
Openfire on Ubuntu with SSO against AD

Question asked by Bob Brandt on Mar 31, 2017
Latest reply on Jun 6, 2017 by Bob Brandt

How do I enable Openfire to log my users in via Single Sign-On (SSO) and Username/Password?

 

I'm running Openfire 4.1.1 on Ubuntu 16.04

with Java Version 1.8.0_121 Oracle Corporation -- Java HotSpot(TM) 64-Bit Server VM

Using Server 2012R2 Active Directory for SSO


Funny enough, I've done this once before and I don't remember it being so damn hard...

 

I've referenced all the following articles:

https://www.leonroy.com/blog/2013/11/openfire-single-sign-on-sso/

https://community.igniterealtime.org/docs/DOC-1060

https://community.igniterealtime.org/thread/57684

https://community.igniterealtime.org/docs/DOC-2706

https://issues.igniterealtime.org/browse/SPARK-1747

https://community.igniterealtime.org/thread/33734


I have basically followed this procedure (I say basically because I have started from scratch and troubleshot this problem so much I'm not sure exactly what I did when)

AD Domain              => i.domain.name

NetBIOS Name           => i

IM Domain              => im.domain.name

Kerberos Realm         => I.DOMAIN.NAME

Kerberos KDC           => I.DOMAIN.NAME (I think)

Domain Controller FQDN => dc1.i.domain.name

Openfire FQDN          => server-im.i.domain.name (with CNAMEs im and openfire)

(all DNS records in i.domain.name also have CNAMEs in domain.name)

Openfire Keytab file   => /etc/openfire/security/openfire.keytab

GSS Principal          => xmpp/xmpp-openfire@I.DOMAIN.NAME

 

Create a Domain account and ready Active Directory

 

I created a user: xmpp-openfire with a password PASSWORD

I then made sure that:

User cannot change password is checked

Password never expires is checked

Do not require Kerberos preauthentication is checked

User is a Domain Admin (overkill I think)

User is an Openfire Admin (also overkill)

 

I then created a load of Service Principal Names (SPN) for each and every possible domain name of the openfire server: (again probably overkill, but...) (might be the problem!!!)

setspn -A xmpp/im.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/openfire.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/server-im.i.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/im.i.domain.name xmpp-openfire
setspn -A xmpp/openfire.i.domain.name xmpp-openfire
setspn -A xmpp/server-im.i.domain.name xmpp-openfire
setspn -A xmpp/im.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/openfire.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/server-im.domain.name@i.domain.name xmpp-openfire
setspn -A xmpp/im.domain.name xmpp-openfire
setspn -A xmpp/openfire.domain.name xmpp-openfire
setspn -A xmpp/server-im.domain.name xmpp-openfire
setspn -A xmpp/xmpp-openfire@I.DOMAIN.NAME xmpp-openfire

 

I then mapped every SPN I created above to the account I created earlier:

ktpass -princ xmpp/im.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.i.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.domain.name@i.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/im.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/openfire.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/server-im.domain.name -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
ktpass -princ xmpp/xmpp-openfire@I.DOMAIN.NAME -mapuser xmpp-openfire@i.domain.name -SetPass -pass PASSWORD -ptype KRB5_NT_PRINCIPAL

I then verified this all worked (so far) with the command:

C:\Users\username>setspn -L xmpp-openfire
Registered ServicePrincipalNames for CN=xmpp-openfire,CN=Users,DC=i,DC=domain,DC=name:
        xmpp/server-im.domain.name
        xmpp/openfire.domain.name
        xmpp/im.domain.name
        xmpp/server-im.i.domain.name
        xmpp/openfire.i.domain.name
        xmpp/im.i.domain.name
        xmpp/server-im.domain.name@i.domain.name
        xmpp/openfire.domain.name@i.domain.name
        xmpp/im.domain.name@i.domain.name
        xmpp/server-im.i.domain.name@i.domain.name
        xmpp/openfire.i.domain.name@i.domain.name
        xmpp/im.i.domain.name@i.domain.name

Configure the Ubuntu server for Kerberos and Samba

 

Create a keytab file to be used with openfire

On Openfire server, create the keytab file:

ktutil <<EOF
rkt /etc/openfire/security/openfire.keytab
addent -password -p xmpp-openfire@I.DOMAIN.NAME -k 1 -e RC4-HMAC
PASSWORD
wkt /etc/openfire/security/openfire.keytab
q
EOF
chown openfire:openfire /etc/openfire/security/openfire.keytab

Verify that the above was added properly:

root@server-im:~# klist -k /etc/openfire/security/openfire.keytab 
Keytab name: FILE:/etc/openfire/security/openfire.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
   1 xmpp-openfire@I.DOMAIN.NAME 

Modify /etc/krb5.conf file:

root@server-im:~# echo """
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = I.DOMAIN.NAME
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
kdc_timesync = 1
ccache_type = 4
proxiable = true
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[realms]
I.DOMAIN.NAME = {
kdc = dc1.i.domain.name:88
admin_server = i.domain.name
default_domain = i.domain.name
}

[domain_realm]
.i.domain.name = I.DOMAIN.NAME
i.domain.name = I.DOMAIN.NAME
.domain.name = I.DOMAIN.NAME
domain.name = I.DOMAIN.NAME

[login]
krb4_convert = true
krb4_get_tickets = false
""" > /etc/krb5.conf

Verify that the server can log in via Kerberos using the keytab file:

root@server-im:~# kinit -kt /etc/openfire/security/openfire.keytab xmpp-openfire@I.DOMAIN.NAME -V 
Using default cache: /tmp/krb5cc_0 
Using principal: xmpp-openfire@I.DOMAIN.NAME
Using keytab: /etc/openfire/security/openfire.keytab 
Authenticated to Kerberos v5 
root@server-im:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: xmpp-openfire@I.DOMAIN.NAME
  
Valid starting     Expires            Service principal 
30/03/17 12:33:54  30/03/17 22:33:54  krbtgt/I.DOMAIN.NAME@I.DOMAIN.NAME
    renew until 30/03/17 22:33:54 

Modify /etc/samba/smb.conf file:

echo """
[global]
workgroup = i
realm = I.DOMAIN.NAME
preferred master = no
server string = Openfire Instant Messaging Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
#winbind enum users = Yes
#winbind enum groups = Yes
#winbind use default domain = Yes
#winbind nested groups = Yes
#winbind separator = +
#idmap uid = 600-20000
#idmap gid = 600-20000
template shell = /bin/bash
dns proxy = no
max log size = 10000
""" > /etc/samba/smb.conf

Set up Samba and join the Domain:

service smbd stop
service nmbd stop
service winbind stop
net ads join -U administrator
service smbd start
service nmbd start
service winbind start

Verify that Samba is working properly:

wbinfo -u
wbinfo -g
net ads info
net ads user
net ads group

Configure the Openfire server for Kerberos and GSSAPI

 

Modify the Openfire GSS config file

# A quoted heredoc keeps the inner double quotes intact; echo """...""" would
# strip them from keyTab=, realm= and principal= in the written file.
cat > /etc/openfire/gss.conf <<'EOF'
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/etc/openfire/security/openfire.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="I.DOMAIN.NAME"
    principal="xmpp/xmpp-openfire@I.DOMAIN.NAME"
    debug=true
    isInitiator=false;
};
EOF
chown openfire:openfire /etc/openfire/gss.conf

Within Openfire Admin Console, modify the following System Properties:

sasl.gssapi.config                /etc/openfire/gss.conf

sasl.gssapi.debug                 true

sasl.gssapi.useSubjectCredsOnly   false

sasl.mechs                        CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS,GSSAPI

sasl.realm                        I.DOMAIN.NAME

 

Modify /etc/openfire/openfire.xml: within <Provider></Provider>, add the following (maybe provider.auth.className):

    <authorization> 
      <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>  
      <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy--> 
    </authorization>


Kerberos will not work unless the client is within 5 minutes of the server. This also means the Time Zones must be correct as well!

echo "Europe/Dublin" > /etc/timezone

And within Openfire Admin Console, modify the following System Property:

locale.timeZone                Europe/Dublin

It is VERY important to get the right Time Zone and it might not be straightforward as Microsoft uses COMPLETELY different names!

 

Configure DNS Service Records (SRV)

Set up the following DNS Records

_xmpp-server.tcp.i.domain.name. IN SRV 0 0 5269  server-im.i.domain.name.

_xmpp-client.tcp.i.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.

_jabber.tcp.i.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.

_jabber-client.tcp.i.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.

 

_xmpp-server.tcp.domain.name. IN SRV 0 0 5269  server-im.i.domain.name.

_xmpp-client.tcp.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.

_jabber.tcp.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.

_jabber-client.tcp.domain.name. IN SRV 0 0 5222  server-im.i.domain.name.


From what I've read and seen, this should be working!!!  But it is not!!!

I've tried every variation I can think of and NOTHING!!!

 

Please help!

Bob
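As an added example (not code from the original post, nor from Openfire), the following Python check verifies that the principal named in gss.conf actually has an entry in the keytab, which is what Krb5LoginModule with useKeyTab=true looks up; the same names appear in the klist -k output above. It builds and parses the MIT keytab format itself so it runs offline; the keytab entries and the trimmed gss.conf text are constructed sample inputs.

```python
import re
import struct

# Constructed sample inputs (not from the post): a trimmed gss.conf in the post's shape,
# and keytab entries as (realm, components, kvno, enctype=23 for RC4-HMAC, dummy key).
GSS_CONF = 'com.sun.security.jgss.accept {\n    principal="xmpp/xmpp-openfire@I.DOMAIN.NAME"\n    isInitiator=false;\n};'
USER_ONLY = [("I.DOMAIN.NAME", ["xmpp-openfire"], 1, 23, b"\x11" * 16)]
WITH_SPN = USER_ONLY + [("I.DOMAIN.NAME", ["xmpp", "xmpp-openfire"], 1, 23, b"\x22" * 16)]

def _counted(b):  # MIT "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise entries as a version-0x0502 MIT keytab (the format ktutil writes)."""
    out = b"\x05\x02"
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def read_keytab(data):
    """Return the set of 'comp/comp@REALM' principals stored in a keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 is handled"
    pos, principals = 2, set()
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size == 0:
            break
        if size < 0:             # negative size marks a deleted slot to skip
            pos -= size
            continue
        entry, p, parts = data[pos:pos + size], 2, []
        for _ in range(struct.unpack_from(">H", entry, 0)[0] + 1):  # realm, then components
            (n,) = struct.unpack_from(">H", entry, p)
            parts.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        principals.add("/".join(parts[1:]) + "@" + parts[0])
        pos += size
    return principals

def gss_principal(conf):  # the principal="..." value of the JAAS entry
    m = re.search(r'principal\s*=\s*"([^"]+)"', conf)
    return m.group(1) if m else None

def keytab_matches_gss(keytab_bytes, conf):  # True when the acceptor principal has a key
    return gss_principal(conf) in read_keytab(keytab_bytes)
```

With a real file, pass open("/etc/openfire/security/openfire.keytab", "rb").read() and the contents of gss.conf to keytab_matches_gss.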
