Uploaded image for project: 'serf'
  1. serf
  2. SERF-125

Can't authenticate with Negotiate/Kerberos to a proxy when reverse dns is not set up correctly

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • None

    Description

      Environment:
      On my development network, I have a kerberos server hosted at lgo-ubuntu1.dev. From my wifi router it gets the domain name of my provider assigned, so if I do a reverse lookup of the IP address of that server I get lgo-ubuntu1.myhostingprovider.be .

      While this is not ideal for a Kerberos setup, MIT kerberos allows me disable reverse lookup in its configuration, so if I configure this in my krb5.conf file (on the server):
      [libdefaults]
      default_realm = DEV
      rdns = false
      kinit on my client can successfully get the initial ticket-granting ticket for my account lgo@DEV.

      Problem:
      The problem is that serf insists on doing a reverse lookup of the proxy's ip address. So if I run:
      $ test/serf_get -p lgo-ubuntu1.dev:8080 http://google.com
      ...
      [2013-08-17T17:17:10.870232+02] [l:192.168.1.113:63973 r:192.168.1.112:8080] auth/auth.c: Proxy authz required. Response header(s): Negotiate oQcwBaADCgEC
      [2013-08-17T17:17:10.870247+02] [l:192.168.1.113:63973 r:192.168.1.112:8080] auth/auth.c: Client supports: Negotiate
      [2013-08-17T17:17:10.870259+02] [l:192.168.1.113:63973 r:192.168.1.112:8080] auth/auth.c: ... matched: Negotiate
      [2013-08-17T17:17:10.870465+02] auth/auth_spnego_gss.c: Get principal for HTTP@lgo-ubuntu1.myhostingprovider.be
      [2013-08-17T17:17:10.870508+02] auth/auth_spnego_gss.c: Error during Kerberos handshake (d0000,100007): SPNEGO failed to negotiate a mechanism
      [2013-08-17T17:17:10.870517+02] [l:192.168.1.113:63973 r:192.168.1.112:8080] auth/auth.c: Negotiate authentication failed.
      Error running context: (120190) An error occurred during authentication

      serf will use lgo-ubuntu1.myhostingprovider.be as hostname for the principal.

      I have only tested on mac os x with gssapi, the code responsible for this behaviour was introduced in r1667. On Windows where SSPI is used it looks like the above setup will fail both for authn to host and proxy, since r1460.

      Suggestion for solution
      Ideally serf can support my not-100% -correctly-setup network, with an option, or maybe it's possible to check of MIT Kerberos is configured to not do reverse lookups.

      Attachments

        Activity

          People

            lgo Lieven Govaerts
            lgo Lieven Govaerts
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: