Tracking down why Kerberos authentication does not work with iCal Server.
2008-12-20 09:51:06+0900 [-] [caldav-8009] [startup] Setting up scheme: kerberos
2008-12-20 09:51:06+0900 [-] [caldav-8009] [KerberosCredentialFactoryBase] getServerPrincipalDetails: ('Principal not found in keytab', -1)
2008-12-20 09:51:06+0900 [-] [caldav-8009] [startup] Could not start Kerberos
2008-12-20 09:51:06+0900 [-] [caldav-8009] [startup] Setting up scheme: digest
2008-12-20 09:51:06+0900 [-] [caldav-8010] [KerberosCredentialFactoryBase] getServerPrincipalDetails: ('Principal not found in keytab', -1)
2008-12-20 09:51:06+0900 [-] [caldav-8010] [startup] Could not start Kerberos
Hmm.
bash-3.2# kadmin.local
Authenticating as principal root/admin@LDAP.MONAMI-SOFTWARE.COM with password.
kadmin.local: addprinc -randkey http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM
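With Apple's Calendar Server, CalDAV seems to be regarded as a variant of HTTP, so it reuses http*1. On Apple's discussion lists and the like you occasionally see people saying "Looking at the admin guide, iCal isn't on the list of Kerberized services", but that is something you can tell just by reading the source code*2.
Incidentally, the problem I may have made a fuss about at some point, "the 'Enable members for scheduling' checkbox in Workgroup Manager never becomes enabled no matter how many times I set it", is apparently fixed by the addprinc above. The reason? ... Ask Apple.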
2008-12-20 09:57:04+0900 [-] [caldav-8010] [startup] Setting up scheme: kerberos
2008-12-20 09:57:04+0900 [-] [caldav-8010] [KerberosCredentialFactoryBase] getServerPrincipalDetails: ('Principal not found in keytab', -1)
2008-12-20 09:57:04+0900 [-] [caldav-8010] [startup] Could not start Kerberos
One fewer, but some still remain...
Ah, right, I forgot ktadd.
kadmin.local: ktadd http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM
Entry for principal http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
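To confirm what ktadd wrote, here is an added example (not from the original post and not Calendar Server code) that reads a keytab in the MIT 0x0502 file format and lists the keys stored for one service principal; an empty result is the state the server reports as 'Principal not found in keytab'. The function names and the sample bytes are assumptions constructed for this example; the sample copies only the principal, kvno 3 and the three encryption types from the ktadd output above.

```python
import struct

# Enctype numbers; single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated.
DEPRECATED = {1: "des-cbc-crc", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}

def read_counted(buf, off):  # uint16 length prefix, then the string bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        p, off = off + 4, off + 4 + abs(size)    # off now points at the next record
        if size <= 0:                            # negative size marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = read_counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp)
        kvno, etype, klen = struct.unpack_from(">BHH", data, p + 8)  # +8: name type, timestamp
        p += 13 + klen
        if off - p >= 4 and (v32 := struct.unpack_from(">I", data, p)[0]):
            kvno = v32                           # non-zero 32-bit kvno overrides the 8-bit one
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries

def check_service(data, principal):
    """Keys held for `principal`: [(kvno, enctype, deprecated name or None)]."""
    return [(kvno, e, DEPRECATED.get(e))
            for name, kvno, e in parse_keytab(data) if name == principal]

def sample_entry(principal, kvno, etype, key):
    """Build one keytab record for the constructed sample below."""
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", name.count("/") + 1) + cs(realm)
            + b"".join(cs(c) for c in name.split("/"))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

SPN = "http/ldap.monami-software.com@LDAP.MONAMI-SOFTWARE.COM"
# Constructed sample: same principal, kvno and enctypes as the ktadd output; zero keys.
SAMPLE = b"\x05\x02" + b"".join(
    sample_entry(SPN, 3, e, bytes(n)) for e, n in ((16, 24), (23, 16), (1, 8)))
```

Given the bytes of `/etc/krb5.keytab`, an empty list from `check_service` corresponds to the state before `ktadd` was run; all three encryption types written here are flagged as deprecated.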
Then restart calendarserver.
2008-12-20 13:25:59+0900 [-] [caldav-8009] [startup] Configuring authentication for realm: /Search
2008-12-20 13:25:59+0900 [-] [caldav-8009] [startup] Setting up scheme: kerberos
2008-12-20 13:25:59+0900 [-] [caldav-8009] [foo] http ldap.monami-software.com
2008-12-20 13:25:59+0900 [-] [caldav-8010] [-] twisted.web2.channel.http.HTTPFactory starting on 8010
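Good. Ticking "Use Kerberos V5 for authentication" in iCal no longer produces the "principal not found" kind of error. However, when I try to log in to the calendar server, I am told that it cannot authenticate.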
2008-12-20 13:30:43+0900 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
2008-12-20 13:30:43+0900 [-] [caldav-8009] [NegotiateCredentialFactory] authGSSServerInit: Unspecified GSS failure. Minor code may provide more information(Permission denied)
Hmm...