Hi Marco,
It seems that Kerberos does not work on your client or on your server.
The main interesting things might be:
<!-- XML File Directory Service -->
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
<key>params</key>
<dict>
<key>xmlFile</key>
<string>/etc/caldavd/accounts.xml</string>
</dict>
</dict>
<!--
Authentication
-->
<key>Authentication</key>
<dict>
<!-- Clear text; best avoided -->
<key>Basic</key>
<dict>
<key>Enabled</key>
<false/>
</dict>
<!-- Digest challenge/response -->
<key>Digest</key>
<dict>
<key>Enabled</key>
<false/>
<key>Algorithm</key>
<string>md5</string>
<key>Qop</key>
<string></string>
</dict>
<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
<key>Enabled</key>
<true/>
<key>ServicePrincipal</key>
<string>http/[email protected]</string>
</dict>
</dict>
<!--
SSL/TLS
-->
<!-- Public key -->
<key>SSLCertificate</key>
<string>/etc/ssl/certs/server07_crt.pem</string>
<!-- Private key -->
<key>SSLPrivateKey</key>
<string>/etc/ssl/certs/server07_privatekey.pem</string>
The accounts.xml looks like this:
<!DOCTYPE accounts SYSTEM "accounts.dtd">
<accounts realm="E4 Calendars">
<user>
<uid>User1</uid>
<guid>User1</guid>
<name>User1 Bla</name>
</user>
...
</accounts>
r...@server07:/etc/caldavd# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 HTTP/[email protected]
4 HTTP/[email protected]
6 host/[email protected]
6 host/[email protected]
3 http/[email protected]
3 http/[email protected]
r...@server07:/etc/caldavd#
You have to create your keytab with the administrative tools from your
Kerberos server.
I used kadmin for that. You need a host ticket, an http and an HTTP ticket;
create them with a randkey. The commands are addprinc and ktadd.
Before doing that you should be sure that Kerberos is running well.
Look if single sign-on works e.g.
Georg
On 04.03.2009 at 13:09, Marco Ghidinelli wrote:
On 03/04/2009 12:50 PM, Georg Troska wrote:
Hi,
hello georg,
have you tried to disable all other kinds of authorisation than
kerberos?
i tried, but when i do that it complains that:
2009-03-04 12:57:37+0100 [-] [caldav-8008] [HTTPChannel,0,192.168.0.29] "Client authentication scheme digest is not provided by server ['negotiate']"
and i got a 403 (forbidden) result.
without the digest it doesn't work, so i have to keep it enabled.
could you send me your configuration files? i fear that i just
forget something around.
how you got your /etc/krb5.keytab?
what is your output of:
klist -k /etc/krb5.keytab
??
now i'm downloading the ubuntu server for replicating your running
environment.
thank you very much.
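Added example (not part of the original thread, and not CalendarServer's own code): a Python check that the Kerberos ServicePrincipal configured in caldavd.plist has a matching, case-sensitive entry in the `klist -k` listing, and that reports which authentication schemes are enabled. The host name, realm and both sample inputs are constructed placeholders, and the function names are hypothetical.

```python
import plistlib

# Constructed sample input; host name and realm are placeholders, not from the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Authentication</key><dict>
  <key>Basic</key><dict><key>Enabled</key><false/></dict>
  <key>Digest</key><dict><key>Enabled</key><false/></dict>
  <key>Kerberos</key><dict>
    <key>Enabled</key><true/>
    <key>ServicePrincipal</key>
    <string>http/server07.example.org@EXAMPLE.ORG
</string>
  </dict>
</dict></dict></plist>"""

SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   4 HTTP/server07.example.org@EXAMPLE.ORG
   6 host/server07.example.org@EXAMPLE.ORG
   3 http/server07.example.org@EXAMPLE.ORG
"""

def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k`."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry rows are "<KVNO> <principal>"; header and separator rows are skipped.
        if len(fields) == 2 and fields[0].isdigit():
            principals.add(fields[1])
    return principals

def check_auth(plist_bytes, klist_output):
    """Return (enabled scheme names, problems) for a caldavd config and a keytab listing."""
    auth = plistlib.loads(plist_bytes)["Authentication"]
    enabled = sorted(name for name, cfg in auth.items() if cfg.get("Enabled"))
    problems = []
    kerberos = auth.get("Kerberos", {})
    if kerberos.get("Enabled"):
        # A wrapped </string> tag leaves a trailing newline in the value, so strip it.
        principal = kerberos.get("ServicePrincipal", "").strip()
        # Principal names are case-sensitive: http/... and HTTP/... are separate entries.
        if principal not in keytab_principals(klist_output):
            problems.append("ServicePrincipal %r has no key in the keytab" % principal)
    if "Basic" in enabled:
        problems.append("Basic sends the password in clear text")
    return enabled, problems
```

When the enabled list contains only Kerberos, the server offers only the negotiate scheme, which matches the log line quoted in the thread for a client that tries digest.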