[Calendarserver-maintainers] Bug#514931: calendarserver: iCal.app can't connect with README.Debian Kerberos config
Arthur P Prokosch
arthurp at csail.mit.edu
Wed Feb 11 23:18:33 UTC 2009
Package: calendarserver
Version: 1.2.dfsg-8
Severity: minor
The packaged README.Debian, under "Enabling SPNEGO/Kerberos", implies that adding a key with a service principal name of HTTP/<fqdn>@<REALM> to a keytab is sufficient to enable Kerberos negotiation with CalDAV clients.
When a system is configured as README.Debian describes, iCal.app (after prompting the user to obtain Kerberos credentials if none are precent) returns "Login Failed: Your password was rejected by the server <fqdn> for the login <username>." and /var/log/caldavd/error.log will report "Authentication failed: Authentication System Failure: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)".
I have been able to solve this problem by:
1. Adding a key to the keytab (/etc/krb5.keytab, unless patched as described in http://trac.calendarserver.org/ticket/314) with a service principal name of http/<fqdn>@<REALM>, and
2. Changing the ServicePrincipal in caldavd.plist to a lowercase "http/"
In this configuration, iCal.app connects seamlessly, and access by iceowl, icedove with the iceowl-extension, and other clients is not adversely affected.
I believe README.Debian should be updated with the above information.
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages calendarserver depends on:
ii adduser 3.110 add and remove users and groups
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
ii python-dateutil 1.4.1-2 powerful extensions to the standar
ii python-kerberos 1.0+svn2455-1 A GSSAPI interface module for Pyth
ii python-openssl 0.7-2 Python wrapper around the OpenSSL
ii python-pysqlite2 2.4.1-1 Python interface to SQLite 3
ii python-twisted-calendar 0.2.0.svn19773-5 Twisted components for Apple's Cal
ii python-vobject 0.6.0-1 parse iCalendar and VCards in Pyth
ii python-xattr 0.4-4 module for manipulating filesystem
ii python-xml 0.8.4-10.1 XML tools for Python
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
calendarserver recommends no packages.
Versions of packages calendarserver suggests:
pn python-pydirector <none> (no description available)
-- no debconf information
More information about the Calendarserver-maintainers
mailing list