Search squid archive

Re: squid_kerb_auth problem after upgrade from 2.x to 3.1.10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Alex,
The test you do is not a valid test for the Kerberos authentication helper. The input is a Kerberos token which you can create with the tool provided by issuing: 

kinit user@DOMAIN

and

./squid_kerb_auth_test <squid-fqdn>
Token: YIICigYGKwYBBQUCoIICfjCCAnqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCAk0EggJJYIICRQYJKoZIhvcSAQICAQBuggI0MIICMKADAgEFoQMCAQ6iBwMFAAAAAACjggFeYYIBWjCCAVagAwIBBaELGwlTVVNFLkhPTUWiJzAloAMCAQOhHjAcGwRIVFRQGxRvcGVuc3VzZTEyLnN1c2UuaG9tZaOCARcwggEToAMCARehAwIBBKKCAQUEggEB5XHlcxE1U21wxlbr9X6mn6s8m5RBxj2aJlbD3FKo91TfE5g4dPLeSXNZ3ZkIONUIhvXuDdr+aa/JI5QD256Ft6tpAhDRjighade9p6IMhHjwcdF5+/aUNTPKJWApVuqT57QhoJk4WhNQdvgtwQn9AwyroVCm0dBdnqxnIFmOWQTXA1aSnbWEih0DLWOpYG30cYK53Eue3ZllXmANyQg7Sviq5JqMtN2+JnZ/0PZh+Jc8tzG0XGkDXYoLuTan6MngUwEi/KicbjowvrSdMebq7AE/w3Hy9ZNaNujuysmgsg2RLjUbtcmsB0nSdSwJ7mpeVPY+vKZ7vDBCnBmtlTLmggGkgbgwgbWgAwIBF6KBrQSBqucRLWoMg2Q9cyrCKlYaULBD19rkFSjStKByb0i3Wn4aGlGsx+BEkwX60pSGtGzX0THws/ibRWe5I4vQtMwlofMHuxki8jcwpDZySMzgIORqU6nN6UeoaAUyVThr6DTeQJdzWTXsS7+vSP70PkAB0HJtDSgUqP3Gxrx66zXgq2WkewVTwiOAox4M6ae0bKGicpQZH0hOpet2l4H3H/c2UeJPppdhDzuraIjc 

With that token you can test squid_kerb_auth i.e.
export KRB5_KTNAME=<path to squid.keytab>
./squid_kerb_auth -d -s HTTP/srvproxy.xxx.local
YR YIICigYGKwYBBQUCoIICfjCCAnqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCAk0EggJJYIICRQYJKoZIhvcSAQICAQBuggI0MIICMKADAgEFoQMCAQ6iBwMFAAAAAACjggFeYYIBWjCCAVagAwIBBaELGwlTVVNFLkhPTUWiJzAloAMCAQOhHjAcGwRIVFRQGxRvcGVuc3VzZTEyLnN1c2UuaG9tZaOCARcwggEToAMCARehAwIBBKKCAQUEggEB5XHlcxE1U21wxlbr9X6mn6s8m5RBxj2aJlbD3FKo91TfE5g4dPLeSXNZ3ZkIONUIhvXuDdr 

How does cache.log look like when you get the auth error wih squid ?

Regards
Markus
"Almot" <alex.abaev@xxxxxxxxx> wrote in message news:1362987551354-4658936.post@xxxxxxxxxxxxx... 
Hello, previous version 2.x worked fine.
OS: Centos 6.3, kinit pass fine - Authenticated to Kerberos v5


When i upgraded to 3.1.10 i got error in cache.log
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code 
may provide more information.

