gss_init_sec_context() failed: Unspecified GSS failure (firefox / linux client)

Peter B. pborky at
Thu Jan 6 16:36:07 EST 2011

Dear all,

I have an issue with accessing a web service with Kerberos authentication on
a Linux client; maybe the problem is a wrong krb5 configuration.

Distro is Debian squeeze and krb5 is
  Nainštalovaná verzia: 1.8.3+dfsg-4
  Kandidát:             1.8.3+dfsg-4
  Tabuľka verzií:
 *** 1.8.3+dfsg-4 0
        500 squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

The service that I am accessing has FQDNs "" and "",
and the principal is HTTP/ at OLD.CZ. (There are more services
and the issue is similar.)

We have two domain names because formerly the domain name was different, so
now we can use two (I think one is some kind of alias) - migration was not
fully completed, the KDC is one, the realm is one (I think).
Primarily we use FQDNs like but the realm name is still OLD.CZ.

firefox gives me messages like:
entering nsAuthGSSAPI::GetNextToken()
gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information
When I try Wireshark I can see a KRB5 request, but there is visible s instead of  in the principal.

I don't know why the FQDN is replaced by another one, but I expect that this
can be configured on the client side.
I tried to play with [capaths] but nothing changed. My complete krb5.conf is
as follows:

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = OLD.CZ
  dns_lookup_realm = false
dns_lookup_kdc = false

kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

fcc-mit-ticketflags = true

kdc =
admin_server =
default_domain =

[domain_realm] = OLD.CZ = OLD.CZ

NEW.CZ = {
OLD.CZ = .
OLD.CZ = {
NEW.CZ = .

pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
addressless = false

krb4_convert = true
krb4_get_tickets = false

Please could anybody help me?

Thanks in advance

Peter Boraros
