[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 7 07:04:03 UTC 2014


Victor Sudakov wrote:
> > Well, I have tried negotiate_kerberos_auth with Firefox (Windows) 
> 
> I have tried the same with MSIE 8 (Windows).

After some adjustment to domain group policies, the Windows host is
at last requesting and successfully receiving the ticket for the proxy
service.  Wireshark output:

User Datagram Protocol, Src Port: kerberos (88), Dst Port: dellpwrappks (1266)
Kerberos TGS-REP
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: SIBPTUS.TRANSNEFT.RU
    Client Name (Principal): vas-adm
    Ticket
        Tkt-vno: 5
        Realm: SIBPTUS.TRANSNEFT.RU
        Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
        enc-part rc4-hmac
            Encryption type: rc4-hmac (23)
            enc-part: 3e0fc357a26db7dcdb0a5b6436b56f9c96d15ad7626eea08...
    enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
        Kvno: 1
        enc-part: db8c9ea1bf85c4bb5005103765767b692ed3c0f247c23d48...

The corresponding Kerberos principal is put into the keytab:
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU

The permissions on the keytab are correct. Squid receives it via the
environment:

env KRB5_KTNAME=/usr/local/etc/squid/squid.keytab \
        KRB5_CONFIG=/usr/local/etc/squid/krb5.conf \
        squid -f /usr/local/etc/squid/squid-test.conf

However, when actual authentication begins, it fails with:
"ERROR: gss_acquire_cred() failed:  No credentials were
supplied, or the credentials were unavailable or inaccessible..
unknown mech-code 0 for mech unknown"

If someone finds something familiar in the below debug output, or can
low-level debug actual kerberos, could you please let me know. Thanks
a lot in advance for any help.

negotiate_kerberos_auth.cc(212): pid=40984 :2014/10/07 13:12:08| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 Negotiate token omitted]' from squid (length: 1747).
negotiate_kerberos_auth.cc(311): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Decode '[base64 Negotiate token omitted]' (decoded length: 1308).
negotiate_kerberos_auth.cc(128): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
2014/10/07 13:12:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }}

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
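
Added example, not part of the original post and not Squid code: a Python check that the service ticket seen in the capture (service name HTTP/proxy.sibptus.transneft.ru, enctype 23, no Kvno line on the ticket's enc-part) has a matching key in a "Vno Type Principal" keytab listing. The function names are hypothetical; the listing and principal are the ones posted above.

```python
import re

# Kerberos enctype numbers and the names keytab listings print for them.
ETYPE_NAMES = {
    1: {"des-cbc-crc"},
    3: {"des-cbc-md5"},
    17: {"aes128-cts-hmac-sha1-96", "aes128-cts"},
    18: {"aes256-cts-hmac-sha1-96", "aes256-cts"},
    23: {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"},
}
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")

def parse_listing(text):
    """Return (kvno, enctype name, principal) for each row of the listing."""
    rows = []
    for line in text.splitlines():
        # The list archive rewrites '@' as ' at '; undo that before matching.
        m = ROW.match(line.replace(" at ", "@"))
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows

def check_ticket(listing, spn, etype, kvno=None):
    """List reasons the keytab holds no key for a ticket to spn (empty = match)."""
    rows = [r for r in parse_listing(listing) if r[2] == spn]
    if not rows:
        return ["no keytab entry for " + spn]
    typed = [r for r in rows if r[1] in ETYPE_NAMES.get(etype, set())]
    if not typed:
        return ["no key of enctype %d for %s" % (etype, spn)]
    if kvno is not None and all(r[0] != kvno for r in typed):
        return ["enctype %d present, but not with kvno %d" % (etype, kvno)]
    return []

# Keytab listing exactly as it appears in the post (archive form, ' at ').
POSTED = """\
Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
"""
SPN = "HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU"

if __name__ == "__main__":
    print(check_ticket(POSTED, SPN, 23))  # enctype 23 = rc4-hmac, as in the capture
```

An empty result means the keytab contents are consistent with the ticket. It does not test whether the helper process can open the file named by KRB5_KTNAME, or which service name the helper asks for.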