[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Victor Sudakov sudakov at sibptus.tomsk.ru
Wed Oct 8 08:15:56 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eliezer Croitoru wrote:
> > 
> > I could find the said script neither in the source nor in the
> > binary package. However I think I can guess what could be inside.
> > Could you look below if that makes sense?
> 
> Or you can just look at the source code:
> http://bazaar.launchpad.net/~squid/squid/3.4/view/head:/helpers/negotiate_auth/kerberos/test_negotiate_auth.sh

So I was correct about the script contents. My command line 
$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d
does exactly the same.

Do you have any ideas about the cause of the kerberos error?

=====================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva at SIBPTUS.TRANSNEFT.RU's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU

  Issued           Expires          Principal
Oct  8 09:31:45  Oct  8 19:31:45  krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU

$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d

negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGFAYGKwYBBQUCoIIGCDCCBgSgDTALBgkqhkiG9xIBAgKiggXxBIIF7WCCBekGCSqGSIb3EgECAgEAboIF2DCCBdSgAwIBBaEDAgEOogcDBQAAAAAAo4IEvGGCBLgwggS0oAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBGQwggRgoAMCAReiggRXBIIEUxpOgFWeZoAcatE6l3MyfDxMoDMjcgYUQzenTLAlEvD3/c0pyRiitZwNMIHvnacXcUSTzLDNjDw75iwfNxZHYjZgvOLHSKQm+rmoWtLIC+3KZoeWCB+pxwcpK8RzXvs8dPCprH1h5OdCn8EB1ZZxl35IhLgg07N72yvnXNiBmW/PmLW6PeVB0U3SLjWiT0ZJ3kXukg5ViYGOMKypeHebHPB0FQ2dgNQy8S00CRIU4ZuoHPVWFNl6mzp9CoIy7Ytwhu3NRb42f49nuQpqBVcsMK/ckgLYvsoz2lYxe7AO4MMOvcGqnEBB/jaSfrGGXpw+ciMNbBtCHH7bN36uGHj+VWOUFL5vR3xclnOWwdUH2OtXqMMcDDnI4v7vNR1U80BS7SdXUpx0D+O1B3ihipaTpSkXtII5UTI4qxmZjXSQGYY0adbG/N6NpMF7HpmGb1Zondp571l4ZV0mZ0pZ7IcIAmvQOmcud/sN0am4z9Oe3lCe7L1RVKBr0Tu30Pz7ySibeCpY/OVR2GJ+ILfov/3o95ozW8W4d+UCHfywAHOioGB+QWSC2NO5VtcjsBYVkhKnBkcG8KOBhJ+qi1qvhGXD3tUgDZnb0pCQAVNyjiDIKZre8KcB23Hu5a2YCM9y0GiBCbfJIbD60LJLVOxozZiRqJfdOCvBhfCvh7R9y5EuNmMswSRgQJwhkh7rCgMPWvFsAWDae9yxN966E85nE+xuUtwtl20NhOjotjG3NgwsRYDg1kQvfJnz7IcPSnSevKiPHU7uvBxSZvR6j6J0BZRgTQg7loUzkOsSRPDefXMt4wFfoHEqaWTtKw3yR0dZkr1W5g6WDn0d0o4uLZRdZteMOtxjsXFTQA3MIQrf/BpVk0NdEQ0EpXo2SZtr+ciy2jNXI40s6rUQakV/vfLG5aGOQY1Ck1gynORrG6Bt/eDMVJF7gf8iEvSDPiZhaHNqfAwfuYDNcO6Sgvl21tkEUfC9YxzkZq2vb0J1gJnkoq3oay+B7GElpgBABZpf22eGTOHakz7m8z9jdPUuIGFf1Jgn1B4i2vFsYRV6tbn3gF/wpnBdPmmG0ZVT2ZnqPDf2Om3kh1cd/THIWDVeuvNGRHbzGYxFJcJ+NIgwr5yfijltcKyynGqHvW2arUQwHzX0UM/dg6iI8+o2IkKmihBL9WQ+04SwHYeMk+D1hJx2rfrIl9RgpQdkrhrjPacqGfKd7NrtEweeSn7MOwFjaVYlT4ruboQHt94BcJKQ1qhuJVsH+rhZaM6XBt6F2NtM5Z+0OmwsLb0sQkdVbnbyEku7McPN0vvOC7tuDL1pT0UuAanSO6IQahXj5X3W/MVNf27rJUmcUQkGbTvCK6nJMuZYNsuKaB9Izs10T/i88V5IOgafwAHgLCxnpwptY551gJwj/0cvv6mpIZSrE8XjMWMUDmeTkeUyU8t2Dz5Vjbb8l1cFCIETgvc5CK9mV+SG0F6soQqf1xs+r6SB/jCB+6ADAgEXooHzBIHwxdPbAIs5nPD2d3wOYONkgkc1qb9krxSlo4FRMoPPIl+80A1OZOlv/SRc9B4VpP8xJJvk1YwY70twgMlOJd/zbXH0lEnyGdGi9mUuN4XdfeNzFwqvjxOrx1e8oPXJPJLIZCGhUik3nY7X4Nb4EMXmfEckzSsuBbVKkVwu7/0xPKbXL4KPs/e3ANJI8Lvkh7AM7iIXrhI2S4/ZKWo4f73R1sjgtt+nw8e1Ga7EeMlQvbejo/i9UBEFldNR2B8GM0DD6449mRrbXE1K5Pij+bHoHl9oZng97DGGnM4ritsN+ts2Rcev1IuSzm6QFaADBwRU' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode 'YIIGFAYGKwYBBQUCoIIGCDCCBgSgDTALBgkqhkiG9xIBAgKiggXxBIIF7WCCBekGCSqGSIb3EgECAgEAboIF2DCCBdSgAwIBBaEDAgEOogcDBQAAAAAAo4IEvGGCBLgwggS0oAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBGQwggRgoAMCAReiggRXBIIEUxpOgFWeZoAcatE6l3MyfDxMoDMjcgYUQzenTLAlEvD3/c0pyRiitZwNMIHvnacXcUSTzLDNjDw75iwfNxZHYjZgvOLHSKQm+rmoWtLIC+3KZoeWCB+pxwcpK8RzXvs8dPCprH1h5OdCn8EB1ZZxl35IhLgg07N72yvnXNiBmW/PmLW6PeVB0U3SLjWiT0ZJ3kXukg5ViYGOMKypeHebHPB0FQ2dgNQy8S00CRIU4ZuoHPVWFNl6mzp9CoIy7Ytwhu3NRb42f49nuQpqBVcsMK/ckgLYvsoz2lYxe7AO4MMOvcGqnEBB/jaSfrGGXpw+ciMNbBtCHH7bN36uGHj+VWOUFL5vR3xclnOWwdUH2OtXqMMcDDnI4v7vNR1U80BS7SdXUpx0D+O1B3ihipaTpSkXtII5UTI4qxmZjXSQGYY0adbG/N6NpMF7HpmGb1Zondp571l4ZV0mZ0pZ7IcIAmvQOmcud/sN0am4z9Oe3lCe7L1RVKBr0Tu30Pz7ySibeCpY/OVR2GJ+ILfov/3o95ozW8W4d+UCHfywAHOioGB+QWSC2NO5VtcjsBYVkhKnBkcG8KOBhJ+qi1qvhGXD3tUgDZnb0pCQAVNyjiDIKZre8KcB23Hu5a2YCM9y0GiBCbfJIbD60LJLVOxozZiRqJfdOCvBhfCvh7R9y5EuNmMswSRgQJwhkh7rCgMPWvFsAWDae9yxN966E85nE+xuUtwtl20NhOjotjG3