Description of problem:

Authentication fails when the client is Windows-based (IE6 or Firefox), but it works when using Firefox from RHEL 5 or Debian Etch.

Workstations use pam_krb for login, then use Firefox/Iceweasel clients to access apache/mod_auth_kerb on a RHEL5 box. This works correctly, NegociateAuth works as it should.

Using the same config server-side, the authentication fails when the client is on Windows. The same Windows client can authenticate against an apache/mod_auth_kerb box running Debian Etch (which uses krb5 1.4.4).

The error message is:

[Mon Apr 30 16:27:56 2007] [debug] src/mod_auth_kerb.c(1432): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1432): [client 192.168.0.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1147): [client 192.168.0.10] Acquiring creds for HTTP
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1266): [client 192.168.0.10] Verifying client data using KRB5 GSS-API
[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1282): [client 192.168.0.10] Verification returned code 851968
[Mon Apr 30 16:27:57 2007] [error] [client 192.168.0.10] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Cannot allocate memory)

Debugging httpd in gdb and tracing function calls leads to the file indicate_mechs.c where gss_int_copy_oid_set() is called. This function returns 0 on success, but in indicate_mechs.c the function is called inside an if(), where, if the result is zero, it fails.

Looking at the upstream MIT release (1.5.3), the test isn't the same as the one in the RHEL5 release. If I correct the test in indicate_mechs.c, everything works as it should.

The diff between the upstream release (1.5.3) and the Red Hat release (1.5-7) is attached.

If I can add anything to help more, please ask.

Regards,
--
Yves-Alexis Perez
Created attachment 154025
patch to correct behavior in indicate_mechs.c
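Added example, not part of the original report or of the krb5 or mod_auth_kerb sources: the value 851968 in the "Verification returned code" log line above is a GSS-API major status, and splitting it into the fields defined in RFC 2744 shows it is routine error 13, GSS_S_FAILURE, with no calling error or supplementary bits set. The function and macro names below are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of an OM_uint32 GSS-API major status (RFC 2744, section 3.9.1). */
#define CALLING_ERROR(m) ((unsigned)(((m) >> 24) & 0xffu))
#define ROUTINE_ERROR(m) ((unsigned)(((m) >> 16) & 0xffu))
#define SUPPLEMENTARY(m) ((unsigned)((m) & 0xffffu))

/* Routine error names from RFC 2744, indexed by routine error number. */
static const char *const routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN"
};

/* Hypothetical helper: name of the routine error carried in a major status. */
const char *routine_error_name(unsigned long major) {
    unsigned idx = ROUTINE_ERROR(major);
    size_t count = sizeof routine_names / sizeof routine_names[0];
    return idx < count ? routine_names[idx] : "unknown routine error";
}

/* Hypothetical helper: extract N from a mod_auth_kerb debug line containing
 * "Verification returned code N". Returns 0 on success, -1 otherwise. */
int parse_verification_code(const char *line, unsigned long *major) {
    static const char marker[] = "Verification returned code ";
    const char *p = strstr(line, marker);
    char *end;
    if (p == NULL)
        return -1;
    p += sizeof marker - 1;
    *major = strtoul(p, &end, 10);
    return end == p ? -1 : 0;
}

int main(void) {
    /* Log line copied from the report above. */
    const char *line = "[Mon Apr 30 16:27:57 2007] [debug] src/mod_auth_kerb.c(1282): "
                       "[client 192.168.0.10] Verification returned code 851968";
    unsigned long major;
    if (parse_verification_code(line, &major) != 0)
        return 1;
    printf("major=0x%lx calling=%u routine=%u (%s) supplementary=0x%x\n", major,
           CALLING_ERROR(major), ROUTINE_ERROR(major),
           routine_error_name(major), SUPPLEMENTARY(major));
    return 0;
}
```

GSS_S_FAILURE is the generic major status, so the cause has to be read from the minor status, which the error line in the report renders as "Cannot allocate memory".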
This is also fixed in 1.6, to which we're currently planning to update, but I'm going to leave this open so that we can track it properly.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Moving to MODIFIED.
Does this mean that the fix will be included in RHEL5 soon? It breaks Kerberos pretty hard and the patch is trivial...
By way of going to 1.6.1, yes.
Apparently the equivalent Fedora (6) bug is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243686
*** Bug 335571 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2007-0893.html