subversion + neon + windows + mod_kerb = InitializeSecurityContext SEC_E_INTERNAL_ERROR

Alon Bar-Lev alon.barlev at gmail.com
Mon Oct 3 16:53:10 EDT 2011


Well,
I give up... tried everything, nothing wrongs.
With <mit-krb-1.7 I get wrong principal in request.
With >=mit-krb-1.7 I get the sspi error.

Why can't neon be like IE/Firefox and just work?

On Mon, Oct 3, 2011 at 3:42 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Downgraded to:
> ---
> openssl-0.9.8r
> mit-krb-1.6.3
> ---
>
> Still now working.
>
> On Mon, Oct 3, 2011 at 1:40 AM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>> OK, one full work day for this.
>> I proved the problem is not in the domain settings or the way I join
>> machines to the domains.
>>
>> Same client is working with CentOS configuration is working while Gentoo is not.
>> The difference between relevant packages are:
>>
>> CentOS
>> ---
>> openssl-0.9.8e-20.el5
>> httpd-2.2.3-53.el5.centos.1
>> mod_ssl-2.2.3-53.el5.centos.1
>> mod_auth_kerb-5.1-3.el5
>> samba-3.0.33-3.29.el5_7.4
>> krb5-workstation-1.6.1-62.el5
>> ---
>>
>> Gentoo
>> ---
>> dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
>> www-servers/apache-2.2.21
>> www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
>> net-fs/samba-3.5.11
>> app-crypt/mit-krb5-1.9.1
>> ---
>>
>> Unfortunately I could not downgrade openssl to 0.9.8e as it segfaults.
>> The only component I suspect is openssl and the renegotiation modification
>> that was modified in 0.9.8f.
>> We had one machine with old TortoiseSVN which complained that it
>> cannot establish SSL session, so I guess the CentOS openssl is not
>> patched for the CVE-2007-4995.
>>
>> Is this sounds familiar to anyone?
>>
>> Thanks!
>>
>> On Sun, Oct 2, 2011 at 9:31 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>> More information, I am getting this message once after reboot, found
>>> no reference for this in the Internet.
>>> ---
>>> Event Type:     Warning
>>> Event Source:   LSASRV
>>> Event Category: SPNEGO (Negotiator)
>>> Event ID:       40962
>>> Date:           10/2/2011
>>> Time:           9:21:58 PM
>>> User:           N/A
>>> Computer:       VALON
>>> Description:
>>> The Security System was unable to authenticate to the server
>>> HTTP/correlux-gentoo.correlsense.com because the server has completed
>>> the authentication, but the client authentication protocol Kerberos
>>> has not.
>>> ---
>>>
>>> I also created spn using ktpass so I have:
>>> ---
>>> Keytab name: WRFILE:/etc/alon1.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>   3 HTTP/correlux-gentoo.correlsense.com at CORRELSENSE.COM (arcfour-hmac)
>>> ---
>>>
>>> Just in cast the DC does not accept DES anymore.
>>> I can see this at setspn -l.
>>>
>>> Again,
>>> All other tools are working except of neon...
>>>
>>> On Sun, Oct 2, 2011 at 4:48 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>>> Forgot to mention that when running on the same windows workstation
>>>> Internet Explorer and Firefox do succeed in authenticating without any
>>>> problem to the same location.
>>>>
>>>> XP and Windows 7 - same behavior.
>>>>
>>>> Thanks!
>>>>
>>>> On Sun, Oct 2, 2011 at 4:45 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> On Linux works perfectly!
>>>>>
>>>>> Configuration is Windows 2003 AD, apache2+mod_auth_kerb-5.4
>>>>>
>>>>> At server side I don't see any error, but on client side I see
>>>>> InitializeSecurityContext returning an error.
>>>>>
>>>>> I see in kerbtray that a valid ticket was acquired at windows side.
>>>>>
>>>>> Running both as:
>>>>> ---
>>>>> TortoiseSVN 1.6.16, Build 21511 - 32 Bit , 2011/06/01 19:00:35
>>>>> Subversion 1.6.17,
>>>>> apr 1.3.12
>>>>> apr-utils 1.3.12
>>>>> neon 0.29.6
>>>>> OpenSSL 1.0.0d 8 Feb 2011
>>>>> zlib 1.2.5
>>>>> ---
>>>>> And:
>>>>> ---
>>>>> svn, version 1.6.17-SlikSvn-tag-1.6.17 at 1130896-WIN32 (SlikSvn/1.6.17) WIN32
>>>>>   compiled Jun  3 2011, 07:33:44
>>>>> ---
>>>>>
>>>>> Neon Log
>>>>> ---
>>>>> Running post_send hooks
>>>>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is
>>>>> Negotiate oYGfMIGcoAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWeZpnkhcM6L/46+tUax3WtI15nBHJ63lGFL3ohcnJUb5qddhrMDQssCL6fYbOtjrUxpGPMplfIlXDxl089lYbUyqcE++7eBFwDDY9l5dT6FJeAvQfKZ8pUfB
>>>>> auth: SSPI challenge.
>>>>> InitializeSecurityContext [fail] [80090304].
>>>>> sspi: initializeSecurityContext [failed] [80090304].
>>>>> Request ends, status 201 class 2xx, error line:
>>>>> 201 Created
>>>>> Running destroy hooks.
>>>>> Request ends.
>>>>> svn: Commit failed (details follow):
>>>>> svn: MKACTIVITY of '/svn/Test/!svn/act/6694f132-323c-334e-a863-5f6b6ca1d8d9': 20
>>>>> 1 Created (https://correlux-gentoo.correlsense.com)
>>>>> ---
>>>>>
>>>>> httpd Log
>>>>> ---
>>>>> Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1628): [client
>>>>> 10.10.49.56] kerb_authenticate_user entered with user (NULL) and
>>>>> auth_type Kerberos
>>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1240): [client
>>>>> 10.10.49.56] Acquiring creds for HTTP at correlux-gentoo.correlsense.com
>>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1385): [client
>>>>> 10.10.49.56] Verifying client data using KRB5 GSS-API with our SPNEGO
>>>>> lib
>>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1401): [client
>>>>> 10.10.49.56] Client didn't delegate us their credential
>>>>> [Sun Oct 02 16:32:31 2011] [debug] src/mod_auth_kerb.c(1420): [client
>>>>> 10.10.49.56] GSS-API token of length 162 bytes will be sent back
>>>>> ---
>>>>>
>>>>> I see same httpd messages in working linux client setup.
>>>>>
>>>>> Has anyone had this? Any clue how to debug this farther?
>>>>> Thanks!
>>>>> Alon.
>>>>>
>>>>
>>>
>>
>



More information about the neon mailing list