Mac OSX Safari GSSAPI Bugs?

Jeffrey Hutzelman jhutz at
Tue May 30 00:41:59 EDT 2006

On Tuesday, May 30, 2006 12:19:34 AM -0400 Michael B Allen 
<mba2000 at> wrote:

> On Tue, 30 May 2006 12:46:38 +1000
> Luke Howard <lukeh at> wrote:
>> Apparently this is fixed in 10.4 (the underlying GSS-API implementation
>> is used). So you should probably just upgrade.
>> From looking at the apple website it doesn't look like you can. Safari
> 2 is specific to 10.4 so you have to upgrade the OS which costs $$.
> To add insult to injury, I just downloaded Firefox and discovered it's
> broken in it's own way. If I try to visit
> I get the following error from gss_accept_sec_context:
>  GSS_S_FAILURE: failed to find HTTP/ at FOO.NET(kvno 3)
>        in keytab /var/lib/test/test.keytab
> So it's doing a reverse lookup and using an alias for the machine instead
> of just using the server name entered.

That's the underlying GSS implementation.  Unfortunately, lots of 
implementations currently do that.  RFC4120 specfically prohibits this 
behavior, but many existing implementations do it, probably in part because 
some of the GSS documents used to recommend this behavior.

For now, the workaround is either to give your server multiple keys, so it 
will work with both broken and correct implementations, or make the reverse 
record point to the name you want it to use.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the krbdev mailing list