Wednesday, April 15, 2009

Configuring Kerberos on Solaris 10 to set up Access Manager

It is a painful task. The documentation provided by MIT does not help at all here; the Solaris Security Services Administration Guide is what is needed to get this working. Thanks to the Kerberos team at Sun.

The kdcmgr utility mentioned in that guide is not available on Solaris 10 by default. For simplicity, use the same password in all of the steps below to get this working.

The step-by-step procedure I followed is documented below:
-----------------------------------------------------
bash-3.00# cat krb5.conf
# krb5.conf for the RED.IPLANET.COM realm. The host avatar.red.iplanet.com
# acts as both KDC and admin server (see [realms] below).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm and KDC discovery is static (taken from [realms] and
# [domain_realm] below), not DNS-driven.
dns_lookup_realm = false
dns_lookup_kdc = false
# NOTE(review): the default client keytab is pointed at the kadmind admin
# keytab (the same file kdc.conf names as admin_keytab). "ktadd" without
# "-k" writes to this file, so host/service keys end up alongside the
# kadmin service keys; a separate keytab for host keys is the usual
# separation — confirm this is intended.
default_keytab_name = /etc/krb5/kadm5.keytab
default_realm = RED.IPLANET.COM
# Single DES (des-cbc-md5) is requested for ticket and TGS keys. DES is a
# 56-bit cipher and is deprecated in Kerberos; the KDC on this page also
# generates AES-128 and Triple-DES keys (see the ktadd output), so stronger
# enctypes are available and should be preferred outside a throwaway lab.
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
# Do not track clock offset from the KDC; tolerate at most 300 s of skew.
kdc_timesync = 0
# KDC option flag mask for requests; presumably forwardable + renewable-ok —
# TODO confirm against the Solaris krb5.conf(4) man page.
kdc_default_options = 0x40000010
clockskew = 300
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000

[realms]
RED.IPLANET.COM = {
kdc = avatar.red.iplanet.com:88
admin_server = avatar.red.iplanet.com:749
default_domain = red.iplanet.com
}

[domain_realm]
.red.iplanet.com = RED.IPLANET.COM
red.iplanet.com = RED.IPLANET.COM

[appdefaults]
# Settings for the Kerberos PAM module.
pam = {
# NOTE(review): PAM debug output is enabled; presumably only useful while
# bringing the setup up — consider turning it off once logins work.
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

bash-3.00# cat kdc.conf
#
# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)kdc.conf 1.2 02/02/14 SMI"

# The KDC listens on 88 (standard Kerberos port) and 750 (legacy port).
[kdcdefaults]
kdc_ports = 88,750

[realms]
RED.IPLANET.COM = {
profile = /etc/krb5/krb5.conf
# Principal database; matches the path reported by "kdb5_util create -s".
database_name = /var/krb5/principal
# Keytab used by kadmind; the kadmin/<host>, changepw/<host>,
# kadmin/changepw and kiprop/<host> keys are added to it with ktadd below.
admin_keytab = /etc/krb5/kadm5.keytab
# Access control for kadmin; see kadm5.acl below.
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
# Upper bounds the KDC enforces on ticket lifetime and renewable lifetime.
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# Solaris incremental database propagation; this is why a kiprop/<host>
# principal is created below. No slave KDC appears on this page — the
# setting is presumably just the Sun default.
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}


bash-3.00# cat kadm5.acl
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"

# Any principal in this realm whose instance is "admin" gets every kadmin
# privilege ("*"). kws/admin and clntconfig/admin, created below, fall
# under this rule, and so would any */admin principal added later; for a
# non-lab KDC, list the admin principals explicitly and scope their
# permissions instead of relying on the wildcard.
*/admin@RED.IPLANET.COM *


bash-3.00# ./kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'RED.IPLANET.COM',
master key name 'K/M@RED.IPLANET.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.

kadmin.local: addprinc kws/admin
WARNING: no policy specified for kws/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "kws/admin@RED.IPLANET.COM":
Re-enter password for principal "kws/admin@RED.IPLANET.COM":
Principal "kws/admin@RED.IPLANET.COM" created.

kadmin.local: addprinc -randkey kiprop/avatar.red.iplanet.com
WARNING: no policy specified for kiprop/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "kiprop/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/avatar.red.iplanet.com
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/avatar.red.iplanet.com
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/avatar.red.iplanet.com
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: quit

bash-3.00# svcadm enable -r network/security/krb5kdc
bash-3.00# svcadm enable -r network/security/kadmin

bash-3.00# /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
kadmin: Incorrect password while initializing kadmin interface
bash-3.00#

bash-3.00# cat /etc/resolv.conf
domain red.iplanet.com
search red.iplanet.com sfbay.sun.com sun.com
nameserver 129.145.155.55
nameserver 129.145.155.170
nameserver 192.18.120.21
nameserver 192.18.120.24
#nameserver 129.148.9.196
#nameserver 129.148.9.197
#nameserver 129.147.9.5
#nameserver 129.145.155.220

avatar# touch /var/log/kadmind.log /var/log/krb5kdc.log
> /var/log/krb5libs.log
> avatar# svcadm restart krb5kdc
> avatar# svcadm restart kadmin
> avatar# kadmin -p kws/admin
> Authenticating as principal kws/admin@RED.IPLANET.COM with password.
> Password for kws/admin@RED.IPLANET.COM:
> kadmin: listprincs
> K/M@RED.IPLANET.COM
> changepw/avatar.red.iplanet.com@RED.IPLANET.COM
> kadmin/admin@RED.IPLANET.COM
> kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
> kadmin/changepw@RED.IPLANET.COM
> kadmin/history@RED.IPLANET.COM
> kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
> krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
> kws/admin@RED.IPLANET.COM
> kadmin:

bash-3.00# ./kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: addprinc -randkey host/avatar.red.iplanet.com
WARNING: no policy specified for host/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "host/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin: addprinc clntconfig/admin
WARNING: no policy specified for clntconfig/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Re-enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Principal "clntconfig/admin@RED.IPLANET.COM" created.
kadmin: quit

bash-3.00# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: ktadd host/avatar.red.iplanet.com
kadmin: Cannot write to specified key table while adding key to keytab
kadmin: quit

