- "Use Kerberos DES encryption types for this account" - should be checked? -Yes
- "Do not require Kerberos preauthentication" - should be checked? -No
- How many SPNs should I create? - 2 will be created
- Configure encryption types allowed for Kerberos - which exactly should be checked? DES_CBC_CRC - enabled or disabled? All encryption types BUT DES_CBC_CRC should be checked
- DNS PTR-records - how many records should be in Reverse Lookup Zone? In Jonathan Murch's guide he contrived to put a Host (A) record there. :\
Make sure you have a reverse record that matches your A record.
- DNS - Any additional SRV records needed?
Depends
No, unless your XMPP domain is different than the FQDN of your server. External SRV records are also needed if you want to federate with external XMPP servers.
openfire.xml - Should there be
<authorization>
<classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
in it?
Within <provider>
</provider> or not?
I don't have that in mine...not to say it's not needed.
- krb5.ini - Should these records be there?
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
It doesn't hurt anything. I don't have it in mine. However, you'll want to remove des-cbc-crc since that isn't going to be a supported encryption type.
- gss.conf - "isInitiator=false"
I don't have this in mine either
Hope this helps.
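
Added example, not part of the original post: a small checker that reads the [libdefaults] enctype lists from a krb5.ini and drops des-cbc-crc, as the reply advises. The realm and KDC names in the sample are constructed, and the DISALLOWED set is an assumption you can extend to match your own policy.

```python
import re

# Enctype the post says to drop; extend this set to match your own policy (assumption).
DISALLOWED = {"des-cbc-crc"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample built around the three enctype lines quoted in the post.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = { kdc = dc1.example.com }
"""

def audit_enctypes(text, disallowed=DISALLOWED):
    """Return (findings, cleaned_text) for the [libdefaults] enctype lists."""
    findings, out, section = [], [], None
    for line in text.splitlines():
        header = re.fullmatch(r"\[(\w+)\]", line.strip())
        if header:
            section = header.group(1)
        m = re.match(r"(\s*)(\w+)\s*=\s*(.*)$", line)
        if section == "libdefaults" and m and m.group(2) in ENCTYPE_KEYS:
            indent, key, value = m.groups()
            # krb5 accepts enctypes separated by spaces and/or commas.
            etypes = [e for e in re.split(r"[,\s]+", value) if e]
            bad = [e for e in etypes if e.lower() in disallowed]
            if bad:
                findings.append((key, bad))
                kept = [e for e in etypes if e.lower() not in disallowed]
                line = f"{indent}{key} = {' '.join(kept)}"
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    found, cleaned = audit_enctypes(SAMPLE_KRB5_INI)
    for key, bad in found:
        print(f"{key}: remove {', '.join(bad)}")
    print(cleaned)
```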