Pending "gss_init_sec_context() failed: Unspecified GSS failure...."
Sylvain RICHET
akamanouche at gmail.com
Thu Jan 14 04:58:52 EST 2010
> The client should *not* have the keytab, the web server has to have
> the keytab with an HTTP/fqdn.of.server at realm principal.
Yes, on my Apache2 (with mod_auth_kerb enabled), there is a keytab
with an entry for the requested service (HTTP/fqdn...)
>> 2) The client user has credentials in KDC. On KDC server, kinit
>> (user) / klist commands show the user.
> What does klist on client show? The user on the client has to
> have tickets, usually by kinit, login (pam_krb5) or ssh delegation.
VERY relevant question!
It becomes clear that, with a Linux client, something has to glue
(just like it is in a w2k environment, at the session init, in
interaction with the domain controller).
On a Linux client, this *something* is precisely: kinit!
So, I have launched a kinit command on my Firefox (Ubuntu) client.
And then, sniffing with Wireshark shows me that the SPNEGO token is
transmitted in headers:
[...]
Authorization: Negotiate YII....
[...]
In Firefox log (easily enabled by command:
export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/negociateauth.log)
no more error like:
"gss_init_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information SPNEGO cannot find mechanisms to
negotiate..."
Everything seems to be ok.
> I thought you said you compiled Firefox. I was asking does Firefox
> use its own Kerberos libraries, or Java versions of Kerberos?
No response yet to this question.
> What "negotiateauth"???
> Do you mean in the about:config page, one of the network.negotiate-auth.*
> options? Or is this something else?
NegotiateAuth is the Firefox-side extension for GSS-API support.
Even if [network.nego*] were visible in "about:config",
it wasn't sure that this extension was enabled by default in the
Ubuntu Firefox binary.
A previous post from Russ suggested that I recompile Firefox, with
this extension enabled.
If you download the Firefox sources, you will find this extension in:
./mozilla-central/extensions/auth.
But, finally, no need to do all this stuff.
Just a matter of launching kinit on the client side!!
Once again, thanks a lot, Douglas.