This time I tried squidclient to check Kerberos authentication. I am afraid there is a bug in squidclient where the "Proxy-Authorization:" header (the Negotiate token) is being sent truncated, and the server reacts with the 'gss_accept_sec_context() failed: A token was invalid.' error.

Here is what I run:

./squidclient -v -h proxy.sibptus.transneft.ru -p 3131 -n http://ya.ru

and what is being sent to the server:

=====================
Request:'GET http://ya.ru HTTP/1.0
Host: ya.ru
User-Agent: squidclient/3.4.8
Accept: */*
Proxy-Authorization: Negotiate [...]: close

'
Resolving... proxy.sibptus.transneft.ru
Connecting... proxy.sibptus.transneft.ru(10.14.140.9)
Connected to: proxy.sibptus.transneft.ru (10.14.140.9)
Sending HTTP request ... done.
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
=====================

Wireshark reports "SPNEGO-KRB5 truncated" in this packet (though the capture size was set to "unlimited") and squid's helper reacts with 'A token was invalid.'

Could someone reproduce?

Attached please find how it looks in Wireshark (note the "Connection:" header glued to the end of the truncated Negotiate token).

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
GET http://ya.ru HTTP/1.0
Host: ya.ru
User-Agent: squidclient/3.4.8
Accept: */*
Proxy-Authorization: Negotiate [...]: close

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Sat, 18 Oct 2014 11:56:09 GMT
Content-Type: text/html
Content-Length: 4231
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
X-Cache: MISS from proxy.sibptus.transneft.ru
X-Cache-Lookup: NONE from proxy.sibptus.transneft.ru:3131
Via: 1.1 proxy.sibptus.transneft.ru (squid/3.4.8)
Connection: close

[HTML body: Squid's "ERROR: Cache Access Denied" page (ERR_CACHE_ACCESS_DENIED) for http://ya.ru/]
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
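
Added example, not part of the original message and not Squid code: one way to confirm the symptom reported above from a captured Proxy-Authorization value, without Wireshark. It compares the length declared in the outer DER header of the GSS-API token (tag 0x60) with the bytes actually present, and flags anything that follows the base64 run on the same line. The function names and the sample tokens are assumptions constructed for illustration; the inner SPNEGO/Kerberos structure is not parsed.

```python
import base64
import binascii
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def der_total_length(buf):
    """Bytes a DER TLV claims to occupy (header + content); None if the header is cut off."""
    if len(buf) < 2:
        return None
    if buf[1] < 0x80:                      # short form: length fits in one octet
        return 2 + buf[1]
    n = buf[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_negotiate(value):
    """Return (code, detail) findings for a Proxy-Authorization value; empty list means consistent."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return [("not-negotiate", scheme)]
    rest = rest.strip()
    text = B64_RUN.match(rest).group(0)    # longest leading run of base64 characters
    findings = []
    if len(text) != len(rest):
        findings.append(("trailing-data", rest[len(text):][:20]))
    if len(text) % 4:
        findings.append(("bad-base64-length", str(len(text))))
    try:
        raw = base64.b64decode(text[:len(text) // 4 * 4], validate=True)
    except binascii.Error as exc:
        return findings + [("bad-base64", str(exc))]
    if not raw or raw[0] != 0x60:          # GSS-API initial token is [APPLICATION 0]
        return findings + [("not-gss-initial-token", raw[:1].hex())]
    declared = der_total_length(raw)
    if declared is None or len(raw) < declared:
        findings.append(("truncated", f"declared={declared} present={len(raw)}"))
    elif len(raw) > declared:
        findings.append(("extra-bytes", f"declared={declared} present={len(raw)}"))
    return findings

# Constructed samples: 0x60 tag, long-form length 1500, zero-filled body (not a real ticket).
FULL = b"\x60\x82\x05\xdc" + bytes(1500)
GOOD = "Negotiate " + base64.b64encode(FULL).decode()
CUT = "Negotiate " + base64.b64encode(FULL[:900]).decode()
GLUED = CUT + "Connection: close"          # next header run into the token, no CRLF between

if __name__ == "__main__":
    for name, value in (("good", GOOD), ("cut", CUT), ("glued", GLUED)):
        print(name, check_negotiate(value))
```
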