[Calendarserver-maintainers] Bug#514931: calendarserver: iCal.app can't connect with README.Debian Kerberos config

Arthur P Prokosch arthurp at csail.mit.edu
Wed Feb 11 23:18:33 UTC 2009 

Package: calendarserver
Version: 1.2.dfsg-8
Severity: minor

The packaged README.Debian, under "Enabling SPNEGO/Kerberos", implies that adding a key with a service principal name of HTTP/<fqdn>@<REALM> to a keytab is sufficient to enable Kerberos negotiation with CalDAV clients.

When a system is configured as README.Debian describes, iCal.app (after prompting the user to obtain Kerberos credentials if none are precent) returns "Login Failed: Your password was rejected by the server <fqdn> for the login <username>." and /var/log/caldavd/error.log will report "Authentication failed: Authentication System Failure: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)".

I have been able to solve this problem by:
1. Adding a key to the keytab (/etc/krb5.keytab, unless patched as described in http://trac.calendarserver.org/ticket/314) with a service principal name of http/<fqdn>@<REALM>, and
2. Changing the ServicePrincipal in caldavd.plist to a lowercase "http/"
In this configuration, iCal.app connects seamlessly, and access by iceowl, icedove with the iceowl-extension, and other clients is not adversely affected.

I believe README.Debian should be updated with the above information.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages calendarserver depends on:
ii  adduser                 3.110            add and remove users and groups
ii  lsb-base                3.2-20           Linux Standard Base 3.2 init scrip
ii  python                  2.5.2-3          An interactive high-level object-o
ii  python-central          0.6.8            register and build utility for Pyt
ii  python-dateutil         1.4.1-2          powerful extensions to the standar
ii  python-kerberos         1.0+svn2455-1    A GSSAPI interface module for Pyth
ii  python-openssl          0.7-2            Python wrapper around the OpenSSL 
ii  python-pysqlite2        2.4.1-1          Python interface to SQLite 3
ii  python-twisted-calendar 0.2.0.svn19773-5 Twisted components for Apple's Cal
ii  python-vobject          0.6.0-1          parse iCalendar and VCards in Pyth
ii  python-xattr            0.4-4            module for manipulating filesystem
ii  python-xml              0.8.4-10.1       XML tools for Python
ii  ssl-cert                1.0.23           simple debconf wrapper for OpenSSL

calendarserver recommends no packages.

Versions of packages calendarserver suggests:
pn  python-pydirector             <none>     (no description available)

-- no debconf information

More information about the Calendarserver-maintainers mailing list