Sylvain RICHET <[email protected]> writes: > VERY relevant question ! > It becomes clear that, with a Linux Client, something has to glue > (just like it is in w2k environment, at the session init, in > interaction with the domain controler) > On linux client, this *something* is precisely : kinit !
> So, i have launched a kinit command on my Firefox (Ubuntu) client. > And then, sniffing with WireShark shows me that the SPNEGO token is > transmitted in headers : > [...] > Authorization: Negotiate YII.... > [...] > In Firefox log (easily enabled by command : export > NSPR_LOG_MODULES=negotiateauth:5;export NSPR_LOG_FILE=/tmp/ > negociateauth.log) > no more error like : > "gss_init_sec_context() failed: Unspecified GSS failure. Minor code > may provide more information SPNEGO cannot find mechanisms to > negotiate..." > Everything seems to be ok. Something to watch out for: in the past, with at least some builds of Firefox, I've found that I needed to have a valid ticket cache *before* I start Firefox, or at least before the first time Firefox encounters Negotiate-Auth, or something internally caches the fact that Kerberos authentication doesn't work and then will never try again. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
