[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 7 08:35:42 UTC 2014



And my Kerberos server setup seems valid:

$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit -t $KRB5_KTNAME  HTTP/proxy.sibptus.transneft.ru
$ klist
Credentials cache: FILE:/tmp/krb5cc_Ld5uU9
        Principal: HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU

  Issued           Expires          Principal
Oct  7 15:33:42  Oct  8 01:33:42  krbtgt/SIBPTUS.TRANSNEFT.RU@SIBPTUS.TRANSNEFT.RU
$



Victor Sudakov wrote:
> Victor Sudakov wrote:
> > > Well, I have tried negotiate_kerberos_auth with Firefox (Windows) 
> > 
> > I have tried the same with MSIE 8 (Windows).
> 
> After some adjustment to domain group policies, the Windows host is
> at last requesting and successfully receiving the ticket for the proxy
> service.  Wireshark output:
> 
> User Datagram Protocol, Src Port: kerberos (88), Dst Port: dellpwrappks (1266)
> Kerberos TGS-REP
>     Pvno: 5
>     MSG Type: TGS-REP (13)
>     Client Realm: SIBPTUS.TRANSNEFT.RU
>     Client Name (Principal): vas-adm
>     Ticket
>         Tkt-vno: 5
>         Realm: SIBPTUS.TRANSNEFT.RU
>         Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
>         enc-part rc4-hmac
>             Encryption type: rc4-hmac (23)
>             enc-part: 3e0fc357a26db7dcdb0a5b6436b56f9c96d15ad7626eea08...
>     enc-part rc4-hmac
>         Encryption type: rc4-hmac (23)
>         Kvno: 1
>         enc-part: db8c9ea1bf85c4bb5005103765767b692ed3c0f247c23d48...
> 
> The corresponding Kerberos principal is put into the keytab:
> /usr/local/etc/squid/squid.keytab:
> 
> Vno  Type                     Principal
>   1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>   1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>   1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>   1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>   1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
> 
> The permissions on the keytab are correct. Squid receives it via the
> environment:
> 
> env KRB5_KTNAME=/usr/local/etc/squid/squid.keytab \
>         KRB5_CONFIG=/usr/local/etc/squid/krb5.conf \
>         squid -f /usr/local/etc/squid/squid-test.conf
> 
> However, when actual authentication begins, it fails with:
> "ERROR: gss_acquire_cred() failed:  No credentials were
> supplied, or the credentials were unavailable or inaccessible..
> unknown mech-code 0 for mech unknown"
> 
> If someone finds something familiar in the below debug output, or can
> low-level debug actual kerberos, could you please let me know. Thanks
> a lot in advance for any help.
> 
> negotiate_kerberos_auth.cc(212): pid=40984 :2014/10/07 13:12:08| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(258): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 1747).
> negotiate_kerberos_auth.cc(311): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 1308).
> negotiate_kerberos_auth.cc(128): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
> 2014/10/07 13:12:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }}
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
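
An added example (not part of the original post, and not Squid's or the helper's code): a cross-check of the service ticket from the Wireshark capture against the keytab listing, the comparison the message makes by eye. The function names and status strings are hypothetical, and the listing is constructed from the rows quoted in the message, with `@` written out.

```python
import re

# Kerberos enctype numbers mapped to the names that appear in keytab listings
# and in Wireshark (RC4 is spelled differently by different tools).
ENCTYPE_NAMES = {
    1: {"des-cbc-crc"},
    3: {"des-cbc-md5"},
    17: {"aes128-cts-hmac-sha1-96"},
    18: {"aes256-cts-hmac-sha1-96"},
    23: {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"},
}
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")

def parse_listing(text):
    """Turn 'Vno  Type  Principal' rows into (kvno, enctype_name, principal)."""
    return [(int(m[1]), m[2].lower(), m[3])
            for m in map(ROW.match, text.splitlines()) if m]

def check_ticket(rows, principal, etype, kvno=None):
    """Say whether the keytab holds a key that can decrypt the service ticket.

    kvno=None means the ticket carried no key version, so any version passes.
    """
    exact = [r for r in rows if r[2] == principal]
    if not exact:
        # Principal names are case-sensitive; report a near miss separately.
        if any(r[2].lower() == principal.lower() for r in rows):
            return "principal-case-mismatch"
        return "principal-missing"
    typed = [r for r in exact if r[1] in ENCTYPE_NAMES.get(etype, ())]
    if not typed:
        return "enctype-missing"
    if kvno is not None and all(r[0] != kvno for r in typed):
        return "kvno-mismatch"
    return "ok"

# Constructed input mirroring the keytab listing quoted in the message.
SPN = "HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU"
TYPES = ["des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5",
         "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
LISTING = "Vno  Type  Principal\n" + "\n".join(
    f"  1  {t}  {SPN}" for t in TYPES)

if __name__ == "__main__":
    # The ticket's enc-part in the capture was rc4-hmac (23).
    print(check_ticket(parse_listing(LISTING), SPN, 23))
```

A result of `ok` only says that a matching key is present in the listing; whether the helper process can open the keytab file is a separate check.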