I really can't manage to solve this error message!
Seems to be a GSS API?
A communication problem between NegotiateAuth (plugged into Firefox)
and the underlying GSS API library (libgssapi-krb5-2?)?


The authentication process succeeds (as configured in "mod_auth_kerb")
but...

        1) the NegotiateAuth log traces this error: "gss_init_sec_context() failed: Unspecified GSS failure...."
        2) Using Wireshark, I can't find any SPNEGO ticket in the data sent by Firefox to the web server after authentication


I browsed a lot and found many posts related to gss_init_sec_context()
and the error message.
But it didn't help me: the given workarounds don't match my problem.


# ON BROWSER SIDE
-----------------

> tail -f /tmp/negotiateauth.log

-1217141024[b742e1c0]:   service = kwebapp.beeware.org
-1217141024[b742e1c0]:   using negotiate-gss
-1217141024[b742e1c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1217141024[b742e1c0]: Attempting to load gss functions
-1217141024[b742e1c0]: entering nsAuthGSSAPI::Init()
-1217141024[b742e1c0]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

==>
==> As you can see, the problem is: "gss_init_sec_context() failed: Unspecified GSS failure...."
==>



# ON APACHE SIDE
-----------------

> tail -f /var/log/apache2/error.log

[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:05 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 486 to 328 : URL /
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware....@beeware.org as server principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware....@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware....@beeware.org as server principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware....@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html

==> On Apache side, everything seems to be ok


# ON SERVER SIDE (KDC)
----------------------

> tail -f /var/log/krb5kdc.log

Jan 07 11:19:48 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for WEB/kwebapp.beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for WEB/kwebapp.beeware....@beeware.org


==> On KDC side, everything seems to be ok too.



# CONFIGURATION
---------------

# Kerberos Client (Firefox) :
- Firefox 3.5.6 (on Ubuntu 9.10) with NegotiateAuth
- lib GSS : libgssapi-krb5-2
- Apache/2.2.12 with "mod_auth_kerb"

# Kerberos Server (MIT implementation)
- Ubuntu Server 9.10
- krb5-* packages


# "mod_auth_kerb" config on virtual host :

        > cat /var/www/kwebapp.beeware.org/.htaccess

        <Files "*">
                <Limit GET POST>
                        AuthName "Kerberos Login"
                        AuthType Kerberos
                        Krb5Keytab /tmp/krb5.keytab
                        KrbAuthRealms BEEWARE.ORG
                        KrbMethodNegotiate on
                        KrbMethodK5Passwd on
                        KrbVerifyKDC on
                        KrbServiceName WEB
                        Require valid-user
                </Limit>
        </Files>


# Keytab file "/tmp/krb5.keytab" is OK, and readable (good rights)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

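Added example, not part of the original post: a small parser for mod_auth_kerb debug lines in the format shown in the Apache log above. It rejoins the hard-wrapped records and counts the requests that completed through kerb_authenticate_user_krb5pwd with authtype=Basic, which is the password path enabled by KrbMethodK5Passwd and not a Negotiate exchange. The sample log is constructed, with a placeholder user and realm.

```python
import re
from collections import Counter

# Constructed sample in the format of the Apache error.log excerpt in the
# post, including mail-style line wrapping; user and realm are placeholders.
SAMPLE_LOG = """\
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client
192.168.100.237] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client
192.168.100.237] Trying to get TGT for user alice@EXAMPLE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client
192.168.100.237] kerb_authenticate_user_krb5pwd ret=0
user=alice@EXAMPLE.ORG authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client
192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html
"""

# A record starts with an Apache 2.2 style timestamp in brackets.
RECORD_START = re.compile(r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] ")
# Result line written by the password-verification path.
PWD_RESULT = re.compile(
    r"\[client (?P<client>\S+)\] kerb_authenticate_user_krb5pwd "
    r"ret=(?P<ret>-?\d+) user=(?P<user>\S+) authtype=(?P<authtype>\S+)"
)

def join_records(text):
    """Rebuild one string per log record from hard-wrapped lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()  # continuation of previous record
    return records

def password_path_logins(text):
    """Count successful password (Basic) authentications per (client, user)."""
    hits = Counter()
    for record in join_records(text):
        m = PWD_RESULT.search(record)
        if m and m["ret"] == "0" and m["authtype"] == "Basic":
            hits[(m["client"], m["user"])] += 1
    return hits

if __name__ == "__main__":
    for (client, user), n in password_path_logins(SAMPLE_LOG).items():
        print(f"{client} {user}: {n} login(s) via password (Basic), not Negotiate")
```

A non-empty result means the browser supplied a password in a Basic Authorization header for those requests, so the web server saw the user's Kerberos password.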