[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Markus Moeller huaraz at moeller.plus.com
Wed Oct 8 23:43:41 UTC 2014


Hi Victor,

   I only found the following explanation:

This error will happen if you didn't write the key into the keytab file, or 
the permission settings of the keytab file reject read access, or the key 
file is not the one you should access (for example, you want 
/opt/somedir/conf/krb5.conf, but actually read /etc/krb5.conf, which does 
not have that key).

  Is there something like strace/truss on FreeBSD to see which files are 
opened (with and without error) while running negotiate_kerberos_auth? On 
Linux I would run:

./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | \
    awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | \
    strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d

Markus

"Victor Sudakov"  wrote in message 
news:20141008032925.GA77544 at admin.sibptus.tomsk.ru...


Markus Moeller wrote:
>
>   In the helpers/negotiate_auth/kerberos directory is a script
> test_negotiate_auth.sh to test authentication outside of squid.

Markus,

I could find the said script neither in the source nor in the binary
package. However I think I can guess what could be inside.  Could you
look below if that makes sense?

===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva at SIBPTUS.TRANSNEFT.RU's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU

  Issued           Expires          Principal
Oct  8 09:31:45  Oct  8 19:31:45  krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU

$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | \
    awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | \
    ./negotiate_kerberos_auth -d

negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU
    Cache version: 4

Server: krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time:  Oct  8 10:00:12 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless

Server: HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time:  Oct  8 10:00:12 2014
Start time: Oct  8 10:00:16 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless

$
$  ktutil list
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
===========================

>
> Let me know what you get.

You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru
service, but somehow the authentication fails.

> BTW on which platform with which Kerberos
> library( MIT or Heimdal)  is this ?

On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.

w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.

- -- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
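
Added example, not part of either message and not code from the Squid project: a filter for the trace file written by the strace command suggested at the top of this message, reporting which krb5.conf and keytab paths the helper looked up and whether each lookup succeeded. The function names and the sample trace lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Kerberos-related file lookups from `strace -f -o FILE` output.

# Constructed sample trace lines (illustrative, not taken from the thread).
sample_trace() {
cat <<'EOF'
52357 open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
52357 open("/etc/krb5.conf", O_RDONLY) = 3
52357 read(3, "[libdefaults]\n", 4096) = 14
52357 openat(AT_FDCWD, "/usr/local/etc/squid/krb5.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
52357 open("/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
52358 stat("/etc/krb5.keytab", 0x7ffd1000) = -1 EACCES (Permission denied)
EOF
}

# Reads strace lines on stdin and prints "STATUS<TAB>PATH" for every
# open/openat/access/stat call whose path mentions krb5 or keytab.
# STATUS is OK on success, otherwise the errno name (ENOENT, EACCES, ...).
kerberos_opens() {
  awk '
    /^([0-9]+ +)?(open|openat|access|stat)\(/ {
      if (!match($0, /"[^"]*"/)) next            # first quoted string = path
      path = substr($0, RSTART + 1, RLENGTH - 2)
      if (path !~ /krb5|keytab/) next
      n = split($0, parts, / = /)                # result follows the last " = "
      if (parts[n] ~ /^-1 /) { split(parts[n], r, " "); status = r[2] }
      else status = "OK"
      print status "\t" path
    }'
}

# Only the lookups that failed: the wrong-file and permission cases.
kerberos_open_failures() {
  kerberos_opens | awk -F '\t' '$1 != "OK"'
}

# With a trace file as argument, summarise it; otherwise run on the sample.
if [ -n "${1:-}" ]; then
  kerberos_opens < "$1"
else
  sample_trace | kerberos_opens
fi
```

Pass negotiate_kerberos_auth.strace as the first argument to summarise a real trace. A keytab or krb5.conf path that never appears in the output was not consulted at all, which points at the wrong-file case.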