GNOME Bugzilla – Bug 159663
lacks negotiate/kerberos support
Last modified: 2006-03-21 22:50:16 UTC
Try to connect to any DAV server that allows negotiate authentication to authenticate using Kerberos tickets. This fails, resulting in the user being required to enter their password to authenticate to the server.
I checked this in the neon HTTP method, and found two errors:

1. In the auth_challenge function in imported/neon/ne_auth.c, control is only passed to the GSSAPI challenge function if the page is being accessed over HTTPS. Since GSSAPI is secure in itself, there's no need for this restriction.
2. More importantly, in the gssapi_challenge function in the same file, the `context' variable must be initialized to GSS_C_NO_CONTEXT before being passed to gss_init_sec_context. Otherwise gss_init_sec_context will return failure, which will abort the entire response attempt.

I tried fixing these two errors, and GSSAPI authentication now works perfectly for me. I haven't looked at the non-neon HTTP code, though, since it seems to be deprecated (it's called OLD in Makefile.am).
Created attachment 36357 Patch to fix the described errors. This patch made GSSAPI authentication work for me.
Gave this patch a try on gnome-vfs 2.9.91 (Fedora Rawhide SRPM rebuild), no luck. Using WebDAV over SSL, mod_auth_kerb 5.0-rc6. Mozilla/Firefox/Epiphany work just fine (once you enable the network.negotiate-auth.trusted-uris config key).
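As an added illustration (not part of the bug thread and not code from neon or gnome-vfs): a client-side gate that decides whether to answer a Negotiate challenge at all, combining the HTTPS-only condition discussed in the first comment with a trusted-host allowlist in the spirit of the network.negotiate-auth.trusted-uris key mentioned above. The function names, the comma-separated list format and the matching rules are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n bytes; a NUL in a ends the match early. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* 1 if host equals the entry or is a subdomain of it. The match must fall on
 * a label boundary, so "evilexample.com" does not match "example.com". */
static int host_matches(const char *host, size_t hlen, const char *ent, size_t elen)
{
    if (elen > 0 && ent[0] == '.') { ent++; elen--; }  /* accept ".example.com" */
    if (elen == 0 || hlen < elen || !ieq(host + (hlen - elen), ent, elen)) return 0;
    return hlen == elen || host[hlen - elen - 1] == '.';
}

/* Decide whether to answer a Negotiate challenge received from url.
 * trusted: comma-separated host names (list format assumed for this example).
 * require_https: non-zero keeps the HTTPS-only gate. */
int negotiate_allowed(const char *url, const char *trusted, int require_https)
{
    int https = ieq(url, "https://", 8);
    if (!https && !ieq(url, "http://", 7)) return 0;   /* other schemes: refuse */
    if (require_https && !https) return 0;
    url += https ? 8 : 7;
    size_t alen = strcspn(url, "/?#");                 /* [userinfo@]host[:port] */
    if (memchr(url, '@', alen)) return 0;              /* userinfo can hide the real host */
    size_t hlen = 0;
    while (hlen < alen && url[hlen] != ':') hlen++;    /* host ends at ':' or authority end */
    while (*trusted) {
        while (*trusted == ' ') trusted++;
        size_t elen = strcspn(trusted, ",");
        if (host_matches(url, hlen, trusted, elen)) return 1;
        trusted += elen;
        if (*trusted == ',') trusted++;
    }
    return 0;
}

int main(void)
{   /* Constructed sample URLs and allowlist. */
    printf("%d\n", negotiate_allowed("https://dav.example.com/files", "example.com", 1));
    printf("%d\n", negotiate_allowed("https://evilexample.com/", "example.com", 1));
}
```

A caller would run this check before handing the challenge to its GSSAPI code, so that no Kerberos token is generated for a host outside the allowlist.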
I spoke with the neon people about this, and they had already found and fixed the bug, although they haven't yet released a version with the fix. However, when gnome-vfs takes that version of neon, I guess this'll be fixed automagically.
Here's a link to the discussion on the neon mailing list, for anyone interested: http://mailman.webdav.org/pipermail/neon/2005-January/001875.html
Hmm, I take it this isn't something I could just drop into gnome-vfs to see if it resolves the problem, since it (apparently) has an API change...?
Created attachment 37751 Update neon to use GSSAPI support from neon HEAD. Patch originally from http://cvs.fedora.redhat.com/viewcvs/devel/neon/neon-0.24.7-gssapi.patch but updated to apply cleanly to gvs 2.9.91 neon copy.
I have patched gnome-vfs-2.9.91 to support GSSAPI properly, and it passes the Works For Me Test (tm). I found this patch for Fedora's Rawhide neon version: http://cvs.fedora.redhat.com/viewcvs/devel/neon/neon-0.24.7-gssapi.patch Unfortunately, it doesn't apply cleanly to the gvs 2.9.91 codebase. I manually applied the bits that didn't apply on their own, recompiled, and everything seems to work great!
I have updated neon to 0.25.4 on gnome-vfs HEAD. Could you please try it again with that? I think it has support for GSSAPI, so I am confident this is fixed. I am marking this as NEEDINFO therefore. Please close if it's working or reopen if not. Thanks!
Sadly I no longer have a kerberized WebDAV server to test with. I gave up on it just a few weeks ago due partly to this bug and shut it down. :-( I do know for a fact that the bug in question was fixed in Neon 0.25, though. I can't verify that it's fixed, but I'm fairly sure that that is the case.
I still haven't been able to test this, but I do know that Neon 0.25 included the GSSAPI fix. The original patch I posted from Fedora was a patch backported to 0.24 from the 0.25 series. I think you can safely close this bug.
Closing per request.