With Windows 2003 SP2 you can set a flag (I think in UserAccountControl property) for the computer account that stops AD from adding the group-information to the service-ticket. I found it somewhere in their knowledgebase, but currently don't remember the details. I have been searching for quite some time because I had the same problem with too large tickets. Now it's working. On Fri, 27 Jun 2008 20:07:41 +0100 "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote: > Brian, > > the read buffer in squid_kerb_auth is 6400 which I think should be > increased to 8192 the value used in squid for writing. The ticket is > usually only that big for users which are members of hundreds of Windows > Groups, which I have never seen before to be > 4k. > > Can you try to increase in the main function the buffer buf to 8192 ? > > Markus > > > "Brian Kirk" <bekirk@xxxxxxxxx> wrote in message > news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4@xxxxxxxxxxxxxxxxx > >I am going through a simular nightmare in our environment, we > > currently use NTLM auth and since we have over 6000 Internet users > > this isn't very efficent. I can't get kerberos to work. I used the > > ./squid_kerb_auth_test program to generate the blob, and it is over > > 5000 characters long. The squid_kerb_auth seems limited to 4096, am I > > going the have to alter squid_kerb_auth code or am I doing something > > wrong to get that big of a blob? > > > > On 6/7/08, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote: > >> Find below a small test program to create a token. Run a kinit as a user > >> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like: > >> > >> ./squid_kerb_auth_test opensuse.suse.home > >> Token: > >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ== > >> > >> Then set the keytab with export > >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run > >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting > >> with > >> YR as follows (in one line) > >> > >> ./squid_kerb_auth -d -i -s > >> HTTP/opensuse.suse.home@xxxxxxxxx > >> YR > >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA== > >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR > >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==' > >> from squid (length: 691). > >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with > >> rc=109 > >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token > >> AF AA== markus@xxxxxxxxx > >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@xxxxxxxxx > >> 2008/06/07 22:52:12| squid_kerb_auth: User markus@xxxxxxxxx authenticated > >> > >> > >> Regards > >> Markus > >> > >> Compile gcc -o squid_kerb_auth_test squid_kerb_auth_test.c -lgssapi_krb5 > >> -lkrb5 > >> > >> /* > >> * > >> ----------------------------------------------------------------------------- > >> * > >> * Author: Markus Moeller (markus_moeller at compuserve.com) > >> * > >> * Copyright (C) 2007 Markus Moeller. All rights reserved. > >> * > >> * This program is free software; you can redistribute it and/or modify > >> * it under the terms of the GNU General Public License as published by > >> * the Free Software Foundation; either version 2 of the License, or > >> * (at your option) any later version. > >> * > >> * This program is distributed in the hope that it will be useful, > >> * but WITHOUT ANY WARRANTY; without even the implied warranty of > >> * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > >> * GNU General Public License for more details. > >> * > >> * You should have received a copy of the GNU General Public License > >> * along with this program; if not, write to the Free Software > >> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, > >> USA. > >> * > >> * > >> ----------------------------------------------------------------------------- > >> */ > >> /* > >> * Hosted at http://sourceforge.net/projects/squidkerbauth > >> */ > >> > >> #ifndef HEIMDAL > >> #include <profile.h> > >> #endif > >> #include <krb5.h> > >> > >> #include <unistd.h> > >> #include <stdlib.h> > >> #include <stdio.h> > >> #include <string.h> > >> #include <errno.h> > >> #include <time.h> > >> #include <sys/time.h> > >> > >> #ifdef HEIMDAL > >> #include <gssapi.h> > >> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE > >> #else > >> #include <gssapi/gssapi.h> > >> #ifndef SOLARIS_11 > >> #include <gssapi/gssapi_generic.h> > >> #else > >> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE > >> #endif > >> #endif > >> > >> static const char *LogTime(void); > >> > >> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const > >> char* function); > >> > >> #define PROGRAM "squid_kerb_auth_test" > >> > >> static const char *LogTime() > >> { > >> struct tm *tm; > >> struct timeval now; > >> static time_t last_t = 0; > >> static char buf[128]; > >> > >> gettimeofday(&now, NULL); > >> if (now.tv_sec != last_t) { > >> tm = localtime(&now.tv_sec); > >> strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); > >> last_t = now.tv_sec; > >> } > >> return buf; > >> } > >> > >> #ifdef HAVE_SPNEGO > >> #ifndef gss_mech_spnego > >> static gss_OID_desc _gss_mech_spnego = {6, (void > >> *)"\x2b\x06\x01\x05\x05\x02"}; > >> gss_OID gss_mech_spnego = &_gss_mech_spnego; > >> #endif > >> #endif > >> > >> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const > >> char* function){ > >> if (GSS_ERROR(major_status)) { > >> OM_uint32 maj_stat,min_stat; > >> OM_uint32 msg_ctx = 0; > >> gss_buffer_desc status_string; > >> char buf[1024]; > >> size_t len; > >> > >> len = 0; > >> msg_ctx = 0; > >> while (!msg_ctx) { > >> /* convert major status code (GSS-API error) to text */ > >> maj_stat = gss_display_status(&min_stat, major_status, > >> GSS_C_GSS_CODE, > >> GSS_C_NULL_OID, > >> &msg_ctx, &status_string); > >> if (maj_stat == GSS_S_COMPLETE) { > >> if (sizeof(buf) > len + status_string.length + 1) { > >> sprintf(buf+len, "%s", (char*) status_string.value); > >> len += status_string.length; > >> } > >> gss_release_buffer(&min_stat, &status_string); > >> break; > >> } > >> gss_release_buffer(&min_stat, &status_string); > >> } > >> if (sizeof(buf) > len + 2) { > >> sprintf(buf+len, "%s", ". "); > >> len += 2; > >> } > >> msg_ctx = 0; > >> while (!msg_ctx) { > >> /* convert minor status code (underlying routine error) to text */ > >> maj_stat = gss_display_status(&min_stat, minor_status, > >> GSS_C_MECH_CODE, > >> GSS_C_NULL_OID, > >> &msg_ctx, &status_string); > >> if (maj_stat == GSS_S_COMPLETE) { > >> if (sizeof(buf) > len + status_string.length ) { > >> sprintf(buf+len, "%s", (char*) status_string.value); > >> len += status_string.length; > >> } > >> gss_release_buffer(&min_stat, &status_string); > >> break; > >> } > >> gss_release_buffer(&min_stat, &status_string); > >> } > >> fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, > >> function, > >> buf); > >> return(1); > >> } > >> return(0); > >> } > >> > >> static void base64_init(void); > >> > >> static int base64_initialized = 0; > >> #define BASE64_VALUE_SZ 256 > >> #define BASE64_RESULT_SZ 8192 > >> int base64_value[BASE64_VALUE_SZ]; > >> const char base64_code[] = > >> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; > >> > >> static void > >> base64_init(void) > >> { > >> int i; > >> > >> for (i = 0; i < BASE64_VALUE_SZ; i++) > >> base64_value[i] = -1; > >> > >> for (i = 0; i < 64; i++) > >> base64_value[(int) base64_code[i]] = i; > >> base64_value['='] = 0; > >> > >> base64_initialized = 1; > >> } > >> > >> char * > >> base64_decode(const char *p) > >> { > >> static char result[BASE64_RESULT_SZ]; > >> int j; > >> int c; > >> long val; > >> if (!p) > >> return NULL; > >> if (!base64_initialized) > >> base64_init(); > >> val = c = 0; > >> for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) { > >> unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ; > >> if (base64_value[k] < 0) > >> continue; > >> val <<= 6; > >> val += base64_value[k]; > >> if (++c < 4) > >> continue; > >> /* One quantum of four encoding characters/24 bit */ > >> result[j++] = val >> 16; /* High 8 bits */ > >> result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */ > >> result[j++] = val & 0xff; /* Low 8 bits */ > >> val = c = 0; > >> } > >> result[j] = 0; > >> return result; > >> } > >> > >> /* adopted from > >> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with > >> adjustments */ > >> const char * > >> base64_encode(const char *decoded_str) > >> { > >> static char result[BASE64_RESULT_SZ]; > >> int bits = 0; > >> int char_count = 0; > >> int out_cnt = 0; > >> int c; > >> > >> if (!decoded_str) > >> return decoded_str; > >> > >> if (!base64_initialized) > >> base64_init(); > >> > >> while ((c = (unsigned char) *decoded_str++) && out_cnt < > >> sizeof(result) - > >> 5) { > >> bits += c; > >> char_count++; > >> if (char_count == 3) { > >> result[out_cnt++] = base64_code[bits >> 18]; > >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > >> result[out_cnt++] = base64_code[bits & 0x3f]; > >> bits = 0; > >> char_count = 0; > >> } else { > >> bits <<= 8; > >> } > >> } > >> if (char_count != 0) { > >> bits <<= 16 - (8 * char_count); > >> result[out_cnt++] = base64_code[bits >> 18]; > >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > >> if (char_count == 1) { > >> result[out_cnt++] = '='; > >> result[out_cnt++] = '='; > >> } else { > >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > >> result[out_cnt++] = '='; > >> } > >> } > >> result[out_cnt] = '\0'; /* terminate */ > >> return result; > >> } > >> > >> /* adopted from > >> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with > >> adjustments */ > >> const char * > >> base64_encode_bin(const char *data, int len) > >> { > >> static char result[BASE64_RESULT_SZ]; > >> int bits = 0; > >> int char_count = 0; > >> int out_cnt = 0; > >> > >> if (!data) > >> return data; > >> > >> if (!base64_initialized) > >> base64_init(); > >> > >> while (len-- && out_cnt < sizeof(result) - 5) { > >> int c = (unsigned char) *data++; > >> bits += c; > >> char_count++; > >> if (char_count == 3) { > >> result[out_cnt++] = base64_code[bits >> 18]; > >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > >> result[out_cnt++] = base64_code[bits & 0x3f]; > >> bits = 0; > >> char_count = 0; > >> } else { > >> bits <<= 8; > >> } > >> } > >> if (char_count != 0) { > >> bits <<= 16 - (8 * char_count); > >> result[out_cnt++] = base64_code[bits >> 18]; > >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > >> if (char_count == 1) { > >> result[out_cnt++] = '='; > >> result[out_cnt++] = '='; > >> } else { > >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > >> result[out_cnt++] = '='; > >> } > >> } > >> result[out_cnt] = '\0'; /* terminate */ > >> return result; > >> } > >> const char *squid_kerb_proxy_auth(char* principal_name, char *proxy) { > >> int rc=0; > >> OM_uint32 major_status, minor_status; > >> gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; > >> gss_name_t server_name = GSS_C_NO_NAME; > >> gss_buffer_desc service = GSS_C_EMPTY_BUFFER; > >> gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; > >> gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; > >> const char *token = NULL; > >> > >> setbuf(stdout,NULL); > >> setbuf(stdin,NULL); > >> > >> if (!proxy ) { > >> fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(), > >> PROGRAM); > >> return NULL; > >> } > >> > >> service.value = malloc(strlen("HTTP")+strlen(proxy)+2); > >> snprintf(service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy); > >> service.length = strlen((char *)service.value); > >> > >> major_status = gss_import_name(&minor_status, &service, > >> gss_nt_service_name, &server_name); > >> > >> if > >> (check_gss_err(major_status,minor_status,"gss_import_name()") > >> ) > >> goto cleanup; > >> > >> major_status = gss_init_sec_context(&minor_status, > >> GSS_C_NO_CREDENTIAL, > >> &gss_context, > >> server_name, > >> #ifdef HAVE_SPNEGO > >> gss_mech_spnego, > >> #else > >> 0, > >> #endif > >> 0, > >> 0, > >> GSS_C_NO_CHANNEL_BINDINGS, > >> &input_token, > >> NULL, > >> &output_token, > >> NULL, > >> NULL); > >> > >> if > >> (check_gss_err(major_status,minor_status,"gss_init_sec_context()") > >> ) > >> goto cleanup; > >> > >> if (output_token.length) { > >> > >> token = (const char*)base64_encode_bin((const > >> char*)output_token.value,output_token.length); > >> } > >> > >> > >> cleanup: > >> gss_delete_sec_context(&minor_status, &gss_context, NULL); > >> gss_release_buffer(&minor_status, &service); > >> gss_release_buffer(&minor_status, &input_token); > >> gss_release_buffer(&minor_status, &output_token); > >> gss_release_name(&minor_status, &server_name); > >> > >> return token; > >> } > >> > >> int main(int argc, char *argv[]) { > >> > >> const char *Token; > >> > >> if (argc < 1) { > >> fprintf(stderr, "%s| %s: Error: No proxy server name given\n", > >> LogTime(), PROGRAM); > >> exit(99); > >> } > >> Token = (const char *)squid_kerb_proxy_auth(NULL,argv[1]); > >> fprintf(stdout,"Token: %s\n",Token?Token:"NULL"); > >> > >> exit(0); > >> } > >> > >> > >> > >> > >> > >> > >> > >> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message > >> news:g2c9kv$5vc$1@xxxxxxxxxxxxxxxx > >> > >> > I can create a simple test tool to create blobs. I will post it later > >> > next > >> week. > >> > > >> > Markus > >> > > >> > "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message > >> news:1212619464.15703.1.camel@xxxxxxxxxxxxxxxxxxxxxx > >> > > >> > > On ons, 2008-06-04 at 15:41 -0700, Alex Morken wrote: > >> > > > >> > > > >> > > > Thank you Henrik. I kind of figured it needed something else, but > >> > > > I > >> > > > wasn't sure what to put there. Where can I get or generate the > >> > > > Kerberos GSSAPI blob I need for the input? I have been digging > >> > > > around kerberos docs and haven't found what I needed. > >> > > > > >> > > > >> > > Not sure. It's a kerberos authentication handshake, and initially > >> > > depends on a challenge sent by the helper... > >> > > > >> > > Regards > >> > > Henrik > >> > > > >> > > > >> > > > >> > > >> > > >> > > >> > > >> > >> > >> > > > > -- --------------------------------------- Malte Schröder MalteSch@xxxxxx ICQ# 68121508 ---------------------------------------
Attachment:
signature.asc
Description: PGP signature
