Re: [squid-users] Re: Re: squid_kerb_auth on mac os x

From: Malte Schröder <maltesch_at_gmx.de>
Date: Sat, 28 Jun 2008 12:53:53 +0200

With Windows 2003 SP2 you can set a flag (I think in
UserAccountControl property) for the computer account that stops AD from
adding the group-information to the service-ticket. I found it
somewhere in their knowledgebase, but currently don't remember the
details.
I have been searching for quite some time because I had the same problem
with too large tickets. Now it's working.

On Fri, 27 Jun 2008 20:07:41 +0100
"Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

> Brian,
>
> the read buffer in squid_kerb_auth is 6400 which I think should be
> increased to 8192 the value used in squid for writing. The ticket is
> usually only that big for users which are members of hundreds of Windows
> Groups, which I have never seen before to be > 4k.
>
> Can you try to increase in the main function the buffer buf to 8192 ?
>
> Markus
>
>
> "Brian Kirk" <bekirk_at_gmail.com> wrote in message
> news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4_at_mail.gmail.com...
> >I am going through a simular nightmare in our environment, we
> > currently use NTLM auth and since we have over 6000 Internet users
> > this isn't very efficent. I can't get kerberos to work. I used the
> > ./squid_kerb_auth_test program to generate the blob, and it is over
> > 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> > going the have to alter squid_kerb_auth code or am I doing something
> > wrong to get that big of a blob?
> >
> > On 6/7/08, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> >> Find below a small test program to create a token. Run a kinit as a user
> >> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
> >>
> >> ./squid_kerb_auth_test opensuse.suse.home
> >> Token:
> >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ==
> >>
> >> Then set the keytab with export
> >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
> >> with
> >> YR as follows (in one line)
> >>
> >> ./squid_kerb_auth -d -i -s
> >> HTTP/opensuse.suse.home_at_SUSE.HOME
> >> YR
> >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==
> >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA=='
> >> from squid (length: 691).
> >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
> >> rc=109
> >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> >> AF AA== markus_at_SUSE.HOME
> >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus_at_SUSE.HOME
> >> 2008/06/07 22:52:12| squid_kerb_auth: User markus_at_SUSE.HOME authenticated
> >>
> >>
> >> Regards
> >> Markus
> >>
> >> Compile gcc -o squid_kerb_auth_test squid_kerb_auth_test.c -lgssapi_krb5
> >> -lkrb5
> >>
> >> /*
> >> *
> >> -----------------------------------------------------------------------------
> >> *
> >> * Author: Markus Moeller (markus_moeller at compuserve.com)
> >> *
> >> * Copyright (C) 2007 Markus Moeller. All rights reserved.
> >> *
> >> * This program is free software; you can redistribute it and/or modify
> >> * it under the terms of the GNU General Public License as published by
> >> * the Free Software Foundation; either version 2 of the License, or
> >> * (at your option) any later version.
> >> *
> >> * This program is distributed in the hope that it will be useful,
> >> * but WITHOUT ANY WARRANTY; without even the implied warranty of
> >> * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> >> * GNU General Public License for more details.
> >> *
> >> * You should have received a copy of the GNU General Public License
> >> * along with this program; if not, write to the Free Software
> >> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
> >> USA.
> >> *
> >> *
> >> -----------------------------------------------------------------------------
> >> */
> >> /*
> >> * Hosted at http://sourceforge.net/projects/squidkerbauth
> >> */
> >>
> >> #ifndef HEIMDAL
> >> #include <profile.h>
> >> #endif
> >> #include <krb5.h>
> >>
> >> #include <unistd.h>
> >> #include <stdlib.h>
> >> #include <stdio.h>
> >> #include <string.h>
> >> #include <errno.h>
> >> #include <time.h>
> >> #include <sys/time.h>
> >>
> >> #ifdef HEIMDAL
> >> #include <gssapi.h>
> >> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
> >> #else
> >> #include <gssapi/gssapi.h>
> >> #ifndef SOLARIS_11
> >> #include <gssapi/gssapi_generic.h>
> >> #else
> >> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
> >> #endif
> >> #endif
> >>
> >> static const char *LogTime(void);
> >>
> >> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const
> >> char* function);
> >>
> >> #define PROGRAM "squid_kerb_auth_test"
> >>
> >> static const char *LogTime()
> >> {
> >> struct tm *tm;
> >> struct timeval now;
> >> static time_t last_t = 0;
