Bug 145500 - GSSAPI / Kerberos authentication broken, Mozilla OK
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: firefox   
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Christopher Aillon
Reported: 2005-01-18 23:37 UTC by Dax Kelson
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2006-10-29 18:40:31 UTC

Description Dax Kelson 2005-01-18 23:37:47 UTC
Description of problem:

We have a Kerberos Realm and with FC3 the shipped Mozilla works fine
to access mod_auth_kerb protected web pages in seamless single-sign on
fashion with tickets.

With FireFox, on the same machine, it is unable to access the
protected web pages and gets a 401 error "authentication required" page.

Using "klist" to view tickets it can be seen that Mozilla properly
fetches a service ticket for the web server. With FireFox no such
service ticket is obtained.

$ rpm -q mozilla
mozilla-1.7.3-17
$ rpm -q firefox
firefox-1.0-2.fc3

Comment 1 Dax Kelson 2005-01-18 23:42:14 UTC
Supposedly GSSAPI support was added to FireFox in version 0.9 so it
*should* work.

From the Unofficial Changelog:

http://www.squarefree.com/burningedge/releases/0.9.html

"Support for Kerberos HTTP authentication using GSSAPI (benefits
Unix-like platforms including Linux and OS X)."

Also:

$ ldd /usr/lib/firefox-1.0/components/libnegotiateauth.so | grep gssapi
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x003a5000)


Comment 2 Enrico Scholz 2005-01-24 19:55:56 UTC
try to set

| network.negotiate-auth.delegation-uris
| network.negotiate-auth.trusted-uris

to 'https://' (e.g. through 'about:config')

Comment 3 Dax Kelson 2005-01-24 23:36:27 UTC
I meant to update this bug last week.

The addition of:

network.negotiate-auth.trusted-uris to 'https://'

Does indeed solve the problem.

This should be added to the default "pref.js" file (or via some other
technique) so that this works out-of-the-box on Firefox as it does on
Mozilla.

Comment 4 Joe Orton 2005-01-27 16:24:16 UTC
I thought this pref was left unset deliberately?  Are you sure it's
set in the default Mozilla config?

$ locate prefs.js | xargs grep negotiate

is indeed blank for all shipped prefs.js in FC3.

Comment 5 Joe Orton 2005-01-27 16:25:13 UTC
Ah, ignore me, you are correct of course...

/usr/lib/firefox-1.0/greprefs/all.js:pref("network.negotiate-auth.trusted-uris", "");

vs

/usr/lib/mozilla-1.7.3/greprefs/all.js:pref("network.negotiate-auth.trusted-uris", "https://");


Comment 6 Dax Kelson 2005-01-27 16:41:41 UTC
It was also defaulted on with the errata Mozilla shipped out to FC2 in
Sept/Oct 2004 timeframe.

Comment 7 Christopher Aillon 2005-02-28 04:07:19 UTC
The whitelist of trusted domains is now empty in both firefox and mozilla.  You
need to manually add trusted domains.  Reasons are outlined upstream.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c24
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c27
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c29
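
Added example, not part of the bug thread or of Mozilla's code: a short Python audit that reads pref files such as the all.js lines quoted in comment 5 and reports whether the two negotiate-auth prefs from comment 2 are empty, scoped to named hosts, or set to a bare scheme like 'https://' that names no host. The classification labels, the sample strings and the host intranet.example.com are assumptions made for illustration.

```python
import re

# Prefs named in the thread (comment 2).
NEGOTIATE_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)

# Matches pref("name", "value") and user_pref("name", "value"), including a
# value wrapped onto the next line.
PREF_RE = re.compile(r'\b(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')

# An entry that is only a scheme ("https://") names no host at all.
SCHEME_ONLY_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://$')


def classify(value):
    """Return 'empty', 'scheme-wide' or 'host-scoped' (labels are this example's own)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return "empty"
    if any(SCHEME_ONLY_RE.match(e) for e in entries):
        return "scheme-wide"
    return "host-scoped"


def audit(text):
    """Return {pref name: (value, classification)}; the last assignment wins."""
    result = {}
    for name, value in PREF_RE.findall(text):
        if name in NEGOTIATE_PREFS:
            result[name] = (value, classify(value))
    return result


# Constructed sample inputs modelled on the lines quoted in comment 5.
FIREFOX_ALL_JS = 'pref("network.negotiate-auth.trusted-uris",\n"");\n'
MOZILLA_ALL_JS = 'pref("network.negotiate-auth.trusted-uris",\n"https://");\n'
# Hypothetical per-user override that names a single host.
USER_JS = ('user_pref("network.negotiate-auth.trusted-uris", '
           '"https://intranet.example.com");\n')

if __name__ == "__main__":
    for label, text in (("firefox", FIREFOX_ALL_JS),
                        ("mozilla", MOZILLA_ALL_JS),
                        ("user.js", USER_JS)):
        print(label, audit(text))
```

A 'scheme-wide' result is the setting to review first, since it does not limit Negotiate authentication to hosts you chose.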

Comment 8 Matthew Miller 2006-07-10 22:57:45 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 9 Christopher Aillon 2006-10-29 18:40:31 UTC
Not a bug per comment 7.

