Pending "gss_init_sec_context() failed: Unspecified GSS failure...."
Sylvain RICHET
akamanouche at gmail.com
Thu Jan 7 09:06:38 EST 2010
I really can't solve this error message!
Seems to be a GSS API issue?
A communication problem between NegotiateAuth (plugged into Firefox)
and the underlying GSS API library (libgssapi-krb5-2?)?
The authentication process succeeds (as configured in "mod_auth_kerb")
but...
1) the NegotiateAuth log traces this error: "gss_init_sec_context()
failed: Unspecified GSS failure...."
2) Using Wireshark, I can't find any SPNEGO ticket in the data sent
by Firefox to the web server after authentication
I browsed a lot, and found many posts relating to gss_init_sec_context()
and the error message.
But it didn't help me: the workarounds given don't match my problem.
# ON BROWSER SIDE
-----------------
> tail -f /tmp/negotiateauth.log
-1217141024[b742e1c0]: service = kwebapp.beeware.org
-1217141024[b742e1c0]: using negotiate-gss
-1217141024[b742e1c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1217141024[b742e1c0]: Attempting to load gss functions
-1217141024[b742e1c0]: entering nsAuthGSSAPI::Init()
-1217141024[b742e1c0]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
==> As you can see, the problem is: "gss_init_sec_context() failed: Unspecified GSS failure...."
# ON APACHE SIDE
-----------------
> tail -f /var/log/apache2/error.log
[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:05 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 486 to 328 : URL /
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware.org@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=srichet@BEEWARE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware.org@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=srichet@BEEWARE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html
==> On Apache side, everything seems to be ok
# ON SERVER SIDE (KDC)
----------------------
> tail -f /var/log/krb5kdc.log
Jan 07 11:19:48 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, srichet@BEEWARE.ORG for krbtgt/BEEWARE.ORG@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, srichet@BEEWARE.ORG for WEB/kwebapp.beeware.org@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, srichet@BEEWARE.ORG for krbtgt/BEEWARE.ORG@BEEWARE.ORG
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, srichet@BEEWARE.ORG for WEB/kwebapp.beeware.org@BEEWARE.ORG
==> On KDC side, everything seems to be ok too.
# CONFIGURATION
---------------
# Kerberos Client (Firefox):
- Firefox 3.5.6 (on Ubuntu 9.10) with NegotiateAuth
- GSS library: libgssapi-krb5-2
- Apache/2.2.12 with "mod-auth_kerb"
# Kerberos Server (MIT implementation):
- Ubuntu Server 9.10
- krb5-* packages
# "mod-auth_kerb" config on virtual host :
> cat /var/www/kwebapp.beeware.org/.htaccess
<Files "*">
<Limit GET POST>
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /tmp/krb5.keytab
KrbAuthRealms BEEWARE.ORG
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbVerifyKDC on
KrbServiceName WEB
Require valid-user
</Limit>
</Files>
# Keytab file "/tmp/krb5.keytab" is OK, and readable (good rights)
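One detail in the Apache trace above is worth pulling out: both completed requests end in "kerb_authenticate_user_krb5pwd ret=0 ... authtype=Basic". That is the KrbMethodK5Passwd path, not the GSS/Negotiate path, so the login "succeeded" because the browser, having no SPNEGO token to send (the Firefox log says "SPNEGO cannot find mechanisms to negotiate"), fell back to Basic and sent the user's password to Apache, which then verified it by requesting a TGT from the KDC itself ("Trying to get TGT for user srichet@BEEWARE.ORG"). With KrbMethodK5Passwd on, a broken Negotiate setup therefore degrades silently into password-over-HTTP. The script below is an added example, not part of the original post or of mod_auth_kerb: it parses the mod_auth_kerb debug result lines and the Krb* directives to report which mechanism actually completed and whether the password fallback is enabled. The sample log and .htaccess are constructed from the post; the "kerb_authenticate_user_gss ... authtype=Negotiate" line is an assumed format for the GSS path, and treating KrbMethodK5Passwd as on when the directive is absent follows the module's documented default (an assumption here).

```python
"""Spot mod_auth_kerb password fallback from Apache debug logs.

Added example (not from the original post or from mod_auth_kerb). It reads the
"kerb_authenticate_user_* ret=... user=... authtype=..." debug lines written at
the end of each authentication attempt and flags logins that completed via
Basic (password), i.e. where Negotiate did not deliver a usable SPNEGO token.
"""
import re
from collections import Counter

# Constructed sample, modelled on the mod_auth_kerb lines in the post plus one
# line for the GSS path (assumed format: same pattern with "_gss"/"Negotiate").
SAMPLE_APACHE_LOG = """\
[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware.org@BEEWARE.ORG as server principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user srichet@BEEWARE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=srichet@BEEWARE.ORG authtype=Basic
[Thu Jan 07 11:18:02 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.240] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:18:02 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.240] kerb_authenticate_user_gss ret=0 user=alice@BEEWARE.ORG authtype=Negotiate
"""

# Constructed from the .htaccess shown in the post.
SAMPLE_HTACCESS = """\
<Files "*">
  <Limit GET POST>
    AuthName "Kerberos Login"
    AuthType Kerberos
    Krb5Keytab /tmp/krb5.keytab
    KrbAuthRealms BEEWARE.ORG
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbVerifyKDC on
    KrbServiceName WEB
    Require valid-user
  </Limit>
</Files>
"""

# Matches the final debug line of an attempt; "path" tells which code path ran.
AUTH_RESULT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] "
    r"kerb_authenticate_user_(?P<path>krb5pwd|gss) ret=(?P<ret>-?\d+) "
    r"user=(?P<user>\S+) authtype=(?P<authtype>\S+)"
)


def parse_auth_results(log_text):
    """One dict (client, path, ret, user, authtype) per completed attempt."""
    results = []
    for line in log_text.splitlines():
        m = AUTH_RESULT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["ret"] = int(rec["ret"])  # 0 means the module accepted the login
            results.append(rec)
    return results


def summarize_authtypes(log_text):
    """Count successful logins per mechanism actually used (Basic vs Negotiate)."""
    return Counter(r["authtype"] for r in parse_auth_results(log_text) if r["ret"] == 0)


def find_password_fallbacks(log_text):
    """(client, user) pairs whose login completed via Basic: the browser sent a
    password instead of a SPNEGO token, so Negotiate failed for that client."""
    return [(r["client"], r["user"])
            for r in parse_auth_results(log_text)
            if r["ret"] == 0 and r["authtype"] == "Basic"]


def parse_mod_auth_kerb_directives(htaccess_text):
    """Map Krb* directives to lower-cased values; container tags and comments are skipped."""
    directives = {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("Krb"):
            directives[parts[0]] = parts[1].strip().lower() if len(parts) > 1 else ""
    return directives


def password_fallback_enabled(htaccess_text):
    """True when KrbMethodK5Passwd is on. Absent directive is treated as on
    (assumption: mod_auth_kerb's documented default)."""
    return parse_mod_auth_kerb_directives(htaccess_text).get("KrbMethodK5Passwd", "on") == "on"


if __name__ == "__main__":
    print("logins by mechanism:", dict(summarize_authtypes(SAMPLE_APACHE_LOG)))
    for client, user in find_password_fallbacks(SAMPLE_APACHE_LOG):
        print(f"WARNING: {user} from {client} authenticated with a password (Negotiate not used)")
    if password_fallback_enabled(SAMPLE_HTACCESS):
        print("KrbMethodK5Passwd is on: a failed Negotiate silently degrades to Basic")
```

Run against the real error.log while reproducing the browser request; a Negotiate that actually works shows up as the gss path with authtype=Negotiate, and the KDC log should then show a TGS_REQ from the browser host rather than an AS_REQ for the user coming from the web server. Turning KrbMethodK5Passwd off while debugging makes the failure visible as a 401 instead of a password prompt.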