
Re: Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)


Hi Victor,

  I only found the following explanation:

This error will happen if you didn't write the key into the keytab file, or
the permission setting of the keytab file rejects read access, or the key
file is not the one you should access (for example, you want
/opt/somedir/conf/krb5.conf, but actually read /etc/krb5.conf, which does
not have that key).

 Is there something like strace/truss on FreeBSD to see which files are
opened (with and without error) while running negotiate_kerberos_auth? On
Linux I would run:

./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru |
  awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
  strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d

Markus


"Victor Sudakov" wrote in message news:20141008032925.GA77544@xxxxxxxxxxxxxxxxxxxxxx...


Markus Moeller wrote:

> In the helpers/negotiate_auth/kerberos directory is a script
> test_negotiate_auth.sh to test authentication outside of squid.

Markus,

I could find the said script neither in the source nor in the binary
package. However I think I can guess what could be inside.  Could you
look below if that makes sense?

===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva@xxxxxxxxxxxxxxxxxxxx's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
       Principal: sudakovva@xxxxxxxxxxxxxxxxxxxx

 Issued           Expires          Principal
Oct 8 09:31:45 Oct 8 19:31:45 krbtgt/SIBPTUS.TRANSNEFT.RU@xxxxxxxxxxxxxxxxxxxx

$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d

negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
       Principal: sudakovva@xxxxxxxxxxxxxxxxxxxx
   Cache version: 4

Server: krbtgt/SIBPTUS.TRANSNEFT.RU@xxxxxxxxxxxxxxxxxxxx
Client: sudakovva@xxxxxxxxxxxxxxxxxxxx
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time:  Oct  8 10:00:12 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless

Server: HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
Client: sudakovva@xxxxxxxxxxxxxxxxxxxx
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time:  Oct  8 10:00:12 2014
Start time: Oct  8 10:00:16 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless

$
$  ktutil list
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
===========================


> Let me know what you get.

You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru
service, but somehow the authentication fails.

> BTW on which platform with which Kerberos
> library (MIT or Heimdal) is this?

On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.

w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.

-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
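
Added example, not part of the original messages and not Squid's own code: a way to read the trace that the strace command above would write, listing every keytab or krb5.conf open with its result so that an unreadable file or a wrong path stands out. It assumes Linux `strace -f -o` line format; the function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: list keytab / krb5.conf opens recorded in an `strace -f -o` log.

# Constructed sample trace (not output from the thread).
sample_trace() {
    cat <<'EOF'
52357 open("/etc/krb5.conf", O_RDONLY) = 3
52357 read(3, "[libdefaults]\n", 4096) = 14
52357 open("/usr/local/etc/squid/krb5.conf", O_RDONLY) = -1 EACCES (Permission denied)
52357 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# krb_opens LOG: print "<OK|errno><TAB><path>" for each open()/openat()
# of a file whose name contains "keytab" or "krb5.conf".
krb_opens() {
    awk '
        /open(at)?\(/ && /(keytab|krb5\.conf)/ {
            if (match($0, /"[^"]+"/) == 0) next      # no quoted path
            path = substr($0, RSTART + 1, RLENGTH - 2)
            n = split($0, parts, " = ")               # result follows " = "
            if (n < 2) next                           # "<unfinished ...>" line
            status = "OK"
            if (parts[n] ~ /^-1 /) { split(parts[n], r, " "); status = r[2] }
            print status "\t" path
        }' "$1"
}

# check_open LOG PATH: 0 = PATH opened, 1 = open failed, 2 = never opened
check_open() {
    result=$(krb_opens "$1" | awk -F'\t' -v want="$2" '$2 == want { s = $1 } END { print s }')
    case "$result" in
        OK) echo "opened: $2"; return 0 ;;
        "") echo "never opened: $2 (helper used a different path)"; return 2 ;;
        *)  echo "open failed with $result: $2"; return 1 ;;
    esac
}

# Demo on the constructed sample.
log=$(mktemp) && sample_trace > "$log"
krb_opens "$log"
check_open "$log" /usr/local/etc/squid/squid.keytab || true
rm -f "$log"
```

A path that is opened successfully but still yields the gss_acquire_cred() error points at the remaining cause in the explanation above, a keytab that lacks the needed key, which the trace cannot show.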





