Victor Sudakov wrote:
>
> I have squid 3.5.14 successfully authenticating users from a Windows 2003
> domain, but there is a problem authenticating Windows 2008R2 domain
> users from another realm. I am using the standard
> negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
>
> I have collected a traffic dump of failed HTTP sessions, could someone
> knowledgeable look at them and give me a hint what to debug? Does
> anything look suspicious? It's at
> ftp://ftp.sibptus.ru/pub/vas/badkrb1.zip

I have tried debugging it like this:

KRB5_KTNAME=/usr/local/etc/squid/squid.keytab ; export KRB5_KTNAME
KRB5_CONFIG=/usr/local/etc/squid/krb5.conf ; export KRB5_CONFIG
/usr/local/libexec/squid//negotiate_kerberos_auth_test proxy2.sibptus.ru |\
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |\
/usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

And below is what I get. What am I doing wrong? I am trying to
authenticate users from the STN.TN.CORP realm.

negotiate_kerberos_auth.cc(487): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Setting keytab to /usr/local/etc/squid/squid.keytab
negotiate_kerberos_auth.cc(570): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_37067
negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'YR ...' from squid (length: 979).
negotiate_kerberos_auth.cc(663): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Decode '...' (decoded length: 731).
negotiate_kerberos_auth.cc(725): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: continuation needed
TT oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

/usr/local/etc/squid/squid.keytab:

Vno  Type              Principal
  1  arcfour-hmac-md5  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5  squiduser@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5  HTTP/proxy2.SIBPTUS.ru@xxxxxxxxxxxxxxxxxxxx
  1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@xxxxxxxxxxx

/usr/local/etc/squid/krb5.conf:

[libdefaults]
    default_realm = SIBPTUS.TRANSNEFT.RU
    default_keytab_name = FILE:/usr/local/etc/squid/squid.keytab

[domain_realm]
    .sibptus.transneft.ru = SIBPTUS.TRANSNEFT.RU
    .stn.tn.corp = STN.TN.CORP

[logging]
    default = FILE:/var/tmp/krb5lib.log
    libkrb5 = FILE:/var/tmp/krb5lib.log

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users