I really can't manage to solve this error message! It seems to be a GSS API problem? A communication problem between NegotiateAuth (plugged into Firefox) and the underlying GSS API library (libgssapi-krb5-2?)?
The authentication process succeeds (as configured in "mod_auth_kerb") but...
1) the NegotiateAuth log traces this error: "gss_init_sec_context() failed: Unspecified GSS failure...."
2) Using Wireshark, I can't find any SPNEGO ticket in the data sent by Firefox to the webserver after authentication

I browsed a lot and found many posts about gss_init_sec_context() and the error message, but they didn't help me: the given workarounds don't match my problem.

# ON BROWSER SIDE
-----------------
> tail -f /tmp/negotiateauth.log
-1217141024[b742e1c0]: service = kwebapp.beeware.org
-1217141024[b742e1c0]: using negotiate-gss
-1217141024[b742e1c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1217141024[b742e1c0]: Attempting to load gss functions
-1217141024[b742e1c0]: entering nsAuthGSSAPI::Init()
-1217141024[b742e1c0]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

==>
==> As you can see, the problem is: "gss_init_sec_context() failed: Unspecified GSS failure...."
==>

# ON APACHE SIDE
-----------------
> tail -f /var/log/apache2/error.log
[Thu Jan 07 11:17:05 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:05 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 486 to 328 : URL /
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware....@beeware.org as server principal for password verification
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware....@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.237] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1023): [client 192.168.100.237] Using WEB/kwebapp.beeware....@beeware.org as server principal for password verification
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(691): [client 192.168.100.237] Trying to get TGT for user sric...@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(605): [client 192.168.100.237] Trying to verify authenticity of KDC using principal WEB/kwebapp.beeware....@beeware.org
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.168.100.237] kerb_authenticate_user_krb5pwd ret=0 user=sric...@beeware.org authtype=Basic
[Thu Jan 07 11:17:13 2010] [debug] mod_deflate.c(615): [client 192.168.100.237] Zlib: Compressed 102 to 91 : URL /index.html

==> On the Apache side, everything seems to be OK

# ON SERVER SIDE (KDC)
----------------------
> tail -f /var/log/krb5kdc.log
Jan 07 11:19:48 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859588, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for WEB/kwebapp.beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for krbtgt/beeware....@beeware.org
Jan 07 11:19:49 ubuntu krb5kdc[5648](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.191.1: ISSUE: authtime 1262859589, etypes {rep=18 tkt=18 ses=18}, sric...@beeware.org for WEB/kwebapp.beeware....@beeware.org

==> On the KDC side, everything seems to be OK too.

# CONFIGURATION
---------------

# Kerberos Client (Firefox) :
- Firefox 3.5.6 (on Ubuntu 9.10) with NegotiateAuth
- lib GSS : libgssapi-krb5-2
- Apache/2.2.12 with "mod-auth_kerb"

# Kerberos Server (MIT implementation)
- Ubuntu Server 9.10
- krb5-* packages

# "mod-auth_kerb" config on virtual host :
> cat /var/www/kwebapp.beeware.org/.htaccess
<Files "*">
<Limit GET POST>
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /tmp/krb5.keytab
KrbAuthRealms BEEWARE.ORG
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbVerifyKDC on
KrbServiceName WEB
Require valid-user
</Limit>
</Files>

# Keytab file "/tmp/krb5.keytab" is OK, and readable (good rights)

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
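
Added example, not part of the original post and not code from mod_auth_kerb or Firefox: the Apache lines quoted above end in "kerb_authenticate_user_krb5pwd ret=0 ... authtype=Basic", the password path enabled by "KrbMethodK5Passwd on", while the browser log records a gss_init_sec_context() failure. This sketch pairs the two signals to tell a password login from a SPNEGO one. The sample lines, client address and user name are constructed, the function names are hypothetical, and it assumes the minor-status text sits on the line after the failure message.

```python
import re

# Constructed sample lines in the format of the logs quoted above
# (client address and user name are placeholders, not values from the post).
APACHE_LOG = """\
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(1579): [client 192.0.2.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Jan 07 11:17:12 2010] [debug] src/mod_auth_kerb.c(691): [client 192.0.2.10] Trying to get TGT for user alice@EXAMPLE.ORG
[Thu Jan 07 11:17:13 2010] [debug] src/mod_auth_kerb.c(1105): [client 192.0.2.10] kerb_authenticate_user_krb5pwd ret=0 user=alice@EXAMPLE.ORG authtype=Basic
"""
BROWSER_LOG = """\
-1217141024[b742e1c0]: entering nsAuthGSSAPI::GetNextToken()
-1217141024[b742e1c0]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1217141024[b742e1c0]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
"""

PWD_RESULT = re.compile(
    r"\[client (?P<client>[^\]]+)\] kerb_authenticate_user_krb5pwd "
    r"ret=(?P<ret>-?\d+) user=(?P<user>\S+) authtype=(?P<authtype>\S+)")
GSS_FAIL = re.compile(r"gss_init_sec_context\(\) failed: (?P<major>.+)")

def password_path_logins(apache_log):
    """Return (client, user, authtype) for each successful krb5pwd verification."""
    return [(m["client"], m["user"], m["authtype"])
            for m in PWD_RESULT.finditer(apache_log) if m["ret"] == "0"]

def gss_failures(browser_log):
    """Return (major, minor) status text for each gss_init_sec_context() failure."""
    lines = browser_log.splitlines()
    out = []
    for i, line in enumerate(lines):
        m = GSS_FAIL.search(line)
        if m:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # A line starting with the NSPR thread prefix is a new entry, not a minor status.
            minor = "" if re.match(r"-?\d+\[[0-9a-f]+\]:", nxt) else nxt.strip()
            out.append((m["major"].strip(), minor))
    return out

def triage(apache_log, browser_log):
    """Classify how the session was authenticated from the two logs."""
    pwd, gss = password_path_logins(apache_log), gss_failures(browser_log)
    if pwd and gss:
        return "password-fallback"  # no SPNEGO token; Basic credentials checked against the KDC
    if pwd:
        return "password"
    return "gss-failed" if gss else "unknown"
```

A "password-fallback" result means the user's password crossed the HTTP connection in a Basic Authorization header, so it is worth alerting on wherever Negotiate is the intended method.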