Pending "gss_init_sec_context() failed: Unspecified GSS failure...."
Sylvain RICHET
akamanouche at gmail.com
Fri Jan 8 03:29:18 EST 2010
On 7 jan, 20:25, Russ Allbery <r... at stanford.edu> wrote:
> Sylvain RICHET <akamanou... at gmail.com> writes:
> > I really don't succeed to solve this error message ! Seems to be a GSS
> > API ? A communication problem between NegotiateAuth (plugged in
> > Firefox) and the underlying GSS API library (libgssapi-krb5-2 ?) ?
> > The authentication process succeeds (as configured in "mod_auth_kerb")
> > but...
> > 1) the NegotiateAuth log traces this error "gss_init_sec_context()
> > failed: Unspecified GSS failure...."
>
> Which means that SPNEGO failed.
>
> > 2) Using Wireshark, I can't find any SPNEGO ticket in the data sent
> > by Firefox to webserver after authentication
>
> Which also supports that SPNEGO failed.
>
> > -1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS
> > failure. Minor code may provide more information
> > SPNEGO cannot find mechanisms to negotiate
>
> This implies to me that either the server didn't offer Kerberos GSSAPI as
> an SPNEGO mechanism or the client browser didn't have the libraries
> required to do Kerberos GSSAPI.
>
> > [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
> > 192.168.100.237] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client
> > 192.168.100.237] Using WEB/kwebapp.beeware.... at BEEWARE.ORG as server
> > principal for password verification
>
> The server didn't do GSSAPI -- it did Basic Auth authentication and then
> verified the password with Kerberos. If you're happy with that, nothing
> need change, but you're not actually doing SPNEGO or Negotiate-Auth and
> you're exposing the account password to the web server.
>
> Your KDC log supports that this is what is happening and shows no service
> principal request from the browser, which indicates that it never got far
> enough in the Negotiate-Auth dialog to even attempt authentication.
>
> --
> Russ Allbery (r... at stanford.edu) <http://www.eyrie.org/~eagle/>
Thanks, Russ !
Your opinion concerning my logs leads me a little.
Probably it is a problem on the Kerberos client (that is: Firefox/
NegotiateAuth/GSS-API lib).
That's why the KDC does not log any GSSAPI request (SPNEGO request).
But I didn't find any workaround...
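
Added example, not part of the original thread: when checking a capture for the distinction drawn above (Basic auth with Kerberos password verification versus a real Negotiate exchange), the request's Authorization header value can be classified by its scheme and the leading bytes of its token. The function name and the sample header values are constructed for illustration.

```python
import base64
import binascii

# DER-encoded mechanism OIDs as they appear in a GSS-API initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def classify_authorization(value):
    """Label one HTTP Authorization header value (as seen in a capture)."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic: password is sent to the web server"
    if scheme.lower() != "negotiate":
        return "other scheme"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "negotiate: token is not valid base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "negotiate: NTLM token, no Kerberos"
    # GSS-API initial tokens: tag 0x60, DER length, then the mechanism OID.
    if token[:1] == b"\x60":
        if SPNEGO_OID in token[:24]:
            if KRB5_OID in token:
                return "negotiate: SPNEGO offering Kerberos"
            return "negotiate: SPNEGO without a Kerberos mechanism"
        if KRB5_OID in token[:24]:
            return "negotiate: raw Kerberos GSS-API token"
    return "negotiate: unrecognised token"


def _negotiate(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample values, not taken from the thread's capture.
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"user:placeholder").decode(),
    # Minimal NegTokenInit carrying only mechTypes = [Kerberos 5].
    "spnego": _negotiate(bytes.fromhex("601b") + SPNEGO_OID
                         + bytes.fromhex("a011300fa00d300b") + KRB5_OID),
    "ntlm": _negotiate(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", classify_authorization(header))
```

A capture in which the only Authorization headers are of the Basic kind matches the server log quoted above, where mod_auth_kerb reports password verification rather than a Negotiate exchange.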