Kerberos plugin authentication to Active Directory domain

I've tried following the instructions at http://doc.nuxeo.com/display/public/ADMINDOC/Using+Kerberos a number of times now. FWIW, better headings would do wonders to give the reader some more context.

Here's my basic set up:

  • Active Directory on Windows 2012
  • Tomcat w/ nuxeo running on CentOS

What I've extrapolated from the documentation is that I need to create a new user that will allow the CentOS box to talk to the Active Directory server, thus allowing Nuxeo to forward the client's credentials from the browser through Nuxeo to the Active Directory server. But that's just a guess. Having an overview of what we're actually attempting to do would be really nice.

I created a centos01 user in Active Directory, and registered the service principal names (NOTE: The command to register an SPN takes -s as a parameter, not -a as the nuxeo documentation shows). I exported the http.keytab file and transfered it to my centos server.

On the Nuxeo/CentOS server I configured the krb5.conf file as shown. Afterwards, I can create a ticket with kinit. I didn't get really any output on the screen like the Nuxeo documentation shows, but I found the tgt ticket in /tmp, and confirmed that the Active Directory server had logged some information about creating a ticket for my CentOS server. So I think that much is working. I did not delete this ticket, do I need to?

I installed the kerberos-1.0.0 module from the market place. BTW, we originally had nuxeo 5.7 installed, for which there was no kerberos module that I could get to install. I upgraded to 5.8, but because of some initial login screen issues I switched to 5.9.1-SNAPSHOT, which also had no available kerberos module. I then had to back it back down to 5.8, and sort out the login screen issue with a custom login screen. I don't understand why it's so hard to get a version of Nuxeo that has a valid kerberos module, but I believe the kerberos module is correctly installed now.

I did everything in the “Configuring Java” section of the documentation.

In the “Configuring Nuxeo” section, I'm assuming that “Deploy the bundle” is a subset of installing the kerberos plugin from the market place. If it's not, then I don't know what “Install the bundle” is referring to.

I created the $NUXEO_HOME/nxserver/config/kerberos-config.xml verbatim from the documentation. I don't see anything in there that needs to be customized.

From a Windows computer logged in to our AD domain, I can access two internal apps that support the AD pass-through authentication, so I know I have IE set up to do that correctly (it was not initially set up, I followed the documentation to configure the client).

I've also modified the nuxeo log4j.xml file to have this appender:

<priority value="DEBUG" />

But I'm still not getting much in the logs to help me figure out what's going on. As far as I can tell, the Nuxeo plugin is just not even attempting to do anything. At this point, I'm pretty much grasping at straws. How can I figure out why this isn't working?

1 votes

0 answers

850 views

ANSWER