Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

Douglas E. Engert deengert at anl.gov
Wed Jan 13 15:36:26 EST 2010 


Sylvain RICHET wrote:
> Hi Douglas,
> 
>>   Have you tried Wireshark or other analyzer to see what might be going on?
> Yes, a lot.
> 
>>   Do you have a krb5.conf file?
> Yes of course, there is a krb5.conf file on client machine.
> 
>>   Does the web server support GSS? What is the server?
> Apache/2.2.12 (Ubuntu), with mod_auth_kerb.
> I suppose that, whether Apache2 can plug a kerberos module, then it
> supports GSS ?...
> 
>>   Does the client have user credentials? (klist)
> 1) The client have the keytab with the entry concerning the targeted
> service.

The client should *not* have the keytab, the web server has to have
the keytab with an HTTP/fqdn.of.server at realm principal.


> 2) The client user has credentials in KDC. On KDC server, kinit
> (user) / klist commands show the user.

What does klist on client show? The user on the client has to
have have tickets, usually by kinit, login (pam_krb5) or ssh delegation.


> 
>>   Have you posted the problem on modauthkerb-h... at lists.sourceforge.net
>>   (I expect most of the people are on this list too.)
> I subscribed last week, and  I have already tried to... but i'm "read-
> only" on that list
> (how to get POST authorization ? i don't know...)
> 
>>   Since you built FireFox, what code did it use for the native-gsslib?
>>   Is it Java?
> sorry, I don't understand what you mean because i do not have any
> specific idea on how it works.

I thought you said you complied FireFox. I was asking does FireFox
use its own Kerberos libraries, of Java versions of Kerberos?


> I just noticed there's an "negotiateauth" to enable... (if not yet
> enable in Firefox Ubuntu version !)

What "negotiateauth"???

Do you mean in the about:config page, one of the network.negotiate-auth.*
options? Or is this something else?

> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list