> >> static char buf[128];
> >>
> >> gettimeofday(&now, NULL);
> >> if (now.tv_sec != last_t) {
> >> tm = localtime(&now.tv_sec);
> >> strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
> >> last_t = now.tv_sec;
> >> }
> >> return buf;
> >> }
> >>
> >> #ifdef HAVE_SPNEGO
> >> #ifndef gss_mech_spnego
> >> static gss_OID_desc _gss_mech_spnego = {6, (void
> >> *)"\x2b\x06\x01\x05\x05\x02"};
> >> gss_OID gss_mech_spnego = &_gss_mech_spnego;
> >> #endif
> >> #endif
> >>
> >> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const
> >> char* function){
> >> if (GSS_ERROR(major_status)) {
> >> OM_uint32 maj_stat,min_stat;
> >> OM_uint32 msg_ctx = 0;
> >> gss_buffer_desc status_string;
> >> char buf[1024];
> >> size_t len;
> >>
> >> len = 0;
> >> msg_ctx = 0;
> >> while (!msg_ctx) {
> >> /* convert major status code (GSS-API error) to text */
> >> maj_stat = gss_display_status(&min_stat, major_status,
> >> GSS_C_GSS_CODE,
> >> GSS_C_NULL_OID,
> >> &msg_ctx, &status_string);
> >> if (maj_stat == GSS_S_COMPLETE) {
> >> if (sizeof(buf) > len + status_string.length + 1) {
> >> sprintf(buf+len, "%s", (char*) status_string.value);
> >> len += status_string.length;
> >> }
> >> gss_release_buffer(&min_stat, &status_string);
> >> break;
> >> }
> >> gss_release_buffer(&min_stat, &status_string);
> >> }
> >> if (sizeof(buf) > len + 2) {
> >> sprintf(buf+len, "%s", ". ");
> >> len += 2;
> >> }
> >> msg_ctx = 0;
> >> while (!msg_ctx) {
> >> /* convert minor status code (underlying routine error) to text */
> >> maj_stat = gss_display_status(&min_stat, minor_status,
> >> GSS_C_MECH_CODE,
> >> GSS_C_NULL_OID,
> >> &msg_ctx, &status_string);
> >> if (maj_stat == GSS_S_COMPLETE) {
> >> if (sizeof(buf) > len + status_string.length ) {
> >> sprintf(buf+len, "%s", (char*) status_string.value);
> >> len += status_string.length;
> >> }
> >> gss_release_buffer(&min_stat, &status_string);
> >> break;
> >> }
> >> gss_release_buffer(&min_stat, &status_string);
> >> }
> >> fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM,
> >> function,
> >> buf);
> >> return(1);
> >> }
> >> return(0);
> >> }
> >>
> >> static void base64_init(void);
> >>
> >> static int base64_initialized = 0;
> >> #define BASE64_VALUE_SZ 256
> >> #define BASE64_RESULT_SZ 8192
> >> int base64_value[BASE64_VALUE_SZ];
> >> const char base64_code[] =
> >> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
> >>
> >> static void
> >> base64_init(void)
> >> {
> >> int i;
> >>
> >> for (i = 0; i < BASE64_VALUE_SZ; i++)
> >> base64_value[i] = -1;
> >>
> >> for (i = 0; i < 64; i++)
> >> base64_value[(int) base64_code[i]] = i;
> >> base64_value['='] = 0;
> >>
> >> base64_initialized = 1;
> >> }
> >>
> >> char *
> >> base64_decode(const char *p)
> >> {
> >> static char result[BASE64_RESULT_SZ];
> >> int j;
> >> int c;
> >> long val;
> >> if (!p)
> >> return NULL;
> >> if (!base64_initialized)
> >> base64_init();
> >> val = c = 0;
> >> for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) {
> >> unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ;
> >> if (base64_value[k] < 0)
> >> continue;
> >> val <<= 6;
> >> val += base64_value[k];
> >> if (++c < 4)
> >> continue;
> >> /* One quantum of four encoding characters/24 bit */
> >> result[j++] = val >> 16; /* High 8 bits */
> >> result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */
> >> result[j++] = val & 0xff; /* Low 8 bits */
> >> val = c = 0;
> >> }
> >> result[j] = 0;
> >> return result;
> >> }
> >>
> >> /* adopted from
> >> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with
> >> adjustments */
> >> const char *
> >> base64_encode(const char *decoded_str)
> >> {
> >> static char result[BASE64_RESULT_SZ];
> >> int bits = 0;
> >> int char_count = 0;
> >> int out_cnt = 0;
> >> int c;
> >>
> >> if (!decoded_str)
> >> return decoded_str;
> >>
> >> if (!base64_initialized)
> >> base64_init();
> >>
> >> while ((c = (unsigned char) *decoded_str++) && out_cnt <
> >> sizeof(result) -
> >> 5) {
> >> bits += c;
> >> char_count++;
> >> if (char_count == 3) {
> >> result[out_cnt++] = base64_code[bits >> 18];
> >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> >> result[out_cnt++] = base64_code[bits & 0x3f];
> >> bits = 0;
> >> char_count = 0;
> >> } else {
> >> bits <<= 8;
> >> }
> >> }
> >> if (char_count != 0) {
> >> bits <<= 16 - (8 * char_count);
> >> result[out_cnt++] = base64_code[bits >> 18];
> >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> >> if (char_count == 1) {
> >> result[out_cnt++] = '=';
> >> result[out_cnt++] = '=';
> >> } else {
> >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> >> result[out_cnt++] = '=';
> >> }
> >> }
> >> result[out_cnt] = '\0'; /* terminate */
> >> return result;
> >> }
> >>
> >> /* adopted from
