Hello,

I have a configuration of Active Directory 2003 R2 SP3 working with Linux mod_auth_kerb. I use SPNEGO for Subversion. When using Linux, everything works great! When using Windows XP (and Windows 7), the Firefox/IE/cifs clients work great.

The problem is Subversion, which uses neon; it gets the following:

---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---

In the Windows event log I see the following:

---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server HTTP/correlux-gentoo.correlsense.com because the server has completed the authentication, but the client authentication protocol Kerberos has not.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---

Has anyone seen this before?

I tried many configurations, but without success:

--- Gentoo ---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
net-fs/samba-3.5.11
app-crypt/mit-krb5-1.9.1 -> also downgraded to 1.6.3
---

The strange thing is that I have a CentOS server on the same network with *MUCH* older packages and it does work...

--- CentOS ---
openssl-0.9.8e-20.el5
httpd-2.2.3-53.el5.centos.1
mod_ssl-2.2.3-53.el5.centos.1
mod_auth_kerb-5.1-3.el5
samba-3.0.33-3.29.el5_7.4
krb5-workstation-1.6.1-62.el5
---

I cannot reach this old state on Gentoo, and I cannot explain the difference between the two machines. I use the same procedure to add them to the domain:

<edit smb.conf>
net ads join
net ads keytab create
net ads keytab add HTTP cifs

The same configuration for both.

I don't know how to activate logs at the Microsoft end... I tried to add Lsa\Kerberos\Parameters debug and logging keys, but nothing is generated.

Any clue?

Thanks,
Alon.
