subversion + neon + windows + mod_kerb = InitializeSecurityContext SEC_E_INTERNAL_ERROR

Alon Bar-Lev alon.barlev at gmail.com
Mon Oct 3 09:42:41 EDT 2011


Downgraded to:
---
openssl-0.9.8r
mit-krb-1.6.3
---

Still now working.

On Mon, Oct 3, 2011 at 1:40 AM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> OK, one full work day for this.
> I proved the problem is not in the domain settings or the way I join
> machines to the domains.
>
> Same client is working with CentOS configuration is working while Gentoo is not.
> The difference between relevant packages are:
>
> CentOS
> ---
> openssl-0.9.8e-20.el5
> httpd-2.2.3-53.el5.centos.1
> mod_ssl-2.2.3-53.el5.centos.1
> mod_auth_kerb-5.1-3.el5
> samba-3.0.33-3.29.el5_7.4
> krb5-workstation-1.6.1-62.el5
> ---
>
> Gentoo
> ---
> dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
> www-servers/apache-2.2.21
> www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
> net-fs/samba-3.5.11
> app-crypt/mit-krb5-1.9.1
> ---
>
> Unfortunately I could not downgrade openssl to 0.9.8e as it segfaults.
> The only component I suspect is openssl and the renegotiation modification
> that was modified in 0.9.8f.
> We had one machine with old TortoiseSVN which complained that it
> cannot establish SSL session, so I guess the CentOS openssl is not
> patched for the CVE-2007-4995.
>
> Is this sounds familiar to anyone?
>
> Thanks!
>
> On Sun, Oct 2, 2011 at 9:31 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>> More information, I am getting this message once after reboot, found
>> no reference for this in the Internet.
>> ---
>> Event Type:     Warning
>> Event Source:   LSASRV
>> Event Category: SPNEGO (Negotiator)
>> Event ID:       40962
>> Date:           10/2/2011
>> Time:           9:21:58 PM
>> User:           N/A
>> Computer:       VALON
>> Description:
>> The Security System was unable to authenticate to the server
>> HTTP/correlux-gentoo.correlsense.com because the server has completed
>> the authentication, but the client authentication protocol Kerberos
>> has not.
>> ---
>>
>> I also created spn using ktpass so I have:
>> ---
>> Keytab name: WRFILE:/etc/alon1.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>   3 HTTP/correlux-gentoo.correlsense.com at CORRELSENSE.COM (arcfour-hmac)
>> ---
>>
>> Just in cast the DC does not accept DES anymore.
>> I can see this at setspn -l.
>>
>> Again,
>> All other tools are working except of neon...
>>
>> On Sun, Oct 2, 2011 at 4:48 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>> Forgot to mention that when running on the same windows workstation
>>> Internet Explorer and Firefox do succeed in authenticating without any
>>> problem to the same location.
>>>
>>> XP and Windows 7 - same behavior.
>>>
>>> Thanks!
>>>
>>> On Sun, Oct 2, 2011 at 4:45 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>>> Hello,
>>>>
>>>> On Linux works perfectly!
>>>>
>>>> Configuration is Windows 2003 AD, apache2+mod_auth_kerb-5.4
>>>>
>>>> At server side I don't see any error, but on client side I see
>>>> InitializeSecurityContext returning an error.
>>>>
>>>> I see in kerbtray that a valid ticket was acquired at windows side.
>>>>
>>>> Running both as:
>>>> ---
>>>> TortoiseSVN 1.6.16, Build 21511 - 32 Bit , 2011/06/01 19:00:35
>>>> Subversion 1.6.17,
>>>> apr 1.3.12
>>>> apr-utils 1.3.12
>>>> neon 0.29.6
>>>> OpenSSL 1.0.0d 8 Feb 2011
>>>> zlib 1.2.5
>>>> ---
>>>> And:
>>>> ---
>>>> svn, version 1.6.17-SlikSvn-tag-1.6.17 at 1130896-WIN32 (SlikSvn/1.6.17) WIN32
>>>>   compiled Jun  3 2011, 07:33:44
>>>> ---
>>>>
>>>> Neon Log
>>>> ---
>>>> Running post_send hooks
>>>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is
>>>> Negotiate oYGfMIGcoAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWeZpnkhcM6L/46+tUax3WtI15nBHJ63lGFL3ohcnJUb5qddhrMDQssCL6fYbOtjrUxpGPMplfIlXDxl089lYbUyqcE++7eBFwDDY9l5dT6FJeAvQfKZ8pUfB
>>>> auth: SSPI challenge.
>>>> InitializeSecurityContext [fail] [80090304].
>>>> sspi: initializeSecurityContext [failed] [80090304].
>>>> Request ends, status 201 class 2xx, error line:
>>>> 201 Created
>>>> Running destroy hooks.
>>>> Request ends.
>>>> svn: Commit failed (details follow):
>>>> svn: MKACTIVITY of '/svn/Test/!svn/act/6694f132-323c-334e-a863-5f6b6ca1d8d9': 20
>>>> 1 Created (https://correlux-gentoo.correlsense.com)
>>>> ---
>>>>
>>>> httpd Log
>>>> ---
>>>> Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1628): [client
>>>> 10.10.49.56] kerb_authenticate_user entered with user (NULL) and
>>>> auth_type Kerberos
>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1240): [client
>>>> 10.10.49.56] Acquiring creds for HTTP at correlux-gentoo.correlsense.com
>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1385): [client
>>>> 10.10.49.56] Verifying client data using KRB5 GSS-API with our SPNEGO
>>>> lib
>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1401): [client
>>>> 10.10.49.56] Client didn't delegate us their credential
>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1420): [client
>>>> 10.10.49.56] GSS-API token of length 162 bytes will be sent back
>>>> ---
>>>>
>>>> I see same httpd messages in working linux client setup.
>>>>
>>>> Has anyone had this? Any clue how to debug this farther?
>>>> Thanks!
>>>> Alon.
>>>>
>>>
>>
>



More information about the neon mailing list