[31879] in Kerberos


Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

daemon@ATHENA.MIT.EDU (Sylvain RICHET)
Thu Jan 7 14:16:10 2010

From: Sylvain RICHET <akamanouche@gmail.com>
Date: Thu, 7 Jan 2010 06:06:38 -0800 (PST)
Message-ID: <ceeb9934-a14d-4c50-8796-e3e18c68bb99@s31g2000yqs.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I really can't manage to solve this error message!
Seems to be a GSS API?
A communication problem between NegotiateAuth (plugged into Firefox)
and the underlying GSS API library (libgssapi-krb5-2?)?


The authentication process succeeds (as configured in "mod_auth_kerb")
but...

	1) the NegotiateAuth log traces this error "gss_init_sec_context()
failed: Unspecified GSS failure...."
	2) Using Wireshark, I can't find any SPNEGO ticket in the data sent
by Firefox to the webserver after authentication


I browsed a lot, and found many posts related to gss_init_sec_context()
and the error message.
But it didn't help me: the given workarounds don't match my problem.


# ON BROWSER SIDE
-----------------

> tail -f /tmp/negotiateauth.log

-1217141024[b742e1c0]:   service = kwebapp.beeware.org
-1217141024[b742e1c0]:   using negotiate-gss
-1217141024[b742e1c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1217141024[b742e1c0]: Attempting to load gss functions
-1217141024[b742e1c0]: entering nsAuthGSSAPI::Init()
-1217141024[b742e1c0]: nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]:   leaving nsAuthGSSAPI::GetNextToken
[rv=80004005]

==>
==> As you can see, the problem is : "gss_init_sec_context() failed:
Unspecified GSS failure...."
==>



# ON APACHE SIDE
-----------------

> tail -f /var/log/apache2/error.log

[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:05 2010] [debug] mod_deflate.c(615): [client
192.168.100.237] Zlib: Compressed 486 to 328 : URL /
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server
principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(605): [client
192.168.100.237] Trying to verify authenticity of KDC using principal
WEB/kwebapp.beeware.org@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=srichet@BEEWARE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1023): [client
192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server
principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(605): [client
192.168.100.237] Trying to verify authenticity of KDC using principal
WEB/kwebapp.beeware.org@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=srichet@BEEWARE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client
192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html

==> On Apache side, everything seems to be ok


# ON SERVER SIDE (KDC)
----------------------

> tail -f /var/log/krb5kdc.log

Jan 07 11:19:48 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18
tkt=18 ses=18}, srichet@BEEWARE.ORG for krbtgt/BEEWARE.ORG@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18
tkt=18 ses=18}, srichet@BEEWARE.ORG for WEB/
kwebapp.beeware.org@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16
23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18
tkt=18 ses=18}, srichet@BEEWARE.ORG for krbtgt/BEEWARE.ORG@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18
tkt=18 ses=18}, srichet@BEEWARE.ORG for WEB/
kwebapp.beeware.org@BEEWARE.ORG


==> On KDC side, everything seems to be ok too.



# CONFIGURATION
---------------

# Kerberos Client (Firefox) :
- Firefox 3.5.6 (on Ubuntu 9.10) with NegotiateAuth
- lib GSS : libgssapi-krb5-2
- Apache/2.2.12 with "mod_auth_kerb"

# Kerberos Server (MIT implementation)
- Ubuntu Server 9.10
- krb5-* packages


# "mod_auth_kerb" config on virtual host :

	> cat /var/www/kwebapp.beeware.org/.htaccess

	<Files "*">
		<Limit GET POST>
		        AuthName "Kerberos Login"
		        AuthType Kerberos
		        Krb5Keytab /tmp/krb5.keytab
		        KrbAuthRealms BEEWARE.ORG
		        KrbMethodNegotiate on
		        KrbMethodK5Passwd on
		        KrbVerifyKDC on
			KrbServiceName WEB
		        Require valid-user
		</Limit>
	</Files>


# Keytab file "/tmp/krb5.keytab" is OK, and readable (good rights)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
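
Added example, not part of the original post: a small parser for the mod_auth_kerb debug lines quoted in the message, which rejoins the mail-wrapped records and lists users whose successful results all carry `authtype=Basic`. It assumes result lines have the `kerb_authenticate_user_<path> ret=N user=U authtype=T` shape seen in the excerpt; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines taken from the Apache excerpt in the post, mail line-wrapping included.
SAMPLE = """\
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=srichet@BEEWARE.ORG authtype=Basic
"""

# A new record starts with an Apache 2.2 style timestamp.
RECORD_START = re.compile(r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] ")
# Assumed shape of a result line, generalised from the one form in the post.
RESULT = re.compile(
    r"\[client (?P<client>\S+)\] kerb_authenticate_user_(?P<path>\w+) "
    r"ret=(?P<ret>-?\d+) user=(?P<user>\S+) authtype=(?P<authtype>\S+)"
)

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def auth_results(text):
    """Return one dict per result line; ret is converted to int."""
    out = []
    for rec in unwrap(text):
        m = RESULT.search(rec)
        if m:
            d = m.groupdict()
            d["ret"] = int(d["ret"])
            out.append(d)
    return out

def password_only_users(text):
    """Users whose every ret=0 result had authtype=Basic."""
    seen = defaultdict(set)
    for r in auth_results(text):
        if r["ret"] == 0:
            seen[r["user"]].add(r["authtype"])
    return sorted(u for u, types in seen.items() if types == {"Basic"})
```

On the excerpt above, both result lines come from `kerb_authenticate_user_krb5pwd` with `authtype=Basic`, which is the password path enabled by `KrbMethodK5Passwd on`.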