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab host/avatar.red.iplanet.com
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 K/M@RED.IPLANET.COM
2 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
3 clntconfig/admin@RED.IPLANET.COM
4 host/avatar.red.iplanet.com@RED.IPLANET.COM
5 kadmin/admin@RED.IPLANET.COM
6 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
7 kadmin/changepw@RED.IPLANET.COM
8 kadmin/history@RED.IPLANET.COM
9 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
10 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
11 kws/admin@RED.IPLANET.COM
kadmin.local: quit

bash-3.00# svcs -a | grep secur
disabled 20:24:27 svc:/network/security/krb5_prop:default
online 20:24:27 svc:/network/security/ktkt_warn:default
online 10:15:30 svc:/network/security/krb5kdc:default
online 10:15:32 svc:/network/security/kadmin:default

************ Configuration on AM ******************
kadmin.local: addprinc root
kinit root
klist

kadmin.local: addprinc -randkey HTTP/avatar.red.iplanet.com
kadmin.local: ktadd -k /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
kinit -k -t /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
klist -k /opt/SUNWam/avatar.HTTP.keytab

mv /opt/SUNWam/avatar.HTTP.keytab /etc/opt/SUNWam/config/

Service Principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
Keytab File Name: /etc/opt/SUNWam/config/avatar.HTTP.keytab
Kerberos Realm: RED.IPLANET.COM
Kerberos Server Name: avatar.red.iplanet.com
Return Principal with Domain Name: Disabled
Authentication Level: 0

- Restart the AM web server

If authentication succeeded, the debug file amAuthWindowsDesktopSSO should show debug messages like the following:
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
**********************************************
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO params:
principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
keytab file: /etc/opt/SUNWam/config/avatar.HTTP.keytab
realm : RED.IPLANET.COM
kdc server: avatar.red.iplanet.com
domain principal: false
auth level: 0
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
Init WindowsDesktopSSO. This should not happen often.
04/18/2009 11:56:39:945 PM PDT: Thread[service-j2ee-3,5,main]
New Service Login ...
04/18/2009 11:56:40:586 PM PDT: Thread[service-j2ee-3,5,main]
Service login succeeded.
04/18/2009 11:56:40:704 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO token:
60 82 02 79 06 06 2b 06 01 05 05 02 a0 82 02 6d
30 82 02 69 a0 0d 30 0b 06 09 2a 86 48 86 f7 12
01 02 02 a1 04 03 02 01 02 a2 82 02 50 04 82 02
4c 60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02
01 00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1
03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01
4b 61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11
1b 0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f
4d a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04
48 54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64
2e 69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30
81 fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04
81 ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c
bb ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e
b8 8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8
29 db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02
4a ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d
2c 3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d
14 42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13
e4 18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c
a3 89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1
c5 dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be
f6 ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48
40 38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e
09 d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b
92 ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64
1b b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30
81 cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58
86 db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0
6b 4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27
ac 34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb
e5 7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc
76 d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16
89 17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a
2a a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51
5f f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a
1a 70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88
69 7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc
86 2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c
2c e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
token tag:60
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO OID found in the Auth Token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: found init token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: 0x30 constructed token found
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
Kerberos token retrieved from SPNEGO token:
60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02 01
00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1 03
02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01 4b
61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11 1b
0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f 4d
a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04 48
54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64 2e
69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30 81
fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04 81
ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c bb
ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e b8
8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8 29
db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02 4a
ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d 2c
3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d 14
42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13 e4
18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c a3
89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1 c5
dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be f6
ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48 40
38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e 09
d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b 92
ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64 1b
b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30 81
cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58 86
db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0 6b
4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27 ac
34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb e5
7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc 76
d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16 89
17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a 2a
a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51 5f
f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a 1a
70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88 69
7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc 86
2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c 2c
e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
In authenticationToken ...
04/18/2009 11:56:40:724 PM PDT: Thread[service-j2ee-3,5,main]
Context created.
04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Token returned from acceptSecContext:

04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Context establised !
04/18/2009 11:56:41:125 PM PDT: Thread[service-j2ee-3,5,main]
User authenticated: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
04/18/2009 11:56:41:127 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO authentication succeeded.

***********************************************************************

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal HTTP/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
2 K/M@RED.IPLANET.COM
3 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
4 clntconfig/admin@RED.IPLANET.COM
5 demo1@RED.IPLANET.COM
6 demouser1@RED.IPLANET.COM
7 host/avatar.red.iplanet.com@RED.IPLANET.COM
8 kadmin/admin@RED.IPLANET.COM
9 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
10 kadmin/changepw@RED.IPLANET.COM
11 kadmin/history@RED.IPLANET.COM
12 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
13 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
14 kws/admin@RED.IPLANET.COM
15 root@RED.IPLANET.COM
kadmin.local: