Re: negotiate_kerberos_auth not working anymore

[Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>]

On 2024-08-30 08:35, Michael Egert wrote:

> I have a little problem with this helper, it worked fine for a while and 
> then suddely stopped working.

It may help others if you detail "stopped working" based on a test case 
involving Squid. AFAICT, your email contains an attempt to manually feed 
the helper a syntactically invalid request but does not detail what does 
not work when Squid is involved. The cache.log provided shows an unused 
helper.


> negotiate_kerberos_auth: DEBUG: Got 'admin@ASA.LOCAL' from squid
> negotiate_kerberos_auth: ERROR: Invalid request [admin@ASA.LOCAL]

A helper request must start with "YR" or "KK" characters. This manual 
request does not.


> auth_parauth_param negotiate children 100 startup=0 idle=10

There is no "auth_parauth_param" directive. This is probably a 
copy-paste typo, but please check that the actual spelling is "auth_param".


Disclaimer: I do not know much about kerberos and negotiate_kerberos_auth.


HTH,

Alex.


> I can call a kerberos ticket when using kinit
>
> root@sv-asa-proxy:/var/log/squid# kinit -kt 
> /etc/squid/sv-asa-proxy.keytab HTTP/sv-asa-proxy@ASA.LOCAL
>
> root@sv-asa-proxy:/var/log/squid# klist
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> Default principal: HTTP/sv-asa-proxy@ASA.LOCAL
>
> Valid starting     Expires            Service principal
>
> 08/30/24 14:24:27  08/31/24 00:24:27  krbtgt/ASA.LOCAL@ASA.LOCAL
>
>          renew until 08/31/24 14:24:27
>
> root@sv-asa-proxy:/var/log/squid#
>
> so – this works well
>
> this is a part of my squid.conf:
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k 
> /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy@ASA.LOCAL 
> <mailto:HTTP/sv-asa-proxy@ASA.LOCAL>  -r -d
>
> auth_parauth_param negotiate children 100 startup=0 idle=10
>
> auth_param negotiate keep_alive on
>
> acl kerb-auth proxy_auth REQUIRED
>
> i also tried
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k 
> /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy@ASA.LOCAL  -s 
> GSS_C_NO_NAME -r -d
>
> no success...
>
> when i try
>
> root@sv-asa-proxy:/var/log/squid# 
> /usr/lib/squid/negotiate_kerberos_auth_test -k 
> /etc/squid/sv-asa-proxy.keytab -s HTTP/sv-asa-proxy.asa.local@ASA.LOCAL 
> -s GSS_C_NO_NAME -d -i
>
> 2024/08/30 14:28:35| negotiate_kerberos_auth_test: 
> gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may 
> provide more information. Server not found in Kerberos database
>
> Token: NULL
>
> root@sv-asa-proxy:/var/log/squid#
>
> and when i try this one:
>
> root@sv-asa-proxy:/var/log/squid# /usr/lib/squid/negotiate_kerberos_auth 
> -k /etc/squid/sv-asa-proxy.keytab -s 
> HTTP/sv-asa-proxy.asa.local@ASA.LOCAL 
> <mailto:HTTP/sv-asa-proxy.asa.local@ASA.LOCAL> -d -r
>
> negotiate_kerberos_auth.cc(489): pid=5286 :2024/08/30 14:29:25| 
> negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
>
> negotiate_kerberos_auth.cc(548): pid=5286 :2024/08/30 14:29:25| 
> negotiate_kerberos_auth: INFO: Setting keytab to 
> /etc/squid/sv-asa-proxy.keytab
>
> negotiate_kerberos_auth.cc(571): pid=5286 :2024/08/30 14:29:25| 
> negotiate_kerberos_auth: INFO: Changed keytab to 
> MEMORY:negotiate_kerberos_auth_5286
>
> admin@ASA.LOCAL <mailto:admin@ASA.LOCAL>
>
> negotiate_kerberos_auth.cc(612): pid=5286 :2024/08/30 14:30:06| 
> negotiate_kerberos_auth: DEBUG: Got 'admin@ASA.LOCAL' from squid 
> (length: 15).
>
> negotiate_kerberos_auth.cc(661): pid=5286 :2024/08/30 14:30:06| 
> negotiate_kerberos_auth: ERROR: Invalid request [admin@ASA.LOCAL]
>
> BH Invalid request
>
> And the log:
>
> 2024/08/30 14:31:25 kid1| Set Current Directory to /var/spool/squid
>
> 2024/08/30 14:31:25 kid1| Starting Squid Cache version 5.9 for 
