On Wed, Nov 19, 2008 at 09:37:22PM +0100, Paul Windey wrote:
Hi,
When I use test.py in PyKerberos against an original Mac OS X Server running caldav it seems to works fine. (port 8008 , directory /principals/) However if I run it against the Apache 2 server shipped with OS X Server 10.5 (port 80 or 443 ; directory /some-protected-realm/) and a realm protected with Kerberos it fails miserably, resulting in I've run pykerberos against mod-auth-kerb which works.
*** Running HTTP test Second HTTP request did not result in a 2xx response: 401 That's unauthorized. Could you try: http://honk.sigxcpu.org/projects/pykerberos/test-http.py as ./test-http.py --debug <url>. This will show you the http headers returned and possibly give some info.
and a web server error mod_spnego_apple: Cannot get SPNEGO handle from token: -9 binaryTokenLen=595, base64Len=598
So it seems that PyKerberos authenticates fine against the python server behind caldav but NOT against the stock apple spnego module shipped with the server.
Is this the expected behavior or a flagrant bug ? It's a bug. We should handle spnego properly but it's not necessarily a bug in pykerberos. It could be the server side as well as the kerberos library on your system - hard to say.
This test was prompted by efforts of Tim Olsen who wrote a kerberos authetication extension for mercurial (hg revision control software) to help me use it on a Mac Os X server.
Can you use mod-auth-kerb instead of mod-spnego-apple? Sorry if this is not very helpful, -- Guido