NgwsRYDg1kQvfJnz7IcPSnSevKiPHU7uvBxSZvR6j6J0BZRgTQg7loUzkOsSRPDefXMt4wFfoHEqaWTtKw3yR0dZkr1W5g6WDn0d0o4uLZRdZteMOtxjsXFTQA3MIQrf/BpVk0NdEQ0EpXo2SZtr+ciy2jNXI40s6rUQakV/vfLG5aGOQY1Ck1gynORrG6Bt/eDMVJF7gf8iEvSDPiZhaHNqfAwfuYDNcO6Sgvl21tkEUfC9YxzkZq2vb0J1gJnkoq3oay+B7GElpgBABZpf22eGTOHakz7m8z9jdPUuIGFf1Jgn1B4i2vFsYRV6tbn3gF/wpnBdPmmG0ZVT2ZnqPDf2Om3kh1cd/THIWDVeuvNGRHbzGYxFJcJ+NIgwr5yfijltcKyynGqHvW2arUQwHzX0UM/dg6iI8+o2IkKmihBL9WQ+04SwHYeMk+D1hJx2rfrIl9RgpQdkrhrjPacqGfKd7NrtEweeSn7MOwFjaVYlT4ruboQHt94BcJKQ1qhuJVsH+rhZaM6XBt6F2NtM5Z+0OmwsLb0sQkdVbnbyEku7McPN0vvOC7tuDL1pT0UuAanSO6IQahXj5X3W/MVNf27rJUmcUQkGbTvCK6nJMuZYNsuKaB9Izs10T/i88V5IOgafwAHgLCxnpwptY551gJwj/0cvv6mpIZSrE8XjMWMUDmeTkeUyU8t2Dz5Vjbb8l1cFCIETgvc5CK9mV+SG0F6soQqf1xs+r6SB/jCB+6ADAgEXooHzBIHwxdPbAIs5nPD2d3wOYONkgkc1qb9krxSlo4FRMoPPIl+80A1OZOlv/SRc9B4VpP8xJJvk1YwY70twgMlOJd/zbXH0lEnyGdGi9mUuN4XdfeNzFwqvjxOrx1e8oPXJPJLIZCGhUik3nY7X4Nb4EMXmfEckzSsuBbVKkVwu7/0xPKbXL4KPs/e3ANJI8Lvkh7AM7iIXrhI2S4/ZKWo4f73R1sjgtt+nw8e1Ga7EeMlQvbejo/i9UBEFldNR2B8GM0DD6449mRrbXE1K5Pij+bHoHl9oZng97DGGnM4ritsN+ts2Rcev1IuSzm6QFaADBwRU' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU
    Cache version: 4

Server: krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time:  Oct  8 10:00:12 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless

Server: HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time:  Oct  8 10:00:12 2014
Start time: Oct  8 10:00:16 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless

$
$  ktutil list
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU

=====================

- -- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUNPK7AAoJEA2k8lmbXsY05yUH/jduGAOfE5WXp36+F+U7/kbI
NUxYgj/tKPFUHWLiC7WCAfmCpVzXhFGL9vTLzCupZsYTe0N/h1BFLpV0yTcmgFbs
JkwuiCb3q5orcKAbWs6T2xEr9hLM7twRA8ksPWgdm1dXOw8FsrkuUnloDUi8Ikil
L5sWPRiRCJlDvwiGjM/CH1fDkLHaM5k0INnqk4VukGjXYKhg70alwq1ZWF+jnPEy
IsGfxuVtIrUG+d+7KEv6bQ+Ts5JJ1LSxp9i7eSb0LvTp5mKPIEpffkAGvqEcxW9u
ZyENqikgLxnpUJTkMvSeJkXHPbSorzvkDXYzgs9LgwNGlSbQc7p/x8rSUQypNuk=
=+oGT
-----END PGP SIGNATURE-----


More information about the squid-users mailing list