
Installing an Openfire server on Debian in the AD2008 domain with transparent user authorization

Hello!

I want to share my experience of installing an Openfire server on Debian in an AD Windows Server 2008 domain with SSO from the Spark client.

The installation itself is simple and takes little time; the main difficulties for me came up when setting up Kerberos authorization across the whole software bundle.
Infrastructure:
Openfire 3.8.2 is installed on Debian 7.0 "Wheezy" x64 using the MySQL DBMS.
Debian server name: openfireserver.
Active Directory is deployed on Windows 2008 Server Standard (Kerberos uses RC4-HMAC-NT encryption by default).
Domain: realm.local.
Workstations: Windows XP Pro and Windows 7 Pro x32/x64 with the Spark 2.6.3 client installed.


Installation step by step (MySQL, Samba and Sun/Oracle Java are already preinstalled on Debian):

1) Login as root.

2) Check the pre-installed software:
  # cat /etc/issue 

Debian GNU/Linux 7.0 \n \l

  # smbd -V 

Version 3.6.6

  # mysql -V 

mysql Ver 14.14 Distrib 5.5.31, for debian-linux-gnu (x86_64) using readline 6.2

  # java -version 

java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

3) Create the database “openfire” and the MySQL user “openfire”:
  # mysql -p 

Enter password: [type root user password in MySQL]
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 5.5.31-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

  mysql> CREATE DATABASE openfire; 

Query OK, 1 row affected (0.00 sec)

  mysql> GRANT ALL PRIVILEGES ON openfire.* TO 'openfire'@'localhost' IDENTIFIED BY 'PasswordGoldFish' WITH GRANT OPTION; 

Query OK, 0 rows affected (0.00 sec)

  mysql> FLUSH PRIVILEGES; 

Query OK, 0 rows affected (0.00 sec)

  mysql> exit 

Bye

4) Download and install the Openfire server.
  # cd /tmp
  # wget http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.8.2_all.deb 

100%[===================================>] 12,838,026 2.92M/s in 7.6s
2013-05-28 12:58:04 (1.62 MB/s) - 'downloadServlet?filename=openfire%2Fopenfire_3.8.2_all.deb' saved [12838026/12838026]
  /tmp# cp downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb openfire_3.8.2_all.deb
  /tmp# rm downloadServlet\?filename\=openfire%2Fopenfire_3.8.2_all.deb
  /tmp# dpkg -i openfire_3.8.2_all.deb 

Warning: /var/lib/openfire
Starting openfire: openfire

  # /etc/init.d/openfire stop 

Stopping openfire: openfire.

Change the owner:
  # chown -R openfire:openfire /var/lib/openfire

 # /etc/init.d/openfire start 

Starting openfire: openfire.

5) Open the following address in a browser (I use Mozilla Firefox):
http://openfireserver:9090
Choose the language (the Russian translation is poor, so I left English).
Type in Domain name: openfireserver.realm.local
Next, select "Standard Database Connection"
Choose Preset: MySQL
In the connection URL replace [hostname] with localhost and [database-name] with openfire
Type in Username: openfire
Type in Password: PasswordGoldFish
Click "Continue"
Profile Setup, Step 1:
Choose "Directory Server (LDAP)"
Choose Server Type: Active Directory
Type in Host: realm.local
Type in Base DN: ou=Jabber,ou=Company_Users,dc=realm,dc=local
Type in Administrator DN: cn=LDAP,cn=Users,dc=realm,dc=local
Type in Password: Password_LDAP
For this step I had previously created a user in AD named LDAP with a password that never expires: Password_LDAP
Save and continue.
Steps 2 and 3 remain unchanged.
Add the Openfire administrators; they can be any users from the Base DN.
Just type their logins and click "Add".
If the users were added successfully, click "Continue".

This completes the Openfire installation; you can now go to the administrator console.
If you open the Users section, you will see that all users from the Base DN are already there.
Everything already works and users can authenticate in the usual way, but my goal is SSO (the main problem being that accounts get locked out in AD after a password change).
So we go further ...

6) Configure Samba:
  # nano /etc/samba/smb.conf 

  [global]
    workgroup = REALM
    realm = REALM.LOCAL
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    password server = realm.local
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes 


7) Configure Kerberos:
  # nano /etc/krb5.conf 

  [libdefaults]
         default_realm = REALM.LOCAL
         kdc_timesync = 1
         forwardable = true
         proxiable = true
         default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
         default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
         permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
 [realms]
         REALM.LOCAL = {
                 kdc = realm.local
                 admin_server = realm.local
                 default_domain = REALM.LOCAL
         }
 [domain_realm]
         .realm.local = REALM.LOCAL
         realm.local = REALM.LOCAL


8) Restart Samba
  # /etc/init.d/samba restart 


9) We join the Debian server to AD:
  # net ads join -U DomainAdminAccount -D REALM.LOCAL 

or

  # net rpc join -U DomainAdminAccount 


10) Check how joined:
  # net ads testjoin 

Join is OK

  # net rpc testjoin 

Join to 'REALM' is OK

11) DNS check:
  # nslookup
 > openfireserver 

Server: 192.168.1.1
Address: 192.168.1.1 # 53
Name: openfireserver.realm.local
Address: 192.168.1.22

  > 192.168.1.22 

Server: 192.168.1.1
Address: 192.168.1.1 # 53
22.1.168.192.in-addr.arpa name = openfireserver.realm.local.

  > exit 


The following five steps are performed on a Windows Server 2008 domain controller:

12) Create a user xmpp-openfire in AD whose password never expires and with the option "Do not require Kerberos preauthentication" enabled.

13) Create an SPN and associate it with the user xmpp-openfire:
Run the command prompt with Administrator privileges.
  > setspn -A xmpp/openfireserver.realm.local@REALM.LOCAL xmpp-openfire
 > ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL

Enter the password for the user xmpp-openfire.

14) If we use the JRE to generate the keytab file, create the file C:\Windows\krb5.ini with the contents:
  [libdefaults]
     default_realm = REALM.LOCAL
 [realms]
     REALM.LOCAL = {
         kdc = realm.local
         admin_server = realm.local
         default_domain = REALM.LOCAL
     }
 [domain_realm]
     .realm.local = REALM.LOCAL
     realm.local = REALM.LOCAL 


15) Create a keytab file (Sun/Oracle JRE6 must be installed):
  cd "C:\Program Files (x86)\Java\jre6\bin"
  C:\Program Files (x86)\Java\jre6\bin> ktab -k xmpp.keytab -a xmpp/openfireserver.realm.local@REALM.LOCAL 

Enter the password for the user xmpp-openfire.

Alternatively, without the JRE:
  > ktpass -princ xmpp/openfireserver.realm.local@REALM.LOCAL -mapuser xmpp-openfire@realm.local -pass * -ptype KRB5_NT_PRINCIPAL -out xmpp.keytab 

Enter the password for the user xmpp-openfire.

16) Check the generated keytab file (need JRE):
  C:\Program Files (x86)\Java\jre6\bin> kinit -k -t xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL 


17) Transfer the verified xmpp.keytab file to the Debian server into /usr/share/openfire/resources
Change the owner:
  # chown openfire:openfire xmpp.keytab 


18) Check the xmpp.keytab file on the Debian server:
  # kinit -V -k -t /usr/share/openfire/resources/xmpp.keytab xmpp/openfireserver.realm.local@REALM.LOCAL 
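
Steps 15 to 18 create the keytab and prove it with kinit, but kinit only tells you that one principal works; it does not show what else the file contains or whether the principal name really equals xmpp/<xmpp.fqdn>@<sasl.realm>, the values Openfire is given in step 20. The script below is an added example (not from the original post, not part of Openfire or the JRE tools): parse_keytab() reads the standard keytab file format (version 0x0502) that ktab, ktpass and klist use, build_keytab() is a constructed writer used only to produce test data, and check_openfire_keytab() compares every entry against the expected service principal. The sample key bytes and kvno values are constructed.

```python
#!/usr/bin/env python3
"""Inspect a keytab and confirm it holds the principal Openfire's gss.conf expects.

Added example, not from the original post. parse_keytab() reads the standard
keytab file format (version 0x0502, as written by ktab, ktpass and MIT tools);
build_keytab() is a minimal writer used only to construct test data.
"""
import struct
import sys
import time

# Kerberos enctype numbers (RFC 3961 / RFC 4757) for the types this setup touches.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """Read a uint16-length-prefixed byte string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts (principal, name_type, timestamp, kvno, enctype, key_len)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, key_len = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + key_len               # skip header fields and the key itself
        kvno = vno8
        if end - pos >= 4:                # a 32-bit kvno follows the key when present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "enctype-%d" % enctype),
                        "key_len": key_len})
    return entries


def build_keytab(principal, enctype, key, kvno=2, timestamp=0):
    """Constructed single-entry keytab writer (test data only; ktab/ktpass do this for real)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def check_openfire_keytab(data, xmpp_fqdn, sasl_realm, service="xmpp"):
    """Check that the keytab matches what gss.conf and the Openfire system properties name.

    The expected principal is service/<xmpp.fqdn>@<sasl.realm>: the SPN created with
    setspn/ktpass must use the server's FQDN, not its short name.
    """
    expected = "%s/%s@%s" % (service, xmpp_fqdn, sasl_realm)
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == expected]
    problems, warnings = [], []
    if not matches:
        problems.append("no key for %s; keytab holds %s"
                        % (expected, sorted({e["principal"] for e in entries}) or "nothing"))
    if len({e["kvno"] for e in matches}) > 1:
        problems.append("mixed kvno in keytab: regenerate it after the last password change")
    if matches and all(e["enctype"].startswith("des-") for e in matches):
        warnings.append("only single-DES keys present; AD 2008 issues rc4-hmac tickets by default")
    return {"ok": not problems, "problems": problems, "warnings": warnings, "entries": entries}


if __name__ == "__main__":
    # Usage: python3 check_keytab.py /usr/share/openfire/resources/xmpp.keytab
    with open(sys.argv[1], "rb") as fh:
        result = check_openfire_keytab(fh.read(), "openfireserver.realm.local", "REALM.LOCAL")
    for e in result["entries"]:
        print("%-50s kvno=%d %-12s %s" % (e["principal"], e["kvno"], e["enctype"],
              time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e["timestamp"]))))
    for msg in result["problems"] + result["warnings"]:
        print("!", msg)
    sys.exit(0 if result["ok"] else 1)
```

Run it against the copied file before restarting Openfire; the two failure modes it flags are the ones that otherwise surface only as a GSSAPI failure in the Openfire log: a principal built from the short host name instead of the FQDN, and a keytab that mixes key versions because it was written before and after a password change of the xmpp-openfire account.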


19) On the Debian server, create the file /etc/openfire/gss.conf with the contents:
  com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule
     required
     storeKey = true
     keyTab = "/usr/share/openfire/resources/xmpp.keytab"
     doNotPrompt = true
     useKeyTab = true
     realm = "REALM.LOCAL"
     principal = "xmpp/openfireserver.realm.local@REALM.LOCAL"
     isInitiator = false
     debug = true;
 }; 


20) Go to the browser in the Openfire admin console and in the System properties section add parameters:
sasl.gssapi.config = /etc/openfire/gss.conf
sasl.gssapi.debug = false
sasl.gssapi.useSubjectCredsOnly = false
sasl.mechs = GSSAPI
sasl.realm = REALM.LOCAL
xmpp.fqdn = openfireserver.realm.local

21) Restart Openfire
  # /etc/init.d/openfire restart 


22) Install Spark 2.6.3 with the JRE on the Jabber client workstations.

23) Edit the registry:
Under the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
(for XP: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos)
add a DWORD value
AllowTGTSessionKey with a value of 1.

24) Create a krb5.ini file in C:\Windows with the contents:
  [libdefaults]
     default_realm = REALM.LOCAL
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac
 [realms]
     REALM.LOCAL = {
         kdc = realm.local
         admin_server = realm.local
         default_domain = REALM.LOCAL
     }
 [domain_realm]
     .realm.local = REALM.LOCAL
     realm.local = REALM.LOCAL 


25) Reboot the workstation.

26) In Spark, select the option “Use Single Sign-On (SSO) via GSSAPI”, type openfireserver in the “Server” field and connect.

There are no problems in Windows XP, but in Windows 7 SSO in Spark works out of the box only with unprivileged users.
If you are working as an administrator, start Spark as Administrator or disable UAC.

Good luck!

More to follow as the product develops ...

Source: https://habr.com/ru/post/181374/

