iDok user discussion

[Florian Hübner <florian.huebner AT psi.ch>]

The jaas.conf file should stay where it is and you have to make sure 
that the correct entry in the jaas.conf file is used when starting up 
the server.
The parameter looks something like this:

-Dch.idok.service.server.login.config=DmsServerProd \

that would use your entry:
> DmsServerProd {
>     com.sun.security.auth.module.Krb5LoginModule required
>     storeKey=true
>     principal="HTTP/dms.psi.ch AT TEST.LAN"
>     useKeyTab=true
>     keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
>    useTicketCache=false
>     debug=false;
> };
so the problem is probably your principal: dms.psi.ch AT TEST.LAN
you still have to change the address to your own server.


best regards
Florian



PS: Please add the idok-users AT lists.psi.ch address to your replies 
(usually trough "reply-to-all") so everyone can read them and they wont 
get lost somewhere in my personal mailbag :)






Martin Richter wrote:
> Hello,
>
> there's one little question left: Where should i put the changed 
> jaas.conf - or should it stay where it is? I set up jaas.conf and 
> krb5.conf to match my configuration and iDok don't query the krb server 
> at all.
>
> jaas.config:
> // "storeKey" cannot be used to create a new credentials cache file
> // The file name for "ticketCache" must be quoted, e.g. 
> ticketCache="/tmp/tickets"
> // forwardable=true is only supported by IBM Java, use krb5.conf file 
> for Sun Java
> Dms {
>     ch.psi.idok.common.util.MyKrb5LoginModule required
>     useTicketCache=true
>     doNotPrompt=false
>    debug=false;
> };
>
> DmsCacheOnly {
>     ch.psi.idok.common.util.MyKrb5LoginModule required
>     useTicketCache=true
>     doNotPrompt=true
>    debug=false;
> };
>
> DmsNoCache {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useTicketCache=false
>    doNotPrompt=false
>    debug=false;
> };
>
> DmsServerProd {
>     com.sun.security.auth.module.Krb5LoginModule required
>     storeKey=true
>     principal="HTTP/dms.psi.ch AT TEST.LAN"
>     useKeyTab=true
>     keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
>    useTicketCache=false
>     debug=false;
> };
>
> DmsServerDevel {
>     com.sun.security.auth.module.Krb5LoginModule required
>     storeKey=true
>     principal="HTTP/dms02.psi.ch AT TEST.LAN"
>     useKeyTab=true
>     keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
>    useTicketCache=false
>     debug=false;
> };
>
> DmsServerQA {
>     com.sun.security.auth.module.Krb5LoginModule required
>     storeKey=true
>     principal="HTTP/dms03.psi.ch AT TEST.LAN"
>     useKeyTab=true
>     keyTab="/vol/idokdata_00/app/idok-1.0.0-beta2/etc/dms.keytab"
>    useTicketCache=false
>     debug=false;
> };
>
> krb5.config:
> [logging]
> default = FILE:/var/log/krb/logfile.log
> kdc = FILE:/var/log/krb/kdc.log
> admin_server = FILE:/var/log/krb/admin.log
>
> [libdefaults]
> default_realm = TEST.LAN
>
> [realms]
> TEST.LAN = {
>    default_domain = test.lan
>    kdc = lxa001.test.lan
>    admin_server = lxa001.test.lan
> }
>
> [domain_realm]
> .test.lan = TEST.LAN
>
> Gathering tickets with kinit etc is working.
>
> Regards,
>
> Martin
>
>
>
>
> -----Original Message-----
> *From: *"Florian Hbner" [florian.huebner AT psi.ch]
> *Date: *07/23/2009 04:37 PM
> *To: *"Martin Richter"
> *CC: *idok-users AT lists.psi.ch
> *Subject: *Re: [idok-users] iDok Kerberos Configuration
>
> Hello,
> You probably have to make changes in the krb5.conf, jaas.conf and
> auth_kerb.conf files.
>
> You can find the first two under
> "/sites/psi/java/ch/psi/idok/common/config/". Just add your machine to
> the jaas.conf and put the modified krb5.conf where your Kerberos expects
> it. After that only the Apache configuration file needs adjustment and
> you should be set.
> Hope this works for you.
>
> best regards
> Florian
>
>
> Martin Richter wrote:
>  > Hello,
>  >
>  >
>  > I'd like to ask how I havo to configure iDok to make use of a local krb5
>  > server instead of using AD tickets. How I have to do the initial
>  > configuration of iDok/kerberos?
>  >
>  > Regards,
>  >
>  > Martin
>
>
> ------------------------------------------------------------------------
>    	International Movers 
> <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/> 
>
> Click here for great quotes from top international movers! 
> <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/> 
>
> Click Here For More Information 
> <http://216.21.215.31/fc/FgElN1mFU5sQyiiR4UMOubGYfTKtVscKO5ARjHXgvLxhYyQDkYNEMhb71Wg/> 
>
>
>