
or
# net rpc join -U DomainAdminAccount
10) Check the join:
# net ads testjoin
Join is OK
# net rpc testjoin
Join to 'REALM' is OK
11) DNS check:
# nslookup
> openfireserver
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: openfireserver.realm.local
Address: 192.168.1.22
> 192.168.1.22
Server: 192.168.1.1
Address: 192.168.1.1#53
22.1.168.192.in-addr.arpa name = openfireserver.realm.local.
> exit
The following five steps are performed on a Windows Server 2008 domain controller:
12) Create an xmpp-openfire user in AD with a non-expiring password and the option "Do not require Kerberos preauthentication" enabled.
13) Create an SPN and map it to the user xmpp-openfire:
Run the command prompt with Administrator privileges.
> setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire
> ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL
Enter the password of the user xmpp-openfire when prompted.
14) If you use the JRE to generate the keytab file, create the file C:\Windows\krb5.ini with the contents:
[libdefaults]
default_realm = REALM.LOCAL
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
15) Create the keytab file (Sun/Oracle JRE6 must be installed):
> cd "C:\Program Files (x86)\Java\jre6\bin"
C:\Program Files (x86)\Java\jre6\bin> ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL
Enter the password of the user xmpp-openfire when prompted.
Alternatively, without the JRE:
> ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab
Enter the password of the user xmpp-openfire when prompted.
16) Check the generated keytab file (requires the JRE):
C:\Program Files (x86)\Java\jre6\bin> kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL
17) Copy the verified xmpp.keytab file to the Debian server into /usr/share/openfire/resources.
Change the owner:
# chown openfire:openfire xmpp.keytab
18) Check the xmpp.keytab file on the Debian server:
# kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL
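Besides the kinit checks in steps 16 and 18, it helps to confirm offline that the file really holds the expected SPN with the enctype the domain controllers issue (RC4-HMAC, enctype 23, as noted in the infrastructure list) and not, say, only AES keys or a mistyped principal. The checker below is an added example, not part of the original post or of Openfire: it parses the MIT keytab format that ktab and ktpass write and, so that it runs without a real keytab, constructs a one-entry keytab in memory whose key bytes and timestamp are dummy values.

```python
import struct

# Values from the procedure above; the key bytes and timestamp used below are constructed dummies.
EXPECTED_PRINCIPAL = "xmpp/openfireserver.realm.local@REALM.LOCAL"
RC4_HMAC = 23          # Kerberos enctype number for rc4-hmac, which the Windows 2008 DCs issue here
KRB5_NT_PRINCIPAL = 1

def _counted(b: bytes) -> bytes:          # keytab counted octet string: u16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal: str, etype: int, key: bytes, kvno: int = 2) -> bytes:
    """Build a one-entry MIT keytab (format 0x0502) so the example can run offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 1369741084, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, kvno, etype), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                       # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,), pos = struct.unpack_from(">H", data, pos), pos + 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno32 or vno8, etype))
        pos = end
    return entries

def check_keytab(data: bytes, principal: str = EXPECTED_PRINCIPAL, etype: int = RC4_HMAC) -> bool:
    # True only if the keytab holds the expected SPN with the enctype the KDC will actually use
    return any(p == principal and e == etype for p, _, e in parse_keytab(data))
```

On the real file, check_keytab(open("/usr/share/openfire/resources/xmpp.keytab", "rb").read()) should return True before you move on to step 19.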
19) Create the file /etc/openfire/gss.conf on the Debian server with the contents:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey = true
keyTab = "/usr/share/openfire/resources/xmpp.keytab"
doNotPrompt = true
useKeyTab = true
realm = "REALM.LOCAL"
principal = "xmpp/openfireserver.realm.local@REALM.LOCAL"
isInitiator = false
debug = true;
};
20) In the Openfire admin console, go to the System Properties section and add the parameters:
sasl.gssapi.config = /etc/openfire/gss.conf
sasl.gssapi.debug = false
sasl.gssapi.useSubjectCredsOnly = false
sasl.mechs = GSSAPI
sasl.realm = REALM.LOCAL
xmpp.fqdn = openfireserver.realm.local
21) Restart Openfire:
# /etc/init.d/openfire restart
22) Install Spark 2.6.3 with the JRE on the Jabber client workstations.
23) Edit the registry:
In the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
(for XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)
add a DWORD value
AllowTGTSessionKey with a value of 1.
24) Create a krb5.ini file in C:\Windows with the contents:
[libdefaults]
default_realm = REALM.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
REALM.LOCAL = {
kdc = realm.local
admin_server = realm.local
default_domain = REALM.LOCAL
}
[domain_realm]
.realm.local = REALM.LOCAL
realm.local = REALM.LOCAL
25) Reboot the workstation.
26) In Spark, select the option "Use Single Sign-On (SSO) via GSSAPI", type openfireserver in the "Server" field and connect.
Under Windows XP there are no problems, but under Windows 7 SSO in Spark works out of the box only for unprivileged users.
If you work as an administrator, start Spark as Administrator or disable UAC.
Good luck!
To be continued as the product develops ...