[31890] in Kerberos


Re: Pending "gss_init_sec_context() failed: Unspecified GSS

daemon@ATHENA.MIT.EDU (Sylvain RICHET)
Fri Jan 8 13:12:38 2010

From: Sylvain RICHET <akamanouche@gmail.com>
Date: Fri, 8 Jan 2010 00:29:18 -0800 (PST)
Message-ID: <68ee2659-9f3b-4494-95a7-5a8787a3f217@m16g2000yqc.googlegroups.com>
To: kerberos@mit.edu

On 7 jan, 20:25, Russ Allbery <r...@stanford.edu> wrote:
> Sylvain RICHET <akamanou...@gmail.com> writes:
> > I really can't manage to solve this error message!  Seems to be a GSS
> > API?  A communication problem between NegotiateAuth (plugged in
> > Firefox) and the underlying GSS API library (libgssapi-krb5-2?)?
> > The authentication process succeeds (as configured in "mod_auth_kerb")
> > but...
> >    1) the NegotiateAuth log traces this error "gss_init_sec_context()
> > failed: Unspecified GSS failure...."
>
> Which means that SPNEGO failed.
>
> >    2) Using WireShark, I can't find any SPNEGO ticket in the data sent
> > by Firefox to webserver after authentication
>
> Which also supports that SPNEGO failed.
>
> > -1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
> > failure.  Minor code may provide more information
> > SPNEGO cannot find mechanisms to negotiate
>
> This implies to me that either the server didn't offer Kerberos GSSAPI as
> an SPNEGO mechanism or the client browser didn't have the libraries
> required to do Kerberos GSSAPI.
>
> > [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
> > 192.168.100.237] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
> > 192.168.100.237] Using WEB/kwebapp.beeware....@BEEWARE.ORG as server
> > principal for password verification
>
> The server didn't do GSSAPI -- it did Basic Auth authentication and then
> verified the password with Kerberos.  If you're happy with that, nothing
> need change, but you're not actually doing SPNEGO or Negotiate-Auth and
> you're exposing the account password to the web server.
>
> Your KDC log supports that this is what is happening and shows no service
> principal request from the browser, which indicates that it never got far
> enough in the Negotiate-Auth dialog to even attempt authentication.
>
> --
> Russ Allbery (r...@stanford.edu)             <http://www.eyrie.org/~eagle/>

Thanks, Russ!
Your opinion concerning my logs leads me a little.
Probably it is a problem on the Kerberos client (that is: Firefox/
NegotiateAuth/GSS-API lib).
That's why the KDC does not log any GSSAPI request (SPNEGO request).
But I didn't find any workaround...
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

