[31920] in Kerberos
Re: Pending "gss_init_sec_context() failed: Unspecified GSS
daemon@ATHENA.MIT.EDU (Sylvain RICHET)
Thu Jan 14 14:16:44 2010
From: Sylvain RICHET <akamanouche@gmail.com>
Date: Thu, 14 Jan 2010 01:58:52 -0800 (PST)
Message-ID: <72a4dfce-fd3f-4dd8-afba-48b3c29275a3@z41g2000yqz.googlegroups.com>
To: kerberos@mit.edu
> The client should *not* have the keytab, the web server has to have
> the keytab with an HTTP/fqdn.of.server@realm principal.
Yes, on my Apache2 (with mod_auth_kerb enabled), there is a keytab
with an entry for the requested service (HTTP/fqdn...).
>> 2) The client user has credentials in KDC. On KDC server, kinit
>> (user) / klist commands show the user.
> What does klist on client show? The user on the client has to
> have tickets, usually by kinit, login (pam_krb5) or ssh delegation.
VERY relevant question!
It becomes clear that, with a Linux client, something has to glue
(just like it is in a w2k environment, at session init, in
interaction with the domain controller).
On the Linux client, this *something* is precisely: kinit!
So, I have launched a kinit command on my Firefox (Ubuntu) client.
And then, sniffing with Wireshark shows me that the SPNEGO token is
transmitted in the headers:
[...]
Authorization: Negotiate YII....
[...]
In the Firefox log (easily enabled by the command: export
NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/negociateauth.log)
there is no more error like:
"gss_init_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information SPNEGO cannot find mechanisms to
negotiate..."
Everything seems to be OK.
> I thought you said you compiled FireFox. I was asking does FireFox
> use its own Kerberos libraries, or Java versions of Kerberos?
No response yet to this question.
> What "negotiateauth"???
> Do you mean in the about:config page, one of the network.negotiate-auth.*
> options? Or is this something else?
NegotiateAuth is the Firefox-side extension for GSS-API support.
Even if [network.nego*] were visible in "about:config",
it wasn't certain that this extension was enabled by default in the
Ubuntu Firefox binary.
A previous post from Russ suggested that I re-compile Firefox with
this extension enabled.
If you download the Firefox sources, you will find this extension in:
./mozilla-central/extensions/auth.
But, finally, no need to do all this stuff.
Just a matter of launching kinit on the client side!!
Once again, thanks a lot, Douglas.
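As an added example, not part of this thread or of any project it mentions: a small Python parser that tells which mechanism a captured "Authorization: Negotiate ..." header actually carries, by decoding the GSS-API InitialContextToken framing and its mechanism OID. The sample headers are constructed here (the inner bytes are padding, not a real NegTokenInit); the "YII" prefix seen in the capture above is simply the base64 of the 0x60 application tag followed by a two-byte DER length.

```python
import base64
OID_NAMES = {  # mechanism OIDs found in a GSS-API InitialContextToken (RFC 2743, 3.1)
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
def der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def read_len(buf, i):  # decode a DER length at buf[i] -> (length, next index)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
def decode_oid(raw):  # OID content bytes -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def classify_negotiate(header_line):
    """Name the mechanism carried by 'Authorization: Negotiate <base64>'."""
    scheme, _, b64 = header_line.split(":", 1)[1].strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # client fell back to raw NTLM
        return "NTLM (raw NTLMSSP, no GSS framing)"
    if not tok or tok[0] != 0x60:  # [APPLICATION 0] InitialContextToken
        return "unrecognised token"
    _, i = read_len(tok, 1)  # skip token length; the mech OID follows
    if tok[i] != 0x06:
        return "unrecognised token"
    n, i = read_len(tok, i + 1)
    oid = decode_oid(tok[i:i + n])
    return OID_NAMES.get(oid, "unknown mechanism " + oid)
def build_token(oid_der, inner):  # constructed sample; inner bytes are padding
    body = oid_der + inner
    return base64.b64encode(b"\x60" + der_len(len(body)) + body).decode()
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
# Constructed headers, not real captures; the 300-byte body forces a two-byte
# long-form length, which is why the token base64 begins "YII" as in the capture.
SAMPLE_SPNEGO = "Authorization: Negotiate " + build_token(SPNEGO_OID, b"\xa0" * 300)
SAMPLE_KRB5 = "Authorization: Negotiate " + build_token(KRB5_OID, b"\x01" * 20)
SAMPLE_NTLM = "Authorization: Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + b"\x00" * 8).decode()
```

Run over proxy or Wireshark-exported headers, this distinguishes a genuine SPNEGO/Kerberos attempt from the NTLM fallback a browser sends when the client has no ticket.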
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos