[cups.bugs] [MOD] STR #2748: Negotiate Authentication Failure on Web Interface
Richard Fuller
rpfuller-cups at cs.york.ac.uk
Mon Apr 7 03:36:09 PDT 2008
On Wednesday 26 Mar 2008, Michael Sweet wrote:
> [STR Closed w/Resolution]
>
> Well, the patch is correct but the credentials your browser is supplying
> are not - the GSS API spec requires that the client (your web browser)
> provide credentials with the "delegatable" bit set...
>
> I'll close this bug out (we are now properly using Kerberos credentials
> for CGI programs), and you need to file a bug with the browser developers.
> Once that problem is fixed, everything should work just fine...
Out of interest, which browsers does this work with? I've managed to get a bit
further, sending credentials with the delegate bit set, but the
gss_krb5_copy_ccache always fails with "Invalid credential was supplied"
con->gss_delegated_cred contains something that looks like valid delegated
credentials when the delegate bit is set.
I've tried Firefox (2 and latest trunk), Safari, Perl with
LWP::Authen::Negotiate, and Konqueror 4, and I'm using the latest stable MIT
Kerberos, 1.6.3.
It's particularly frustrating because if I get it to ignore the result of
gss_krb5_copy_ccache everything works 'fine' for me (the delegated
credentials don't work, but it uses local certificate auth to send the IPP
commands, and renegotiates for each HTTP request, and that all works fine) as
the only real issue I'm having is the basic vs Negotiate mismatch one.
Since I have a workaround this isn't particularly important, but I would like
to resolve the issue properly at some point. I'm happy to do what I can, but
it would really help if there was a combination known to work that I can try
to see what should be happening.
Regards,
Richard
More information about the cups-devel
mailing list