
Re: Pending "gss_init_sec_context() failed: Unspecified GSS

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jan 7 14:25:27 2010

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <ceeb9934-a14d-4c50-8796-e3e18c68bb99@s31g2000yqs.googlegroups.com>
	(Sylvain RICHET's message of "Thu, 7 Jan 2010 06:06:38 -0800 (PST)")
Date: Thu, 07 Jan 2010 11:25:15 -0800
Message-ID: <87pr5lg1k4.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Sylvain RICHET <akamanouche@gmail.com> writes:

> I really don't succeed in solving this error message!  Seems to be a GSS
> API?  A communication problem between NegotiateAuth (plugged into
> Firefox) and the underlying GSS API library (libgssapi-krb5-2 ?)?

> The authentication process succeeds (as configured in "mod_auth_kerb")
> but...

> 	1) the NegotiateAuth log traces this error "gss_init_sec_context()
> failed: Unspecified GSS failure...."

Which means that SPNEGO failed.

> 	2) Using Wireshark, I can't find any SPNEGO ticket in the data sent
> by Firefox to the webserver after authentication

Which also supports that SPNEGO failed.

> -1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate

This implies to me that either the server didn't offer Kerberos GSSAPI as
an SPNEGO mechanism or the client browser didn't have the libraries
required to do Kerberos GSSAPI.

> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
> 192.168.100.237] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
> 192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server
> principal for password verification

The server didn't do GSSAPI -- it did Basic Auth authentication and then
verified the password with Kerberos.  If you're happy with that, nothing
need change, but you're not actually doing SPNEGO or Negotiate-Auth and
you're exposing the account password to the web server.

Your KDC log supports that this is what is happening and shows no service
principal request from the browser, which indicates that it never got far
enough in the Negotiate-Auth dialog to even attempt authentication.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
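An added illustration, not part of the thread above: a mod_auth_kerb configuration consistent with the quoted log (Basic fallback to password verification) next to one that only accepts Negotiate. The hostname and realm come from the quoted log; the keytab path, the Location, and the assumption that KrbServiceName was set to WEB are mine.

```apache
# Added example, not from the thread. Host and realm are from the quoted
# mod_auth_kerb log; keytab path and Location are assumptions.

# --- Configuration consistent with the quoted log (weak) ---
# With KrbMethodK5Passwd On, a browser that cannot complete Negotiate falls
# back to Basic auth: the clear-text password reaches Apache, which verifies
# it against the KDC. The user is "authenticated", but SPNEGO never ran and
# the password was exposed to the web server, which is what the log shows.
# KrbServiceName WEB is assumed because the log names WEB/kwebapp.beeware.org;
# browsers ask the KDC for HTTP/<fqdn>, so they cannot match this principal.
<Location /kwebapp>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbServiceName WEB
    KrbAuthRealms BEEWARE.ORG
    Krb5KeyTab /etc/apache2/http.keytab
    # If the password path is kept, at least verify the KDC with the
    # service key so a spoofed KDC cannot vouch for an attacker's password.
    KrbVerifyKDC On
    Require valid-user
</Location>

# --- Hardened: Negotiate only, no password fallback ---
# KrbServiceName HTTP makes the server principal HTTP/kwebapp.beeware.org,
# which is what Firefox requests a service ticket for; that principal must
# be present in the keytab. Turning K5Passwd off makes a broken SPNEGO setup
# fail loudly (401, no retry with Basic) instead of silently accepting
# passwords, so the failure is visible in the logs and no password reaches
# the web server.
<Location /kwebapp>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP
    KrbAuthRealms BEEWARE.ORG
    Krb5KeyTab /etc/apache2/http.keytab
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

With the hardened variant, a successful login should show up in the KDC log as a TGS request for HTTP/kwebapp.beeware.org from the client, and in the mod_auth_kerb debug log without the "password verification" line.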
