Mac OSX Safari GSSAPI Bugs?

Jeffrey Hutzelman jhutz at cmu.edu
Tue May 30 00:41:59 EDT 2006



On Tuesday, May 30, 2006 12:19:34 AM -0400 Michael B Allen 
<mba2000 at ioplex.com> wrote:

> On Tue, 30 May 2006 12:46:38 +1000
> Luke Howard <lukeh at padl.com> wrote:
>
>> Apparently this is fixed in 10.4 (the underlying GSS-API implementation
>> is used). So you should probably just upgrade.
>
> From looking at the Apple website it doesn't look like you can. Safari
> 2 is specific to 10.4 so you have to upgrade the OS which costs $$.
>
> To add insult to injury, I just downloaded Firefox and discovered it's
> broken in its own way. If I try to visit http://www1.foo.net/test.html
> I get the following error from gss_accept_sec_context:
>
>  GSS_S_FAILURE: failed to find HTTP/quark.foo.net@FOO.NET(kvno 3)
>        in keytab /var/lib/test/test.keytab
>
> So it's doing a reverse lookup and using an alias for the machine instead
> of just using the server name entered.

That's the underlying GSS implementation.  Unfortunately, lots of 
implementations currently do that.  RFC4120 specifically prohibits this 
behavior, but many existing implementations do it, probably in part because 
some of the GSS documents used to recommend this behavior.

For now, the workaround is either to give your server multiple keys, so it 
will work with both broken and correct implementations, or make the reverse 
record point to the name you want it to use.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
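
An added example, not part of the original message: a small admin-side check that lists the service principals a server would need keys for so that both clients that use the name as typed and clients that canonicalize through reverse DNS can authenticate. The function names, the address 192.0.2.10 and the keytab contents are assumptions made for the illustration; the host names and realm are the ones quoted in the thread.

```python
import socket

# Constructed sample data: host names are from the message, the address is a
# documentation-range placeholder, and the keytab list is assumed.
SAMPLE_A = {"www1.foo.net": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "quark.foo.net"}
SAMPLE_KEYTAB = ["HTTP/www1.foo.net@FOO.NET"]

def system_forward(host):
    """Addresses the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def system_reverse(ip):
    """PTR name the system resolver returns for ip."""
    return socket.gethostbyaddr(ip)[0]

def candidate_principals(typed_host, realm, service="HTTP",
                         forward=system_forward, reverse=system_reverse):
    """Principals a client may request: first the name as typed, then each
    name a client that canonicalizes through reverse DNS would use."""
    names = [typed_host.rstrip(".").lower()]
    for ip in forward(typed_host):
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except (OSError, KeyError):   # no PTR record for this address
            continue
        if ptr not in names:
            names.append(ptr)
    return [f"{service}/{name}@{realm}" for name in names]

def missing_from_keytab(candidates, keytab_principals):
    """Candidates with no key, e.g. compared against `klist -k` output."""
    have = set(keytab_principals)
    return [p for p in candidates if p not in have]

if __name__ == "__main__":
    cands = candidate_principals("www1.foo.net", "FOO.NET",
                                 forward=SAMPLE_A.__getitem__,
                                 reverse=SAMPLE_PTR.__getitem__)
    for principal in missing_from_keytab(cands, SAMPLE_KEYTAB):
        print("no key for", principal)
```

Called without the `forward` and `reverse` arguments, `candidate_principals` queries the system resolver instead of the constructed maps.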




More information about the krbdev mailing list