gss_init_sec_context() failed: Unspecified GSS failure (firefox / linux client)
Peter B.
pborky at gmail.com
Thu Jan 6 16:36:07 EST 2011
Dear all,
I have an issue with accessing a web service with Kerberos authentication on a
Linux client; maybe the problem is a wrong krb5 configuration.
The distro is Debian squeeze and the krb5 version is:
libgssapi-krb5-2:
Nainštalovaná verzia: 1.8.3+dfsg-4
Kandidát: 1.8.3+dfsg-4
Tabuľka verzií:
*** 1.8.3+dfsg-4 0
500 http://ftp.cz.debian.org/debian/ squeeze/main amd64 Packages
100 /var/lib/dpkg/status
The service that I am accessing has the FQDNs "service.new.cz" and "service.old.cz",
and the principal is HTTP/service.new.cz@OLD.CZ (there are more services
and the issue is similar).
We have two domain names because formerly the domain name was different, so
now we can use two (I think one is some kind of alias); the migration was not
fully completed. There is one KDC and one realm (I think).
Primarily we use FQDNs like servicex.new.cz, but the realm name is still OLD.CZ.
Firefox gives me messages like:
...
entering nsAuthGSSAPI::GetNextToken()
gss_init_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information
...
When I try Wireshark I can see the KRB5 request, but service.old.cz is visible
instead of service.new.cz in the principal.
I don't know why the FQDN is replaced by another one, but I expect that this
can be configured on the client side.
I tried to play with [capaths] but nothing changed. My complete krb5.conf is
as follows:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = OLD.CZ
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    CSST.CZ = {
        kdc = dc1.new.cz
        admin_server = dc1.new.cz
        default_domain = new.cz
    }

[domain_realm]
    .new.cz = OLD.CZ
    new.cz = OLD.CZ

[capaths]
    NEW.CZ = {
        OLD.CZ = .
    }
    OLD.CZ = {
        NEW.CZ = .
    }

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        addressless = false
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false
Please, could anybody help me?
Thanks in advance.
Sincerely,
Peter Boraros
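As an added diagnostic for the krb5.conf posted above (this is not code from the original message), the following Python parses the [libdefaults], [realms] and [domain_realm] stanzas, resolves a hostname to a realm the way the [domain_realm] lookup does (exact host first, then ".parent.domain" entries, then default_realm), and reports any realm the client must contact that has no [realms] stanza while dns_lookup_kdc is off. The function names and the embedded SAMPLE_CONF (a constructed copy of the relevant posted lines) are assumptions made for the example.

```python
def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}."""
    conf, section, block = {}, {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("["):                # section header, e.g. [realms]
            section = conf.setdefault(line.strip("[]"), {})
            block = None
        elif line == "}":                       # end of a nested block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # start of a nested block
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def realm_for_host(conf, host):
    """Mimic the [domain_realm] lookup: exact host, then ".parent.domain" entries."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # i == 0: exact host; i > 0: ".parent"
        cand = ("." if i else "") + ".".join(labels[i:])
        if cand in mapping:
            return mapping[cand]
    return conf.get("libdefaults", {}).get("default_realm")  # fallback when nothing hits

def check_realm_config(conf):
    """Flag realms the client must contact but cannot locate without DNS SRV lookups."""
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    needed = {libdefaults.get("default_realm")} | set(conf.get("domain_realm", {}).values())
    findings = [f"{r}: no [realms] stanza and dns_lookup_kdc is off"
                for r in sorted(needed - {None}) if r not in realms and not dns_kdc]
    findings += [f"{r}: [realms] stanza never referenced" for r in sorted(set(realms) - needed)]
    return findings

# Constructed copy of the relevant stanzas from the krb5.conf posted above.
SAMPLE_CONF = """[libdefaults]
default_realm = OLD.CZ
dns_lookup_kdc = false
[realms]
CSST.CZ = {
kdc = dc1.new.cz
}
[domain_realm]
.new.cz = OLD.CZ
"""
```

Running `check_realm_config(parse_krb5_conf(SAMPLE_CONF))` reports that OLD.CZ (the realm both default_realm and [domain_realm] point at) has no [realms] stanza while dns_lookup_kdc is off, and that the CSST.CZ stanza is never referenced.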