Hi Victor,
I only found the following explanation:
This error will happen if you didn't write the key into the keytab file, or
the permission settings of the keytab file reject read access, or the key
file is not the one you should access (for example, you want
/opt/somedir/conf/krb5.conf, but actually read /etc/krb5.conf, which does not
have that key).
Is there something like strace/truss on FreeBSD to see which files are
opened (with and without error) while running negotiate_kerberos_auth? On
Linux I would run:
    ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru |
      awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
      strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d
Markus
"Victor Sudakov" wrote in message
news:20141008032925.GA77544@xxxxxxxxxxxxxxxxxxxxxx...
Markus Moeller wrote:
In the helpers/negotiate_auth/kerberos directory is a script
test_negotiate_auth.sh to test authentication outside of squid.
Markus,
I could find the said script neither in the source nor in the binary
package. However I think I can guess what could be inside. Could you
look below if that makes sense?
===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva@xxxxxxxxxxxxxxxxxxxx's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
Principal: sudakovva@xxxxxxxxxxxxxxxxxxxx
Issued           Expires          Principal
Oct  8 09:31:45  Oct  8 19:31:45  krbtgt/SIBPTUS.TRANSNEFT.RU@xxxxxxxxxxxxxxxxxxxx
$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d
negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
Principal: sudakovva@xxxxxxxxxxxxxxxxxxxx
Cache version: 4
Server: krbtgt/SIBPTUS.TRANSNEFT.RU@xxxxxxxxxxxxxxxxxxxx
Client: sudakovva@xxxxxxxxxxxxxxxxxxxx
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time: Oct 8 10:00:12 2014
End time: Oct 8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless
Server: HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
Client: sudakovva@xxxxxxxxxxxxxxxxxxxx
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time: Oct 8 10:00:12 2014
Start time: Oct 8 10:00:16 2014
End time: Oct 8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless
$
$ ktutil list
/usr/local/etc/squid/squid.keytab:
Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
===========================
Let me know what you get.
You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru
service, but somehow the authentication fails.
BTW on which platform with which Kerberos
library (MIT or Heimdal) is this?
On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.
w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
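
Added example (not part of the original thread and not Squid's own code): a pre-flight check for the three gss_acquire_cred() causes listed in the reply above, namely the wrong keytab file being read, the keytab being unreadable, and the key missing from it. The function names and the HTTP/proxy.example.com@EXAMPLE.COM principal are constructed for illustration, and /etc/krb5.keytab is assumed as the default when KRB5_KTNAME is unset.

```sh
#!/bin/sh
# Added example: pre-flight check for the three gss_acquire_cred() causes
# named in the reply. Function names and the sample principal are constructed.

# Print the keytab path the helper will open. KRB5_KTNAME may carry a
# "FILE:" prefix; /etc/krb5.keytab is the assumed default when it is unset.
resolve_keytab() {
    kt="${KRB5_KTNAME:-/etc/krb5.keytab}"
    printf '%s\n' "${kt#FILE:}"
}

# 0 = readable by the current user, 1 = no such file, 2 = permission denied.
check_keytab_file() {
    [ -e "$1" ] || return 1
    [ -r "$1" ] || return 2
    return 0
}

# Read `ktutil list` output on stdin; succeed if any field is exactly the
# wanted principal (works whether or not the rows were line-wrapped).
principal_in_listing() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage, run as the account squid starts the helper under:
#   ktutil list | diagnose HTTP/proxy.example.com@EXAMPLE.COM
# Return codes: 0 ok, 1 missing file, 2 unreadable file, 3 key not in keytab.
diagnose() {
    kt=$(resolve_keytab)
    rc=0
    check_keytab_file "$kt" || rc=$?
    case $rc in
        1) echo "missing: $kt (wrong path, or KRB5_KTNAME not set here)"; return 1 ;;
        2) echo "unreadable: $kt (check owner and mode for this user)"; return 2 ;;
    esac
    if principal_in_listing "$1"; then
        echo "ok: $1 found in $kt"
    else
        echo "no-key: $1 not in $kt"; return 3
    fi
}
```

Run it as the same user and with the same environment the helper gets from squid; a check done from an interactive login with KRB5_KTNAME exported by hand can pass while the helper still reads a different file.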