[linux] Firefox + Kerberos authentication against an ISA proxy server in a Windows domain
Jan Ostrochovsky
jan.ostrochovsky at gmail.com
Thursday December 30 18:16:06 CET 2010
Hello all,
we want to get the following working: Firefox authenticating against a proxy server
(Microsoft ISA 2004) via Kerberos from Active Directory (AD). The PC runs
Novell's Linux (SLED 11.1), and the user is logged into the Windows domain
from that PC. Attached is /etc/krb5.conf from the PC; XXXXXX.SK stands in for
the real domain.
I get the Kerberos ticket via PAM from the domain controller when logging into
the system. There is no problem with that; it works e.g. when mounting shared
Samba folders, and the klist output is:
Desktop # klist
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: 999999@XXXXXX.SK
Valid starting     Expires            Service principal
12/30/10 15:26:02  12/31/10 01:26:02  krbtgt/XXXXXX.SK@XXXXXX.SK
        renew until 01/06/11 15:26:02
12/30/10 15:26:02  12/31/10 01:26:02  Desktop$@XXXXXX.SK
        renew until 01/06/11 15:26:02
12/30/10 16:34:58  12/31/10 01:26:02  sambaserver$@XXXXXX.SK
        renew until 01/06/11 15:26:02
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
The problem, however, is with Firefox, which uses Negotiate Authentication
(Kerberos GSSAPI). Instead of authenticating against the ISA 2004 proxy server,
this shows up in the browser log:
-1220663600[b71551c0]: nsHttpChannel::ProcessAuthentication [this=af411090 code=407]
-1220663600[b71551c0]: nsHttpChannel::PrepareForAuthentication [this=af411090]
-1220663600[b71551c0]: nsHttpChannel::GetAuthenticator [this=af411090]
-1220663600[b71551c0]: nsHttpChannel::GetCredentialsForChallenge [this=af411090 proxyAuth=1 challenges=Negotiate]
-1220663600[b71551c0]: nsHttpAuthCache::GetAuthEntryForDomain [key=http://isa2004.xxxxxx.sk:8080 realm=]
-1220663600[b71551c0]: service = isa2004.xxxxxx.sk
-1220663600[b71551c0]: using negotiate-gss
-1220663600[b71551c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1220663600[b71551c0]: Attempting to load user specified library [libgssapi_krb5.so.2]
-1220663600[b71551c0]: Attempting to load gss functions
-1220663600[b71551c0]: entering nsAuthGSSAPI::Init()
-1220663600[b71551c0]: identity invalid = 0
-1220663600[b71551c0]: nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
-1220663600[b71551c0]: entering nsAuthGSSAPI::GetNextToken()
-1220663600[b71551c0]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
This is followed by a fallback to NTLM, but we want Kerberos ;).
Apart from googling, I have tried for example:
- adding the Active Directory and proxy servers to /etc/hosts on the PC
- installing krb5-devel
- creating a reverse DNS record for the ISA server's IP address
- various modifications of krb5.conf
- modifying the negotiate-auth configuration parameters in Firefox
(about:config)
- various restarts of the browser or the whole PC in between
- tcpdumping the traffic
Can anyone experienced give further hints on what to try and what to look at?
Or is there anyone for whom this works?
Thanks in advance.
Jano Ostrochovsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.conf
Type: application/octet-stream
Size: 625 bytes
Desc: not available
URL: <http://lists.linux.sk/pipermail/linux/attachments/20101230/ebe996da/attachment.obj>
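As an added illustration of what the browser log in the post above is saying (this is not the poster's code, nor anything from Firefox or MIT krb5), a small Python triage helper: it pulls the proxy host out of the Firefox negotiate log, derives the service principal HTTP/<host>@REALM that nsAuthGSSAPI asks the KDC for, and checks the klist output for a matching service ticket. The sample log and klist text are constructed from the values quoted in the post; the mapping of "Server not found in Kerberos database" to "no such principal registered at the KDC" is the standard MIT krb5 meaning of that message.

```python
import re

# Constructed sample input: trimmed copies of the Firefox NSPR log and klist output quoted above.
FIREFOX_LOG = """\
-1220663600[b71551c0]: nsHttpChannel::GetCredentialsForChallenge [this=af411090 proxyAuth=1 challenges=Negotiate]
-1220663600[b71551c0]: service = isa2004.xxxxxx.sk
-1220663600[b71551c0]: using negotiate-gss
-1220663600[b71551c0]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
"""
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: 999999@XXXXXX.SK
Valid starting     Expires            Service principal
12/30/10 15:26:02  12/31/10 01:26:02  krbtgt/XXXXXX.SK@XXXXXX.SK
12/30/10 15:26:02  12/31/10 01:26:02  Desktop$@XXXXXX.SK
"""
TICKET_LINE = re.compile(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")

def parse_klist(text):
    """Return (default realm, set of service principals held in the ticket cache)."""
    realm, spns = None, set()
    for line in text.splitlines():
        m = re.match(r"Default principal: \S+@(\S+)", line)
        if m:
            realm = m.group(1)
        m = TICKET_LINE.match(line)
        if m:
            spns.add(m.group(1))
    return realm, spns

def diagnose(log, klist):
    """Name the SPN the Negotiate handshake needed and say whether a ticket for it exists."""
    service = re.search(r"service = (\S+)", log)
    realm, spns = parse_klist(klist)
    result = {"service": service.group(1) if service else None, "realm": realm}
    if not service or not realm:
        result["verdict"] = "proxy host or realm not found in the input"
        return result
    # nsAuthGSSAPI requests the host-based service HTTP@<host>; krb5 turns that into a
    # ticket request for HTTP/<host>@REALM (after any DNS canonicalisation of <host>).
    spn = f"HTTP/{service.group(1)}@{realm}"
    result["expected_spn"], result["ticket_present"] = spn, spn in spns
    if "Server not found in Kerberos database" in log:
        result["verdict"] = (f"the KDC has no principal {spn}: the SPN is not registered on "
                             "the proxy's account, or the host name canonicalises to another name")
    else:
        result["verdict"] = "ticket obtained" if spn in spns else "check the GSS minor code"
    return result
```

Running `diagnose(FIREFOX_LOG, KLIST_OUTPUT)` on the constructed input reports the missing principal `HTTP/isa2004.xxxxxx.sk@XXXXXX.SK`, which is the SPN to verify on the ISA server's AD account (and, via `kvno`, from the client) before touching Firefox settings again.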