> x86_64-pc-linux-gnu...
>
> 2024/08/30 14:31:25 kid1| Service Name: squid
>
> 2024/08/30 14:31:25 kid1| Process ID 5309
>
> 2024/08/30 14:31:25 kid1| Process Roles: worker
>
> 2024/08/30 14:31:25 kid1| With 1024 file descriptors available
>
> 2024/08/30 14:31:25 kid1| Initializing IP Cache...
>
> 2024/08/30 14:31:25 kid1| DNS Socket created at [::], FD 9
>
> 2024/08/30 14:31:25 kid1| DNS Socket created at 0.0.0.0, FD 10
>
> 2024/08/30 14:31:25 kid1| Adding nameserver 192.168.40.1 from squid.conf
>
> 2024/08/30 14:31:25 kid1| Adding nameserver 192.168.40.2 from squid.conf
>
> 2024/08/30 14:31:25 kid1| helperOpenServers: Starting 0/100 
> 'negotiate_kerberos_auth' processes
>
> 2024/08/30 14:31:25 kid1| helperStatefulOpenServers: No 
> 'negotiate_kerberos_auth' processes needed.
>
> 2024/08/30 14:31:25 kid1| helperOpenServers: Starting 0/25 
> 'ext_kerberos_ldap_group_acl' processes
>
> 2024/08/30 14:31:25 kid1| helperOpenServers: No 
> 'ext_kerberos_ldap_group_acl' processes needed.
>
> 2024/08/30 14:31:25 kid1| Logfile: opening log 
> daemon:/var/log/squid/access.log
>
> 2024/08/30 14:31:25 kid1| Logfile Daemon: opening log 
> /var/log/squid/access.log
>
> 2024/08/30 14:31:26 kid1| Unlinkd pipe opened on FD 16
>
> 2024/08/30 14:31:26 kid1| Local cache digest enabled; rebuild/rewrite 
> every 3600/3600 sec
>
> 2024/08/30 14:31:26 kid1| Logfile: opening log 
> daemon:/var/log/squid/store.log
>
> 2024/08/30 14:31:26 kid1| Logfile Daemon: opening log 
> /var/log/squid/store.log
>
> 2024/08/30 14:31:26 kid1| Swap maxSize 20480000 + 2097152 KB, estimated 
> 1736704 objects
>
> 2024/08/30 14:31:26 kid1| Target number of buckets: 86835
>
> 2024/08/30 14:31:26 kid1| Using 131072 Store buckets
>
> 2024/08/30 14:31:26 kid1| Max Mem  size: 2097152 KB
>
> 2024/08/30 14:31:26 kid1| Max Swap size: 20480000 KB
>
> 2024/08/30 14:31:26 kid1| Rebuilding storage in /var/cache/squid (clean log)
>
> 2024/08/30 14:31:26 kid1| Using Least Load store dir selection
>
> 2024/08/30 14:31:26 kid1| Set Current Directory to /var/spool/squid
>
> 2024/08/30 14:31:26 kid1| Finished loading MIME types and icons.
>
> 2024/08/30 14:31:26 kid1| HTCP Disabled.
>
> 2024/08/30 14:31:26 kid1| Pinger socket opened on FD 23
>
> 2024/08/30 14:31:26 kid1| Squid plugin modules loaded: 0
>
> 2024/08/30 14:31:26 kid1| Adaptation support is off.
>
> 2024/08/30 14:31:26 kid1| Accepting HTTP Socket connections at conn3 
> local=[::]:8080 remote=[::] FD 21 flags=9
>
> 2024/08/30 14:31:26 kid1| Done reading /var/cache/squid swaplog (50 entries)
>
> 2024/08/30 14:31:26 kid1| Finished rebuilding storage from disk.
>
> 2024/08/30 14:31:26 kid1|        50 Entries scanned
>
> 2024/08/30 14:31:26 kid1|         0 Invalid entries.
>
> 2024/08/30 14:31:26 kid1|         0 With invalid flags.
>
> 2024/08/30 14:31:26 kid1|        50 Objects loaded.
>
> 2024/08/30 14:31:26 kid1|         0 Objects expired.
>
> 2024/08/30 14:31:26 kid1|         0 Objects cancelled.
>
> 2024/08/30 14:31:26 kid1|         0 Duplicate URLs purged.
>
> 2024/08/30 14:31:26 kid1|         0 Swapfile clashes avoided.
>
> 2024/08/30 14:31:26 kid1|   Took 0.01 seconds (5303.35 objects/sec).
>
> 2024/08/30 14:31:26 kid1| Beginning Validation Procedure
>
> 2024/08/30 14:31:26 kid1|   Completed Validation Procedure
>
> 2024/08/30 14:31:26 kid1|   Validated 50 Entries
>
> 2024/08/30 14:31:26 kid1|   store_swap_size = 732.00 KB
>
> 2024/08/30 14:31:26| pinger: Initialising ICMP pinger ...
>
> 2024/08/30 14:31:26| pinger: ICMP socket opened.
>
> 2024/08/30 14:31:26| pinger: ICMPv6 socket opened
>
> 2024/08/30 14:31:27 kid1| storeLateRelease: released 0 objects
>
> Do you have any suggstions for me?
>
> Kind regards
>
> Michael
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users