[squid-users] negotiate_kerberos_auth not working anymore
Alex Rousskov
rousskov at measurement-factory.com
Tue Sep 3 13:28:08 UTC 2024
On 2024-08-30 08:35, Michael Egert wrote:
> I have a little problem with this helper, it worked fine for a while and
> then suddenly stopped working.
It may help others if you detail "stopped working" based on a test case
involving Squid. AFAICT, your email contains an attempt to manually feed
the helper a syntactically invalid request but does not detail what does
not work when Squid is involved. The cache.log provided shows an unused
helper.
> negotiate_kerberos_auth: DEBUG: Got 'admin@ASA.LOCAL' from squid
> negotiate_kerberos_auth: ERROR: Invalid request [admin@ASA.LOCAL]
A helper request must start with "YR" or "KK" characters. This manual
request does not.
> auth_parauth_param negotiate children 100 startup=0 idle=10
There is no "auth_parauth_param" directive. This is probably a
copy-paste typo, but please check that the actual spelling is "auth_param".
Disclaimer: I do not know much about kerberos and negotiate_kerberos_auth.
HTH,
Alex.
> I can call a kerberos ticket when using kinit
>
> root@sv-asa-proxy:/var/log/squid# kinit -kt /etc/squid/sv-asa-proxy.keytab HTTP/sv-asa-proxy@ASA.LOCAL
> root@sv-asa-proxy:/var/log/squid# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/sv-asa-proxy@ASA.LOCAL
>
> Valid starting       Expires              Service principal
> 08/30/24 14:24:27    08/31/24 00:24:27    krbtgt/ASA.LOCAL@ASA.LOCAL
>         renew until 08/31/24 14:24:27
> root@sv-asa-proxy:/var/log/squid#
>
> so – this works well
>
> this is a part of my squid.conf:
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy@ASA.LOCAL -r -d
> auth_parauth_param negotiate children 100 startup=0 idle=10
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
>
> I also tried
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy@ASA.LOCAL -s GSS_C_NO_NAME -r -d
>
> no success...
>
> when I try
>
> root@sv-asa-proxy:/var/log/squid# /usr/lib/squid/negotiate_kerberos_auth_test -k /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy.asa.local@ASA.LOCAL -s GSS_C_NO_NAME -d -i
> 2024/08/30 14:28:35| negotiate_kerberos_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Server not found in Kerberos database
> Token: NULL
> root@sv-asa-proxy:/var/log/squid#
>
> and when I try this one:
>
> root@sv-asa-proxy:/var/log/squid# /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy.asa.local@ASA.LOCAL -d -r
> negotiate_kerberos_auth.cc(489): pid=5286 :2024/08/30 14:29:25| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
> negotiate_kerberos_auth.cc(548): pid=5286 :2024/08/30 14:29:25| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/sv-asa-proxy.keytab
> negotiate_kerberos_auth.cc(571): pid=5286 :2024/08/30 14:29:25| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5286
> admin@ASA.LOCAL
> negotiate_kerberos_auth.cc(612): pid=5286 :2024/08/30 14:30:06| negotiate_kerberos_auth: DEBUG: Got 'admin@ASA.LOCAL' from squid (length: 15).
> negotiate_kerberos_auth.cc(661): pid=5286 :2024/08/30 14:30:06| negotiate_kerberos_auth: ERROR: Invalid request [admin@ASA.LOCAL]
> BH Invalid request
>
> And the log:
>
> 2024/08/30 14:31:25 kid1| Set Current Directory to /var/spool/squid
> 2024/08/30 14:31:25 kid1| Starting Squid Cache version 5.9 for x86_64-pc-linux-gnu...
> 2024/08/30 14:31:25 kid1| Service Name: squid
> 2024/08/30 14:31:25 kid1| Process ID 5309
> 2024/08/30 14:31:25 kid1| Process Roles: worker
> 2024/08/30 14:31:25 kid1| With 1024 file descriptors available
> 2024/08/30 14:31:25 kid1| Initializing IP Cache...
> 2024/08/30 14:31:25 kid1| DNS Socket created at [::], FD 9
> 2024/08/30 14:31:25 kid1| DNS Socket created at 0.0.0.0, FD 10
> 2024/08/30 14:31:25 kid1| Adding nameserver 192.168.40.1 from squid.conf
> 2024/08/30 14:31:25 kid1| Adding nameserver 192.168.40.2 from squid.conf
> 2024/08/30 14:31:25 kid1| helperOpenServers: Starting 0/100 'negotiate_kerberos_auth' processes
> 2024/08/30 14:31:25 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
> 2024/08/30 14:31:25 kid1| helperOpenServers: Starting 0/25 'ext_kerberos_ldap_group_acl' processes
> 2024/08/30 14:31:25 kid1| helperOpenServers: No 'ext_kerberos_ldap_group_acl' processes needed.
> 2024/08/30 14:31:25 kid1| Logfile: opening log daemon:/var/log/squid/access.log
> 2024/08/30 14:31:25 kid1| Logfile Daemon: opening log /var/log/squid/access.log
> 2024/08/30 14:31:26 kid1| Unlinkd pipe opened on FD 16
> 2024/08/30 14:31:26 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2024/08/30 14:31:26 kid1| Logfile: opening log daemon:/var/log/squid/store.log
> 2024/08/30 14:31:26 kid1| Logfile Daemon: opening log /var/log/squid/store.log
> 2024/08/30 14:31:26 kid1| Swap maxSize 20480000 + 2097152 KB, estimated 1736704 objects
> 2024/08/30 14:31:26 kid1| Target number of buckets: 86835
> 2024/08/30 14:31:26 kid1| Using 131072 Store buckets
> 2024/08/30 14:31:26 kid1| Max Mem size: 2097152 KB
> 2024/08/30 14:31:26 kid1| Max Swap size: 20480000 KB
> 2024/08/30 14:31:26 kid1| Rebuilding storage in /var/cache/squid (clean log)
> 2024/08/30 14:31:26 kid1| Using Least Load store dir selection
> 2024/08/30 14:31:26 kid1| Set Current Directory to /var/spool/squid
> 2024/08/30 14:31:26 kid1| Finished loading MIME types and icons.
> 2024/08/30 14:31:26 kid1| HTCP Disabled.
> 2024/08/30 14:31:26 kid1| Pinger socket opened on FD 23
> 2024/08/30 14:31:26 kid1| Squid plugin modules loaded: 0
> 2024/08/30 14:31:26 kid1| Adaptation support is off.
> 2024/08/30 14:31:26 kid1| Accepting HTTP Socket connections at conn3 local=[::]:8080 remote=[::] FD 21 flags=9
> 2024/08/30 14:31:26 kid1| Done reading /var/cache/squid swaplog (50 entries)
> 2024/08/30 14:31:26 kid1| Finished rebuilding storage from disk.
> 2024/08/30 14:31:26 kid1| 50 Entries scanned
> 2024/08/30 14:31:26 kid1| 0 Invalid entries.
> 2024/08/30 14:31:26 kid1| 0 With invalid flags.
> 2024/08/30 14:31:26 kid1| 50 Objects loaded.
> 2024/08/30 14:31:26 kid1| 0 Objects expired.
> 2024/08/30 14:31:26 kid1| 0 Objects cancelled.
> 2024/08/30 14:31:26 kid1| 0 Duplicate URLs purged.
> 2024/08/30 14:31:26 kid1| 0 Swapfile clashes avoided.
> 2024/08/30 14:31:26 kid1| Took 0.01 seconds (5303.35 objects/sec).
> 2024/08/30 14:31:26 kid1| Beginning Validation Procedure
> 2024/08/30 14:31:26 kid1| Completed Validation Procedure
> 2024/08/30 14:31:26 kid1| Validated 50 Entries
> 2024/08/30 14:31:26 kid1| store_swap_size = 732.00 KB
> 2024/08/30 14:31:26| pinger: Initialising ICMP pinger ...
> 2024/08/30 14:31:26| pinger: ICMP socket opened.
> 2024/08/30 14:31:26| pinger: ICMPv6 socket opened
> 2024/08/30 14:31:27 kid1| storeLateRelease: released 0 objects
>
> Do you have any suggestions for me?
>
> Kind regards
>
> Michael
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
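The thread turns on one point: the helper only accepts lines that start with "YR" or "KK" followed by a base64 Negotiate token, and a bare principal name such as "admin@ASA.LOCAL" is rejected with "BH Invalid request". The following Python is an added example, not code from Squid, from the helper, or from either poster. It models the classic negotiate helper line protocol (YR/KK in, TT/AF/NA/BH out) and triages a request line the way a test harness would before handing it to the real helper. The token inspection it performs (GSS-API InitialContextToken framing, the SPNEGO and Kerberos 5 mechanism OIDs, the NTLMSSP signature) is this example's own model of a well-formed token, not a reproduction of the helper's internal checks, and every token it builds is constructed placeholder data rather than a real ticket.

```python
"""Constructed example (not Squid's code): build and sanity-check the request
lines Squid sends to negotiate_kerberos_auth, and parse the helper's replies.

Classic negotiate helper protocol, one line per message:
  Squid -> helper   "YR <base64 token>"   start a new Negotiate exchange
                    "KK <base64 token>"   continue the current exchange
  helper -> Squid   "TT <base64 token>"            more rounds needed
                    "AF <base64 token> <user>"     authenticated
                    "NA <base64 token> <message>"  rejected
                    "BH <message>"                 broken helper / bad input

Assumption: the token checks below are this example's own model of a
well-formed token, not a copy of the helper's source.
"""
from __future__ import annotations

import base64

# DER-encoded mechanism OIDs that may lead a Negotiate token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5"}


def _der_len(n: int) -> bytes:
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_read_len(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode DER length octets at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def build_initial_context_token(mech_oid: bytes, inner: bytes) -> bytes:
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mech OID, inner token }."""
    body = mech_oid + inner
    return b"\x60" + _der_len(len(body)) + body


def format_request(token: bytes, first: bool = True) -> str:
    """The line Squid writes to the helper for a client's Negotiate token."""
    return ("YR " if first else "KK ") + base64.b64encode(token).decode("ascii")


def check_request(line: str) -> tuple[str, str]:
    """Triage a helper request line before sending it.

    Returns ("OK", "<verb> <mechanism>") for a plausible request, otherwise
    ("BH", reason) in the spirit of the helper's own BH replies.
    """
    line = line.rstrip("\r\n")
    verb = line[:2]
    if verb not in ("YR", "KK"):
        return "BH", "Invalid request"            # the reply seen for "admin@ASA.LOCAL"
    if len(line) <= 3 or line[2] != " ":
        return "BH", "Invalid negotiate request"  # verb without a token
    try:
        token = base64.b64decode(line[3:], validate=True)
    except ValueError:
        return "BH", "Invalid base64 token"
    if token.startswith(b"NTLMSSP"):
        return "BH", "NTLM not supported"         # client fell back to NTLM
    if verb == "KK" and token[:1] == b"\xa1":
        return "OK", "KK SPNEGO continuation"     # bare negTokenResp, no GSS framing
    try:
        if token[0] != 0x60:
            raise ValueError("not an InitialContextToken")
        length, pos = _der_read_len(token, 1)
        if pos + length != len(token) or token[pos] != 0x06:
            raise ValueError("bad framing")
        oid_len, oid_pos = _der_read_len(token, pos + 1)
        oid = token[pos:oid_pos + oid_len]
    except (ValueError, IndexError):
        return "BH", "Malformed GSS-API token"
    mech = MECH_NAMES.get(oid)
    if mech is None:
        return "BH", "Unsupported mechanism OID"
    return "OK", f"{verb} {mech}"


def parse_response(line: str) -> tuple[str, bytes | None, str]:
    """Split a helper reply into (code, token, text)."""
    parts = line.rstrip("\r\n").split(" ", 2)
    code = parts[0]
    if code == "BH":
        return code, None, line[3:].rstrip("\r\n")
    token = base64.b64decode(parts[1]) if len(parts) > 1 and parts[1] else b""
    return code, token, parts[2] if len(parts) > 2 else ""


if __name__ == "__main__":
    # Constructed tokens: valid framing around placeholder inner bytes, not real tickets.
    spnego = build_initial_context_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")
    for req in ("admin@ASA.LOCAL", format_request(spnego),
                format_request(b"NTLMSSP\x00\x01\x00\x00\x00")):
        print(repr(req[:40]), "->", check_request(req))
```

To exercise the real helper by hand, the token has to come from an actual client: the base64 blob after "Negotiate" in a browser's Proxy-Authorization header, or the token that negotiate_kerberos_auth_test prints once gss_init_sec_context() succeeds (the run in the thread fails before that point, hence "Token: NULL"). Feed it as a single "YR <blob>" line on the helper's stdin; a working setup answers "AF <token> user@REALM", while anything not starting with YR or KK gets the "BH Invalid request" shown above.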