Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

Russ Allbery rra at stanford.edu
Thu Jan 7 14:25:15 EST 2010


Sylvain RICHET <akamanouche at gmail.com> writes:

> I really can't manage to resolve this error message!  Seems to be a GSS
> API?  A communication problem between NegotiateAuth (plugged in
> Firefox) and the underlying GSS API library (libgssapi-krb5-2?)?

> The authentication process succeeds (as configured in "mod_auth_kerb")
> but...

> 	1) the NegotiateAuth log traces this error "gss_init_sec_context()
> failed: Unspecified GSS failure...."

Which means that SPNEGO failed.

> 	2) Using WireShark, I can't find any SPNEGO ticket in the data sent
> by Firefox to webserver after authentication

Which also supports that SPNEGO failed.

> -1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate

This implies to me that either the server didn't offer Kerberos GSSAPI as
an SPNEGO mechanism or the client browser didn't have the libraries
required to do Kerberos GSSAPI.

> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
> 192.168.100.237] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
> 192.168.100.237] Using WEB/kwebapp.beeware.org at BEEWARE.ORG as server
> principal for password verification

The server didn't do GSSAPI -- it did Basic Auth authentication and then
verified the password with Kerberos.  If you're happy with that, nothing
need change, but you're not actually doing SPNEGO or Negotiate-Auth and
you're exposing the account password to the web server.

Your KDC log supports that this is what is happening and shows no service
principal request from the browser, which indicates that it never got far
enough in the Negotiate-Auth dialog to even attempt authentication.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
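
Added example, not part of the message above and not mod_auth_kerb code: a triage sketch for the two pieces of evidence the thread discusses, the Authorization header seen in a packet capture and the mod_auth_kerb debug log. The function names and sample token bytes are assumptions constructed here; the log pattern is the message text quoted in the thread.

```python
import base64
import re

# DER-encoded mechanism OIDs found at the start of a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

# Message text taken from the mod_auth_kerb debug lines quoted in the thread.
PASSWORD_VERIFY = re.compile(
    r"\[client (?P<client>[^\]]+)\] Using (?P<principal>.+?) "
    r"as server principal for password verification")


def classify_authorization(value):
    """Classify one captured HTTP Authorization header value."""
    scheme, _, cred = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic-password"        # password itself reaches the web server
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(cred.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "negotiate-malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "negotiate-ntlm"        # NTLM inside Negotiate, no Kerberos
    if token[:1] == b"\x60":           # GSS-API InitialContextToken tag
        if SPNEGO_OID in token[:20]:
            return "negotiate-spnego"
        if KRB5_OID in token[:20]:
            return "negotiate-krb5"
    return "negotiate-unknown"


def password_verified_clients(log_lines):
    """Map client address to server principal for password verifications."""
    matches = (PASSWORD_VERIFY.search(line) for line in log_lines)
    return {m["client"]: m["principal"] for m in matches if m}

# Constructed samples: the log line is the thread's own, joined onto one line.
SAMPLE_LOG = [
    "[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client "
    "192.168.100.237] Using WEB/kwebapp.beeware.org at BEEWARE.ORG as server "
    "principal for password verification",
]
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x03\x30\x01\x00").decode()
if __name__ == "__main__":
    print(password_verified_clients(SAMPLE_LOG))
    print(classify_authorization(SAMPLE_SPNEGO))
```

A client that appears in the password-verification map and whose capture shows only "basic-password" headers matches the situation described in the reply: no Negotiate exchange took place.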