After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 159663 - lacks negotiate/kerberos support
lacks negotiate/kerberos support
Status: RESOLVED FIXED
Product: gnome-vfs
Classification: Deprecated
Component: Module: http
2.9.x
Other Linux
: Normal enhancement
: ---
Assigned To: gnome-vfs maintainers
gnome-vfs maintainers
Depends on:
Blocks:
 
 
Reported: 2004-11-27 22:49 UTC by Sean Middleditch
Modified: 2006-03-21 22:50 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch to fix the described errors. (700 bytes, patch)
2005-01-21 23:21 UTC, Fredrik Tolf
none Details | Review
Update neon to use GSSAPI support from neon HEAD. (17.53 KB, patch)
2005-02-21 19:27 UTC, Sean Middleditch
none Details | Review

Description Sean Middleditch 2004-11-27 22:49:42 UTC
Try to connec to any DAV server that allows negotiate authentication to
authenticate using Kerberos tickets.  This fails, resulting in the user being
required to enter their password to authenticate to the server.
Comment 1 Fredrik Tolf 2005-01-21 23:19:28 UTC
I checked this in the neon HTTP method, and found two errors:

1. In the auth_challenge function in imported/neon/ne_auth.c, control is only
passed to the GSSAPI challenge function if the page is being access over HTTPS.
Since GSSAPI is secure in itself, there's no need for this restriction.
2. More importantly, in the gssapi_challenge function in the same file, the
`context' variable must be initialized to GSS_C_NO_CONTEXT before being passed
to gss_init_sec_context. Otherwise gss_init_sec_context will return failure,
which will abort the entire response attempt.

I tried fixing these two errors, and GSSAPI authentication now works perfectly
for me. I haven't looked at the non-neon HTTP code, though, since it seems to be
deprecated (it's called OLD in Makefile.am).
Comment 2 Fredrik Tolf 2005-01-21 23:21:14 UTC
Created attachment 36357 [details] [review]
Patch to fix the described errors.

This patch made GSSAPI authentication work for me.
Comment 3 Sean Middleditch 2005-02-19 06:26:45 UTC
Gave this patch a try on gnome-vfs 2.9.91 (Fedora Rawhide SRPM rebuild), no
luck.  Using WebDAV over SSL, mod_auth_kerb 5.0-rc6.  Mozilla/Firefox/Epiphany
work just fine (once enable the network.negotiate-auth.trusted-uris config key).
Comment 4 Fredrik Tolf 2005-02-19 16:13:12 UTC
I spoke with the neon people about this, and they had already found and fixed
the bug, although they haven't yet released a version with the fix.

However, when gnome-vfs takes that version of neon, I guess this'll be fixed
automagically.
Comment 5 Fredrik Tolf 2005-02-19 16:16:32 UTC
Here's a link to the discussion on the neon mailing list, for anyone interested:
http://mailman.webdav.org/pipermail/neon/2005-January/001875.html
Comment 6 Sean Middleditch 2005-02-19 16:24:18 UTC
Hmm, I take it this isn't something I could just drop into gnome-vfs to see if
it resolves the problem, since it (apparantly) has an API change...?
Comment 7 Sean Middleditch 2005-02-21 19:27:25 UTC
Created attachment 37751 [details] [review]
Update neon to use GSSAPI support from neon HEAD.

Patch originally from
http://cvs.fedora.redhat.com/viewcvs/devel/neon/neon-0.24.7-gssapi.patch but
updated to apply cleanly to gvs 2.9.91 neon copy.
Comment 8 Sean Middleditch 2005-02-21 19:27:40 UTC
I have patched gnome-vfs-2.9.91 to support GSSAPI properly, and it passes the
Works For Me Test (tm).

I found this patch for Fedora's Rawhide neon version:
http://cvs.fedora.redhat.com/viewcvs/devel/neon/neon-0.24.7-gssapi.patch

Unfortunately, it doesn't apply cleanly to the gvs 2.9.91 codebase.  I manually
applied the bits that didn't apply on their own, recompiled, and everything
seems to work great!
Comment 9 Christian Kellner 2005-11-26 13:31:33 UTC
I have updated neon to 0.25.4 on gnome-vfs HEAD. Could you please try it again
with that? I think it has support for GSSAPI, so I am confident this is fix. I
am marking this as NEEDINFO therefore. Please close if its working or reopen if
not. Thanks!
Comment 10 Sean Middleditch 2005-11-27 05:28:23 UTC
Sadly I no longer have a kerberized WebDAV server to test with.  I gave up on it
just a few weeks ago due to partly to this bug and shut it down.  :-(

I do know for a fact that the bug in question was caused fix in Neon 0.25,
though. I can't verify that it's fixed, but I'm fairly sure that that is the case.
Comment 11 Sean Middleditch 2006-03-19 23:42:18 UTC
I still haven't been able to test this, but I do know that Neon 0.25 included the GSSAPI fix.  The original patch I posted from Fedora was a patch backported to 0.24 from the 0.25 series.  I think you can safely close this bug.
Comment 12 Christian Neumair 2006-03-21 22:50:16 UTC
Closing per request.