I tried check helper

------------------------------------------------------------------------
/usr/lib/squid/squid_kerb_auth -s HTTP/srvproxy.xxx.local@XX.LOCAL -d
user pass
2013/03/11 11:34:03| squid_kerb_auth: DEBUG: Got 'user pass' from squid
(length: 17).
2013/03/11 11:34:03| squid_kerb_auth: ERROR: Invalid request [aabaev
asban81K27]
BH Invalid request
------------------------------------------------------------------------

I do debug

-----------------------------------------------------------------------------------------
1689  execve("/usr/lib/squid/squid_kerb_auth",
["/usr/lib/squid/squid_kerb_auth", "-s", "-d",
"HTTP/srvproxy.7flowers.local@7FL"...], [/* 23 vars */]) = 0
1689  brk(0)                            = 0x1cc7000
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7781000
1689  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
1689  open("/etc/ld.so.cache", O_RDONLY) = 3
1689  fstat64(3, {st_mode=S_IFREG|0644, st_size=29287, ...}) = 0
1689  mmap2(NULL, 29287, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7779000
1689  close(3)                          = 0
1689  open("/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360m\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=262124, ...}) = 0
1689 mmap2(NULL, 261128, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xdb2000
1689  mmap2(0xdf0000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3e) = 0xdf0000
1689  close(3)                          = 0
1689  open("/lib/libkrb5.so.3", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\t\1\0004\0\0\0"...,
512) = 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=901552, ...}) = 0
1689 mmap2(NULL, 904716, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x4a5000
1689  mmap2(0x57b000, 28672, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd5) = 0x57b000
1689  close(3)                          = 0
1689  open("/lib/libk5crypto.so.3", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340*\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=169712, ...}) = 0
1689 mmap2(NULL, 172056, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xec3000
1689  mmap2(0xeeb000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28) = 0xeeb000
1689  mmap2(0xeed000, 24, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xeed000
1689  close(3)                          = 0
1689  open("/lib/libcom_err.so.2", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\16\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=13836, ...}) = 0
1689 mmap2(NULL, 16596, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x37c000
1689  mmap2(0x37f000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x37f000
1689  close(3)                          = 0
1689  open("/lib/libm.so.6", O_RDONLY)  = 3
1689  read(3,
"\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p4\0\0004\0\0\0"..., 512) = 
512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=200024, ...}) = 0
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7778000
1689 mmap2(NULL, 168064, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x385000
1689  mmap2(0x3ad000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x27) = 0x3ad000
1689  close(3)                          = 0
1689  open("/lib/libc.so.6", O_RDONLY)  = 3
1689  read(3,
"\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@n\1\0004\0\0\0"..., 512) = 
512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=1902708, ...}) = 0
1689  mmap2(NULL, 1665416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x6bf000
1689  mprotect(0x84f000, 4096, PROT_NONE) = 0
1689  mmap2(0x850000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x190) = 0x850000
1689  mmap2(0x853000, 10632, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x853000
1689  close(3)                          = 0
1689  open("/lib/libkrb5support.so.0", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\36\0\0004\0\0\0"...,
512) = 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=42716, ...}) = 0
1689 mmap2(NULL, 45592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x588000
1689  mmap2(0x592000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9) = 0x592000
1689  close(3)                          = 0
1689  open("/lib/libdl.so.2", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0"..., 512) = 
512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=17892, ...}) = 0
1689 mmap2(NULL, 16500, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xa20000
1689  mmap2(0xa23000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xa23000
1689  close(3)                          = 0
1689  open("/lib/libkeyutils.so.1", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\t\0\0004\0\0\0"..., 512) = 
512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=9536, ...}) = 0
1689 mmap2(NULL, 12332, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xb76000
1689  mmap2(0xb78000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb78000
1689  close(3)                          = 0
