On 10/3/2011 9:12 AM, Alon Bar-Lev wrote: > Hello, > > I have configuration of active directory 2003 r2 sp3 working with > linux mod_auth_kerb. > I use SPNEGO for subversion. > When using Linux all work great! > When using Windows XP(and Windows 7) Firefox/IE/cifs client work great. > > Problem is subversion which uses neon, it get the following:
Googling for: neon SPNEGO shows a lot of issues. Maybe you are seeing one of them? > --- > Running post_send hooks > ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate > oYGfMIG > coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA > DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u > DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2 > auth: SSPI challenge. > InitializeSecurityContext [fail] [80090304]. > sspi: initializeSecurityContext [failed] [80090304]. > --- > > At windows event log I see the following: > --- > Event Type: Warning > Event Source: LSASRV > Event Category: SPNEGO (Negotiator) > Event ID: 40962 > Date: 10/3/2011 > Time: 3:55:38 PM > User: N/A > Computer: VALON > Description: > The Security System was unable to authenticate to the server > HTTP/correlux-gentoo.correlsense.com because the server has completed > the authentication, but the client authentication protocol Kerberos > has not. > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > --- > > Had anyone seen this before? > I tried many configurations, but without success: > --- > Gentoo > --- > dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f > www-servers/apache-2.2.21 > www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1 > net-fs/samba-3.5.11 > app-crypt/mit-krb5-1.9.1 -> also downgraded to 1.6.3 > --- > > The strange thing is that I have centos server on the same network > with *MUCH* older packages and it does work... > --- > CentOS > --- > openssl-0.9.8e-20.el5 > httpd-2.2.3-53.el5.centos.1 > mod_ssl-2.2.3-53.el5.centos.1 > mod_auth_kerb-5.1-3.el5 > samba-3.0.33-3.29.el5_7.4 > krb5-workstation-1.6.1-62.el5 > --- > > I cannot reach this old state at Gentoo, but I cannot explain the > difference between the two machines, I use the same procedure to add > them to the domain: > <edit smb.conf> > net ads join > net ads keytab create > net ads keytab add HTTP cifs > > The same configuration for both. > > I don't know how to activate logs at Microsoft end... > I tried to add Lsa\Kerberos\Parameters debug and logging keys but > nothing is generated. > > Any clue? > > Thanks, > Alon. > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert <[email protected]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
