[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Markus Moeller huaraz at moeller.plus.com
Sat Oct 11 12:33:21 UTC 2014


Hi Viktor,

   These sections of code do the selection in squid:


char *service_name = (char *) "HTTP", *host_name = NULL;


if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) {
    /* -s NAME given: use the name verbatim */
    service.value = service_principal;
    service.length = strlen((char *) service.value);
} else {
    /* no -s (or -s GSS_C_NO_NAME): build HTTP@<local hostname> */
    host_name = gethost_name();
    if (!host_name) {
        fprintf(stderr,
                "%s| %s: FATAL: Local hostname could not be determined. Please specify the service principal\n",
                LogTime(), PROGRAM);
        fprintf(stdout, "BH hostname error\n");
        exit(-1);
    }
    service.value = xmalloc(strlen(service_name) + strlen(host_name) + 2);
    snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
             "%s@%s", service_name, host_name);
    service.length = strlen((char *) service.value);
    xfree(host_name);
}

.......

if (service_principal) {
    if (strcasecmp(service_principal, "GSS_C_NO_NAME")) {
        /* -s NAME: import as a krb5 principal name, e.g. HTTP/proxy.my.domain@REALM */
        major_status = gss_import_name(&minor_status, &service,
                                       (gss_OID) GSS_C_NULL_OID, &server_name);

    } else {
        /* -s GSS_C_NO_NAME: accept any principal the keytab holds */
        server_name = GSS_C_NO_NAME;
        major_status = GSS_S_COMPLETE;
        minor_status = 0;
    }
} else {
    /* default: import HTTP@<hostname> as a host-based service name */
    major_status = gss_import_name(&minor_status, &service,
                                   gss_nt_service_name, &server_name);
}


Regards
Markus

"Victor Sudakov"  wrote in message 
news:20141011044626.GB49506 at admin.sibptus.tomsk.ru...

Markus Moeller wrote:
>
> > What if the service principal's name in squid's keytab does not
> > coincide with the host's primary FQDN (AKA `hostname`)?
> >
> > E.g. the squid's keytab contains keys for HTTP/proxy.my.domain while
> > the server's actual FQDN is fw.my.domain?
> >
> > Should it cause the obscure error I have stumbled upon?

> I think it could. Can you try the option -s GSS_C_NO_NAME ?

Thank you, Markus! With "-s GSS_C_NO_NAME" it works, at least with the
negotiate_kerberos_auth_test client. I will try later with real hosts
and browsers, though.

I should have guessed this before. The server's `hostname` is
"big.sibptus.transneft.ru", while "proxy.sibptus.transneft.ru" is an A
record pointing to another IP alias of the same server.

If only the Kerberos error message were more informative, something
like "principal not found in the keytab" instead of "mech unknown", I
would have guessed this long ago and would have spared myself a week
of tribulation.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 
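The mismatch Victor ran into can be checked before squid is started. The script below is an added example, not code from squid or from anyone in this thread: it re-implements the selection rule Markus quoted (no -s: HTTP@<local hostname>; -s NAME: that name; -s GSS_C_NO_NAME: any principal in the keytab) and parses an MIT-format keytab (version 0x0502) without libkrb5, so it can report which keys the helper could actually use. The keytab bytes, the names fw.my.domain, proxy.my.domain and MY.DOMAIN, and all function names are constructed for the demonstration; realm handling is a simplification (a name given without a realm matches any realm, standing in for the default-realm lookup krb5 does).

```python
"""Pre-flight check for squid's negotiate_kerberos_auth: which service
principal will the helper look for, and does the keytab hold a key for it?

Added example, not squid's code. The keytab below is constructed in-code;
in practice read the bytes of the file KRB5_KTNAME points at.
"""
import struct

KEYTAB_VERSION = 0x0502      # MIT/Heimdal keytab, big-endian integers
KRB5_NT_SRV_HST = 3          # name type for service/host principals


def build_keytab(entries):
    """Serialize (realm, components, kvno, enctype, key) tuples as a keytab.
    Only used to construct the demo input; real keytabs come from ktutil."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for realm, comps, kvno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))   # v2: realm not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)  # type, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key           # keyblock
        body += struct.pack(">I", kvno)                               # optional vno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the principals ("svc/host@REALM") stored in keytab bytes."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, strings = 2, []
        for _ in range(ncomp + 1):       # realm first, then the components
            (n,) = struct.unpack_from(">H", entry, off)
            strings.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        # name type, timestamp, kvno and the key follow; not needed for this check
        principals.append("/".join(strings[1:]) + "@" + strings[0])
    return principals


def split_name(name):
    """Normalize 'HTTP@host', 'HTTP/host' or 'HTTP/host@REALM' to (svc, host, realm)."""
    realm = None
    if "/" in name:                       # krb5 principal form (what -s takes)
        svc, rest = name.split("/", 1)
        host, realm = (rest.split("@", 1) + [None])[:2]
    else:                                 # GSS host-based service form HTTP@host
        svc, host = name.split("@", 1)
    return svc, host.lower(), realm


def wanted_principal(service_principal, hostname):
    """The helper's rule: -s value wins; -s GSS_C_NO_NAME means 'any' (None);
    otherwise HTTP@<hostname>, hostname being what gethost_name() returns."""
    if service_principal is None:
        return "HTTP@" + hostname
    if service_principal.upper() == "GSS_C_NO_NAME":   # strcasecmp in the helper
        return None
    return service_principal


def usable_keys(keytab, service_principal, hostname):
    """Keytab principals the helper could accept for a given -s setting.
    With GSS_C_NO_NAME every stored key is acceptable; browsers still ask for
    HTTP/<name they connect to>, so that entry is the one that matters."""
    stored = parse_keytab(keytab)
    want = wanted_principal(service_principal, hostname)
    if want is None:
        return stored
    svc, host, realm = split_name(want)
    return [p for p in stored
            if split_name(p)[0] == svc and split_name(p)[1] == host
            and (realm is None or split_name(p)[2] == realm)]


# Constructed keytab matching the thread: a key only for HTTP/proxy.my.domain
# plus the machine's host principal, while `hostname` says fw.my.domain.
DEMO_KEYTAB = build_keytab([
    ("MY.DOMAIN", ["HTTP", "proxy.my.domain"], 3, 18, bytes(32)),   # 18 = aes256-cts
    ("MY.DOMAIN", ["host", "fw.my.domain"], 3, 18, bytes(32)),
])

if __name__ == "__main__":
    for opt in (None, "GSS_C_NO_NAME", "HTTP/proxy.my.domain@MY.DOMAIN"):
        keys = usable_keys(DEMO_KEYTAB, opt, "fw.my.domain")
        print("-s %-32s -> %s" % (opt or "(default)", keys or "NO USABLE KEY"))
```

Run against the real keytab, the default case coming back empty is exactly the situation in this thread: the helper will look for HTTP@fw.my.domain, find no key, and the client only sees a generic GSS failure. Either -s GSS_C_NO_NAME or an explicit -s HTTP/proxy.my.domain makes the lookup succeed; the explicit name is the tighter choice when the keytab holds more than one service key.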