Hi Mark,
Do you have the token you received as base64 encoded in the log or
better in a Wireshark capture? This could help identify if the
un-encrypted elements in the token are correct.
Markus
"Mark Davies" <mark@xxxxxxxxxxxxx> wrote in message
news:201206201520.52498.mark@xxxxxxxxxxxxx...
Hi,
we run a couple of squid caches using the squid_kerb_auth helper to
do Negotiate GSSAPI authentication and generally it all works rather
nicely but we will get little bursts of the following error
2012/06/20 14:54:02| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: A token was invalid. unknown
mech-code 1859794441 for mech unknown'
Always with that particular mech-code.
Given the number of successful hits on the cache (couple of million a
day) I'm struggling to identify what's causing these errors and how to
rectify so suggestions welcomed.
As well as wanting to identify the root cause, this problem has the
effect that every time squid_kerb_auth deals with one of these
requests the Kerberos libraries (heimdal 1.5pre1 from NetBSD 5.99.59)
keep a file descriptor open to the keytab file (actually two) so
eventually the squid_kerb_auth hits the max file descriptors per
process limit and other things start to fail (if it hasn't been
restarted before then).
cheers
mark
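
The reply at the top of this thread asks for the base64 token so its un-encrypted elements can be checked. The following Python is an added example, not part of the original messages and not squid_kerb_auth code: it decodes a Negotiate token and reports the GSS-API framing and mechanism OID that are readable without the keytab. The function names are hypothetical and the sample tokens are constructed, not captured.

```python
import base64

# DER-encoded value bytes of well-known mechanism OIDs.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5 (1.2.840.48018.1.2.2)",
}

def read_der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64_token):
    """Describe the clear-text header of a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "not valid base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP token (not a GSS-API token)"
    if len(raw) < 4 or raw[0] != 0x60:    # 0x60 = [APPLICATION 0] wrapper
        return "no GSS-API initial-token header (0x60)"
    try:
        total, pos = read_der_length(raw, 1)
        if total != len(raw) - pos:       # token cut short or padded
            return "GSS-API header length does not match token size"
        if raw[pos] != 0x06:              # 0x06 = OBJECT IDENTIFIER
            return "mechanism OID missing"
        oid_len, pos = read_der_length(raw, pos + 1)
    except (ValueError, IndexError):
        return "truncated or malformed GSS-API header"
    oid = raw[pos:pos + oid_len]
    return MECH_OIDS.get(oid, "unknown mechanism OID " + oid.hex())

def make_sample(oid, body):
    """Build a constructed (not captured) token for demonstration."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    n = len(inner)
    k = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return base64.b64encode(b"\x60" + hdr + inner).decode()
```

Feed it the value that follows `Negotiate ` in the `Proxy-Authorization` header taken from the log or capture.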