Bug 335571

Summary: Kerberos library bug preventing negotiate authentication via GSSAPI.
Product: Red Hat Enterprise Linux 5
Component: krb5
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: low
Reporter: Rob <rob>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Brian Brock <bbrock>
CC: jplans
Doc Type: Bug Fix
Last Closed: 2007-10-17 14:19:39 UTC

Description Rob 2007-10-17 03:30:06 UTC
Description of problem:
Kerberos authentication via the negotiate method/GSSAPI fails.
Kerberos single sign on, at least via a browser and Apache, is broken.

Version-Release number of selected component (if applicable):
krb5-libs-1.5-29

How reproducible:
Every time.

Steps to Reproduce:
1. Assume a correctly configured krb5.conf and keytab for Apache.
2. Configure Apache to use Kerberos authentication using mod_auth_kerb.
3. Specify 'KrbMethodNegotiate on' in your conf.
4. Access a protected page via a negotiate enabled browser.
(IE or Firefox with network.negotiate-auth.trusted-uris configured)
  
Actual results:
kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
Acquiring creds for HTTP/servername@REALM
Verifying client data using KRB5 GSS-API
Verification returned code 851968
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information (Cannot allocate memory)


Expected results:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/servername@REALM
Verifying client data using KRB5 GSS-API
Verification returned code 0
GSS-API token of length 162 bytes will be sent back


Additional info:
Solution found from:
http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help
Removing one ! in src/lib/gssapi/krb5/indicate_mechs.c does the trick.
Validated by rebuilding src rpm.

---SNIP---
--- src/lib/gssapi/krb5/indicate_mechs.c 2006-06-14
17:27:54.000000000 -0500
+++ src/lib/gssapi/krb5/indicate_mechs.fixed.c 2007-07-02
16:41:40.000000000 -0500
@@ -33,12 +33,11 @@
gss_OID_set *mech_set;
{
*minor_status = 0;
-
- if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both,
mech_set)) {
+ if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both,
+mech_set)) {
*mech_set = GSS_C_NO_OID_SET;
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
-
return(GSS_S_COMPLETE);
}
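
Review bot: The corrected if at the top of the hunk still relies on an implicit convention, namely that gssint_copy_oid_set() returns zero on success, which is the same convention the stray ! got wrong. Comparing explicitly, for example "if (gssint_copy_oid_set(...) != GSS_S_COMPLETE)", would make the intent visible and harder to invert again. The failure branch also sets *minor_status = ENOMEM unconditionally, discarding whatever minor status the callee reported; with the old test that branch ran after a successful copy, which matches the "Cannot allocate memory" text in the Actual results log, so consider keeping the callee's minor status instead of hardcoding one. The two removed blank lines and the unindented "+mech_set)) {" continuation are whitespace changes unrelated to the fix and are better dropped from the patch.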
---SNIP---

Thank you Ian Goodacre.

Comment 1 Nalin Dahyabhai 2007-10-17 14:19:39 UTC
Marking this as a duplicate of #238847, which is fixed in the 5.1 beta by the
upgrade to a later version which included this fix.  Thanks!

*** This bug has been marked as a duplicate of 238847 ***