[CalendarServer-dev] PyKerberos with mod_spnego.apple
Guido Günther
agx at sigxcpu.org
Fri Nov 21 04:58:06 PST 2008
On Wed, Nov 19, 2008 at 09:37:22PM +0100, Paul Windey wrote:
> Hi,
>
> When I use test.py in PyKerberos
> against an original Mac OS X Server running caldav it seems to works
> fine. (port 8008 , directory /principals/)
> However if I run it against the Apache 2 server shipped with OS X Server
> 10.5 (port 80 or 443 ; directory /some-protected-realm/)
> and a realm protected with Kerberos it fails miserably, resulting in
I've run pykerberos against mod-auth-kerb which works.
> *** Running HTTP test
> Second HTTP request did not result in a 2xx response: 401
That's unauthorized. Could you try:
http://honk.sigxcpu.org/projects/pykerberos/test-http.py
as ./test-http.py --debug <url>. This will show you the http headers
returned and possibly give some info.
> and a web server error
> mod_spnego_apple: Cannot get SPNEGO handle from token: -9
> binaryTokenLen=595, base64Len=598
>
> So it seems that PyKerberos authenticates fine against the python server
> behind caldav but NOT
> against the stock apple spnego module shipped with the server.
>
> Is this the expected behavior or a flagrant bug ?
It's a bug. We should handle spnego properly but it's not necessarily a
bug in pykerberos. It could be the server side as well as the kerberos
library on your system - hard to say.
>
> This test was prompted by efforts of Tim Olsen who wrote a kerberos
> authetication extension
> for mercurial (hg revision control software) to help me use it on a Mac
> Os X server.
Can you use mod-auth-kerb instead of mod-spnego-apple?
Sorry if this is not very helpful,
-- Guido
More information about the calendarserver-dev
mailing list