[Freeipa-devel] freeipa and samba

Rob Crittenden rcritten at redhat.com
Tue Feb 12 21:43:16 UTC 2008


Thomas Sailer wrote:
> On Mon, 2008-02-11 at 13:11 -0500, Simo Sorce wrote:
> 
>> Can you provide the error you get with Firefox ?
> 
> Ok, on the server:
> krb5-devel-1.6.3-4.fc8.jnx
> krb5-server-1.6.3-4.fc8.jnx
> krb5-server-ldap-1.6.3-4.fc8.jnx
> krb5-workstation-1.6.3-4.fc8.jnx
> krb5-libs-1.6.3-4.fc8.jnx

I don't see a changelog entry in the rawhide version that discusses 
the spnego changes required. It may be that this is simply already done 
in 1.6.3 versus 1.6.1/2. It might be worth it to try 1.6.2-12 from f8.

> These are rebuilt from the source RPM from Rawhide.
> 
> 
> # curl -u : --negotiate -k https://xxx.xxx.com/ipatest/
> KRB5CCNAME: FILE:/tmp/krb5cc_apache_iHWoIo<br>
> HTTPS: on<br>
> GATEWAY_INTERFACE: CGI/1.1<br>
> SERVER_PROTOCOL: HTTP/1.1<br>
> REQUEST_METHOD: GET<br>
> QUERY_STRING: <br>
> REQUEST_URI: /ipatest/<br>
> SCRIPT_NAME: /ipatest/<br>
> HTTP_USER_AGENT: curl/7.17.1 (i686-redhat-linux-gnu) libcurl/7.17.1
> NSS/3.11.7.1 zlib/1.2.3 libidn/0.6.14<br>
> HTTP_HOST: xxx.xxx.com<br>
> HTTP_ACCEPT: */*<br>
> PATH: /sbin:/usr/sbin:/bin:/usr/bin<br>
> SERVER_SIGNATURE: <address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com
> Port 443</address>
> <br>
> SERVER_SOFTWARE: Apache/2.2.6 (Fedora)<br>
> SERVER_NAME: xxx.xxx.com<br>
> SERVER_ADDR: 192.168.1.2<br>
> SERVER_PORT: 443<br>
> REMOTE_ADDR: 192.168.1.2<br>
> DOCUMENT_ROOT: /var/www/html<br>
> SERVER_ADMIN: root at localhost<br>
> SCRIPT_FILENAME: /usr/share/ipa/ipatest/<br>
> REMOTE_PORT: 59159<br>
> REMOTE_USER: admin at XXX.COM<br>
> AUTH_TYPE: Negotiate<br>
> KRB5CCNAME is FILE:/tmp/krb5cc_apache_iHWoIo<br>
> Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
> 
> with firefox:
> KRB5CCNAME: FILE:/tmp/krb5cc_apache_bpP78u<br>
> HTTPS: on<br>
> GATEWAY_INTERFACE: CGI/1.1<br>
> SERVER_PROTOCOL: HTTP/1.1<br>
> REQUEST_METHOD: GET<br>
> QUERY_STRING: <br>
> REQUEST_URI: /ipatest/<br>
> SCRIPT_NAME: /ipatest/<br>
> HTTP_HOST: xxx.xxx.com<br>
> HTTP_USER_AGENT: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10<br>
> HTTP_ACCEPT: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5<br>
> HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5<br>
> HTTP_ACCEPT_ENCODING: gzip,deflate<br>
> HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7<br>
> HTTP_KEEP_ALIVE: 300<br>
> HTTP_CONNECTION: keep-alive<br>
> PATH: /sbin:/usr/sbin:/bin:/usr/bin<br>
> SERVER_SIGNATURE: <address>Apache/2.2.6 (Fedora) Server at xxx.xxx.com Port 443</address>
> <br>
> SERVER_SOFTWARE: Apache/2.2.6 (Fedora)<br>
> SERVER_NAME: xxx.xxx.com<br>
> SERVER_ADDR: 192.168.1.2<br>
> SERVER_PORT: 443<br>
> REMOTE_ADDR: 192.168.1.2<br>
> DOCUMENT_ROOT: /var/www/html<br>
> SERVER_ADMIN: root at localhost<br>
> SCRIPT_FILENAME: /usr/share/ipa/ipatest/<br>
> REMOTE_PORT: 59165<br>
> REMOTE_USER: admin at XXX.COM<br>
> AUTH_TYPE: Negotiate<br>
> KRB5CCNAME is FILE:/tmp/krb5cc_apache_bpP78u<br>
> Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}<br>

I'm glad you found and were able to setup that debug stuff!

I'm a little baffled by this error. It would seem that Firefox is 
sending the ticket since a ccache is being created by Apache.

Just to be sure, can you set these in a shell and then start Firefox 
from there?

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log

This will enable some debugging in Firefox that might point to something.

And I assume you have network.negotiate-auth.delegation-uris and 
network.negotiate-auth.trusted-uris set properly or you wouldn't have 
gotten as far as you have.

rob
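The two things Rob asks for above, starting Firefox with NSPR negotiateauth logging and confirming that network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris actually cover the IPA server, as an added shell example that is not part of the thread or of FreeIPA. The host-matching rule it implements (an entry may carry a scheme and port; its host part matches the request host exactly or as a dot-delimited suffix, so "xxx.com" covers "xxx.xxx.com" but "bar.com" does not cover "foobar.com") is this example's reading of how Firefox evaluates those prefs, not something the mail states; the user.js it checks is constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the freeipa-devel thread or from FreeIPA.
# 1. firefox_with_negotiate_log: the two exports from the mail, scoped to one process.
# 2. negotiate_pref_covers: does a negotiate-auth pref list cover scheme://host:port?
#    Suffix matching with a dot boundary is an assumption about Firefox's behaviour.
# 3. check_negotiate_prefs: read both prefs from a user.js and report which are missing.

firefox_with_negotiate_log() {
    NSPR_LOG_MODULES=negotiateauth:5 NSPR_LOG_FILE=/tmp/moz.log firefox "$@"
}

# negotiate_pref_covers LIST SCHEME HOST PORT -> exit 0 if some entry in LIST covers the URI
negotiate_pref_covers() {
    list=$1 scheme=$2 host=$3 port=$4
    lhost=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        base=$entry
        case $base in
            *://*)  # scheme given: must match exactly
                case ${base%%://*} in "$scheme") ;; *) continue ;; esac
                base=${base#*://} ;;
        esac
        case $base in
            *:*)    # port given: must match exactly
                case ${base#*:} in "$port") ;; *) continue ;; esac
                base=${base%%:*} ;;
        esac
        [ -z "$base" ] && return 0   # "https://" alone covers every https host
        lbase=$(printf '%s' "$base" | tr 'A-Z' 'a-z')
        case $lhost in
            "$lbase"|*".$lbase") return 0 ;;   # exact host, or a subdomain of it
        esac
        case $lbase in
            .*) case $lhost in *"$lbase") return 0 ;; esac ;;  # entry written as ".xxx.com"
        esac
    done
    return 1
}

# pref_value FILE PREF -> value of the last user_pref("PREF", "...") line in FILE
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\"\([^\"]*\)\");.*/\1/p" "$1" | tail -n 1
}

# check_negotiate_prefs FILE HOST -> exit 0 only if both prefs cover https://HOST/
check_negotiate_prefs() {
    prefs=$1 host=$2 rc=0
    for pref in network.negotiate-auth.trusted-uris network.negotiate-auth.delegation-uris; do
        value=$(pref_value "$prefs" "$pref")
        if negotiate_pref_covers "$value" https "$host" 443; then
            echo "ok:      $pref=\"$value\" covers $host"
        else
            echo "MISSING: $pref=\"$value\" does not cover $host"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample user.js; the thread masks the real server as xxx.xxx.com.
demo_dir=$(mktemp -d)
cat > "$demo_dir/user.js" <<'EOF'
user_pref("network.negotiate-auth.trusted-uris", ".xxx.com");
user_pref("network.negotiate-auth.delegation-uris", "https://xxx.xxx.com");
EOF
check_negotiate_prefs "$demo_dir/user.js" xxx.xxx.com
rm -rf "$demo_dir"
```

Run the check against the profile's user.js (or prefs.js) with the IPA server's hostname; a "MISSING" line for delegation-uris means Firefox authenticates but never forwards a TGT, which is the pref that matters once the server side needs to bind to LDAP on the user's behalf.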