[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Victor Sudakov
sudakov at sibptus.tomsk.ru
Tue Oct 7 16:15:46 UTC 2014
Colleagues,

I am posting below the contents of an HTTP request (especially the
"Proxy-Authorization:" header the browser is sending) to which squid's
negotiate_kerberos_auth replies:

"ERROR: Negotiate Authentication validating user. Result: {result=BH,
notes={message: gss_acquire_cred() failed: No credentials were
supplied, or the credentials were unavailable or inaccessible..
unknown mech-code 0 for mech unknown; }

What's wrong with the contents of the header? Why does
negotiate_kerberos_auth not like it?

No.     Time        Source          Destination     Protocol Length Info
    101 50.565800   10.14.143.228   10.14.140.9     HTTP     897    GET http://www.nasa.gov/ HTTP/1.1

Frame 101: 897 bytes on wire (7176 bits), 897 bytes captured (7176 bits)
Ethernet II, Src: Cisco_ce:9a:60 (00:17:5a:ce:9a:60), Dst: AsustekC_d9:90:67 (00:22:15:d9:90:67)
Internet Protocol Version 4, Src: 10.14.143.228 (10.14.143.228), Dst: 10.14.140.9 (10.14.140.9)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 3131 (3131), Seq: 7389, Ack: 24813, Len: 843
[2 Reassembled TCP Segments (2303 bytes): #100(1460), #101(843)]
Hypertext Transfer Protocol
    GET http://www.nasa.gov/ HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: ru\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\n
    Accept-Encoding: gzip, deflate\r\n
    Proxy-Connection: Keep-Alive\r\n
    Host: www.nasa.gov\r\n
    Pragma: no-cache\r\n
    Cookie: __utma=259910805.2084310783.1412579533.1412579533.1412579533.1; __utmz=259910805.1412579533.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n
    [truncated] Proxy-Authorization: Negotiate YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVG
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 3 items
                        MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 608204d606092a864886f71201020201006e8204c5308204...
                    krb5_blob: 608204d606092a864886f71201020201006e8204c5308204...
                        KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        krb5_tok_id: KRB5_AP_REQ (0x0001)
                        Kerberos AP-REQ
                            Pvno: 5
                            MSG Type: AP-REQ (14)
                            Padding: 0
                            APOptions: 20000000 (Mutual required)
                                0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                                .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
                            Ticket
                                Tkt-vno: 5
                                Realm: SIBPTUS.TRANSNEFT.RU
                                Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
                                    Name-type: Service and Instance (2)
                                    Name: HTTP
                                    Name: proxy.sibptus.transneft.ru
                                enc-part des-cbc-md5
                                    Encryption type: des-cbc-md5 (3)
                                    enc-part: 6f43ba385aad8624bea2e0e2d9d1b4ad394a2330fa322d2a...
                            Authenticator des-cbc-md5
                                Encryption type: des-cbc-md5 (3)
                                Authenticator data: 55452dc45cbb32cd7ceafa12a3c4eeb28bb5a7d6fc0a37ca...
    \r\n
    [Full request URI: http://www.nasa.govhttp://www.nasa.gov/]

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
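
To inspect a captured header like the one above without a packet dissector, this added example (not part of the original post) decodes the leading DER bytes of a Negotiate token and lists the SPNEGO mechTypes it offers. `TOKEN_PREFIX` is the start of the truncated value shown in the capture; the function names are this example's own.

```python
import base64

# Leading part of the Negotiate token, copied from the truncated header in the post.
TOKEN_PREFIX = ("YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK"
                "KwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBu")

def read_tlv(buf, pos):  # one DER header -> (tag, declared_length, value_offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def decode_oid(body):  # DER OID content octets -> dotted string
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)           # first octet packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def expect(buf, pos, want):  # read a header and insist on its tag
    tag, length, pos = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#04x}, got {tag:#04x}")
    return length, pos

def parse_negotiate(b64):
    """Summarise a (possibly truncated) Negotiate token: mechanism, size, mechTypes."""
    raw = base64.b64decode(b64[:len(b64) // 4 * 4])    # drop a partial trailing quantum
    if raw.startswith(b"NTLMSSP\x00"):                 # raw NTLM, not GSS-API framed
        return {"mech": "NTLMSSP (raw)", "token_len": len(raw), "truncated": False, "mech_types": []}
    declared, hdr = expect(raw, 0, 0x60)               # [APPLICATION 0] InitialContextToken
    n, pos = expect(raw, hdr, 0x06)                    # thisMech OID
    info = {"mech": decode_oid(raw[pos:pos + n]), "token_len": hdr + declared,
            "truncated": len(raw) < hdr + declared, "mech_types": []}
    if info["mech"] != "1.3.6.1.5.5.2":                # not SPNEGO, e.g. a bare Kerberos token
        return info
    pos += n
    for tag in (0xA0, 0x30, 0xA0, 0x30):               # NegTokenInit, SEQUENCE, mechTypes, list
        n, pos = expect(raw, pos, tag)
    end = min(pos + n, len(raw))
    while pos + 2 <= end:
        n, pos = expect(raw, pos, 0x06)
        if pos + n > end:                              # OID cut off by truncation
            break
        info["mech_types"].append(decode_oid(raw[pos:pos + n]))
        pos += n
    return info
```

Calling `parse_negotiate(TOKEN_PREFIX)` reports the same outer OID and three mechTypes as the dissection above, and flags the input as truncated relative to the length the token declares.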