Closed michael-o closed 2 years ago
Sample exception from a JGSS acceptor:
```
2021-12-22T17:06:02.350 WARNUNG [https-openssl-apr-8444-exec-43] net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate The Negotiate (SPNEGO) authentication token is invalid: YIIM2gYJKoZIhvcSAQICAQBuggzJMIIMxaADAgEFoQMCAQ6iBwMFAA...0WW16gS+vSg
GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
    at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:148)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:626)
```
In the init method: https://github.com/pythongssapi/requests-gssapi/blob/74766a6ed1401eb8570ee7c5786cff25475edd4f/requests_gssapi/gssapi_.py#L110-L112
`None` is passed to the mech, which means MIT Kerberos/Heimdal decide, which will almost always be Kerberos 5 and not SPNEGO. This causes two problems:
If using Java GSS on the target server, it always requires providing a custom value to this auth class to meet the above, which is expected to be the default. Other OSS implementations correctly pass a SPNEGO OID w/o a ctor param to modify it and work flawlessly, e.g., browsers, libcurl, libserf.
Willing to provide a PR for this. I am currently using this as an unnecessary workaround.
Question on SO: https://stackoverflow.com/q/57729499/696632 and there are numerous other reports on the internet.
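A diagnostic for the failure reported above, added here as an example and not part of the issue or of requests-gssapi: it reads the RFC 2743 header of a base64 Negotiate token and reports which mechanism OID framed it. `token_mech`, `PAGE_TOKEN_PREFIX` and `SPNEGO_SAMPLE` are names chosen for this example, and the SPNEGO sample is a constructed header, not a real token.

```python
import base64

MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.5.5.2": "SPNEGO"}
# Leading characters of the token in the acceptor log quoted above.
PAGE_TOKEN_PREFIX = "YIIM2gYJKoZIhvcSAQICAQBu"
# Constructed sample: only the header of a SPNEGO-framed token.
SPNEGO_SAMPLE = base64.b64encode(
    bytes.fromhex("602806062b0601050502a01e")).decode()


def _read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("token too short")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or pos + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def _decode_oid(body, want):
    """Turn `want` DER OID content octets into dotted-decimal form."""
    if not body or len(body) != want or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear ends one sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def token_mech(b64_token):
    """Return (oid, name) for the mechanism framing an initial token."""
    text = b64_token.strip()
    # Only the header is needed, so a prefix cut from a log is enough.
    raw = base64.b64decode(text[:len(text) - len(text) % 4])
    if not raw or raw[0] != 0x60:  # [APPLICATION 0] tag from RFC 2743
        raise ValueError("not an RFC 2743 initial context token")
    _, pos = _read_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:  # OBJECT IDENTIFIER tag
        raise ValueError("mechanism OID missing")
    oid_len, pos = _read_length(raw, pos + 1)
    oid = _decode_oid(raw[pos:pos + oid_len], oid_len)
    return oid, MECHS.get(oid, "unknown")
```

For the token prefix from the log, `token_mech` reports Kerberos 5, the same OID named in the `GSSException`.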