Openfire ipa
According to the Openfire SSO guide, we need a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example the guide gives appears to use a different encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) in the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:
ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1
Here we fetch a key for the service principal xmpp/ipaclient01.ipa.asenjo.nx into the file openfire.keytab with the requested encryption type (-e). Two things are worth knowing about ipa-getkeytab: by default it generates a new key for the principal rather than exporting the existing one, so every run bumps the KVNO and silently invalidates any keytab fetched earlier for that principal; and the resulting file is as sensitive as a password, so it should be owned by the account Openfire runs as and readable by nobody else. Also note that des3-hmac-sha1 is the krb5 alias for des3-cbc-sha1 (enctype 16), which has since been deprecated by RFC 8429; treat it as a compatibility requirement of the Openfire/Java GSS stack of the time rather than a recommendation. Passing -e to klist as well (klist -ket openfire.keytab) prints each entry's enctype, which is the quickest way to confirm the requested type was actually honoured:
[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
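The klist output above shows principal and KVNO but not the enctype. As an added example (not part of the original post, and not code from FreeIPA or Openfire), here is a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, KVNO and enctype and flags enctypes deprecated by RFC 6649/8429. The keytab bytes it reads are constructed inline by build_keytab to mirror the entry shown above (the key bytes and timestamp are made up); to audit a real file, call audit_keytab_file with its path.

```python
"""Parse an MIT-format keytab (version 0x0502) and audit its enctypes.

Added example, not part of the original post or of ipa-getkeytab/klist.
SAMPLE_KEYTAB is constructed below; real files go through audit_keytab_file().
"""
import struct

# Kerberos enctype numbers as registered for RFC 3961/3962/8009/4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",  # what ipa-getkeytab -e des3-hmac-sha1 produces
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
# Single DES was withdrawn by RFC 6649; 3DES and RC4 are deprecated by RFC 8429.
WEAK_ENCTYPES = {1, 3, 16, 23}


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab.

    Used only to construct test input here; real keytabs come from ipa-getkeytab.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        for s in [realm] + components:          # realm first, then name components
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
        body += struct.pack(">I", kvno)                         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts {principal, kvno, enctype, key, timestamp}."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 (big-endian) is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):         # realm + ncomp components
            (slen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + slen].decode())
            pos += slen
        realm, components = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # 32-bit vno present; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
    return entries


def audit(entries, required=None):
    """Return findings: entries with weak enctypes, and a missing required enctype."""
    findings = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak/deprecated %s"
                            % (e["principal"], e["kvno"], name))
    if required is not None and not any(e["enctype"] == required for e in entries):
        findings.append("no entry with required enctype %s"
                        % ENCTYPE_NAMES.get(required, required))
    return findings


def audit_keytab_file(path, required=None):
    with open(path, "rb") as f:
        return audit(parse_keytab(f.read()), required)


# Constructed sample matching the post's klist entry: des3, kvno 3; key bytes are dummy.
SAMPLE_KEYTAB = build_keytab([
    ("xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX", 3, 16, b"\x01" * 24, 1339784993),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %s %s" % (e["kvno"], e["principal"], ENCTYPE_NAMES.get(e["enctype"])))
    for line in audit(parse_keytab(SAMPLE_KEYTAB), required=16):
        print("WARNING:", line)
```

Running it against the constructed sample prints the des3 entry and a warning that des3-cbc-sha1 is deprecated; pass required=18 (aes256-cts-hmac-sha1-96) instead of 16 to check a keytab produced for a modern Java stack.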
We deviate slightly from the documents presented by others here, as there is one small change we need to make. The xmpp principal is a service principal only: it is not mapped to a user account and never needs to authenticate to anything as a client. Krb5LoginModule's default (isInitiator=true) would make Java try to acquire a TGT for the principal at login time, using the keytab as if it held a user's credentials. To prevent that, we add one option to the Krb5LoginModule line in gss.conf, isInitiator=false, which tells the module to load only the acceptor key from the keytab. The debug=true option is useful while getting this working, but it makes Krb5LoginModule log its full key-loading details, so remove it once SSO works:
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/opt/openfire/conf/openfire.keytab" doNotPrompt=true useKeyTab=true realm="IPA.ASENJO.NX" principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX" debug=true isInitiator=false;
};