> The client should *not* have the keytab, the web server has to have
> the keytab with an HTTP/fqdn.of.ser...@realm principal.

Yes, on my Apache2 (with mod_auth_kerb enabled), there is a keytab with an entry for the requested service (HTTP/fqdn...).

>> 2) The client user has credentials in KDC. On KDC server, kinit
>> (user) / klist commands show the user.
> What does klist on client show? The user on the client has to
> have tickets, usually by kinit, login (pam_krb5) or ssh delegation.

VERY relevant question! It becomes clear that, with a Linux client, something has to do the gluing (just like it is in a w2k environment, at session init, in interaction with the domain controller). On a Linux client, this *something* is precisely: kinit!

So, I have launched a kinit command on my Firefox (Ubuntu) client. And then, sniffing with Wireshark shows me that the SPNEGO token is transmitted in the headers:

[...]
Authorization: Negotiate YII....
[...]

In the Firefox log (easily enabled by the command: export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/negociateauth.log) there is no more error like:

"gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate..."

Everything seems to be OK.

> I thought you said you compiled Firefox. I was asking does Firefox
> use its own Kerberos libraries, or Java versions of Kerberos?

No response yet to this question.

> What "negotiateauth"???
> Do you mean in the about:config page, one of the network.negotiate-auth.*
> options? Or is this something else?

NegotiateAuth is the Firefox-side extension for GSS-API support. Even if [network.nego*] were visible in "about:config", it wasn't certain that this extension was enabled by default in the Ubuntu Firefox binary. A previous post from Russ suggested that I re-compile Firefox with this extension enabled. If you download the Firefox sources, you will find this extension in ./mozilla-central/extensions/auth. But, finally, no need to do all this stuff. Just a matter of launching kinit on the client side!!

Once again, thanks a lot, Douglas.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
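As an added illustration (not code from this thread, nor from Firefox or mod_auth_kerb), here is a small Python decoder for the `Authorization: Negotiate` header that shows up in the sniffed request once the client has a ticket. It checks that the base64 blob is a GSS-API InitialContextToken wrapping SPNEGO, lists the mechanisms the client offers, and reports whether Kerberos is offered first, which is what a Kerberos-only module on the Apache side needs. The token is constructed locally from a placeholder mechToken rather than captured from a real KDC exchange; the field layouts follow RFC 2743 (InitialContextToken) and RFC 4178 (NegTokenInit), and the OID constants are the standard ones.

```python
"""Decode the SPNEGO token behind an HTTP 'Authorization: Negotiate' header.

Constructed example: the header is built locally from placeholder bytes,
so no KDC, keytab or real ticket is involved.
"""
import base64
import re

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_length(n):
    """DER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos=0):
    """Parse one single-byte-tag DER element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_negotiate_header(mechs, mech_token):
    """Constructed client header: InitialContextToken{SPNEGO OID, [0] NegTokenInit}."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))  # MechTypeList
    neg_init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    token = tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, neg_init))  # [APPLICATION 0]
    return "Negotiate " + base64.b64encode(token).decode()


def parse_negotiate_header(value):
    """Return the mechanisms offered, whether a mechToken is present, and if Kerberos leads."""
    m = re.fullmatch(r"Negotiate\s+([A-Za-z0-9+/]+=*)", value.strip())
    if not m:
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(m.group(1))
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken (raw NTLMSSP?)")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:  # [0] negTokenInit; [1] would be a server negTokenResp
        raise ValueError("expected a NegTokenInit from a client")
    _, fields, _ = read_tlv(choice)  # the NegTokenInit SEQUENCE
    mechs, has_token, pos = [], False, 0
    while pos < len(fields):
        tag, val, pos = read_tlv(fields, pos)
        if tag == 0xA0:  # [0] mechTypes, in the client's order of preference
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                _, arcs, p = read_tlv(lst, p)
                mechs.append(decode_oid(arcs))
        elif tag == 0xA2:  # [2] mechToken, normally the Kerberos AP-REQ
            has_token = True
    return {"mechs": mechs, "has_mech_token": has_token,
            "kerberos_first": bool(mechs) and mechs[0] in (KRB5_OID, MS_KRB5_OID)}


if __name__ == "__main__":
    # 300 placeholder bytes stand in for the AP-REQ; real ones are larger.
    header = build_negotiate_header([KRB5_OID, MS_KRB5_OID], b"\x00" * 300)
    print(header[:24])  # "Negotiate YIIB...", the same "YII" prefix seen in the sniff
    print(parse_negotiate_header(header))
```

The "YII" prefix seen in the capture is not random: it is the base64 of the bytes 0x60 0x82, i.e. an APPLICATION 0 tag followed by a two-byte long-form length, which is what any SPNEGO token larger than 255 bytes starts with. A header whose first mechanism is NTLMSSP, or a bare NTLMSSP blob with no 0x60 wrapper, is the usual sign of a client that could not obtain a service ticket and fell back, which is the server-side counterpart of the missing-kinit symptom above.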