[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Markus Moeller
huaraz at moeller.plus.com
Wed Oct 8 23:47:41 UTC 2014
Hi Victor,
I only found the following explanation:
This error will happen if you didn't write the key into the keytab file, or
the permission settings of the keytab file reject read access, or the key
file is not the one you should access (for example, you want
/opt/somedir/conf/krb5.conf, but actually read /etc/krb5.conf, which does
not have that key).
Is there something like strace/truss on FreeBSD to see which files are
opened (with and without error) while running negotiate_kerberos_auth? On
Linux I would run:
./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | \
    awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | \
    strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d
Markus
"Victor Sudakov" wrote in message
news:20141008032925.GA77544 at admin.sibptus.tomsk.ru...
Markus Moeller wrote:
>
> In the helpers/negotiate_auth/kerberos directory is a script
> test_negotiate_auth.sh to test authentication outside of squid.
Markus,
I could find the said script neither in the source nor in the binary
package. However I think I can guess what could be inside. Could you
look below if that makes sense?
===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva at SIBPTUS.TRANSNEFT.RU's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
Principal: sudakovva at SIBPTUS.TRANSNEFT.RU
  Issued          Expires         Principal
Oct 8 09:31:45  Oct 8 19:31:45  krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | \
    awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | \
    ./negotiate_kerberos_auth -d
negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token removed]' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode '[base64 token removed]' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
Principal: sudakovva at SIBPTUS.TRANSNEFT.RU
Cache version: 4
Server: krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time: Oct 8 10:00:12 2014
End time: Oct 8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless
Server: HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time: Oct 8 10:00:12 2014
Start time: Oct 8 10:00:16 2014
End time: Oct 8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless
$
$ ktutil list
/usr/local/etc/squid/squid.keytab:
Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
===========================
>
> Let me know what you get.
You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru
service, but somehow the authentication fails.
> BTW on which platform with which Kerberos
> library (MIT or Heimdal) is this?
On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.
w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.
- --
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
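
The following is an added example, not part of the original thread or of Squid: once a trace like the one requested above exists, a short script can list which keytab and krb5.conf files the helper tried to open and why each attempt failed. The trace lines are constructed in Linux `strace -f -o` format, and `/etc/krb5.keytab`, the library path and the `KRB_HINTS` filter are assumptions.

```python
import re

# Constructed sample in Linux `strace -f -o FILE` format; not output from the thread.
SAMPLE_TRACE = """\
52357 open("/etc/krb5.conf", O_RDONLY) = 3
52357 openat(AT_FDCWD, "/usr/local/etc/squid/krb5.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
52357 open("/usr/local/etc/squid/squid.keytab", O_RDONLY) = -1 EACCES (Permission denied)
52357 open("/etc/krb5.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
52357 open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 4
52358 stat("/etc/krb5.keytab", 0x7ffd0) = -1 ENOENT (No such file or directory)
"""

# Optional pid, syscall name, first quoted path, return value, errno name if any.
CALL_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>openat|open|stat|access)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]*)".*\)\s+=\s+(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?')

KRB_HINTS = ("keytab", "krb5.conf")  # assumption: substrings that mark relevant files

def kerberos_file_accesses(trace_text, hints=KRB_HINTS):
    """Return (path, call, ok, errno) for each Kerberos-related access, in trace order."""
    found = []
    for line in trace_text.splitlines():
        m = CALL_RE.match(line)
        if m and any(h in m["path"] for h in hints):
            ok = int(m["ret"]) >= 0
            found.append((m["path"], m["call"], ok, None if ok else m["errno"]))
    return found

def keytabs_read(accesses):
    """Keytab paths the helper actually managed to open."""
    return [p for p, call, ok, _ in accesses
            if ok and "keytab" in p and call in ("open", "openat")]

def diagnose(accesses):
    """Turn failed accesses into the causes named in the explanation above."""
    causes = {"EACCES": "exists but is not readable by the user running the helper",
              "ENOENT": "does not exist at the path the library looked in"}
    return [f"{p}: {causes.get(err, 'failed with ' + str(err))}"
            for p, _, ok, err in accesses if not ok]

if __name__ == "__main__":
    accesses = kerberos_file_accesses(SAMPLE_TRACE)
    for path, call, ok, err in accesses:
        print(f"{'ok  ' if ok else 'FAIL'} {call:6} {path} {err or ''}")
    print("keytabs read:", keytabs_read(accesses) or "none")
    for finding in diagnose(accesses):
        print("->", finding)
```

An empty "keytabs read" result alongside a successful read of `/etc/krb5.conf` corresponds to the case described above where the library reads a different file from the one intended.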