> >> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with
> >> adjustments */
> >> const char *
> >> base64_encode_bin(const char *data, int len)
> >> {
> >> static char result[BASE64_RESULT_SZ];
> >> int bits = 0;
> >> int char_count = 0;
> >> int out_cnt = 0;
> >>
> >> if (!data)
> >> return data;
> >>
> >> if (!base64_initialized)
> >> base64_init();
> >>
> >> while (len-- && out_cnt < sizeof(result) - 5) {
> >> int c = (unsigned char) *data++;
> >> bits += c;
> >> char_count++;
> >> if (char_count == 3) {
> >> result[out_cnt++] = base64_code[bits >> 18];
> >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> >> result[out_cnt++] = base64_code[bits & 0x3f];
> >> bits = 0;
> >> char_count = 0;
> >> } else {
> >> bits <<= 8;
> >> }
> >> }
> >> if (char_count != 0) {
> >> bits <<= 16 - (8 * char_count);
> >> result[out_cnt++] = base64_code[bits >> 18];
> >> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> >> if (char_count == 1) {
> >> result[out_cnt++] = '=';
> >> result[out_cnt++] = '=';
> >> } else {
> >> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> >> result[out_cnt++] = '=';
> >> }
> >> }
> >> result[out_cnt] = '\0'; /* terminate */
> >> return result;
> >> }
> >> const char *squid_kerb_proxy_auth(char* principal_name, char *proxy) {
> >> int rc=0;
> >> OM_uint32 major_status, minor_status;
> >> gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
> >> gss_name_t server_name = GSS_C_NO_NAME;
> >> gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
> >> gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
> >> gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
> >> const char *token = NULL;
> >>
> >> setbuf(stdout,NULL);
> >> setbuf(stdin,NULL);
> >>
> >> if (!proxy ) {
> >> fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
> >> PROGRAM);
> >> return NULL;
> >> }
> >>
> >> service.value = malloc(strlen("HTTP")+strlen(proxy)+2);
> >> snprintf(service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy);
> >> service.length = strlen((char *)service.value);
> >>
> >> major_status = gss_import_name(&minor_status, &service,
> >> gss_nt_service_name, &server_name);
> >>
> >> if
> >> (check_gss_err(major_status,minor_status,"gss_import_name()")
> >> )
> >> goto cleanup;
> >>
> >> major_status = gss_init_sec_context(&minor_status,
> >> GSS_C_NO_CREDENTIAL,
> >> &gss_context,
> >> server_name,
> >> #ifdef HAVE_SPNEGO
> >> gss_mech_spnego,
> >> #else
> >> 0,
> >> #endif
> >> 0,
> >> 0,
> >> GSS_C_NO_CHANNEL_BINDINGS,
> >> &input_token,
> >> NULL,
> >> &output_token,
> >> NULL,
> >> NULL);
> >>
> >> if
> >> (check_gss_err(major_status,minor_status,"gss_init_sec_context()")
> >> )
> >> goto cleanup;
> >>
> >> if (output_token.length) {
> >>
> >> token = (const char*)base64_encode_bin((const
> >> char*)output_token.value,output_token.length);
> >> }
> >>
> >>
> >> cleanup:
> >> gss_delete_sec_context(&minor_status, &gss_context, NULL);
> >> gss_release_buffer(&minor_status, &service);
> >> gss_release_buffer(&minor_status, &input_token);
> >> gss_release_buffer(&minor_status, &output_token);
> >> gss_release_name(&minor_status, &server_name);
> >>
> >> return token;
> >> }
> >>
> >> int main(int argc, char *argv[]) {
> >>
> >> const char *Token;
> >>
> >> if (argc < 1) {
> >> fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
> >> LogTime(), PROGRAM);
> >> exit(99);
> >> }
> >> Token = (const char *)squid_kerb_proxy_auth(NULL,argv[1]);
> >> fprintf(stdout,"Token: %s\n",Token?Token:"NULL");
> >>
> >> exit(0);
> >> }
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> >> news:g2c9kv$5vc$1_at_ger.gmane.org...
> >>
> >> > I can create a simple test tool to create blobs. I will post it later
> >> > next
> >> week.
> >> >
> >> > Markus
> >> >
> >> > "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
> >> news:1212619464.15703.1.camel_at_henriknordstrom.net...
> >> >
> >> > > On ons, 2008-06-04 at 15:41 -0700, Alex Morken wrote:
> >> > >
> >> > >
> >> > > > Thank you Henrik. I kind of figured it needed something else, but
> >> > > > I
> >> > > > wasn't sure what to put there. Where can I get or generate the
> >> > > > Kerberos GSSAPI blob I need for the input? I have been digging
> >> > > > around kerberos docs and haven't found what I needed.
> >> > > >
> >> > >
> >> > > Not sure. It's a kerberos authentication handshake, and initially
> >> > > depends on a challenge sent by the helper...
> >> > >
> >> > > Regards
> >> > > Henrik
> >> > >
> >> > >
> >> > >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >
>
>

-- 
---------------------------------------
Malte Schröder
MalteSch_at_gmx.de
ICQ# 68121508
---------------------------------------

Received on Sat Jun 28 2008 - 10:54:06 MDT

This archive was generated by hypermail 2.2.0 : Sat Jun 28 2008 - 12:00:04 MDT