
Monday, April 18, 2016

Kerberos with groups on Tomcat 7

To provide Single Sign-On (SSO) for your web service on a Linux server in a Windows environment (Active Directory) you can add a login filter to Tomcat that accepts Kerberos tokens. It's really quite simple once it is set up correctly, but the correct setup is not simple to figure out.

Ack: Compiled from http://portlandlanguagecraft.com/ and https://pixabay.com/en/chain-gold-power-connection-rights-307886/

I did it using a custom SPNEGO filter to also extract AD groups from the kerberos tokens.

Mostly follow https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but with many additional tweaks.

You will need to create/edit the following files (On Ubuntu):

/etc/tomcat7/web.xml
/etc/tomcat7/login.conf
/etc/tomcat7/krb5.conf
/etc/tomcat7/mykeytab.keytab
/usr/share/tomcat7/libs/spnego-r7.jar

(These files are also found in /var/lib/tomcat7/conf).

Step-by-step (First section just for login and second section for getting groups too):

AUTHENTICATION (Login):


Download the Spnego HTTP filter:
Available from https://sourceforge.net/projects/spnego/. Put the file under /usr/share/tomcat7/libs/spnego-r7.jar to make tomcat load it on startup.

On the Active Directory (AD) / Kerberos Key Distribution Center (KDC) / Windows server:

Add service user:
Add a service user to let your Linux server "log in" and validate Kerberos tokens.

Link SPN to service user:
SPNs (Service Principal Names) are identifiers for users or hosts. We need to add the ones representing our server. NOTE: The SPN is case sensitive and you must use the same case everywhere. The command has the form:
setspn.exe -A HTTP/<HOSTNAME> DOMAIN\<SERVICE USER>

So on your windows/AD server enter the following

setspn.exe -A HTTP/myserver DOMAIN\myserviceuser
setspn.exe -A HTTP/myserver.domain.local DOMAIN\myserviceuser

to link the SPN HTTP/myserver to the user myserviceuser.

Generate keytab:
The keytab is a file which stores SPNs/usernames and the passwords for them.

According to the Apache tutorial you should do this on your Windows/AD server using the ktpass tool. I found it was better to use the ktab.exe that comes with Java on Windows:
ktab -a HTTP/<HOSTNAME> <SERVICE USER PASSWORD> -k <OUTPUT FILE> -n 0
e.g.
ktab -a HTTP/myserver.domain.local myservicepassword -k mykeytab.keytab -n 0

Note the -n 0 flag, which sets the key version number. It needs to be 0 for Tomcat/Spnego to find the key.

Put the mykeytab.keytab file under /etc/tomcat7/mykeytab.keytab on your linux server.
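
Before copying the keytab over, it helps to confirm the two things stressed above: the principal's exact case and a key version number of 0. The following is an added example, not part of the original post or of the spnego project; it assumes the MIT keytab file layout version 0x0502, uses the article's principal HTTP/myserver.domain.local@DOMAIN.LOCAL, and runs on constructed sample keytabs with all-zero placeholder keys.

```python
import struct

# Subset of the Kerberos encryption type numbers.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab; key bytes are dropped, only their length is kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # a negative size marks a deleted entry
            pos += -size
            continue
        e = data[pos:pos + size]
        pos += size
        if len(e) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", e, 0)
        realm, p = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(e, p)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", e, p)
        (etype,) = struct.unpack_from(">H", e, p + 9)
        key, p = _counted(e, p + 11)
        if len(e) - p >= 4:                 # optional trailing 32-bit kvno, used when nonzero
            (kvno32,) = struct.unpack_from(">I", e, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "key_len": len(key)})
    return entries


def check_keytab(data, expected_principal, expected_kvno=0):
    """Return a list of problems for the principal that login.conf will name."""
    problems = []
    near = [e for e in parse_keytab(data)
            if e["principal"].lower() == expected_principal.lower()]
    if not near:
        problems.append("no key for " + expected_principal)
    for e in near:
        if e["principal"] != expected_principal:
            problems.append("case mismatch: keytab has " + e["principal"])
        if e["kvno"] != expected_kvno:
            problems.append("kvno is %d, expected %d" % (e["kvno"], expected_kvno))
    return problems


def build_entry(realm, components, kvno, etype, key):
    """Serialise one entry; used only to construct the sample keytabs below."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)     # name type 1, timestamp 0, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed samples: placeholder keys, names taken from the article.
EXPECTED = "HTTP/myserver.domain.local@DOMAIN.LOCAL"
SAMPLE_GOOD = b"\x05\x02" + build_entry("DOMAIN.LOCAL", ["HTTP", "myserver.domain.local"], 0, 23, bytes(16))
SAMPLE_BAD = b"\x05\x02" + build_entry("DOMAIN.LOCAL", ["HTTP", "MyServer.domain.local"], 3, 18, bytes(32))

if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, parse_keytab(blob), check_keytab(blob, EXPECTED))
```

For a real file, pass its bytes instead of the samples, e.g. the contents of mykeytab.keytab opened in "rb" mode.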


We also need to make the computers in the windows network trust our server, to do this we can use Group Policy on the AD server. But we'll get back to that later.


On the linux server (as sudo):

Add a filter to /etc/tomcat7/web.xml:

<!-- ======================== SPNEGO filter ==============================-->
  <filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>false</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>com.sun.security.jgss.krb5.initiate</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>conf/krb5.conf</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>conf/login.conf</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>SERVICE_USER_USERNAME</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>SERVICE_USER_PASSWORD</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>com.sun.security.jgss.krb5.accept</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
  
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
  </filter>


You need to replace SERVICE_USER_USERNAME and SERVICE_USER_PASSWORD with the ones you used to create your keytab. spnego.allow.basic and spnego.prompt.ntlm are true so that users who haven't logged into Windows can still log in (WARNING: username and password are then sent to the Linux server in cleartext, only base64-encoded!). spnego.allow.unsecure.basic needs to be true if you don't use HTTPS; you should use HTTPS.

  <filter-mapping>
    <filter-name>SpnegoHttpFilter</filter-name>
    <url-pattern>*</url-pattern>
  </filter-mapping>


This applies the filter to all files.
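
The settings the warning above is about (Basic fallback, unsecure Basic, the service password stored in the file) can be checked mechanically. This is an added example, not code from the original post or from the spnego project: it reads the SpnegoHttpFilter init-params from a web.xml and reports the risky combinations. The finding names and the sample documents are constructed for illustration, and the check for a CONFIDENTIAL transport-guarantee (a standard servlet security-constraint element) goes slightly beyond what the post configures.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "net.sourceforge.spnego.SpnegoHttpFilter"

# Finding ids are this example's own naming, not anything Tomcat or spnego emits.
MESSAGES = {
    "no-spnego-filter": "no SpnegoHttpFilter declared",
    "basic-over-http": "Basic credentials are accepted over plain HTTP",
    "no-tls-constraint": "Basic is enabled but no CONFIDENTIAL transport-guarantee is declared",
    "password-in-web-xml": "service account password is stored in web.xml; restrict read access",
}


def _local(tag):
    """Strip an XML namespace such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def spnego_params(root):
    """Return the init-params of the SPNEGO filter as a dict, or None if absent."""
    for f in root.iter():
        if _local(f.tag) == "filter" and _child_text(f, "filter-class") == FILTER_CLASS:
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in f if _local(p.tag) == "init-param"}
    return None


def declares_tls(root):
    """Coarse check: some security-constraint asks for CONFIDENTIAL transport.
    It does not prove the constraint covers every URL the filter is mapped to."""
    return any(_local(e.tag) == "transport-guarantee" and (e.text or "").strip() == "CONFIDENTIAL"
               for e in root.iter())


def audit(xml_text):
    """Return the list of finding ids for one web.xml (str or bytes)."""
    root = ET.fromstring(xml_text)
    params = spnego_params(root)
    if params is None:
        return ["no-spnego-filter"]

    def on(key):
        return (params.get(key) or "").lower() == "true"

    findings = []
    if on("spnego.allow.basic") and on("spnego.allow.unsecure.basic"):
        findings.append("basic-over-http")
    if on("spnego.allow.basic") and not declares_tls(root):
        findings.append("no-tls-constraint")
    if params.get("spnego.preauth.password"):
        findings.append("password-in-web-xml")
    return findings


def sample(unsecure_basic, tls):
    """Build a constructed web.xml in the shape of the article's filter block."""
    values = {"spnego.allow.basic": "true", "spnego.allow.unsecure.basic": unsecure_basic,
              "spnego.preauth.username": "SERVICE_USER_USERNAME",
              "spnego.preauth.password": "SERVICE_USER_PASSWORD"}
    params = "".join("<init-param><param-name>%s</param-name><param-value>%s</param-value>"
                     "</init-param>" % kv for kv in values.items())
    constraint = ("<security-constraint><web-resource-collection>"
                  "<web-resource-name>all</web-resource-name><url-pattern>/*</url-pattern>"
                  "</web-resource-collection><user-data-constraint>"
                  "<transport-guarantee>CONFIDENTIAL</transport-guarantee>"
                  "</user-data-constraint></security-constraint>") if tls else ""
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter>'
            "<filter-name>SpnegoHttpFilter</filter-name><filter-class>%s</filter-class>%s"
            "</filter>%s</web-app>" % (FILTER_CLASS, params, constraint))


AS_PUBLISHED = sample("true", tls=False)   # the values shown in the article
HARDENED = sample("false", tls=True)       # Basic only over HTTPS

if __name__ == "__main__":
    for name, doc in (("as published", AS_PUBLISHED), ("hardened", HARDENED)):
        print(name, [MESSAGES[f] for f in audit(doc)])
```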


Create/edit the login.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useKeyTab=true
    principal="HTTP/myserver.domain.local@DOMAIN.LOCAL"
    keyTab="/var/lib/tomcat7/conf/mykeytab.keytab"
    storeKey=true
    isInitiator=false;
};


Unlike the Apache tutorial, the initiate entry should only contain the module, otherwise Tomcat will throw a parse error on startup.


Create/edit the krb5.conf:

[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = FILE:/etc/tomcat7/mykeytab.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true

[realms]
DOMAIN.LOCAL = {
        kdc = 192.168.1.5:88
}

[domain_realm]
domain.local = DOMAIN.LOCAL
.domain.local = DOMAIN.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false


The kdc parameter should support the hostname of the KDC/AD server e.g. kdc.domain.local, but mine had trouble with DNS lookup for it, luckily IP works fine.

NOTE: Make sure the server's clock is within a few minutes of the AD server's, and consider installing an NTP client to keep it in sync.

AUTHORIZATION (roles/groups):


You will need to create/edit the following files (On Ubuntu):

/var/lib/tomcat7/webapps/ROOT/WEB-INF/web.xml
/usr/share/tomcat7/libs/bcprov-jdk15on-147.jar
/usr/share/tomcat7/libs/spnego-pac.jar

Active Directory adds a blob called the PAC (Privilege Attribute Certificate) to its Kerberos tokens, which includes a user's roles. We can extract these roles from our ticket so we don't have to do an additional LDAP request (which is the normal way).

To do this we need a custom build of the spnego library by Ricardo Martín Camarero (rickyepoderi) (see http://blogs.nologin.es/rickyepoderi/index.php?/archives/73-SPNEGOKerberos-in-JavaEE-PAC.html) which utilizes JaasLounge and Bouncy Castle ASN1 to extract the PAC roles.
I've added support for fetching a user's Kerberos token when using Basic Auth as well as adding compressed PAC from another library.

The spnego-pac source code is available from github (https://github.com/asmund1/spnego-pac), and the final binaries used in this project from https://github.com/asmund1/spnego-pac/blob/master/jars/spnego-pac.jar and https://github.com/asmund1/spnego-pac/blob/master/jars/bcprov-jdk15on-147.jar (additional library needed).

On the linux server (as sudo):

Copy spnego-pac.jar and bcprov-jdk15on-147.jar to /usr/share/tomcat7/libs/ so that tomcat loads it on startup. NOTE: Remove the original spnego jar if you have it there already.

The PAC contains only the numerical representation (the SID) of each of the user's roles. You can use this directly in your servlets, but I added some aliases for my roles. I did this in the webapp web.xml, but it should work in the global web.xml too (/etc/tomcat7/web.xml):

    <context-param>
        <param-name>myserver_write_role</param-name>
        <param-value>S-1-5-21-123456789-1234567890-1234567890-1234</param-value>
        <description>Alias for write access role</description>
    </context-param>


To get the value for your roles, check your Tomcat log (/var/lib/tomcat7/logs/catalina.out) after logging in using Kerberos; the library prints the SIDs found for a user.
You might have to change the log level since they are printed at FINER level. Do this by appending
net.sourceforge.spnego.SpnegoAuthenticator = FINER
to the bottom of the /etc/tomcat7/logging.properties file and restarting Tomcat.
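
To make the "numerical representation" concrete: in the PAC's logon information (MS-PAC), domain groups are carried as RIDs relative to the logon domain SID, and the role string is the two joined together. The sketch below is an added example, not code from spnego-pac or the original post; it decodes a binary SID, expands RIDs into group SIDs and resolves them against context-param aliases like the one above. The binary domain SID, the RID list and the namespace-free web.xml are constructed samples, and the function names are this example's own.

```python
import re
import struct
import xml.etree.ElementTree as ET

SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")


def sid_to_string(raw):
    """Decode a binary SID: revision byte, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


def group_sids(domain_sid, rids, extra_sids=()):
    """Domain groups are RIDs relative to the domain SID; extra SIDs are complete."""
    domain = sid_to_string(domain_sid)
    return ["%s-%d" % (domain, rid) for rid in rids] + [sid_to_string(s) for s in extra_sids]


def role_aliases(web_xml):
    """Map SID -> alias from <context-param> entries whose value looks like a SID.
    A value that starts with S- but is malformed is an error, not silently skipped."""
    aliases = {}
    for cp in ET.fromstring(web_xml).iter("context-param"):
        name = (cp.findtext("param-name") or "").strip()
        value = (cp.findtext("param-value") or "").strip()
        if value.startswith("S-"):
            if not SID_RE.match(value):
                raise ValueError("%s is not a well-formed SID: %r" % (name, value))
            aliases[value] = name
    return aliases


def roles_for(user_sids, aliases):
    """Return the alias names a user holds, given the SIDs from the ticket."""
    return sorted(aliases[s] for s in user_sids if s in aliases)


# Constructed samples, matching the placeholder SID used in the context-param above.
DOMAIN_SID = (b"\x01\x04" + (5).to_bytes(6, "big")
              + struct.pack("<4I", 21, 123456789, 1234567890, 1234567890))
RIDS = [513, 1234]
WEB_XML = """<web-app>
  <context-param>
    <param-name>myserver_write_role</param-name>
    <param-value>S-1-5-21-123456789-1234567890-1234567890-1234</param-value>
    <description>Alias for write access role</description>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    sids = group_sids(DOMAIN_SID, RIDS)
    print(sids)
    print(roles_for(sids, role_aliases(WEB_XML)))
```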

GET USER AND ROLES (CODE):


The username/SPN of the logged in user and his/her roles are added to the request object, so to fetch them in Java servlets / JSP use the following lines of code:

For Java Servlet:
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {

        // Fetches username of logged in user
        String username = req.getRemoteUser();

        // Check if user has write access (the alias holds the role's SID, see web.xml)
        ServletContext context = req.getServletContext();
        if (!req.isUserInRole(context.getInitParameter("myserver_write_role"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
    }
}


For JSP:
<%= request.getRemoteUser() %>
and
<%= request.isUserInRole(request.getServletContext().getInitParameter("myserver_write_role")) %>

TRUSTED SERVER:


To get the kerberos token from windows you need to be on the trusted server list. Chrome and IE use a common list while firefox and other browsers have their own.

To add your server as trusted in IE (and Chrome) open Internet Options -> Security -> Local intranet -> Sites button -> Advanced button
Enter the url for your server and press the Add button.

To do the same for firefox do the following:
1. Open Firefox, and type "about:config" in the Address Bar.
2. In the Search field, type "negotiate".
3. Set the following fields:
      network.negotiate-auth.trusted-uris  myserver.domain.local
      network.negotiate-auth.delegation-uris myserver.domain.local

(https://bugzilla.mozilla.org/show_bug.cgi?id=520668)

To add your server for IE and Chrome for all Windows machines in the intranet, you can use Group Policy: https://www.serverknowledge.net/group-policy/adding-trusted-sites-internet-explorer-using-group-policy-gpo/

TEST:


On the linux server (as sudo):
Start/Restart tomcat server to load changes in config and load jars:
service tomcat7 restart

Then tail the log output for any errors:
tail -f /var/lib/tomcat7/logs/catalina.out

Then navigate to your server in IE/Chrome. You should not be prompted for username or password. If you go to the server from a non-windows logged on computer (e.g. mobile phone) you should get a popup asking you to enter username and password. If you enter the incorrect password you should get a white page, with correct credentials you should see your content.

Sources:

http://spnego.sourceforge.net/spnego_tomcat.html
http://spnego.sourceforge.net/pre_flight.html
http://spnego.sourceforge.net/reference_docs.html
http://spnego.sourceforge.net/client_keytab.html
http://spnego.sourceforge.net/ExampleSpnegoAuthenticatorValve.java
http://spnego.sourceforge.net/HelloKeytab.java
https://sourceforge.net/p/spnego/discussion/1003769/thread/98e5ea01/

http://jaaslounge.sourceforge.net/howto/SSO_Tomcat_Howto.pdf
http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html
http://stackoverflow.com/questions/20152000/get-ad-groups-with-kerberos-ticket-in-java
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/lab/part6.html
http://kerberos.996246.n3.nabble.com/kinit-Cannot-contact-any-KDC-for-realm-EXAMPLE-COM-while-getting-initial-credentials-td19145.html
http://serverfault.com/questions/166768/kinit-wont-connect-to-a-domain-server-realm-not-local-to-kdc-while-getting-in
http://stackoverflow.com/questions/31877027/kerberos-cannot-find-key-of-appropriate-type-to-decrypt-ap-rep-rc4-with-hmac

https://docs.google.com/document/d/1G7WAaYEKMzj16PTHT_cIYuKXJG6bBcrQ7QQBQ6ihOcQ/edit#heading=h.yh8m8tkjdx9h
http://stackoverflow.com/questions/3568635/android-authenticating-with-kerberos

http://stackoverflow.com/questions/2518256/override-intranet-compatibility-mode-ie8

Wednesday, May 28, 2014

Add new user in Linux/Ubuntu

To add a new user using command line on an Ubuntu machine there are at least two commands that may be used: useradd and adduser

Use adduser instead of useradd if you are not totally certain useradd is the tool you want to use because:
1. useradd is a low level tool.
2. useradd will not add home directory for new user.
3. useradd will not add many other defaults for new user.
4. adduser is more user friendly (but uses useradd in backend).
5. adduser will create home directory.
6. The useradd manpage recommends using adduser.

Use it like this:
sudo adduser <username>

and to add a system user which has no shell (cannot log in, but can just run programs):
sudo adduser --system <username>
instead of
sudo useradd <username> -s /bin/false
Using adduser, a home directory will be created for the system user.

See http://askubuntu.com/questions/374870/home-directory-not-being-created and http://askubuntu.com/questions/345974/what-is-the-difference-between-adduser-and-useradd for good reasons with links to manpages.

Tuesday, October 30, 2012

Copy all text in a Gnome terminal

Shamelessly copied from arsane on superuser.com (Thanks)

Instead of dragging mouse to select all text:

1. Triple click the last line of the current terminal (do not release the mouse).
2. Press SHIFT+HOME key which will lead us to the first line.
3. Drag mouse to the first line.
4. Right click, edit->copy.

See http://superuser.com/a/80175.

Saturday, November 13, 2010

Workaround for Ubuntu install hangs on forward button

Have you tried installing Ubuntu using the official guide where you create a Live/Install USB using Universal USB Installer in Windows? Did the install not continue after pressing continue when selecting language or when selecting keyboard layout?

This seems to be because of gparted/parted not being able to start. It affects installing from Ubuntu 10.4-netbook, 10.10-netbook, and 10.10-desktop.

A workaround is to create the Live/Install USB in Ubuntu.

You will need two USB drives (including the one you created in windows).

Start the Live session and get a copy of the iso you put on the USB onto the computer (either from a different machine or by downloading it). Open the startup disk creator in your Ubuntu Live session (System->Administration->Startup Disk Creator). Select the iso file and the other USB drive.
Create the startup disk. Shut down, remove the USB created in windows. Start up using the USB created in Ubuntu to boot from. Install from the USB created in Ubuntu. The forward button should now work.

Sources: A Ubuntu bug report that I cannot find again. Please tell me if you have seen it so I can give credit.

Saturday, July 10, 2010

Opera icon in ubuntu gone

Did you have a shortcut for launching Opera and have its icon disappear when upgrading your Opera installation (e.g. to 10.60)?

No worries, just open the shortcut properties (use http://www.herikstad.net/2010/05/setting-ubunutu-menu-item-icon.html if it is a menu or panel shortcut). The location you want to look for the icon is:
/usr/share/opera/styles/images.
Select the Opera_256x256.png file.

Voila. :)

Saturday, May 1, 2010

Setting Ubuntu menu item icon

Ever tried setting the icon for a menu item on the Ubuntu start menu and discovered that Ubuntu can't find your icon files?

First of all, to get to the place where you change the icon:
Right click 'Applications' menu on the taskbar -> select 'Edit Menus' -> find your menu item in the list -> click 'Properties' -> click the current icon

When you select Browse... and go to the directory where your icons are located it doesn't show any files there. The key is to press Open when you are in the directory where the files should be. A new window will open showing the files that can be used as icons.

"The image files must be one of the types: PNG, XPM, or SVG, and the extension must be ".png", ".xpm", or ".svg" (lower case)." Source: http://standards.freedesktop.org/icon-theme-spec/icon-theme-spec-0.6.html

Thursday, April 8, 2010

Mount Nexus One SD card on PC with Ubuntu Linux

If you are trying to connect the Nexus One to Ubuntu via USB and it keeps disconnecting and you get the following messages when you run dmesg in a terminal:

[14082.844359] sd 23:0:0:0: [sdb] Sense Key : Not Ready [current]
[14082.844371] sd 23:0:0:0: [sdb] Add. Sense: Medium not present
[14082.844386] end_request: I/O error, dev sdb, sector 24
[14082.854502] sd 23:0:0:0: [sdb] Device not ready
[14082.854512] sd 23:0:0:0: [sdb] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE


The fix is to turn on USB debugging for the Nexus One:

On the Nexus One, go to Settings -> Applications -> Development and check USB debugging and say OK to the warning. Connect the Nexus One via USB to the Ubuntu machine and it should connect fine.

Solution source: http://code.google.com/p/android/issues/detail?id=5880

Thursday, August 20, 2009

Setting up environment for J2ME programming in Ubuntu

To program for Java J2ME using Eclipse under Ubuntu, the guides in the following links should help with any problems encountered. This assumes you have already installed Eclipse. (I can't remember the exact problems I encountered, but you have to edit a settings file somewhere or make a symlink (see the ProGuard links).)

http://www.autexier.de/jmau/dev/j2me/j2me.html
http://eclipseme.org/docs/refPrefJ2ME.html
http://blogninja.com/doc/libproguard-java/manual/wtk.html
http://dev.eclipse.org/newslists/news.eclipse.dsdp.mtj/msg00507.html

Friday, July 31, 2009

Creating a symlink in Ubuntu

Linking to a directory is a great way to access files and even trick programs to access files that are placed in a totally different place than it expects. What one is doing is creating a link which will list the content of a different directory when accessed.

So if I want a folder in my home area to point to my external harddrive mount point I could create a symbolic link, a symlink, to the external harddrive and its content would be shown when I accessed my symlink as a directory. The original location would also still be available.

To create a symlink one uses the program ln. In a console window, navigate to the directory where you want to create a symlink directory and type the following:
ln -s 'location to link to' 'name of symlink'

For example:
ln -s /media/ExternDrive moreFilesLink

Solution found at http://www.linuxforums.org/forum/linux-newbie/65415-creating-symlink.html

Update: To update/change where a symlink is pointing, use the flags sfn instead of just s:
ln -sfn 'location to link to' 'name of symlink'

For example:
ln -sfn /media/ExternDrive2 moreFilesLink

Solution: http://www.programmersparadox.com/2010/10/09/updating-a-symlink/

Monday, April 27, 2009

Cleaning up Ubuntu

I've been going through my ubuntu install and trying to free up some diskspace. Came across quite a few neat tools to clean up the Ubuntu install, especially unused packages installed using aptitude.

The following have easy to follow instructions:
http://ubuntuforums.org/showthread.php?t=140920

http://benhodge.wordpress.com/2008/02/17/cleaning-up-a-ubuntu-gnulinux-system/

I haven't tried to remove orphaned packages because I read that this could mess up your system, so use at your own risk.

Also try xdiskusage; it's available through aptitude and gives you a good overview of which folders take up the most space.

Setting up a CUDA environment in Ubuntu Jaunty

To write code for CUDA devices you need to set up your system properly. The following explanation is taken from Life of a Programmer Geek. First of all make sure you have a CUDA enabled graphics device, Wikipedia has a list of supported devices.

Install the build tools we need
Open a console window and type the following:
sudo apt-get install build-essential libglut3-dev

Install the NVIDIA drivers
Go to the CUDA ZONE download page and download the CUDA driver. (The Ubuntu 8.04 will work for Ubuntu 9.04 Jaunty).
Press CTRL+ALT+F1 to go to a terminal, log in with your username and password.

Navigate to the folder that you placed the driver file in and type the following:
chmod +x NVIDIA-Linux-x86_64-180.22-pkg2.run
This will first make the driver installer runnable. We then need to stop Xwindows (remember to save any open files). (if you are using KDE use kdm instead of gdm (which is for gnome)):
sudo /etc/init.d/gdm stop
Next we run the driver installation (Usually selecting yes to all questions is ok):
sudo ./NVIDIA-Linux-x86_64-180.22-pkg2.run
Finally we restart the Xwindows session.
sudo /etc/init.d/gdm start

A new error for Ubuntu Jaunty is that upon reboot you might get a message similar to:
(EE)Failed to load module "type1" (module does not exist,0)
(EE)Failed to load module "freetype" (module does not exist,0)
(EE) NVIDIA(0) Failed to load the NVIDIA Kernel Module
(EE) NVIDIA ***Aborting***
(EE) Screen(s) found, but none have a usable configuration.


To fix this problem edit the file /etc/modprobe.d/lrm-video and comment out the line install nvidia /sbin/lrm-video nvidia $CMDLINE_OPTS by putting a # in front of it.
Solution found from: http://ubuntuforums.org/showthread.php?t=950777

Install the CUDA Toolkit
Go to the CUDA ZONE download page again and download the CUDA Toolkit. Open a console window and navigate to the directory containing the file, type the following:
chmod +x cudatoolkit_2.1_linux64_rhel5.2.run
sudo ./cudatoolkit_2.1_linux64_rhel5.2.run

Use the default options suggested by the installer (press enter).

Note: The following steps need to be taken by all users

Add environment variables
This is a very important step.
Open a console window to your home directory and edit the file .bashrc, this is the settings file for your console window. Add the following lines to the bottom of the file:
PATH=$PATH:/usr/local/cuda/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib
export PATH
export LD_LIBRARY_PATH

These settings will not take effect before you open a new window so remember to do that.

Install the CUDA SDK
Download the CUDA SDK from the CUDA ZONE download page. As with the Toolkit, open a console window, navigate to the directory with the files and type the following:
chmod +x cuda-sdk-linux-2.10.1215.2015-3233425.run
./cuda-sdk-linux-2.10.1215.2015-3233425.run

Accept the default options. The installer will create a folder called NVIDIA_CUDA_SDK in your home directory.

Compile and run an example
Open a console window, navigate to the NVIDIA_CUDA_SDK folder in your home directory, type:
make
./bin/linux/release/fluidsGL

This should open a window with a fluid dynamics simulation.

Writing code for CUDA devices
When writing code for CUDA GPUs it is useful to begin from the examples included in the SDK. The source code can be found in ~/NVIDIA_CUDA_SDK/projects/ (the directory in your home directory). Copy one of the directories and start editing the files in it. To compile the program type make.

If you want to put the files in a different directory or rename or add files to your project, you need to edit the Makefile file in your project directory and possibly also the common.mk file located in ~/NVIDIA_CUDA_SDK/common/ folder.

Dosbox and Ubuntu 9.04 Jaunty

I've been having problems with my DOSBox after upgrading to Jaunty. Here are the problems and the fix for one of them at least:

1. The arrow keys are not responding. (actually they are mapped to totally different keys)
For Ubuntu Jaunty the 'usescancodes' option for SDL must be disabled. To do this you edit the DOSBox config file (dosbox.conf or .dosboxrc), go to the [sdl] section and edit the line to say:

usescancodes=false

This should do the trick.

The following sites are where I found the solution:
http://ubuntuforums.org/showthread.php?p=5963381
http://vogons.zetafleet.com/viewtopic.php?t=19851

If you haven't got a dosbox.conf or .dosboxrc file in your home directory you can create it by doing the following:

  • Open DOSBox
  • Type 'config -writeconf dosbox.conf'
  • The file dosbox.conf will be created in your home directory
  • Rename the file to .dosboxrc if you want it to be hidden 

2. The sound is either totally gone or stuttering.

UPDATE: Use export SDL_AUDIODRIVER=esd instead, you will also need to have the package libsdl1.2debian-esd installed. See comments, thanks to mgedmin and Alex for the solution.

I haven't found the solution to this problem yet, no one seems to have (so if you have, please tell me). But one can try the following: The problem is apparently caused by the change from ALSA sound server to PulseAudio.
Download the PulseAudio plugin, libsdl1.2debian-pulseaudio using synaptic or by typing:

sudo aptitude install libsdl1.2debian-pulseaudio

You will be asked to uninstall libsdl1.2debian-alsa. Alternatively you can install libsdl1.2debian-all if you want to keep the ALSA plugin.
Now you need to tell SDL (which is what DOSBox is built on) to use PulseAudio: type export SDL_AUDIODRIVER=pulse in a console window, then start dosbox from the same window by typing dosbox.

You might also be getting errors like

ALSA:Can't subscribe to MIDI port (65:0) nor (17:0)
MIDI:Opened device:oss

then go to the dosbox.conf file, find the MIDI section and change the settings in there to:

mpu401=intelligent
device=default
config=128:0


Hope some of this is of any help to you.