[cups.bugs] [MOD] STR #2748: Negotiate Authentication Failure on Web Interface

Richard Fuller rpfuller-cups at cs.york.ac.uk
Mon Apr 7 03:36:09 PDT 2008


On Wednesday 26 Mar 2008, Michael Sweet wrote:
> [STR Closed w/Resolution]
>
> Well, the patch is correct but the credentials your browser is supplying
> are not - the GSS API spec requires that the client (your web browser)
> provide credentials with the "delegatable" bit set...
>
> I'll close this bug out (we are now properly using Kerberos credentials
> for CGI programs), and you need to file a bug with the browser developers.
> Once that problem is fixed, everything should work just fine...

Out of interest, which browsers does this work with? I've managed to get a bit 
further, sending credentials with the delegate bit set, but the 
gss_krb5_copy_ccache always fails with "Invalid credential was supplied" 
con->gss_delegated_cred contains something that looks like valid delegated 
credentials when the delegate bit is set.

I've tried Firefox (2 and latest trunk), Safari, Perl with 
LWP::Authen::Negotiate, and Konqueror 4, and I'm using the latest stable MIT 
Kerberos, 1.6.3.

It's particularly frustrating because if I get it to ignore the result of 
gss_krb5_copy_ccache everything works 'fine' for me (the delegated 
credentials don't work, but it uses local certificate auth to send the IPP 
commands, and renegotiates for each HTTP request, and that all works fine) as 
the only real issue I'm having is the basic vs Negotiate mismatch one.

Since I have a workaround this isn't particularly important, but I would like 
to resolve the issue properly at some point. I'm happy to do what I can, but 
it would really help if there was a combination known to work that I can try 
to see what should be happening.

Regards,
Richard





More information about the cups-devel mailing list