[Freeipa-devel] Safari and web interface

W. Michael Petullo mike at flyn.org
Tue Jul 29 00:25:18 UTC 2008 

>>> I have an iMac running Mac OS X 10.4 that authenticates against  
>>> a  FreeIPA 1.1.0 server. Although the computer otherwise works as  
>>> a  FreeIPA client, I am unable to connect to the FreeIPA web  
>>> interface  using Safari. Firefox connects fine from the same  
>>> machine. Safari says:
>>>
>>> "Permission Denied"
>>> "You do not have permission to access this page."
>>> "Kerberos login failed"
>>>
>>> The Kerberos server logs this when I use Safari:
>>>
>>> Jul 26 20:38:28 golem.flyn.org krb5kdc[28682](info): TGS_REQ (7   
>>> etypes {18 17 16 23 1 3 2}) 192.168.0.102: ISSUE: authtime   
>>> 1217119078, etypes {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for  
>>> HTTP/ golem.flyn.org at FLYN.ORG
>>>
>>> The Kerberos server logs this when I use Firefox:
>>>
>>> Jul 26 20:39:28 golem.flyn.org krb5kdc[28682](info): TGS_REQ (1   
>>> etypes {18}) 192.168.0.102: ISSUE: authtime 1217119078, etypes   
>>> {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for krbtgt/FLYN.ORG at FLYN.ORG
>>> Jul 26 20:39:29 golem.flyn.org krb5kdc[28682](info): TGS_REQ (7   
>>> etypes {18 17 16 23 1 3 2}) 192.168.0.10: ISSUE: authtime  
>>> 1217119078,  etypes {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for  
>>> ldap/ golem.flyn.org at FLYN.ORG
>>> [...]
>>>
>>> Is anyone using Safari to configure FreeIPA?
>> I never tried but from the logs it seem that Safari might not be
>> forwarding the user TGT.
>
> IIRC Safari was originally based on Konqueror/KHTML.
>
> Currently Konqueror doesn't support delegation (though it does  
> support GSSAPI). Not sure if this bug is apropos to Safari http:// 
> bugs.kde.org/show_bug.cgi?id=138414

Okay, I think you have it, Simo and Rob. Yes, Safari was based on  
Konqueror's engine, now called WebKit. I had to crack open my copy of  
Applied Cryptography, but now I see why and how Apache "proxies" the  
user TGT.

This may become more of an issue in the future as other browsers  
(GNOME's epiphany in particular) are looking at moving from Mozilla's  
XULrunner to WebKit.

I have submitted a bug against Apple's Open Source WebKit project  
(https://bugs.webkit.org/show_bug.cgi?id=20203) and Apple's Safari  
browser (bug report not available publicly).

Mike

More information about the Freeipa-devel mailing list