Re: Re: negotiate_kerberos_auth - Operation not permitted

[Подшивалов Антон <support@xxxxxxxxxxxxxxxxx>]

I run squid from rc.local:
squid_enable="YES"

Top show that squid run by user squid:

proxy# top | grep squid
 1394 squid       1  44    0 23288K 14232K kqread  1   0:00  0.00% 
squid
(If i kill squid daemon and start it again by root top show same log)

I have not chroot configuration directive in squid.conf.
Also if so i place HTTP.keytab to /usr/local/etc/squid where is another 
config file for squid (squid.conf for example).


Markus Moeller писал 06.01.2013 20:34:
> If I look at the source no_suid is only called when chroot is
> configured and that works only when you run squid as root.
>
> Do you use chroot ?
>
> Markus
>
>
>
> "Подшивалов Антон" <support@xxxxxxxxxxxxxxxxx> wrote in message
> news:f12fa1c4899e5a792ca5791746dfa89e@xxxxxxxxxxxxxxxxx...
> > Hello and Happy New Year!
> > Please help with my trouble. I want use kerberos authorisation, but 
> > in user browser appear window with authorization dialog, and any users 
> > can't pass it.
> >
> > squid.conf:
> > auth_param negotiate program 
> > /usr/local/libexec/squid/negotiate_kerberos_auth -d -s 
> > HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
> > auth_param negotiate children 5
> > auth_param negotiate keep_alive on
> > external_acl_type ext_kerberos_ldap_group_acl ttl=60 negative_ttl=60 
> > %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -g 
> > inet_users@ -D m-tisiz.local
> > acl ldap_group_check external ext_kerberos_ldap_group_acl
> >
> > In /usr/local/etc/rc.d/squid:
> > KRB5_KTNAME=/usr/local/etc/squid/HTTP.keytab
> > export KRB5_KTNAME
> >
> > proxy# ls -la | grep HTTP.keytab
> > -rwxrwxrwx   1 squid  squid     387 Jan  1 14:14 HTTP.keytab
> > (this permission for test only)
> >
> > 2013/01/02 12:50:47 kid1| Starting Squid Cache version 3.2.4 for 
> > i386-portbld-freebsd8.3...
> > 2013/01/02 12:50:47 kid1| Process ID 37309
> > 2013/01/02 12:50:47 kid1| Process Roles: worker
> > 2013/01/02 12:50:47 kid1| With 11095 file descriptors available
> > 2013/01/02 12:50:47 kid1| Initializing IP Cache...
> > 2013/01/02 12:50:47 kid1| DNS Socket created at 0.0.0.0, FD 7
> > 2013/01/02 12:50:47 kid1| Adding domain m-tisiz.local from 
> > /etc/resolv.conf
> > 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.244 from 
> > /etc/resolv.conf
> > 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.250 from 
> > /etc/resolv.conf
> > 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 0/5 
> > 'negotiate_kerberos_auth' processes
> > 2013/01/02 12:50:47 kid1| helperStatefulOpenServers: No 
> > 'negotiate_kerberos_auth' processes needed.
> > 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 5/5 
> > 'ext_kerberos_ldap_group_acl' processes
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > kerberos_ldap_group.cc(336): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: INFO: Starting version 1.3.0sq
> > support_group.cc(367): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: INFO: Group list inet_users@
> > support_group.cc(425): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: INFO: Group inet_users  Domain
> > support_netbios.cc(62): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: DEBUG: Netbios list NULL
> > support_netbios.cc(66): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: DEBUG: No netbios names defined.
> > support_lserver.cc(61): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: DEBUG: ldap server list NULL
> > support_lserver.cc(65): pid=37310 :2013/01/02 12:50:47| 
> > kerberos_ldap_group: DEBUG: No ldap servers defined.
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > 2013/01/02 12:50:47 kid1| Unlinkd pipe opened on FD 23
> > 2013/01/02 12:50:47 kid1| Local cache digest enabled; 
> > rebuild/rewrite every 3600/3600 sec
> > 2013/01/02 12:50:47 kid1| Logfile: opening log 
> > daemon:/usr/squid/log/store.log
> > 2013/01/02 12:50:47 kid1| Logfile Daemon: opening log 
> > /usr/squid/log/store.log
> > 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > 2013/01/02 12:50:47 kid1| Swap maxSize 1843200 + 204800 KB, 
> > estimated 157538 objects
> > 2013/01/02 12:50:47 kid1| Target number of buckets: 7876
> > 2013/01/02 12:50:47 kid1| Using 8192 Store buckets
> > 2013/01/02 12:50:47 kid1| Max Mem  size: 204800 KB
> > 2013/01/02 12:50:47 kid1| Max Swap size: 1843200 KB
