[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Victor Sudakov
sudakov at sibptus.tomsk.ru
Sun Oct 19 07:32:58 UTC 2014
Eugene M. Zheganin wrote:
>
> On 18.10.2014 16:11, Victor Sudakov wrote:
> > I thought as much. This error seems suspicious. But why does a second
> > request not cause the same error?
> No idea.
Hopefully I can interest our Windows admin to enable Kerberos event
logging per KB262177.
But for the present I have found an ugly workaround. In squid's keytab, I
created another principal called 'squiduser' with the same hex key and
kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru.'
Of course this required running the squid authentication helper with
the '-s GSS_C_NO_NAME' option.
And you know what? It works. Browsers are being authenticated all
right.
This means that the encrypted token is all right, and the problem was
only in the principal name (it being different in the request and the
received ticket). This is quite mysterious to me. Also, Heimdal error
messages definitely suck.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the squid-users
mailing list