I'm trying to use firefox to authenticate to an internal web site. Like *many* internal web sites, this one doesn't have correct reverse DNS so Kerberos doesn't get the right SPN and fails to get a ticket for it. That doesn't stop it from trying *something*, and screwing up my NTLM auth that would have succeeded....

First it sends a request with no Authorization: header, gets back a 401 with

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Then it sends this:

Authorization: Negotiate [...]

...and gets a 401 back with this:

WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

If I 'kdestroy' and try again, authentication works just fine with NTLM (via gss-ntlmssp):

Authorization: Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=
WWW-Authenticate: Negotiate [...]
Authorization: Negotiate [...]

Quite why firefox doesn't try actual NTLM auth (as opposed to NTLM-in-SPNEGO) after GSSAPI auth fails, I don't know. That should have worked too.

Is there a way to easily use wireshark's dissectors (or something else) to interpret SPNEGO packets? Other than faking a real Ethernet packet capture of an HTTP exchange by using 'nc' and 'nc -l'...

The first request is:

    [truncated] Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egF...
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 2 items
                        MechType: 1.3.6.1.5.2.5 (iso.3.6.1.5.2.5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 60820fa306062b060105020505013016a11404124745522e...

The response from the server (after which we give up) is:

    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=\r\n
        GSS-API Generic Security Service Application Program Interface
            Simple Protected Negotiation
                negTokenTarg
                    negResult: Unknown (3)
                    supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

It's *telling* us to try NTLMSSP. Why didn't we?

That 'unknown' negResult is, if I'm reading RFC4178 correctly, 'request-mic'. Is that the problem? I see recent changes in gssntlmssp and krb5 to handle MIC generation...

(Simo, note that I'm testing this with the unhacked package in Fedora and $NTLM_USER_FILE set; not my patches to make it use winbind which don't support MIC generation).

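
The server token quoted in the comment above can be decoded without a packet capture. The following is an added example, not part of the original report and not code from krb5 or gss-ntlmssp: a minimal DER walker that decodes a bare SPNEGO negTokenResp from its base64 form. The function names are illustrative, and it does not handle the GSS-API-wrapped negTokenInit sent by the client.

```python
import base64

# negState values from RFC 4178, section 4.2.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete",
             2: "reject", 3: "request-mic"}
# Context tags of the NegTokenResp fields and the universal tag each wraps
FIELDS = {0xA0: ("negState", 0x0A), 0xA1: ("supportedMech", 0x06),
          0xA2: ("responseToken", 0x04), 0xA3: ("mechListMIC", 0x04)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):
    """Decode DER OID content bytes into dotted form."""
    first = min(der[0] // 40, 2)
    arcs, acc = [first, der[0] - 40 * first], 0
    for b in der[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(b64):
    """Decode the base64 value of a 'WWW-Authenticate: Negotiate' header."""
    raw = base64.b64decode(b64, validate=True)
    tag, body, end = read_tlv(raw, 0)
    if tag != 0xA1 or end != len(raw):
        raise ValueError("not a bare negTokenResp")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE inside negTokenResp")
    out, pos = {}, 0
    while pos < len(seq):
        ctx, field, pos = read_tlv(seq, pos)
        inner_tag, inner, _ = read_tlv(field, 0)
        name, want = FIELDS.get(ctx, (None, None))
        if name is None or inner_tag != want:
            raise ValueError(f"unexpected field tag 0x{ctx:02x}")
        if name == "negState":
            v = int.from_bytes(inner, "big")
            inner = NEG_STATE.get(v, f"unknown({v})")
        elif name == "supportedMech":
            inner = decode_oid(inner)
        out[name] = inner
    return out
```

Calling `parse_neg_token_resp("oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=")` on the token from the report gives the negState and supportedMech that the Wireshark dissection shows.
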
Fixed (slightly unexpectedly) by http://david.woodhou.se/krb5-fix-spnego-double-free.patch In trying to reproduce, I could only get a crash in gss_delete_sec_context(). And once that was fixed, so was this.
==31436== Invalid free() / delete / delete[] / realloc()
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900D6A7: generic_gss_release_oid_set (gssapi_alloc.h:93)
==31436==    by 0x3AE903775F: release_spnego_ctx (spnego_mech.c:2895)
==31436==    by 0x3AE9037830: spnego_gss_delete_sec_context (spnego_mech.c:2164)
==31436==    by 0x3AE9012292: gss_delete_sec_context (g_delete_sec_context.c:90)
==31436==  Address 0x4fb55a0 is 0 bytes inside a block of size 9 free'd
==31436==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31436==    by 0x3AE900C881: generic_gss_release_oid (oid_ops.c:102)
==31436==    by 0x3AE903BE85: spnego_gss_init_sec_context (spnego_mech.c:792)
==31436==    by 0x3AE90154CA: gss_init_sec_context (g_init_sec_context.c:210)

http://mailman.mit.edu/pipermail/krbdev/2014-July/012079.html

krb5-1.11.5-9.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-9.fc20
krb5-1.11.3-23.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).

krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.