
smokku edited this page · 2 revisions

Matthew Koch, 1.6.2012

Would like to report a successful installation with jabberd-2.2.16 on Debian Squeeze with mysql on a Windows 2008 R2 AD domain with GSSAPI (Single Sign On). We're using Pandion as the client.


Collect Info

  • domain part of your jabber users - usually the same as your AD domain. We'll use @windows.local
  • Kerberos realm - usually the same as your AD domain, but IN ALL UPPERCASE. We'll use @WINDOWS.LOCAL
  • host name of the jabber server - doesn't have to be in your AD domain, we're not "joining" this machine to the domain. We'll use
  • FQDN of your AD domain controllers. We'll use


apt-get install packages:

Dev Tools: gcc g++ make file

Environment/Tools: mysql-server gsasl openssl krb5-user ldap-utils dig

Libraries: libcppunit-dev libidn11-dev zlib1g-dev libexpat1-dev libssl-dev libldap2-dev libmysqlclient-dev libgsasl7-dev

Network, hostname & DNS

A few things to check now before you pull your hair out at some later time trying to figure out why things aren't working.

Make sure this is a proper fully-qualified host name - this is the host name you must use to create your keys and put in the SRV records. Don't try to get fancy and use CNAMES, Kerberos won't like you if you do.

 $ hostname -f

Make sure your DCs can resolve your hostname.

 $ host $(hostname -f)

Reverse DNS on IPv4 and IPv6 working correctly is nice, but not always necessary. However, if these resolve, make sure they resolve to `hostname -f` or you're going to have a bad time.

 $ host
 $ host my::ip6:addr:ess

Check that your AD domain controllers can resolve from here.

 $ host -tsrv
 $ host -tsrv
 $ host -tsrv
 $ host -tsrv

You may want to ping AND ping6 these hosts (if they have IPv6 addresses).

You can setup DNS for jabber after installation/testing, but here are the DNS tests (these should return `hostname -f` above when you're all done):

 $ host -tsrv
 $ host -tsrv
 $ host -tsrv

Create jabberd user/group

You can use a different user name, if you want (like jabberd or jabberd2)

 % adduser --system --no-create-home jabber

Make an AD account & .keytab

On Windows AD domain controller:

  • Create AD account (e.g. xmppservice)
(as admin)
 c:\somedir> ktpass /out xmpp.keytab /princ xmpp/ /mapuser xmppservice@WINDOWS.LOCAL /pass R3@lly_G0od_P@s$wrd /crypto All /ptype KRB5_NT_PRINCIPAL

see these for more help:

Copy xmpp.keytab to

 # chown root:jabber xmpp.keytab
 # chmod 0640 xmpp.keytab

Configure Kerberos

 # apt-get install krb5-config

(setup your REALM)

 # su jabber
 $ kinit user@WINDOWS.LOCAL
 (will ask for password)
 $ kinit -k -t /path/to/xmpp.keytab xmpp/
 (won't ask for password)
 $ klist -e

(you should see valid keys!)
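As an added example (not from this page or the jabberd2 project), a small Python parser for the MIT keytab that ktpass writes, so you can confirm from the Linux side that xmpp.keytab carries xmpp/<your `hostname -f`>@WINDOWS.LOCAL with AES keys, the same thing you would eyeball in `klist -e`, before relying on `kinit -k`. The host name xmpp-host.windows.local and the key bytes in the sample are constructed placeholders, and the format details follow the MIT keytab version 0x0502 layout.

```python
import struct

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                    # negative size marks a deleted slot; 0 is end of data
            if size == 0:
                break
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        # name_type, timestamp, 8-bit kvno, enctype, key length; the key bytes are skipped
        _ntype, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen
        # optional trailing 32-bit kvno overrides the 8-bit field when nonzero
        (vno32,) = struct.unpack(">I", data[pos:pos + 4]) if end - pos >= 4 else (0,)
        kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def build_entry(principal, realm, kvno, enctype, key):
    """Encode one keytab entry; used here only to construct the sample below."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    # name_type 1 is KRB5_NT_PRINCIPAL, the /ptype given to ktpass above
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def has_service_key(entries, fqdn, realm, service="xmpp"):
    """True if service/<fqdn>@<REALM> is in the keytab with an AES enctype (17 or 18)."""
    want = "%s/%s@%s" % (service, fqdn, realm)
    return any(p == want and e in (17, 18) for p, _k, e in entries)

# Constructed sample (placeholder host name, dummy key bytes); two enctypes like ktpass /crypto All
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("xmpp/xmpp-host.windows.local", "WINDOWS.LOCAL", 3, 18, b"\xaa" * 32)
    + build_entry("xmpp/xmpp-host.windows.local", "WINDOWS.LOCAL", 3, 23, b"\xbb" * 16))
```

Point `parse_keytab(open("/path/to/xmpp.keytab", "rb").read())` at the real file and check the principal against `hostname -f`; a CNAME or wrong case there is exactly the mismatch that makes `kinit -k` fail.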

Clear it out

 $ kdestroy

Build non-squeeze lib (udns)

See Building-udns-Debian-packages or build from source:


Unpack, ./configure && make

 No `make install` - copy to system by hand, if desired, but not necessary

Build & install jabberd2

Download jabberd-2.2.XX

unpack, cd jabberd-2.2.XX

 $ CFLAGS="-I/path/to/udns-0.2" LDFLAGS="-L/path/to/udns-0.2" ./configure --enable-mysql --enable-ldap --with-zlib --enable-ssl --enable-debug

Adjust the ./configure paths to suit your needs, if desired (--enable-debug is required, or apply the patch to fix the build error).

 # make
 # make install
 # cd /path/to/jabberd2/config
 # chown root:jabber router.xml router-filter.xml router-users.xml s2s.xml sm.xml c2s.xml 
 # chmod 0640 router.xml router-filter.xml router-users.xml s2s.xml sm.xml c2s.xml

Generate an SSL certificate

If you have a PKI already in place, create a real, CA-signed certificate. Otherwise, make a snake oil (self-signed):

 $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
 $ cat server.crt server.key > server.pem
 # chown root:jabber server.pem
 # chmod 0640 server.pem
 # copy server.pem to /path/to/jabberd2/config/server.pem

Configure mysql

 $ mysql -u root -p
 \. /path/to/jabberd2/source/tools/db-setup.mysql
 GRANT ALL ON jabberd2.* TO 'jabberd2'@'localhost' IDENTIFIED BY 'D1ff3r3ntP@s$wrd';

Configure router

Change the <secret>.....</secret> to something else.

Uncomment the path to your SSL key & cert

I also enabled message logging. Not that I care what people are doing on the IM system, but by telling them we log everything they are far less likely to misbehave. If you setup message logging, create a file in /etc/logrotate.d/ with something like:

/path/to/message.log {
        rotate 5
        size 5M
}


Configure sm.xml

  • Fixup <pass>....</pass>
  • Uncomment the path to your server.pem
  • Change <id>....</id> to your domain part of your user's domain (windows.local)
  • Change <driver>....</driver> to mysql
  • Uncomment <driver type="vcard">ldapvcard</driver>
  • Setup <mysql><user>...</user><pass>...</pass></mysql>
  • Setup <ldapvcard></ldapvcard>

(I haven't yet been able to get the published groups to work.)

  • Add yourself (your domain login) to the acl
     <acl type="all">
  • Uncomment <auto-create></auto-create>
I also created a template roster with the IT support people for new users. Maybe then they'll quit ringing our phones.

Configure s2s

You probably don't even need this process if you're not putting your IM system on the Interweb, but add the router secret anyhow and uncomment the SSL certificate. I fire it up with debug logging just to see if it gets used for anything. I don't know what the router would do if there were no default route.

Configure c2s

  • Change router password
  • Uncomment <pemfile>...</pemfile>
  • Fixup <local>....</local>:
(If you want to "do it right", don't use snake oil certs and set verify-mode='7')
  • Configure <mysql>...</mysql>

Test startup

 # su -c "/prefix/bin/router -D" jabber &
 # su -c "/prefix/bin/sm -D" jabber &
 # su -c "/prefix/bin/s2s -D" jabber &
 # KRB5_KTNAME="/path/to/jabberd2/config/xmpp.keytab" su -c "/prefix/bin/c2s -D" jabber &

If you didn't build with debug support, don't include -D

Using a GSSAPI-capable client (we use Pandion) from a windows box, login with Single-Sign-On goodness!

Kill the four processes, read your logs, etc.

Fixup init scripts

These are modified versions I found in the sid package for jabberd2-2.2.8, but they need a little fixin.

  1. /etc/default/jabberd2 - default values for jabberd2
 # user and group
 # run router
 # run resolver
 # run sm
 # run s2s
 # run c2s
 # keytab


 #!/bin/sh
 set -e
 test -f /etc/default/jabberd2 && . /etc/default/jabberd2
 test -d ${COMPONENTDPATH} || exit 0
 case "$1" in
   start)
      echo -n "Starting Jabber services:"
      if [ -z "$2" ]; then
         run-parts --arg=start ${COMPONENTDPATH}
      else
         ${COMPONENTDPATH}/??$2 start
      fi
      echo "."
      ;;
   stop)
      echo -n "Stopping Jabber services:"
      if [ -z "$2" ]; then
         run-parts --reverse --arg=stop ${COMPONENTDPATH}
      else
         ${COMPONENTDPATH}/??$2 stop
      fi
      echo "."
      ;;
   restart|force-reload)
      echo "Restarting Jabber services:"
      $0 stop $2
      sleep 1
      $0 start $2
      ;;
   *)
      # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
      echo "Usage: $0 {action} [component]" >&2
      echo "   action = start|stop|restart|force-reload" >&2
      echo "   component = router|resolver|sm|s2s|c2s" >&2
      exit 1
      ;;
 esac
 exit 0

/etc/jabberd2/component.d/ 10router, 30sm, 40s2s and 50c2s (just change @name@ to router/sm/s2s/c2s and @NAME@ to the same, but uppercase)

This could be hacked further to start any of them by parsing $0. Also, it's a little flimsy not checking variables and whatnot.

 set -e
 test -f /etc/default/jabberd2 && . /etc/default/jabberd2
 # check for executable
 test -f ${COMMAND} || exit 0
 exit 0