OT: Active Directory: Firefox with Kerberos

Christian Meyer c2h5oh at web.de
Tue Jan 5 22:54:32 CET 2016


Hello there,
and sorry for sending this off-topic issue to the FAI mailing list, but I
have been stuck for weeks and didn't find help in several forums, manpages,
howtos, search engines, ...

Do any of you use GNU/Linux GUI machines with Active Directory
authentication? Could you please send me your Iceweasel config?

Authentication and kerberos (mounting server shares) works well for me,
but I did not manage to get Iceweasel 38.5 working with kerberos.
Internet access is routed over a http-proxy (squid on a virtual machine)
that is configured to use kerberos.

On Windows machines Firefox works with single sign on out of the box.
No special ntlm, negotiate or proxy settings, just "use system
settings".

With Debian Jessie (using "use system settings", configured for Gnome
and Bash) I have to enter username / pw every time. Saving user
credentials is not an option because users' home directories have to be
clean and are deleted after logout.

Samba, winbind, pam and kerberos are configured like this:
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
I tried to configure iceweasel with this guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html

So I entered about:config and changed
network.negotiate-auth.trusted-uris and
network.negotiate-auth.delegation-uris to something like .WORK.company
(with different case-(in-)sensitive writings, with(out) domaincontroller
and so on).
But it seems that iceweasel doesn't use kerberos at all (at least this
is what I think after reading the logfiles)

$ klist
Ticket cache: FILE:/tmp/krb5cc_11000
Default principal: user@WORK.COMPANY

Valid starting       Expires              Service principal
03.01.2016 15:57:41  04.01.2016 01:57:26  krbtgt/WORK.COMPANY@WORK.COMPANY
              renew until 10.01.2016 15:57:41
03.01.2016 15:57:41  04.01.2016 01:57:26  DEBIAN-HOST@WORK.COMPANY
              renew until 10.01.2016 15:57:41
03.01.2016 15:57:41  04.01.2016 01:57:26  ldap/companydc.work.company@WORK.COMPANY
              renew until 10.01.2016 15:57:41
03.01.2016 15:57:43  04.01.2016 01:57:26  cifs/companydc@WORK.COMPANY
              renew until 10.01.2016 15:57:41

$ export NSPR_LOG_MODULES=negotiateauth:5
$ export NSPR_LOG_FILE=/tmp/moz.log
$ firefox
$ cat moz.log
abcd[xyz]: Writing to ntlm_auth: YR
abcd[xyz]: Writing to ntlm_auth: YR

Thanks a lot
Christian Meyer

BTW:
Can anyone confirm that iceweasel is keeping connections open (to the
proxy) and so letting it run out of memory? What are your settings to
prevent this?
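
A way to check the two observations in the post against each other, as an added example that is not part of the original message: it looks for an HTTP/<proxy> service ticket in the ticket cache (the ticket Negotiate against the proxy would use) and classifies the negotiateauth log as NTLM or GSSAPI. The proxy host name and the nsAuthGSSAPI log marker are assumptions.

```shell
#!/bin/sh
# Added diagnostic example, not part of the original post.
# PROXY_HOST is a hypothetical name; the post does not give the proxy's FQDN.
PROXY_HOST="proxy.work.company"

# Service principals from the klist listing in the post, written with "@".
KLIST_SAMPLE='krbtgt/WORK.COMPANY@WORK.COMPANY
DEBIAN-HOST@WORK.COMPANY
ldap/companydc.work.company@WORK.COMPANY
cifs/companydc@WORK.COMPANY'

# The two log lines quoted in the post.
LOG_SAMPLE='abcd[xyz]: Writing to ntlm_auth: YR
abcd[xyz]: Writing to ntlm_auth: YR'

# has_service_ticket LISTING SERVICE HOST
# Returns 0 if some whitespace-separated field of LISTING starts with
# SERVICE/HOST@ (case-insensitive), i.e. a ticket for that service exists.
has_service_ticket() {
    printf '%s\n' "$1" | awk -v want="$2/$3@" '
        { for (i = 1; i <= NF; i++)
              if (index(tolower($i), tolower(want)) == 1) found = 1 }
        END { exit !found }'
}

# auth_path LOGTEXT
# Prints which helper the negotiateauth log shows: ntlm, gssapi, both, none.
# "nsAuthGSSAPI" as the marker for the GSSAPI path is an assumption about
# the log wording; "Writing to ntlm_auth" is taken from the post.
auth_path() {
    printf '%s\n' "$1" | awk '
        /Writing to ntlm_auth/ { ntlm = 1 }
        /nsAuthGSSAPI/         { gss = 1 }
        END {
            if (ntlm && gss) print "both"
            else if (ntlm)   print "ntlm"
            else if (gss)    print "gssapi"
            else             print "none"
        }'
}

if has_service_ticket "$KLIST_SAMPLE" HTTP "$PROXY_HOST"; then
    echo "HTTP/$PROXY_HOST ticket: present"
else
    echo "HTTP/$PROXY_HOST ticket: missing"
fi
echo "auth path in log: $(auth_path "$LOG_SAMPLE")"
```

On a live session, pass `"$(klist)"` and the contents of the NSPR log file in place of the embedded samples.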


