Victor Sudakov wrote:
> > Well, I have tried negotiate_kerberos_auth with Firefox (Windows)
>
> I have tried the same with MSIE 8 (Windows).
After some adjustment to domain group policies, the Windows host is
at last requesting and successfully receiving the ticket for the proxy
service. Wireshark output:
User Datagram Protocol, Src Port: kerberos (88), Dst Port: dellpwrappks (1266)
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: SIBPTUS.TRANSNEFT.RU
Client Name (Principal): vas-adm
Ticket
Tkt-vno: 5
Realm: SIBPTUS.TRANSNEFT.RU
Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
enc-part: 3e0fc357a26db7dcdb0a5b6436b56f9c96d15ad7626eea08...
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part: db8c9ea1bf85c4bb5005103765767b692ed3c0f247c23d48...
The corresponding Kerberos principal is put into the keytab:
/usr/local/etc/squid/squid.keytab:
Vno Type Principal
1 des-cbc-crc HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
1 des-cbc-md5 HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
1 arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
1 aes256-cts-hmac-sha1-96 HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
1 aes128-cts-hmac-sha1-96 HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
The permissions on the keytab are correct. Squid receives it via the
environment:
env KRB5_KTNAME=/usr/local/etc/squid/squid.keytab \
KRB5_CONFIG=/usr/local/etc/squid/krb5.conf \
squid -f /usr/local/etc/squid/squid-test.conf
However, then actual autthentication begins, it fails with the:
"ERROR: gss_acquire_cred() failed: No credentials were
supplied, or the credentials were unavailable or inaccessible..
unknown mech-code 0 for mech unknown"
If someone finds something familiar in the below debug output, or can
low-level debug actual kerberos, could you please let me know. Thanks
a lot in advance for any help.
negotiate_kerberos_auth.cc(212): pid=40984 :2014/10/07 13:12:08| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Got 'YR YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVGVC5SVaItMCugAwIBAqEkMCIbBEhUVFAbGnByb3h5LnNpYnB0dXMudHJhbnNuZWZ0LnJ1o4IDkTCCA42gAwIBA6KCA4QEggOAB8tiAa54xI00BfngMyI8cwFHbNKRZPVn1c/HKYPi4Dppq0fIjp2e5br7rHG51+1/w6zaDwHKqdtnpWh/OplOkn6tDNq0H2fi/jFeT0XKICrLxdpmDHRqNmiyxvtczdkcSyxXJ2254oM9VwuE39D8hqU58NmijTB+WQupz2hw4d+5euIFFwSSO8nD3CMaBVGgyNfp9YvUUy860L+KKEqb0LVXZ+/OsnlsyrEc3AaaXwSwS30+ZRv0jCLh1h7kc84XFPrjGqRPp7JmO5gUCF8k/GXNF3FAMBAaT4r/iAs8LFIixQiRUWJPtjcWAtH0Q3JumqB9Enm+JPNvGBvE83YvbBZtDJQ0uc5lOMVLavBh2Xgj86BmKlCsrOCiMoQ8SgsEAX6o110EeMI1Tef8t+2/WhzP39l5BGuXmdDA1zEmqzA83vvTy5JcKUXZ3IdwwJ4I+kW62qIMsceZ/hfdj/Iy+RjCNrum5FHXMDszMVacKHp9kJTMofuMhhOKD2o+Z91TWTkEwD3NNWGjTWdgECpJT/F7I1x35iQaLGvgLebpalPJEXY8A8od1HhXZaCkIPXcDoPUR1LTTk8bHYKan17EnOBf0CbjOkU8/ib2mLUL81RQHrt6vdTcXzxsAgoZYigptd/ilsXq0dbwjTuZP8ZcFFY+levmSPIn5TF5xZtmtymditNO28hSqDjxC2Lpoy65kqwXglxpijuicSXC4cC/O1TBbksyH/aw/7MbNTKupFpovZTensu/A6zYG3HCjKW9QBsgU4tBXRC6rTP0RAeuASUHpvHv4WhbS5AWNYmX1TNQ8QpfurM2tAzuFzYQN8LL3VT38o4SVK+visE9q1IGez70q9g6Naowvpp6g/h3FuCzUks2ydXchKNPe3KzuSJqzmkLlyjKMlVW8sYUwgKXqNsgi7aRArEfu0L3UqYG/7lao+QLDOBf5+uSzWarZ9IIS7ClIRBejXU7erVJrLBDlGZRbMu+hXacsGwv/1Ls+S8xCxnlRjQngHjLg8vvQBYslgvkMh77eyP+HjiUDOXqDYoDR5bIc/w5UX/Dvb4ECGiqhGd9UHHQkYn6NQnbO/2r+iVBdy1fvXhXE2LKgAFoQtf2tIqsTUZWv12O82X2KzcZJ7IEVMxbGtSj9cdncc16c5Y6DL9AzQryNIhSGxghZ7zyWwp4DBS19ru4l+dVQ4ikgb4wgbugAwIBA6KBswSBsGrVgYewQbJlk43Aw0ujMajwCinYuDDsW9b7I1gCa41ShWl0xSQ6MfkhuPDbcJO6TK6nTYyxSbWMtxo2eiMOehg+bHo5HUUCGyvRCNRnJFcJLP3GAqh8Ogjx9zY4/YcVb8c/eFM/BiBKHw41T4a0fR6scB9GKDjT8vDa4ysgGeEjeiPh+PjDSTS/y/CWrin97xXwrdUbsWbhuxHQ66HZ9rEJoZFb8oxtHgnqyEgMbwdO' from squid (length: 1747).
negotiate_kerberos_auth.cc(311): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Decode 'YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVGVC5SVaItMCugAwIBAqEkMCIbBEhUVFAbGnByb3h5LnNpYnB0dXMudHJhbnNuZWZ0LnJ1o4IDkTCCA42gAwIBA6KCA4QEggOAB8tiAa54xI00BfngMyI8cwFHbNKRZPVn1c/HKYPi4Dppq0fIjp2e5br7rHG51+1/w6zaDwHKqdtnpWh/OplOkn6tDNq0H2fi/jFeT0XKICrLxdpmDHRqNmiyxvtczdkcSyxXJ2254oM9VwuE39D8hqU58NmijTB+WQupz2hw4d+5euIFFwSSO8nD3CMaBVGgyNfp9YvUUy860L+KKEqb0LVXZ+/OsnlsyrEc3AaaXwSwS30+ZRv0jCLh1h7kc84XFPrjGqRPp7JmO5gUCF8k/GXNF3FAMBAaT4r/iAs8LFIixQiRUWJPtjcWAtH0Q3JumqB9Enm+JPNvGBvE83YvbBZtDJQ0uc5lOMVLavBh2Xgj86BmKlCsrOCiMoQ8SgsEAX6o110EeMI1Tef8t+2/WhzP39l5BGuXmdDA1zEmqzA83vvTy5JcKUXZ3IdwwJ4I+kW62qIMsceZ/hfdj/Iy+RjCNrum5FHXMDszMVacKHp9kJTMofuMhhOKD2o+Z91TWTkEwD3NNWGjTWdgECpJT/F7I1x35iQaLGvgLebpalPJEXY8A8od1HhXZaCkIPXcDoPUR1LTTk8bHYKan17EnOBf0CbjOkU8/ib2mLUL81RQHrt6vdTcXzxsAgoZYigptd/ilsXq0dbwjTuZP8ZcFFY+levmSPIn5TF5xZtmtymditNO28hSqDjxC2Lpoy65kqwXglxpijuicSXC4cC/O1TBbksyH/aw/7MbNTKupFpovZTensu/A6zYG3HCjKW9QBsgU4tBXRC6rTP0RAeuASUHpvHv4WhbS5AWNYmX1TNQ8QpfurM2tAzuFzYQN8LL3VT38o4SVK+visE9q1IGez70q9g6Naowvpp6g/h3FuCzUks2ydXchKNPe3KzuSJqzmkLlyjKMlVW8sYUwgKXqNsgi7aRArEfu0L3UqYG/7lao+QLDOBf5+uSzWarZ9IIS7ClIRBejXU7erVJrLBDlGZRbMu+hXacsGwv/1Ls+S8xCxnlRjQngHjLg8vvQBYslgvkMh77eyP+HjiUDOXqDYoDR5bIc/w5UX/Dvb4ECGiqhGd9UHHQkYn6NQnbO/2r+iVBdy1fvXhXE2LKgAFoQtf2tIqsTUZWv12O82X2KzcZJ7IEVMxbGtSj9cdncc16c5Y6DL9AzQryNIhSGxghZ7zyWwp4DBS19ru4l+dVQ4ikgb4wgbugAwIBA6KBswSBsGrVgYewQbJlk43Aw0ujMajwCinYuDDsW9b7I1gCa41ShWl0xSQ6MfkhuPDbcJO6TK6nTYyxSbWMtxo2eiMOehg+bHo5HUUCGyvRCNRnJFcJLP3GAqh8Ogjx9zY4/YcVb8c/eFM/BiBKHw41T4a0fR6scB9GKDjT8vDa4ysgGeEjeiPh+PjDSTS/y/CWrin97xXwrdUbsWbhuxHQ66HZ9rEJoZFb8oxtHgnqyEgMbwdO' (decoded length: 1308).
negotiate_kerberos_auth.cc(128): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
2014/10/07 13:12:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }}
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
negotiate_kerberos_auth.cc(212): pid=40984 :2014/10/07 13:12:08| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Got 'YR YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVGVC5SVaItMCugAwIBAqEkMCIbBEhUVFAbGnByb3h5LnNpYnB0dXMudHJhbnNuZWZ0LnJ1o4IDkTCCA42gAwIBA6KCA4QEggOAB8tiAa54xI00BfngMyI8cwFHbNKRZPVn1c/HKYPi4Dppq0fIjp2e5br7rHG51+1/w6zaDwHKqdtnpWh/OplOkn6tDNq0H2fi/jFeT0XKICrLxdpmDHRqNmiyxvtczdkcSyxXJ2254oM9VwuE39D8hqU58NmijTB+WQupz2hw4d+5euIFFwSSO8nD3CMaBVGgyNfp9YvUUy860L+KKEqb0LVXZ+/OsnlsyrEc3AaaXwSwS30+ZRv0jCLh1h7kc84XFPrjGqRPp7JmO5gUCF8k/GXNF3FAMBAaT4r/iAs8LFIixQiRUWJPtjcWAtH0Q3JumqB9Enm+JPNvGBvE83YvbBZtDJQ0uc5lOMVLavBh2Xgj86BmKlCsrOCiMoQ8SgsEAX6o110EeMI1Tef8t+2/WhzP39l5BGuXmdDA1zEmqzA83vvTy5JcKUXZ3IdwwJ4I+kW62qIMsceZ/hfdj/Iy+RjCNrum5FHXMDszMVacKHp9kJTMofuMhhOKD2o+Z91TWTkEwD3NNWGjTWdgECpJT/F7I1x35iQaLGvgLebpalPJEXY8A8od1HhXZaCkIPXcDoPUR1LTTk8bHYKan17EnOBf0CbjOkU8/ib2mLUL81RQHrt6vdTcXzxsAgoZYigptd/ilsXq0dbwjTuZP8ZcFFY+levmSPIn5TF5xZtmtymditNO28hSqDjxC2Lpoy65kqwXglxpijuicSXC4cC/O1TBbksyH/aw/7MbNTKupFpovZTensu/A6zYG3HCjKW9QBsgU4tBXRC6rTP0RAeuASUHpvHv4WhbS5AWNYmX1TNQ8QpfurM2tAzuFzYQN8LL3VT38o4SVK+visE9q1IGez70q9g6Naowvpp6g/h3FuCzUks2ydXchKNPe3KzuSJqzmkLlyjKMlVW8sYUwgKXqNsgi7aRArEfu0L3UqYG/7lao+QLDOBf5+uSzWarZ9IIS7ClIRBejXU7erVJrLBDlGZRbMu+hXacsGwv/1Ls+S8xCxnlRjQngHjLg8vvQBYslgvkMh77eyP+HjiUDOXqDYoDR5bIc/w5UX/Dvb4ECGiqhGd9UHHQkYn6NQnbO/2r+iVBdy1fvXhXE2LKgAFoQtf2tIqsTUZWv12O82X2KzcZJ7IEVMxbGtSj9cdncc16c5Y6DL9AzQryNIhSGxghZ7zyWwp4DBS19ru4l+dVQ4ikgb4wgbugAwIBA6KBswSBsGrVgYewQbJlk43Aw0ujMajwCinYuDDsW9b7I1gCa41ShWl0xSQ6MfkhuPDbcJO6TK6nTYyxSbWMtxo2eiMOehg+bHo5HUUCGyvRCNRnJFcJLP3GAqh8Ogjx9zY4/YcVb8c/eFM/BiBKHw41T4a0fR6scB9GKDjT8vDa4ysgGeEjeiPh+PjDSTS/y/CWrin97xXwrdUbsWbhuxHQ66HZ9rEJoZFb8oxtHgnqyEgMbwdO' from squid (length: 1747).
negotiate_kerberos_auth.cc(311): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Decode 'YIIFGAYGKwYBBQUCoIIFDDCCBQigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBN4EggTaYIIE1gYJKoZIhvcSAQICAQBuggTFMIIEwaADAgEFoQMCAQ6iBwMFACAAAACjggPpYYID5TCCA+GgAwIBBaEWGxRTSUJQVFVTLlRSQU5TTkVGVC5SVaItMCugAwIBAqEkMCIbBEhUVFAbGnByb3h5LnNpYnB0dXMudHJhbnNuZWZ0LnJ1o4IDkTCCA42gAwIBA6KCA4QEggOAB8tiAa54xI00BfngMyI8cwFHbNKRZPVn1c/HKYPi4Dppq0fIjp2e5br7rHG51+1/w6zaDwHKqdtnpWh/OplOkn6tDNq0H2fi/jFeT0XKICrLxdpmDHRqNmiyxvtczdkcSyxXJ2254oM9VwuE39D8hqU58NmijTB+WQupz2hw4d+5euIFFwSSO8nD3CMaBVGgyNfp9YvUUy860L+KKEqb0LVXZ+/OsnlsyrEc3AaaXwSwS30+ZRv0jCLh1h7kc84XFPrjGqRPp7JmO5gUCF8k/GXNF3FAMBAaT4r/iAs8LFIixQiRUWJPtjcWAtH0Q3JumqB9Enm+JPNvGBvE83YvbBZtDJQ0uc5lOMVLavBh2Xgj86BmKlCsrOCiMoQ8SgsEAX6o110EeMI1Tef8t+2/WhzP39l5BGuXmdDA1zEmqzA83vvTy5JcKUXZ3IdwwJ4I+kW62qIMsceZ/hfdj/Iy+RjCNrum5FHXMDszMVacKHp9kJTMofuMhhOKD2o+Z91TWTkEwD3NNWGjTWdgECpJT/F7I1x35iQaLGvgLebpalPJEXY8A8od1HhXZaCkIPXcDoPUR1LTTk8bHYKan17EnOBf0CbjOkU8/ib2mLUL81RQHrt6vdTcXzxsAgoZYigptd/ilsXq0dbwjTuZP8ZcFFY+levmSPIn5TF5xZtmtymditNO28hSqDjxC2Lpoy65kqwXglxpijuicSXC4cC/O1TBbksyH/aw/7MbNTKupFpovZTensu/A6zYG3HCjKW9QBsgU4tBXRC6rTP0RAeuASUHpvHv4WhbS5AWNYmX1TNQ8QpfurM2tAzuFzYQN8LL3VT38o4SVK+visE9q1IGez70q9g6Naowvpp6g/h3FuCzUks2ydXchKNPe3KzuSJqzmkLlyjKMlVW8sYUwgKXqNsgi7aRArEfu0L3UqYG/7lao+QLDOBf5+uSzWarZ9IIS7ClIRBejXU7erVJrLBDlGZRbMu+hXacsGwv/1Ls+S8xCxnlRjQngHjLg8vvQBYslgvkMh77eyP+HjiUDOXqDYoDR5bIc/w5UX/Dvb4ECGiqhGd9UHHQkYn6NQnbO/2r+iVBdy1fvXhXE2LKgAFoQtf2tIqsTUZWv12O82X2KzcZJ7IEVMxbGtSj9cdncc16c5Y6DL9AzQryNIhSGxghZ7zyWwp4DBS19ru4l+dVQ4ikgb4wgbugAwIBA6KBswSBsGrVgYewQbJlk43Aw0ujMajwCinYuDDsW9b7I1gCa41ShWl0xSQ6MfkhuPDbcJO6TK6nTYyxSbWMtxo2eiMOehg+bHo5HUUCGyvRCNRnJFcJLP3GAqh8Ogjx9zY4/YcVb8c/eFM/BiBKHw41T4a0fR6scB9GKDjT8vDa4ysgGeEjeiPh+PjDSTS/y/CWrin97xXwrdUbsWbhuxHQ66HZ9rEJoZFb8oxtHgnqyEgMbwdO' (decoded length: 1308).
negotiate_kerberos_auth.cc(128): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
2014/10/07 13:12:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }}
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
