Pending "gss_init_sec_context() failed: Unspecified GSS failure...."

Sylvain RICHET akamanouche at gmail.com
Thu Jan 14 04:58:52 EST 2010


> The client should *not* have the keytab, the web server has to have
> the keytab with an HTTP/fqdn.of.server at realm principal.
Yes, on my Apache2 (with mod_auth_kerb enabled), there is a keytab
with an entry for the requested service (HTTP/fqdn...).

>> 2) The client user has credentials in KDC. On KDC server, kinit
>> (user) / klist commands show the user.
> What does klist on client show? The user on the client has to
> have tickets, usually by kinit, login (pam_krb5) or ssh delegation.

VERY relevant question!
It becomes clear that, with a Linux client, something has to glue
(just like it is in a w2k environment, at session init, in
interaction with the domain controller).
On a Linux client, this *something* is precisely: kinit!

So, I have launched a kinit command on my Firefox (Ubuntu) client.
And then, sniffing with Wireshark shows me that the SPNEGO token is
transmitted in the headers:
[...]
Authorization: Negotiate YII....
[...]

In the Firefox log (easily enabled by the commands:
  export NSPR_LOG_MODULES=negotiateauth:5
  export NSPR_LOG_FILE=/tmp/negociateauth.log
)
there is no more error like:
"gss_init_sec_context() failed: Unspecified GSS failure.  Minor code
may provide more information SPNEGO cannot find mechanisms to
negotiate..."

Everything seems to be ok.


> I thought you said you compiled FireFox. I was asking does FireFox
> use its own Kerberos libraries, or Java versions of Kerberos?
No response yet to this question.


> What "negotiateauth"???
> Do you mean in the about:config page, one of the network.negotiate-auth.*
> options? Or is this something else?

NegotiateAuth is the Firefox-side extension for GSS-API support.
Even if [network.nego*] were visible in "about:config",
it wasn't certain that this extension was enabled by default in the
Ubuntu Firefox binary.
A previous post from Russ suggested that I re-compile Firefox, with
this extension enabled.
If you download the Firefox sources, you will find this extension in:
./mozilla-central/extensions/auth.

But, finally, no need to do all this stuff.
Just a matter of launching kinit on the client side!!

Once again, thanks a lot, Douglas.


