Bug 335571 - Kerberos library bug preventing negotiate authentication via GSSAPI.
Status: CLOSED DUPLICATE of bug 238847
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.0
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2007-10-16 23:30 EDT by Rob
Modified: 2007-11-30 17:07 EST
Last Closed: 2007-10-17 10:19:39 EDT
Description Rob 2007-10-16 23:30:06 EDT
Description of problem:
Kerberos authentication via the negotiate method/GSSAPI fails.
Kerberos single sign on, at least via a browser and Apache, is broken.

Version-Release number of selected component (if applicable):
krb5-libs-1.5-29

How reproducible:
Every time.

Steps to Reproduce:
1. Assume a correctly configured krb5.conf and keytab for Apache.
2. Configure Apache to use Kerberos authentication using mod_auth_kerb.
3. Specify 'KrbMethodNegotiate on' in your conf.
4. Access a protected page via a negotiate enabled browser.
(IE or Firefox with network.negotiate-auth.trusted-uris configured)
  
Actual results:
kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
kerb_authenticate_user entered with user (NULL) and auth_type KerberosV5
Acquiring creds for HTTP/servername@REALM
Verifying client data using KRB5 GSS-API
Verification returned code 851968
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may
provide more information (Cannot allocate memory)


Expected results:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/servername@REALM
Verifying client data using KRB5 GSS-API
Verification returned code 0
GSS-API token of length 162 bytes will be sent back


Additional info:
Solution found from:
http://sourceforge.net/mailarchive/forum.php?thread_name=2306E39C-CE49-4CC2-A902-4AE1C40E486E%40neosaint.org&forum_name=modauthkerb-help
Removing one ! in src/lib/gssapi/krb5/indicate_mechs.c does the trick.
Validated by rebuilding src rpm.

---SNIP---
--- src/lib/gssapi/krb5/indicate_mechs.c 2006-06-14
17:27:54.000000000 -0500
+++ src/lib/gssapi/krb5/indicate_mechs.fixed.c 2007-07-02
16:41:40.000000000 -0500
@@ -33,12 +33,11 @@
gss_OID_set *mech_set;
{
*minor_status = 0;
-
- if (! gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both,
mech_set)) {
+ if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both,
+mech_set)) {
*mech_set = GSS_C_NO_OID_SET;
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
-
return(GSS_S_COMPLETE);
}
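Review bot: The failure branch kept by this hunk still overwrites the callee's result with "*minor_status = ENOMEM;" and returns GSS_S_FAILURE, so after the inversion any nonzero return from gssint_copy_oid_set() is reported as "Cannot allocate memory" regardless of its actual cause. Assuming the function returns a GSS major status, compare it explicitly against GSS_S_COMPLETE and leave the minor status it set in place unless ENOMEM is its only failure mode. The hunk is also mail-wrapped (the removed continuation "mech_set)) {" has lost its "-" prefix and the added one its indentation) and drops two unrelated blank lines, so it will not apply as posted; regenerate it with unwrapped lines.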
---SNIP---

Thank you Ian Goodacre.
Comment 1 Nalin Dahyabhai 2007-10-17 10:19:39 EDT
Marking this as a duplicate of #238847, which is fixed in the 5.1 beta by the
upgrade to a later version which included this fix.  Thanks!

*** This bug has been marked as a duplicate of 238847 ***
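
The log in the description can be reproduced in miniature. This is an added example, not code from the bug report or from krb5. It models the inverted check from the patch and decodes the resulting major status 851968 into its RFC 2744 fields. The constants are written out from RFC 2744, and copy_oid_set_ok() and the two indicate_mechs_* functions are hypothetical stand-ins for the library code.

```c
/* Added example: constants follow RFC 2744; copy_oid_set_ok() and the
 * indicate_mechs_* functions are simplified stand-ins, not krb5 source. */
#include <errno.h>
#include <stdio.h>

typedef unsigned int OM_uint32;

#define GSS_S_COMPLETE             0u
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_S_FAILURE (13u << GSS_C_ROUTINE_ERROR_OFFSET)

/* Split a major status into calling error, routine error, supplementary bits. */
static unsigned calling_error(OM_uint32 maj) { return (maj >> GSS_C_CALLING_ERROR_OFFSET) & 0xffu; }
static unsigned routine_error(OM_uint32 maj) { return (maj >> GSS_C_ROUTINE_ERROR_OFFSET) & 0xffu; }
static unsigned supplementary(OM_uint32 maj) { return maj & 0xffffu; }

/* Stand-in for the OID-set copy: succeeds and returns GSS_S_COMPLETE (0). */
static OM_uint32 copy_oid_set_ok(OM_uint32 *minor) { *minor = 0; return GSS_S_COMPLETE; }

/* Check as in the '-' line of the patch: a successful copy (0) is taken as failure. */
static OM_uint32 indicate_mechs_buggy(OM_uint32 *minor)
{
    *minor = 0;
    if (!copy_oid_set_ok(minor)) {
        *minor = ENOMEM;            /* surfaces as "Cannot allocate memory" */
        return GSS_S_FAILURE;
    }
    return GSS_S_COMPLETE;
}

/* Check as in the '+' line of the patch: only a nonzero return is a failure. */
static OM_uint32 indicate_mechs_fixed(OM_uint32 *minor)
{
    *minor = 0;
    if (copy_oid_set_ok(minor)) {
        *minor = ENOMEM;
        return GSS_S_FAILURE;
    }
    return GSS_S_COMPLETE;
}

int main(void)
{
    OM_uint32 minor, maj = indicate_mechs_buggy(&minor);
    printf("buggy: major=%u (calling=%u routine=%u supp=%u) minor=%u\n",
           maj, calling_error(maj), routine_error(maj), supplementary(maj), minor);
    maj = indicate_mechs_fixed(&minor);
    printf("fixed: major=%u minor=%u\n", maj, minor);
    return 0;
}
```

A major status whose only nonzero field is routine error 13 is the generic GSS_S_FAILURE, so the minor status is where the triage information lives.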
