This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 145500 - GSSAPI / Kerberos authentication broken, Mozilla OK
GSSAPI / Kerberos authentication broken, Mozilla OK
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Christopher Aillon
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-18 18:37 EST by Dax Kelson
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-29 13:40:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dax Kelson 2005-01-18 18:37:47 EST
Description of problem:

We have a Kerberos Realm and with FC3 the shipped Mozilla works fine
to access mod_auth_kerb protected web pages in seamless single-sign on
fashion with tickets.

With FireFox, on the same machine, it is unable to access the
protected web pages and gets a 401 error "authentication required" page.

Using "klist" to view tickets it can be seen that Mozilla properly
fetches a service ticket for the web server. With FireFox no such
service ticket is obtained.

$ rpm -q mozilla
mozilla-1.7.3-17
$ rpm -q firefox
firefox-1.0-2.fc3
Comment 1 Dax Kelson 2005-01-18 18:42:14 EST
Supposedly GSSAPI support was added to FireFox in version 0.9 so it
*should* work.

From the Unofficial Changelog:

http://www.squarefree.com/burningedge/releases/0.9.html

"Support for Kerberos HTTP authentication using GSSAPI (benefits
Unix-like platforms including Linux and OS X)."

Also:

$ ldd /usr/lib/firefox-1.0/components/libnegotiateauth.so | grep gssapi
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x003a5000)
Comment 2 Enrico Scholz 2005-01-24 14:55:56 EST
try to set

| network.negotiate-auth.delegation-uris
| network.negotiate-auth.trusted-uris

to 'https://' (e.g. through 'about:config')
Comment 3 Dax Kelson 2005-01-24 18:36:27 EST
I meant to update this bug last week.

The addition of:

network.negotiate-auth.trusted-uris to 'https://'

Does indeed solve the problem.

This should added to the default "pref.js" file (or via some other
technique) so that this works out-of-the-box on Firefox as it does on
Mozilla.
Comment 4 Joe Orton 2005-01-27 11:24:16 EST
I thought this pref was left unset deliberately?  Are you sure it's
set in the default Mozilla config?

$ locate prefs.js | xargs grep negotiate

is indeed blank for all shipped prefs.js in FC3.
Comment 5 Joe Orton 2005-01-27 11:25:13 EST
Ah, ignore me, you are correct of course...

/usr/lib/firefox-1.0/greprefs/all.js:pref("network.negotiate-auth.trusted-uris",
"");

vs

/usr/lib/mozilla-1.7.3/greprefs/all.js:pref("network.negotiate-auth.trusted-uris",
"https://");
Comment 6 Dax Kelson 2005-01-27 11:41:41 EST
It was also defaulted on with the errata Mozilla shipped out to FC2 in
Sept/Oct 2004 timeframe.
Comment 7 Christopher Aillon 2005-02-27 23:07:19 EST
The whitelist of trusted domains is now empty in both firefox and mozilla.  You
need to manually add trusted domains.  Reasons are outlined upstream.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c24
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c27
https://bugzilla.mozilla.org/show_bug.cgi?id=237586#c29
Comment 8 Matthew Miller 2006-07-10 18:57:45 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 9 Christopher Aillon 2006-10-29 13:40:31 EST
Not a bug per comment 7.

Note You need to log in before you can comment on or make changes to this bug.