
Installing an Openfire server on Debian in a Windows Server 2008 AD domain with transparent user authorization

Hello!



I want to share my experience of installing an Openfire server on Debian in a Windows Server 2008 AD domain, with SSO from the Spark client.



The installation itself is simple and takes little time; the main difficulties for me arose when setting up Kerberos authorization across the whole software bundle.


Infrastructure:

Openfire 3.8.2 installed on Debian 7.0 "Wheezy" x64 with a MySQL DBMS.

Debian server name: openfireserver.

Active Directory on Windows 2008 Server Standard (Kerberos uses RC4-HMAC-NT encryption by default).

Domain: realm.local.

Workstations: Windows XP Pro and Windows 7 Pro x32/x64 with the Spark 2.6.3 client installed.





Installation step by step (MySQL, Samba and Sun/Oracle Java are already installed on Debian):



1) Log in as root.



2) Check the pre-installed software:

  # cat /etc/issue


Debian GNU/Linux 7.0 \n \l



  # smbd -V 


Version 3.6.6



  # mysql -V 


mysql Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2



  # java -version 


java version "1.7.0_21"

Java(TM) SE Runtime Environment (build 1.7.0_21-b11)

Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)



3) Create the database “openfire” and the MySQL user “openfire”:

  # mysql -p 


Enter password: [type the MySQL root user's password]

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 49

Server version: 5.5.31-0+wheezy1 (Debian)

Copyright 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.



  mysql> CREATE DATABASE openfire; 


Query OK, 1 row affected (0.00 sec)



  mysql> GRANT ALL PRIVILEGES ON openfire.* TO 'openfire'@'localhost' IDENTIFIED BY 'PasswordGoldFish' WITH GRANT OPTION;


Query OK, 0 rows affected (0.00 sec)



  mysql> FLUSH PRIVILEGES; 


Query OK, 0 rows affected (0.00 sec)



  mysql> exit 


Bye



4) Download and install the Openfire server.

  # cd /tmp
  # wget http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.8.2_all.deb


100%[===================================>] 12,838,026 2.92M/s in 7.6s

2013-05-28 12:58:04 (1.62 MB/s) - “downloadServlet?filename=openfire%2Fopenfire_3.8.2_all.deb” saved [12838026/12838026]

  /tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb openfire_3.8.2_all.deb
  /tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb
  /tmp# dpkg -i openfire_3.8.2_all.deb


Warning: /var/lib/openfire

Starting openfire: openfire



  # /etc/init.d/openfire stop 


Stopping openfire: openfire.



Change the owner:

  # chown -R openfire:openfire /var/lib/openfire

  # /etc/init.d/openfire start


Starting openfire: openfire.



5) Open the address in a browser (I use Mozilla Firefox):

http://openfireserver:9090

Choose the language (the Russian translation is poor, so I kept English).

Type the Domain name: openfireserver.realm.local

Next, select "Standard Database Connection".

Choose the MySQL preset.

Set [hostname] to localhost and [database-name] to openfire.

Type Username: openfire

Type Password: PasswordGoldFish

Click "Continue".

Profile Setup, Step 1:

Choose "Directory Server (LDAP)".

Choose Server Type: Active Directory

Type Host: realm.local

Type Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local

Type Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local

Type Password: Password_LDAP

For this step I created in advance an AD user named LDAP with a non-expiring password: Password_LDAP

Save and continue.

Steps 2 and 3 remain unchanged.

Add the Openfire administrators; these can be any users from the Base DN.

Just type their logins and click "Add".

When the users have been added successfully, click "Continue".



This completes the installation of Openfire; you can now go to the admin console.

If you go to the Users section, you can see that all users from the Base DN are already there.

Everything already works and users can authenticate in the usual way, but my goal is SSO (the main problem being AD account lockouts after a password change).

So we go further...



6) Configure Samba:

  # nano /etc/samba/smb.conf 


  [global]
    workgroup = REALM
    realm = REALM.LOCAL
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    password server = realm.local
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes 




7) Configure Kerberos:

  # nano /etc/krb5.conf 


  [libdefaults]
         default_realm = REALM.LOCAL
         kdc_timesync = 1
         forwardable = true
         proxiable = true
         default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
         default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
         permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  [realms]
         REALM.LOCAL = {
                 kdc = realm.local
                 admin_server = realm.local
                 default_domain = REALM.LOCAL
         }
  [domain_realm]
         .realm.local = REALM.LOCAL
         realm.local = REALM.LOCAL
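An added example, not code from the post: a small Python linter for a krb5.conf like the one above. It parses the sections, checks that the default realm has a [realms] block and that [domain_realm] maps both realm.local and .realm.local to it, and flags the DES, 3DES and RC4 enctypes the post enables. They are needed here because the 2008 DC negotiates RC4-HMAC by default, but a check like this keeps that trade-off visible for when the DC is later upgraded. KRB5_SAMPLE is a constructed copy of the post's config.

```python
# Added example (not from the post): lint a krb5.conf like the one above. KRB5_SAMPLE is a constructed copy of it.
# WEAK_ENCTYPES: single DES (removed from MIT Kerberos), 3DES and RC4 (deprecated); the 2008 DC wants rc4-hmac by default.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

KRB5_SAMPLE = """\
[libdefaults]
    default_realm = REALM.LOCAL
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
[realms]
    REALM.LOCAL = {
        kdc = realm.local
    }
[domain_realm]
    .realm.local = REALM.LOCAL
    realm.local = REALM.LOCAL"""


def parse_krb5(text):
    """Parse [section] / key = value / NAME = { ... } blocks into nested dicts."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line.endswith("{"):
            block = section.setdefault(line.rstrip("{= "), {})
        elif line == "}":
            block = None
        elif line:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf


def check_krb5(text):
    """Return a list of findings; an empty list means the config is consistent."""
    conf = parse_krb5(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    findings = []
    if realm not in conf.get("realms", {}):
        findings.append(f"no [realms] block for default_realm {realm!r}")
    for name in (realm.lower(), "." + realm.lower()):  # both forms must map to the realm
        if conf.get("domain_realm", {}).get(name) != realm:
            findings.append(f"[domain_realm] does not map {name} to {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(weak)}")
    return findings
```

Running check_krb5 on the post's config reports the three enctype lists and nothing else; swapping the lists for aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 reports nothing.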




8) Restart Samba

  # /etc/init.d/samba restart 




9) Join the Debian server to AD:

  # net ads join -U DomainAdminAccount -D REALM.LOCAL 


or



  # net rpc join -U DomainAdminAccount 




10) Check the join:

  # net ads testjoin 


Join is OK



  # net rpc testjoin 


Join to 'REALM' is OK



11) DNS check:

  # nslookup
  > openfireserver


Server: 192.168.1.1

Address: 192.168.1.1#53

Name: openfireserver.realm.local

Address: 192.168.1.22



  > 192.168.1.22 


Server: 192.168.1.1

Address: 192.168.1.1#53

22.1.168.192.in-addr.arpa name = openfireserver.realm.local.



  > exit 




The following five steps are performed on a Windows Server 2008 domain controller:



12) Create an xmpp-openfire user in AD with a non-expiring password and with the option “Do not require Kerberos preauthentication” enabled.



13) Create an SPN and associate it with the xmpp-openfire user:

Run the command prompt with Administrator privileges.

  > setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire
  > ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL


Enter the password for the user xmpp-openfire.



14) If the JRE is used to generate the keytab file, create the file C:\Windows\krb5.ini with the contents:

  [libdefaults]
      default_realm = REALM.LOCAL
  [realms]
      REALM.LOCAL = {
          kdc = realm.local
          admin_server = realm.local
          default_domain = REALM.LOCAL
      }
  [domain_realm]
      .realm.local = REALM.LOCAL
      realm.local = REALM.LOCAL




15) Create the keytab file (Sun/Oracle JRE6 must be installed):

  > cd C:\Program Files (x86)\Java\jre6\bin
  C:\Program Files (x86)\Java\jre6\bin> ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL


Enter the password for the user xmpp-openfire.



Or you can use another way, without the JRE:

  > ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab


Enter the password for the user xmpp-openfire.



16) Check the generated keytab file (requires the JRE):

  C:\Program Files (x86)\Java\jre6\bin> kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL




17) Transfer the verified xmpp.keytab file to the Debian server into /usr/share/openfire/resources

Change the owner:

  # chown openfire:openfire /usr/share/openfire/resources/xmpp.keytab




18) Check the xmpp.keytab file on the Debian server:

  # kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL 




19) On the Debian server, create the file /etc/openfire/gss.conf with the contents:

  com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule
      required
      storeKey = true
      keyTab = "/usr/share/openfire/resources/xmpp.keytab"
      doNotPrompt = true
      useKeyTab = true
      realm = "REALM.LOCAL"
      principal = "xmpp/openfireserver.realm.local@REALM.LOCAL"
      isInitiator = false
      debug = true;
  };




20) In the browser, open the Openfire admin console and in the System Properties section add the parameters:

sasl.gssapi.config = /etc/openfire/gss.conf

sasl.gssapi.debug = false

sasl.gssapi.useSubjectCredsOnly = false

sasl.mechs = GSSAPI

sasl.realm = REALM.LOCAL

xmpp.fqdn = openfireserver.realm.local
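An added example, not code from the post: a Python check that the gss.conf entry from step 19 and the system properties above agree, since a mismatch between principal, xmpp.fqdn and sasl.realm is a common reason the GSSAPI handshake fails. It also flags debug = true in gss.conf, because Krb5LoginModule's debug output writes a hex dump of the keytab key into the Openfire log. GSS_CONF and PROPS are constructed copies of the post's values.

```python
# Added example (not from the post): cross-check the gss.conf JAAS entry against the Openfire
# system properties above. GSS_CONF and PROPS are constructed copies of the post's values.
import re

GSS_CONF = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey = true
    keyTab = "/usr/share/openfire/resources/xmpp.keytab"
    doNotPrompt = true
    useKeyTab = true
    realm = "REALM.LOCAL"
    principal = "xmpp/openfireserver.realm.local@REALM.LOCAL"
    isInitiator = false
    debug = true;
};"""
PROPS = {
    "sasl.gssapi.config": "/etc/openfire/gss.conf",
    "sasl.mechs": "GSSAPI",
    "sasl.realm": "REALM.LOCAL",
    "xmpp.fqdn": "openfireserver.realm.local",
}


def parse_jaas(text):
    """Map each JAAS entry name to its login module class, control flag and options."""
    entries = {}
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\};", text, re.S):
        module, flag, *_ = body.split()
        opts = {k: q or v for k, q, v in re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', body)}
        entries[name] = {"module": module, "flag": flag, "options": opts}
    return entries


def check_sso(gss_text, props):
    """Return findings for the GSSAPI acceptor setup; an empty list means the pieces agree."""
    entry = parse_jaas(gss_text).get("com.sun.security.jgss.accept")
    if entry is None:
        return ["gss.conf has no com.sun.security.jgss.accept entry"]
    opts, findings = entry["options"], []
    expected = f"xmpp/{props['xmpp.fqdn']}@{props['sasl.realm']}"  # the SPN Spark asks the KDC for
    if opts.get("principal") != expected:
        findings.append(f"principal {opts.get('principal')!r} != {expected!r}")
    for key, want in (("useKeyTab", "true"), ("storeKey", "true"), ("isInitiator", "false"), ("doNotPrompt", "true")):
        if opts.get(key) != want:  # the acceptor must take its key from the keytab and never prompt
            findings.append(f"{key} should be {want}")
    if "GSSAPI" not in props.get("sasl.mechs", "").split(","):
        findings.append("sasl.mechs does not offer GSSAPI")
    if opts.get("debug") == "true":  # Krb5LoginModule debug output includes a hex dump of the keytab key
        findings.append("debug = true in gss.conf logs key material; disable it once SSO works")
    return findings
```

With the post's values the only finding is the debug setting; changing xmpp.fqdn to the short host name makes the principal check fail, which is the mismatch to look for when SSO does not connect.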



21) Restart Openfire

  # /etc/init.d/openfire restart 




22) Install Spark 2.6.3 with the JRE on the Jabber client workstations.



23) Edit the registry:

In the key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

(for XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)

add a DWORD value

AllowTGTSessionKey with a value of 1.



24) Create a krb5.ini file in C:\Windows with the contents:

  [libdefaults]
      default_realm = REALM.LOCAL
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac
  [realms]
      REALM.LOCAL = {
          kdc = realm.local
          admin_server = realm.local
          default_domain = REALM.LOCAL
      }
  [domain_realm]
      .realm.local = REALM.LOCAL
      realm.local = REALM.LOCAL




25) Reboot the workstation.



26) In Spark, select the option “Use Single Sign-On (SSO) via GSSAPI”, type openfireserver in the “Server” field and connect.



There are no problems on Windows XP, but on Windows 7 SSO in Spark works out of the box only for unprivileged users.

If you work as an administrator, run Spark as Administrator or disable UAC.



Good luck!



As the development of the product should continue ...

Source: https://habr.com/ru/post/181374/