1689  open("/lib/libresolv.so.2", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240&\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=103384, ...}) = 0
1689 mmap2(NULL, 104520, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x201000
1689  mprotect(0x216000, 4096, PROT_NONE) = 0
1689  mmap2(0x217000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15) = 0x217000
1689  mmap2(0x219000, 6216, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x219000
1689  close(3)                          = 0
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7777000
1689  open("/lib/libpthread.so.0", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260L\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=131080, ...}) = 0
1689 mmap2(NULL, 106976, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xb19000
1689  mmap2(0xb30000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16) = 0xb30000
1689  mmap2(0xb32000, 4576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb32000
1689  close(3)                          = 0
1689  open("/lib/libselinux.so.1", O_RDONLY) = 3
1689  read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220C\0\0004\0\0\0"..., 512) 
= 512
1689  fstat64(3, {st_mode=S_IFREG|0755, st_size=120780, ...}) = 0
1689 mmap2(NULL, 125956, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0x916000
1689  mmap2(0x933000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c) = 0x933000
1689  close(3)                          = 0
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7776000
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7775000
1689  set_thread_area({entry_number:-1 -> 6, base_addr:0xb7775740,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, 
seg_not_present:0, useable:1}) = 0
1689  mprotect(0x933000, 4096, PROT_READ) = 0
1689  mprotect(0xb30000, 4096, PROT_READ) = 0
1689  mprotect(0x217000, 4096, PROT_READ) = 0
1689  mprotect(0xb78000, 4096, PROT_READ) = 0
1689  mprotect(0xa23000, 4096, PROT_READ) = 0
1689  mprotect(0x592000, 4096, PROT_READ) = 0
1689  mprotect(0x850000, 8192, PROT_READ) = 0
1689  mprotect(0x3ad000, 4096, PROT_READ) = 0
1689  mprotect(0x37f000, 4096, PROT_READ) = 0
1689  mprotect(0xeeb000, 4096, PROT_READ) = 0
1689  mprotect(0x57b000, 24576, PROT_READ) = 0
1689  mprotect(0xdf0000, 4096, PROT_READ) = 0
1689  mprotect(0x979000, 4096, PROT_READ) = 0
1689  munmap(0xb7779000, 29287)         = 0
1689  set_tid_address(0xb77757a8)       = 1689
1689  set_robust_list(0xb77757b0, 0xc)  = 0
1689  futex(0xbfde2210, FUTEX_WAKE_PRIVATE, 1) = 0
1689  futex(0xbfde2210, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1,
NULL, bfde2220) = -1 EAGAIN (Resource temporarily unavailable)
1689  rt_sigaction(SIGRTMIN, {0xb1d6e0, [], SA_SIGINFO}, NULL, 8) = 0
1689 rt_sigaction(SIGRT_1, {0xb1db80, [], SA_RESTART|SA_SIGINFO}, NULL, 8) 
= 0
1689  rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
1689 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) 
= 0
1689  uname({sys="Linux", node="srvproxy", ...}) = 0
1689  statfs64("/selinux", 84, {f_type="EXT2_SUPER_MAGIC", f_bsize=4096,
f_blocks=15384581, f_bfree=12426887, f_bavail=11645397, f_files=3907584,
f_ffree=3015119, f_fsid={133201077, -398225868}, f_namelen=255,
f_frsize=4096}) = 0
1689  brk(0)                            = 0x1cc7000
1689  brk(0x1ce8000)                    = 0x1ce8000
1689  open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
1689  fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
1689 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7780000
1689  read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 304
1689  read(3, "", 1024)                 = 0
1689  close(3)                          = 0
1689  munmap(0xb7780000, 4096)          = 0
1689  access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove",
F_OK) = -1 ENOENT (No such file or directory)
1689  read(0, "a", 1)                   = 1
1689  read(0, "a", 1)                   = 1
1689  read(0, "b", 1)                   = 1
1689  read(0, "a", 1)                   = 1
1689  read(0, "e", 1)                   = 1
1689  read(0, "v", 1)                   = 1
1689  read(0, " ", 1)                   = 1
1689  read(0, "a", 1)                   = 1
1689  read(0, "s", 1)                   = 1
1689  read(0, "b", 1)                   = 1
1689  read(0, "a", 1)                   = 1
1689  read(0, "n", 1)                   = 1
1689  read(0, "8", 1)                   = 1
1689  read(0, "1", 1)                   = 1
1689  read(0, "K", 1)                   = 1
1689  read(0, "2", 1)                   = 1
1689  read(0, "7", 1)                   = 1
1689  read(0, "\n", 1)                  = 1
1689  write(1, "BH Invalid request\n", 19) = 19
1689  read(0, 0x852487, 1)              = ? ERESTARTSYS (To be restarted)
1689  --- SIGINT (Interrupt) @ 0 (0) ---
1689  +++ killed by SIGINT +++




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-problem-after-upgrade-from-2-x-to-3-1-10-tp4658936.html 
Sent from the Squid - Users mailing list archive at Nabble.com.
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux