[linux] Firefox + Kerberos authentication against an ISA proxy server in a Windows domain

Jan Ostrochovsky jan.ostrochovsky at gmail.com
Thursday, December 30, 18:16:06 CET 2010


Hi all,

We want to get the following working: Firefox authenticating to a proxy
server (Microsoft ISA 2004) via Kerberos from Active Directory (AD). The PC
runs Novell's Linux (SLED 11.1), and the user is logged into the Windows
domain from that PC. The /etc/krb5.conf from that PC is attached; XXXXXX.SK
stands in for the real domain.

I get the Kerberos ticket via PAM from the domain controller when logging
into the system. There is no problem with that; it works e.g. when mounting
shared Samba folders. The klist output is:

Desktop # klist
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: 999999@XXXXXX.SK

Valid starting     Expires            Service principal
12/30/10 15:26:02  12/31/10 01:26:02  krbtgt/XXXXXX.SK@XXXXXX.SK
       renew until 01/06/11 15:26:02
12/30/10 15:26:02  12/31/10 01:26:02  Desktop$@XXXXXX.SK
       renew until 01/06/11 15:26:02
12/30/10 16:34:58  12/31/10 01:26:02  sambaserver$@XXXXXX.SK
       renew until 01/06/11 15:26:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

However, the problem is with Firefox, which uses Negotiate Authentication
(Kerberos GSSAPI). Instead of authenticating to the ISA 2004 proxy server,
this shows up in the browser log:

-1220663600[b71551c0]: nsHttpChannel::ProcessAuthentication [this=af411090 code=407]
-1220663600[b71551c0]: nsHttpChannel::PrepareForAuthentication [this=af411090]
-1220663600[b71551c0]: nsHttpChannel::GetAuthenticator [this=af411090]
-1220663600[b71551c0]: nsHttpChannel::GetCredentialsForChallenge [this=af411090 proxyAuth=1 challenges=Negotiate]
-1220663600[b71551c0]: nsHttpAuthCache::GetAuthEntryForDomain [key=http://isa2004.xxxxxx.sk:8080 realm=]
-1220663600[b71551c0]:   service = isa2004.xxxxxx.sk
-1220663600[b71551c0]:   using negotiate-gss
-1220663600[b71551c0]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1220663600[b71551c0]: Attempting to load user specified library [libgssapi_krb5.so.2]
-1220663600[b71551c0]: Attempting to load gss functions
-1220663600[b71551c0]: entering nsAuthGSSAPI::Init()
-1220663600[b71551c0]:   identity invalid = 0
-1220663600[b71551c0]: nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
-1220663600[b71551c0]: entering nsAuthGSSAPI::GetNextToken()
-1220663600[b71551c0]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

A fallback to NTLM follows, but we want Kerberos ;).

Apart from googling, I have tried for example:
- adding the Active Directory and proxy servers to /etc/hosts on that PC
- installing krb5-devel
- creating a reverse DNS record for the ISA server's IP address
- various modifications of krb5.conf
- modifying the negotiate-auth configuration parameters in Firefox
(about:config)
- various restarts of the browser or the whole PC in between
- tcpdumping the traffic

Can someone experienced give further hints on what to try and what to look
at? Or is there anyone for whom this works?

Thanks in advance.

Jano Ostrochovsky
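Editor's note on the log above: "Server not found in Kerberos database" is the MIT krb5 text for KDC_ERR_S_PRINCIPAL_UNKNOWN. Firefox had already selected negotiate-gss and called gss_init_sec_context(), so the about:config side and the TGT are fine; what failed is the TGS-REQ for the proxy's service principal, HTTP/<canonical host>@REALM. Before building that name, libgssapi_krb5 canonicalizes the host Firefox hands it (isa2004.xxxxxx.sk): it follows CNAMEs to the address record and, with the libdefaults option rdns left at its default of true, replaces the name with whatever the PTR record for that address returns. The SPN the KDC is asked for is therefore tied to the reverse DNS name, and a stale or mismatched PTR produces exactly this error even though the forward name is right. The following Python script is an added example, not code from the original post or from any of the projects mentioned; it models that derivation and the KDC lookup with constructed data (the address 10.1.2.5, the names proxy.xxxxxx.sk and oldproxy.xxxxxx.sk, and the computer accounts ISA2004$ and DESKTOP$ are made up for illustration), so it runs offline and shows which SPN would be requested with rdns on and off.

```python
"""Model of how an MIT-Kerberos GSSAPI client turns the proxy host name that
Firefox hands it into the service principal (SPN) it requests from the KDC,
and why the KDC may answer "Server not found in Kerberos database".

Added, constructed example: the DNS data, computer accounts and SPNs below
are made up to illustrate the failure mode; they are not the poster's data.
"""

REALM = "XXXXXX.SK"
KDC_ERR_S_PRINCIPAL_UNKNOWN = "Server not found in Kerberos database"

# Constructed forward DNS: name -> (record type, target).  CNAMEs are followed.
FORWARD_DNS = {
    "isa2004.xxxxxx.sk": ("A", "10.1.2.5"),
    "proxy.xxxxxx.sk": ("CNAME", "isa2004.xxxxxx.sk"),
}

# Constructed reverse DNS.  The PTR is stale: it still names the host that
# used to own 10.1.2.5, and that is the name a client with rdns=true will
# put into the SPN it requests.
REVERSE_DNS = {"10.1.2.5": "oldproxy.xxxxxx.sk"}

# Constructed AD computer accounts with their servicePrincipalName values.
# Every computer account carries HOST/<fqdn>; AD's default sPNMappings make
# HOST/ an alias for a list of services that includes http, so HTTP/<fqdn>
# resolves to the same account without an explicit HTTP/ SPN.
DIRECTORY = {
    "ISA2004$": {"HOST/isa2004.xxxxxx.sk", "HOST/ISA2004"},
    "DESKTOP$": {"HOST/desktop.xxxxxx.sk", "HOST/DESKTOP"},
}
HOST_ALIASED_SERVICES = {"http", "www", "cifs", "ldap"}  # subset of sPNMappings


def canonical_host(host, forward=FORWARD_DNS, reverse=REVERSE_DNS, rdns=True):
    """Mimic krb5_sname_to_principal(): follow CNAMEs to the address record,
    then, when rdns is enabled (MIT's default), replace the name with the PTR
    of that address.  The result is lower-cased with any trailing dot removed.
    If there is no PTR, the forward canonical name is kept."""
    name = host.rstrip(".").lower()
    seen = set()
    while name in forward and forward[name][0] == "CNAME":
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = forward[name][1].rstrip(".").lower()
    if rdns and name in forward:
        addr = forward[name][1]
        name = reverse.get(addr, name).rstrip(".").lower()
    return name


def requested_spn(host, realm=REALM, **resolver):
    """Firefox imports "HTTP@<host>" as a host-based GSS name; krb5 then
    builds the TGS-REQ for HTTP/<canonical host>@REALM."""
    return "HTTP/%s@%s" % (canonical_host(host, **resolver), realm)


def kdc_lookup(spn, directory=DIRECTORY):
    """Return the account owning the SPN, or None, which the KDC reports as
    KDC_ERR_S_PRINCIPAL_UNKNOWN.  Matching is case-insensitive, as in AD."""
    name = spn.partition("@")[0]
    service, _, fqdn = name.partition("/")
    candidates = {name.lower()}
    if service.lower() in HOST_ALIASED_SERVICES:
        candidates.add("host/" + fqdn.lower())
    for account, spns in directory.items():
        if any(s.lower() in candidates for s in spns):
            return account
    return None


def diagnose(host, rdns=True, forward=FORWARD_DNS, reverse=REVERSE_DNS,
             directory=DIRECTORY):
    """Report which SPN a client would ask for and whether the KDC knows it."""
    spn = requested_spn(host, forward=forward, reverse=reverse, rdns=rdns)
    account = kdc_lookup(spn, directory)
    return {"spn": spn, "account": account,
            "error": None if account else KDC_ERR_S_PRINCIPAL_UNKNOWN}


if __name__ == "__main__":
    for rdns in (True, False):
        print("rdns=%s -> %s" % (rdns, diagnose("isa2004.xxxxxx.sk", rdns=rdns)))
    # Same client, but with the reverse zone corrected.
    fixed_ptr = {**REVERSE_DNS, "10.1.2.5": "isa2004.xxxxxx.sk"}
    print("PTR fixed  -> %s" % diagnose("isa2004.xxxxxx.sk", reverse=fixed_ptr))
```

On the real systems the same question is answered without the browser: on the SLED box, `kvno HTTP/isa2004.xxxxxx.sk` performs the identical TGS-REQ and prints the same KDC error, and `dig -x <ISA address>` shows the PTR name that rdns will substitute; on a domain controller, `setspn -L <ISA computer account>` lists the SPNs the KDC actually knows. If the reverse zone cannot be corrected, setting `rdns = false` in the [libdefaults] section of /etc/krb5.conf makes the client request the SPN for the forward name instead; the proxy must still be a domain computer account (or carry an explicit HTTP/ SPN) for that name, or the KDC will return the same error.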
Attachment: krb5.conf (application/octet-stream, 625 bytes)
URL: <http://lists.linux.sk/pipermail/linux/attachments/20101230/ebe996da/attachment.obj>

