Search squid archive

Re: Re: negotiate_kerberos_auth - Operation not permitted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I run squid from rc.local:
squid_enable="YES"

Top show that squid run by user squid:

proxy# top | grep squid
1394 squid 1 44 0 23288K 14232K kqread 1 0:00 0.00% squid
(If i kill squid daemon and start it again by root top show same log)

I have not chroot configuration directive in squid.conf.
Also if so i place HTTP.keytab to /usr/local/etc/squid where is another config file for squid (squid.conf for example).


Markus Moeller писал 06.01.2013 20:34:
If I look at the source no_suid is only called when chroot is
configured and that works only when you run squid as root.

Do you use chroot ?

Markus



"Подшивалов Антон" <support@xxxxxxxxxxxxxxxxx> wrote in message
news:f12fa1c4899e5a792ca5791746dfa89e@xxxxxxxxxxxxxxxxx...
Hello and Happy New Year!
Please help with my trouble. I want use kerberos authorisation, but in user browser appear window with authorization dialog, and any users can't pass it.

squid.conf:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
auth_param negotiate children 5
auth_param negotiate keep_alive on
external_acl_type ext_kerberos_ldap_group_acl ttl=60 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -g inet_users@ -D m-tisiz.local
acl ldap_group_check external ext_kerberos_ldap_group_acl

In /usr/local/etc/rc.d/squid:
KRB5_KTNAME=/usr/local/etc/squid/HTTP.keytab
export KRB5_KTNAME

proxy# ls -la | grep HTTP.keytab
-rwxrwxrwx   1 squid  squid     387 Jan  1 14:14 HTTP.keytab
(this permission for test only)

2013/01/02 12:50:47 kid1| Starting Squid Cache version 3.2.4 for i386-portbld-freebsd8.3...
2013/01/02 12:50:47 kid1| Process ID 37309
2013/01/02 12:50:47 kid1| Process Roles: worker
2013/01/02 12:50:47 kid1| With 11095 file descriptors available
2013/01/02 12:50:47 kid1| Initializing IP Cache...
2013/01/02 12:50:47 kid1| DNS Socket created at 0.0.0.0, FD 7
2013/01/02 12:50:47 kid1| Adding domain m-tisiz.local from /etc/resolv.conf 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.244 from /etc/resolv.conf 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.250 from /etc/resolv.conf 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 0/5 'negotiate_kerberos_auth' processes 2013/01/02 12:50:47 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed. 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted kerberos_ldap_group.cc(336): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: INFO: Starting version 1.3.0sq support_group.cc(367): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: INFO: Group list inet_users@ support_group.cc(425): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: INFO: Group inet_users Domain support_netbios.cc(62): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: DEBUG: Netbios list NULL support_netbios.cc(66): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: DEBUG: No netbios names defined. support_lserver.cc(61): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: DEBUG: ldap server list NULL support_lserver.cc(65): pid=37310 :2013/01/02 12:50:47| kerberos_ldap_group: DEBUG: No ldap servers defined. 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2013/01/02 12:50:47 kid1| Unlinkd pipe opened on FD 23
2013/01/02 12:50:47 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2013/01/02 12:50:47 kid1| Logfile: opening log daemon:/usr/squid/log/store.log 2013/01/02 12:50:47 kid1| Logfile Daemon: opening log /usr/squid/log/store.log 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted 2013/01/02 12:50:47 kid1| Swap maxSize 1843200 + 204800 KB, estimated 157538 objects
2013/01/02 12:50:47 kid1| Target number of buckets: 7876
2013/01/02 12:50:47 kid1| Using 8192 Store buckets
2013/01/02 12:50:47 kid1| Max Mem  size: 204800 KB
2013/01/02 12:50:47 kid1| Max Swap size: 1843200 KB
2013/01/02 12:50:47 kid1| Rebuilding storage in /usr/squid/ (no log)
2013/01/02 12:50:47 kid1| Using Least Load store dir selection
2013/01/02 12:50:47 kid1| Current Directory is /usr/local/etc/squid
2013/01/02 12:50:47 kid1| Loaded Icons.
2013/01/02 12:50:47.414 kid1| AsyncCall.cc(22) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x293f6830 [call21] 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(89) ScheduleCall: StartListening.cc(54) will call clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27 flags=9, err=0, HTTP Socket port=0x28a16350) [call21]
2013/01/02 12:50:47.414 kid1| HTCP Disabled.
2013/01/02 12:50:47.414 kid1| Squid plugin modules loaded: 0
2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(53) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27 flags=9, err=0, HTTP Socket port=0x28a16350) 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(34) make: make call clientListenerConnectionOpened [call21] 2013/01/02 12:50:47.414 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 27 flags=9 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(55) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27 flags=9, err=0, HTTP Socket port=0x28a16350) 2013/01/02 12:50:47.414 kid1| Done scanning /usr/squid/ dir (0 entries)
2013/01/02 12:50:47.414 kid1| Finished rebuilding storage from disk.
2013/01/02 12:50:47.414 kid1|         0 Entries scanned
2013/01/02 12:50:47.414 kid1|         0 Invalid entries.
2013/01/02 12:50:47.414 kid1|         0 With invalid flags.
2013/01/02 12:50:47.414 kid1|         0 Objects loaded.
2013/01/02 12:50:47.414 kid1|         0 Objects expired.
2013/01/02 12:50:47.414 kid1|         0 Objects cancelled.
2013/01/02 12:50:47.414 kid1|         0 Duplicate URLs purged.
2013/01/02 12:50:47.414 kid1|         0 Swapfile clashes avoided.
2013/01/02 12:50:47.414 kid1| Took 0.13 seconds ( 0.00 objects/sec).
2013/01/02 12:50:47.414 kid1| Beginning Validation Procedure
2013/01/02 12:50:47.414 kid1|   Completed Validation Procedure
2013/01/02 12:50:47.414 kid1|   Validated 0 Entries
2013/01/02 12:50:47.414 kid1|   store_swap_size = 0.00 KB
2013/01/02 12:50:48 kid1| storeLateRelease: released 0 objects
2013/01/02 12:50:58 kid1| Starting new negotiateauthenticator helpers... 2013/01/02 12:50:58 kid1| helperOpenServers: Starting 1/5 'negotiate_kerberos_auth' processes 2013/01/02 12:50:58 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted negotiate_kerberos_auth.cc(271): pid=37324 :2013/01/02 12:50:58| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq negotiate_kerberos_auth.cc(316): pid=37324 :2013/01/02 12:50:58| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' from squid (length: 59). negotiate_kerberos_auth.cc(379): pid=37324 :2013/01/02 12:50:58| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' (decoded length: 40). negotiate_kerberos_auth.cc(389): pid=37324 :2013/01/02 12:50:58| negotiate_kerberos_auth: WARNING: received type 1 NTLM token 2013/01/02 12:50:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token' 2013/01/02 12:51:00.323 kid1| client_side.cc(764) swanSong: local=192.168.100.216:3128 remote=192.168.100.244:63943 flags=1

This log WARNING: no_suid: setuid(0): (1) Operation not permitted look like permission trouble, but permission for HTTP.keytab - is OK.


proxy# kinit AnteC
AnteC@M-TISIZ.LOCAL's Password:
proxy# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: AnteC@M-TISIZ.LOCAL

  Issued           Expires          Principal
Jan  2 12:58:48  Jan  2 22:58:48  krbtgt/M-TISIZ.LOCAL@M-TISIZ.LOCAL

i created Keytab on Windows 2008 Server:
ktpass.exe /princ HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL /mapuser proxy_squid@M-TISIZ.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass +rndpass /out C:\HTTP.keytab




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux