And my Kerberos server setup seems valid:

$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit -t $KRB5_KTNAME HTTP/proxy.sibptus.transneft.ru
$ klist
Credentials cache: FILE:/tmp/krb5cc_Ld5uU9
        Principal: HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx

  Issued           Expires          Principal
Oct  7 15:33:42  Oct  8 01:33:42  krbtgt/SIBPTUS.TRANSNEFT.RU@xxxxxxxxxxxxxxxxxxxx
$

Victor Sudakov wrote:
> Victor Sudakov wrote:
> > > Well, I have tried negotiate_kerberos_auth with Firefox (Windows)
> >
> > I have tried the same with MSIE 8 (Windows).
>
> After some adjustment to domain group policies, the Windows host is
> at last requesting and successfully receiving the ticket for the proxy
> service. Wireshark output:
>
> User Datagram Protocol, Src Port: kerberos (88), Dst Port: dellpwrappks (1266)
> Kerberos TGS-REP
>     Pvno: 5
>     MSG Type: TGS-REP (13)
>     Client Realm: SIBPTUS.TRANSNEFT.RU
>     Client Name (Principal): vas-adm
>     Ticket
>         Tkt-vno: 5
>         Realm: SIBPTUS.TRANSNEFT.RU
>         Server Name (Service and Instance): HTTP/proxy.sibptus.transneft.ru
>         enc-part rc4-hmac
>             Encryption type: rc4-hmac (23)
>             enc-part: 3e0fc357a26db7dcdb0a5b6436b56f9c96d15ad7626eea08...
>     enc-part rc4-hmac
>         Encryption type: rc4-hmac (23)
>         Kvno: 1
>         enc-part: db8c9ea1bf85c4bb5005103765767b692ed3c0f247c23d48...
>
> The corresponding Kerberos principal is put into the keytab:
> /usr/local/etc/squid/squid.keytab:
>
> Vno  Type                     Principal
>   1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>   1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>   1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>   1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>   1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>
> The permissions on the keytab are correct. Squid receives it via the
> environment:
>
> env KRB5_KTNAME=/usr/local/etc/squid/squid.keytab \
>     KRB5_CONFIG=/usr/local/etc/squid/krb5.conf \
>     squid -f /usr/local/etc/squid/squid-test.conf
>
> However, when actual authentication begins, it fails with the:
> "ERROR: gss_acquire_cred() failed: No credentials were
> supplied, or the credentials were unavailable or inaccessible..
> unknown mech-code 0 for mech unknown"
>
> If someone finds something familiar in the below debug output, or can
> low-level debug actual kerberos, could you please let me know. Thanks
> a lot in advance for any help.
>
> negotiate_kerberos_auth.cc(212): pid=40984 :2014/10/07 13:12:08| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(258): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token]' from squid (length: 1747).
> negotiate_kerberos_auth.cc(311): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: DEBUG: Decode '[base64 token]' (decoded length: 1308).
> negotiate_kerberos_auth.cc(128): pid=40980 :2014/10/07 13:12:37| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
> 2014/10/07 13:12:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown; }}
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov@xxxxxxxxxxxxxxxx
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
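
Added example, not part of the original message or of Squid: a check that a keytab listing in the "Vno Type Principal" layout quoted above holds a key matching a service ticket's principal, kvno and encryption type as a TGS-REP reports them. The principal names, sample listing and function names are constructed for illustration.

```python
import re

# Kerberos enctype numbers (RFC 3961/3962/4757), keyed by the names in the listing.
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23,  # Wireshark prints this one as rc4-hmac (23)
}

# Constructed sample in the same layout; host and realm are placeholders.
SAMPLE_LISTING = """\
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.example.test@EXAMPLE.TEST
  1  arcfour-hmac-md5         HTTP/proxy.example.test@EXAMPLE.TEST
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.example.test@EXAMPLE.TEST
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, enctype_number, principal) for every key row."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # file name, blank line or column header
        kvno, etype_name, principal = m.groups()
        # Unknown type names map to None so they can never match a ticket.
        entries.append((int(kvno), ETYPE_NUMBERS.get(etype_name), principal))
    return entries

def check_ticket(entries, service, realm, kvno, etype):
    """Say whether the keytab holds the key a ticket was encrypted with."""
    principal = f"{service}@{realm}"
    ours = [e for e in entries if e[2] == principal]
    if not ours:
        return "no entry for " + principal
    if (kvno, etype, principal) in ours:
        return "ok"
    if not any(e[0] == kvno for e in ours):
        return f"kvno mismatch: keytab has {sorted({e[0] for e in ours})}"
    return f"no key of enctype {etype} at kvno {kvno}"

if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE_LISTING)
    print(check_ticket(keys, "HTTP/proxy.example.test", "EXAMPLE.TEST", 1, 23))
```

A match here only rules out a key version or encryption type mismatch; it does not show that the helper process can open the keytab.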