[CalendarServer-users] calendarserver on debian via nss and kerberos

Marco Ghidinelli marco.ghidinelli at turboden.net
Tue Mar 24 07:26:08 PDT 2009 

On 03/24/2009 03:03 PM, Marco Ghidinelli wrote:
> On Mon, Mar 23, 2009 at 07:10:51AM +0100, Guido Günther wrote:
>  > On Tue, Mar 03, 2009 at 12:27:45PM +0100, Marco Ghidinelli wrote:
>  > > hello,
>  > > anyone was able to use calendarserver on debian 5 with users from
>  > > nssswitch and authentication via SPNEGO/Kerberos?
>  > >
>  > > I followed the README.Debian, but with no results.
>  > To verify if NSS really works you can change:
>
> [...]
>  >
>  > in twistedcaldav/directory/nss.py. This will disable *all*
>  > authentication but the first/lastValUid etc checks will still be in
>  > place. Once this works we can try to work out why kerberos fails.
>
> hello guido,
>
> i changed the line above, but with or without the change the result is
> the same:
>
> i always get an
> 2009-03-24 14:33:46+0100 [-] [caldav-8008] [NegotiateCredentialFactory]
> 'authGSSServerStep: Unspecified GSS failure. Minor code may provide
> more information(No error)'
>
> so i changed the twistedcalendar/authkerb.py at about the line 231
> to print the base64data associated to the failed request.
>
> when i connect from internetexplorer i get an ntlm base64data,
> when i connect from firefox (from a kerberos authenticated linux
> machine) i get a long message, that i'll send you in a private mail.

from the firefox machine, i tried to

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log

and i got those error messages:

-1211647776[9878060]:   using REQ_DELEGATE
-1211647776[9878060]:   service = muttley.domain.local
-1211647776[9878060]:   using negotiate-gss
-1211647776[9878060]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1211647776[9878060]: entering nsAuthGSSAPI::Init()
-1211647776[9878060]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=negotiate]
-1211647776[9878060]: entering nsAuthGSSAPI::GetNextToken()
-1211647776[9878060]:   leaving nsAuthGSSAPI::GetNextToken [rv=0]
-1211647776[9878060]:   Sending a token of length 1376
-1211647776[9878060]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=negotiate]
-1211647776[9878060]: entering nsAuthGSSAPI::GetNextToken()
-1211647776[9878060]: Cannot restart authentication sequence!

but i don't know hot to use this informations.

More information about the calendarserver-users mailing list