Hi Etan,

Thanks for the reply. I am aware of what you have already mentioned. Like I already said, I have visited that thread wherein it is clearly mentioned that for pidgin version >= 2.4.0 if the Connect Server is specified (and yes I have given hostname and not IP address), then that would be considered instead of domain for GSSAPI authentication. But I wonder why in my case it is checking against domain. I think I'll get back to this and test again later as there are a few other pending tasks currently.

Thanks for the support once again. And yeah, Pidgin rocks !!! :).

Regards,
Rahul.

Etan Reisner wrote:
> On Sat, Apr 12, 2008 at 03:45:47PM +0530, Rahul Amaram wrote:
>
>> Hi Etan,
>> Thanks for the reply. I am not sure why you have felt that I have not
>> tried pidgin (I feel it must have been evident from my mail that I tried
>> pidgin). To be frank, I have been trying for about 4 days now to set up
>> pidgin + jabberd2 with GSSAPI authentication and TLS and have not
>> succeeded yet :).
>>
>
> Then I apologize for my mistake. Generally, at least in my experience,
> when one comments on having "doubts" that indicates a lack of real
> knowledge (and thus indicates no personal testing).
>
>
>> Anyway, here is what I observed. As already mentioned, my set up is
>> something similar as below:
>>
>> Domain name: company.com
>> Connect Server: jabber.example.com (192.168.36.100)
>> Connect Port: 5222
>>
>
> You actually have 'jabber.example.com' in the Connect Server box and not
> the IP address, right? They should both work, they just are handled
> internally by pidgin differently later on.
>
>
>> Initially company.com is not resolvable.
>> # ping company.com
>> ping: unknown host company.com
>>
>> Now when I connect using non-GSSAPI authentication, it works. But when
>> I try using GSSAPI I get the error
>> GSSAPI Error: An invalid name was supplied (Unknown code krb5 216)
>>
>> Next I modified /etc/hosts and gave the below mapping to "company.com".
>> 192.168.36.1 company.com
>>
>> Now I observed that when I run pidgin, it was trying to fetch ticket for
>> the principal xmpp/company.com (knew this by observing the kdc logs).
>>
>
> This is why I asked about what exactly is in the Connect Server box above,
> pidgin 2.4.1 *should* be using the Connect Server if the Connect Server is
> a hostname and not an IP address.
>
>
>> Now finally I modified the entry in /etc/hosts as below.
>> 192.168.36.100 jabber.example.com company.com
>>
>> And now when I ran pidgin, it properly got the ticket for
>> xmpp/jabber.example.com.
>>
>> Also when I ran ping company.com it gave me the below response (as
>> expected because of the above entry in /etc/hosts).
>> # ping company.com
>> PING jabber.example.com (192.168.36.100) 56(84) bytes of data.
>> 64 bytes from jabber.example.com (192.168.36.100): icmp_seq=1
>> ttl=64 time=4.43 ms
>>
>> All this has made me conclude that pidgin is working by resolving the
>> domain name "company.com" first and then doing a reverse look-up. But
>> this is quite contrary to the behaviour mentioned in
>> http://developer.pidgin.im/ticket/5008.
>>
>
> pidgin does resolve the Domain, but it shouldn't be doing that when a
> Connect Server is specified.
>
>
>> Therefore I am wondering if the above thread holds good for only
>> hostnames got through DNS SRV entries and not for the hostname used in
>> "Connect Server" field.
>>
>> Apart from this, I would also like to know if there is any way I can
>> study the certificates which pidgin receives when establishing
>> connection to the jabber server. I have been studying the messages in
>> the Debug window but couldn't find any useful information there. I have
>> also seen that no certificates are saved in
>> ~/.purple/certificates/x509/tls_peers/ (I think older versions of pidgin
>> used to save the certificates here).
>>
>
> Depending on what you want to see about the certificates and assuming your
> server has the old-ssl port (5223) open you can use "openssl s_client
> -host jabber.example.com -port 5223" to force an ssl connection at which
> point openssl will dump the cert data out at you.
>
>
>> I am running pidgin on debian etch. The version is 2.4.1 compiled from
>> the source. The source compilation command being:
>> # ./configure --prefix=/opt/pidgin --enable-cyrus-sasl
>> --enable-gnutls=yes
>> And I am using openfire as GSSAPI support seems to be bad in jabberd2.
>>
>> And lastly, are there any other xmpp clients apart from pidgin you are
>> aware of which are known to have implemented GSSAPI properly?
>>
>
> No, sorry.
>
>
>> Any help would be appreciated !
>>
>>
>> Thanks and Regards,
>> Rahul.
>>
> <snip>
>
> Sorry it took so long to reply.
>
> -Etan
>
_______________________________________________
Support mailing list
Support@pidgin.im
http://pidgin.im/cgi-bin/mailman/listinfo/support
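
An added example, not part of the original messages and not Pidgin or Kerberos code: a small model that replays the three /etc/hosts states from the thread to show which xmpp/ principal results from each. It assumes the host is canonicalized by a forward lookup followed by a reverse lookup (the poster's own conclusion) and that an IP address in Connect Server falls back to the Domain; all function names are hypothetical.

```python
import ipaddress

# Constructed from the /etc/hosts states described in the thread.
STAGE1 = ""                                   # company.com not resolvable
STAGE2 = "192.168.36.1 company.com\n"
STAGE3 = "192.168.36.100 jabber.example.com company.com\n"

def parse_hosts(text):
    """Return (ip, [canonical, alias, ...]) entries in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries

def forward(entries, name):
    """Address of the first line that lists the name, or None."""
    for ip, names in entries:
        if name.lower() in names:
            return ip
    return None

def reverse(entries, ip):
    """Canonical (first) name on the first line for this address, or None."""
    for entry_ip, names in entries:
        if entry_ip == ip:
            return names[0]
    return None

def sasl_host(domain, connect_server):
    """Host the thread says Pidgin >= 2.4.0 should use for GSSAPI.
    Assumption: an IP (or empty) Connect Server falls back to the Domain."""
    try:
        ipaddress.ip_address(connect_server)
        return domain
    except ValueError:
        return connect_server or domain

def principal(entries, host, service="xmpp"):
    """Service principal after forward + reverse canonicalization of host."""
    ip = forward(entries, host)
    if ip is None:
        # Modeled on the "invalid name" failure seen before /etc/hosts was edited.
        raise LookupError(f"cannot canonicalize {host}")
    return f"{service}/{reverse(entries, ip) or host}"

if __name__ == "__main__":
    for label, hosts in (("stage 2", STAGE2), ("stage 3", STAGE3)):
        print(label, principal(parse_hosts(hosts), "company.com"))
```

Comparing the principal in the KDC log against `principal(..., sasl_host(domain, connect_server))` shows whether the client started from the Domain or from the Connect Server.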