> > 2013/01/02 12:50:47 kid1| Rebuilding storage in /usr/squid/ (no log)
> > 2013/01/02 12:50:47 kid1| Using Least Load store dir selection
> > 2013/01/02 12:50:47 kid1| Current Directory is /usr/local/etc/squid
> > 2013/01/02 12:50:47 kid1| Loaded Icons.
> > 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(22) AsyncCall: The 
> > AsyncCall clientListenerConnectionOpened constructed, this=0x293f6830 
> > [call21]
> > 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(89) ScheduleCall: 
> > StartListening.cc(54) will call 
> > clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27 
> > flags=9, err=0, HTTP Socket port=0x28a16350) [call21]
> > 2013/01/02 12:50:47.414 kid1| HTCP Disabled.
> > 2013/01/02 12:50:47.414 kid1| Squid plugin modules loaded: 0
> > 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(53) fireNext: 
> > entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] 
> > FD 27 flags=9, err=0, HTTP Socket port=0x28a16350)
> > 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(34) make: make call 
> > clientListenerConnectionOpened [call21]
> > 2013/01/02 12:50:47.414 kid1| Accepting HTTP Socket connections at 
> > local=0.0.0.0:3128 remote=[::] FD 27 flags=9
> > 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(55) fireNext: 
> > leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] 
> > FD 27 flags=9, err=0, HTTP Socket port=0x28a16350)
> > 2013/01/02 12:50:47.414 kid1| Done scanning /usr/squid/ dir (0 
> > entries)
> > 2013/01/02 12:50:47.414 kid1| Finished rebuilding storage from disk.
> > 2013/01/02 12:50:47.414 kid1|         0 Entries scanned
> > 2013/01/02 12:50:47.414 kid1|         0 Invalid entries.
> > 2013/01/02 12:50:47.414 kid1|         0 With invalid flags.
> > 2013/01/02 12:50:47.414 kid1|         0 Objects loaded.
> > 2013/01/02 12:50:47.414 kid1|         0 Objects expired.
> > 2013/01/02 12:50:47.414 kid1|         0 Objects cancelled.
> > 2013/01/02 12:50:47.414 kid1|         0 Duplicate URLs purged.
> > 2013/01/02 12:50:47.414 kid1|         0 Swapfile clashes avoided.
> > 2013/01/02 12:50:47.414 kid1|   Took 0.13 seconds (  0.00 
> > objects/sec).
> > 2013/01/02 12:50:47.414 kid1| Beginning Validation Procedure
> > 2013/01/02 12:50:47.414 kid1|   Completed Validation Procedure
> > 2013/01/02 12:50:47.414 kid1|   Validated 0 Entries
> > 2013/01/02 12:50:47.414 kid1|   store_swap_size = 0.00 KB
> > 2013/01/02 12:50:48 kid1| storeLateRelease: released 0 objects
> > 2013/01/02 12:50:58 kid1| Starting new negotiateauthenticator 
> > helpers...
> > 2013/01/02 12:50:58 kid1| helperOpenServers: Starting 1/5 
> > 'negotiate_kerberos_auth' processes
> > 2013/01/02 12:50:58 kid1| WARNING: no_suid: setuid(0): (1) Operation 
> > not permitted
> > negotiate_kerberos_auth.cc(271): pid=37324 :2013/01/02 12:50:58| 
> > negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> > negotiate_kerberos_auth.cc(316): pid=37324 :2013/01/02 12:50:58| 
> > negotiate_kerberos_auth: DEBUG: Got 'YR 
> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' from squid 
> > (length: 59).
> > negotiate_kerberos_auth.cc(379): pid=37324 :2013/01/02 12:50:58| 
> > negotiate_kerberos_auth: DEBUG: Decode 
> > 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' (decoded 
> > length: 40).
> > negotiate_kerberos_auth.cc(389): pid=37324 :2013/01/02 12:50:58| 
> > negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> > 2013/01/02 12:50:58 kid1| ERROR: Negotiate Authentication validating 
> > user. Error returned 'BH received type 1 NTLM token'
> > 2013/01/02 12:51:00.323 kid1| client_side.cc(764) swanSong: 
> > local=192.168.100.216:3128 remote=192.168.100.244:63943 flags=1
> >
> > This log WARNING: no_suid: setuid(0): (1) Operation not permitted 
> > look like permission trouble, but permission for HTTP.keytab - is OK.
> >
> >
> > proxy# kinit AnteC
> > AnteC@M-TISIZ.LOCAL's Password:
> > proxy# klist
> > Credentials cache: FILE:/tmp/krb5cc_0
> >         Principal: AnteC@M-TISIZ.LOCAL
> >
> >   Issued           Expires          Principal
> > Jan  2 12:58:48  Jan  2 22:58:48  krbtgt/M-TISIZ.LOCAL@M-TISIZ.LOCAL
> >
> > i created Keytab on Windows 2008 Server:
> > ktpass.exe /princ HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL /mapuser 
> > proxy_squid@M-TISIZ.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass 
> > +rndpass /out C:\HTTP.keytab