Sunday, October 30, 2016

enable automount for RHEL 7 and FreeIPA

  sudo ipa-client-automount --server=ipasrv01.mydomain.com
  sudo authconfig --enablemkhomedir --update

Wednesday, October 26, 2016

clojure remote repl

To debug a remote app, we can start it with a remote REPL if the Clojure version is 1.8+:

java -Dclojure.server.repl="{:address \"\" :port 5555 :accept clojure.core.server/repl}" -jar mywebapp.jar

Tuesday, October 25, 2016

Kerberos SPNEGO Checksum failed problem

I set up SPNEGO authentication for my web apps. During development I ran into a problem authenticating users with a keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I found a way to resolve the problem. I used RHEL 7 on servers and clients, and FreeIPA as the KDC/LDAP server:

1. Open /etc/krb5.conf on the web app server and add one line to the [libdefaults] section:

default_tkt_enctypes = arcfour-hmac-md5

This is the most important step: this line resolves the "Checksum failed" problem.

2. On a client:
kinit username
Password for username@MYSERVICE.COM: 

After successful authentication in the Kerberos domain, we can access Kerberized web apps using curl:
curl -v -k --negotiate -u :  --cacert /etc/ipa/ca.crt  https://myservice.com:8090/krb

3. In Firefox, type about:config in the address bar, click "I promise", then find and set:
network.negotiate-auth.delegation-uris     value     http://,https://
network.negotiate-auth.trusted-uris        value     .myservice.com
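
Step 1 pins ticket encryption to arcfour-hmac-md5, which is RC4; RFC 8429 deprecates RC4 and 3DES for Kerberos, and RFC 6649 deprecates single DES. The script below is an added example, not part of the original post: it parses the [libdefaults] section of a krb5.conf and reports every enctype setting that still lists one of those types, so hosts carrying this workaround can be found later. The sample configs and the function names enctype_settings and weak_enctypes are constructed for illustration.

```shell
#!/bin/sh
# Added example: report deprecated enctypes pinned in [libdefaults] of krb5.conf.

# Constructed sample: the setting from step 1 of the post.
CONF_RC4='[libdefaults]
  default_realm = MYSERVICE.COM
  default_tkt_enctypes = arcfour-hmac-md5
[domain_realm]
  .myservice.com = MYSERVICE.COM'

# Constructed sample: AES only, with the rc4 family explicitly removed.
CONF_AES='[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 -rc4
  # permitted_enctypes = rc4-hmac'

# Print "setting enctype" pairs found in [libdefaults]; krb5.conf text on stdin.
enctype_settings() {
  awk '
    /^[ \t]*[#;]/ { next }    # comment lines
    /^[ \t]*\[/   { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_ld && /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/,/, " ", val)
      n = split(val, t, " ")
      for (i = 1; i <= n; i++) print key, t[i]
    }'
}

# Print the pairs whose enctype is single DES, 3DES or RC4
# (deprecated for Kerberos by RFC 6649 and RFC 8429).
weak_enctypes() {    # $1 = krb5.conf text
  printf '%s\n' "$1" | enctype_settings | while read -r key etype; do
    case "$etype" in -*) continue ;; esac    # a leading "-" removes a type
    case "${etype#+}" in                     # a leading "+" is the same as listing it
      des|des-*|des3|des3-*|rc4|rc4-*|arcfour-*) echo "$key $etype" ;;
    esac
  done
}

# On a real host: weak_enctypes "$(cat /etc/krb5.conf)"
```
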