Sometimes due to reverse DNS issues, we attempt to obtain a Kerberos ticket for the *wrong* host. When we present the ticket, it obviously doesn't work. If the server is a proxy and returns an empty 'Proxy-Authenticate: Negotiate' header indicating that it didn't work and we should try something else... we just try again. Over and over and over again. Actually, this is just the tip of the iceberg when it comes to curl's brokenness with GSSAPI. Fixes at http://git.infradead.org/users/dwmw2/curl.git (posted to the list today).
Thanks for the pointer and the patches. I would prefer to wait till they are merged upstream before submitting updates for stable releases though.
That makes perfect sense. The patches are now merged upstream.
They are included in curl-7.37.1-1.fc22 for now, will consider backport later...
There is a possible regression of bug #1093348, which is being discussed upstream: http://curl.haxx.se/mail/lib-2014-07/0207.html
Yeah, I wish I could remember which server I was using when I saw bug 1093348 :)
I still can't find the original server but I've set up something to emulate it and retested with the latest curl code. It still behaves correctly... or as well as it did before, at least :) It's still using the *first* Negotiate response, where using the non-empty one might make more sense. But that's not a regression.
Thanks for checking it! Do you want to backport some additional patches on top of the original patchset then? http://pkgs.fedoraproject.org/cgit/curl.git/tree/0001-curl-7.37.1-gssapi.patch?id=8490cd97
No need for anything more at the moment; I think that patch set captures everything that's important. Michael O is working on some other improvements but they are mostly cosmetic. I've just done a test build of your 7.37.1-1.fc22 package locally and it seems to be working correctly for me — Negotiate auth is sanely falling back to GSS-NTLMSSP etc. Thanks.
curl-7.32.0-12.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-12.fc20
Package curl-7.32.0-12.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing curl-7.32.0-12.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9070/curl-7.32.0-12.fc20 then log in and leave karma (feedback).
curl-7.32.0-12.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.