[squid-users] Re: squid_kerb_auth problem after upgrade from 2.x to 3.1.10

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 17 Mar 2013 19:34:58 -0000

Hi Alex,

   The test you do is not a valid test for the Kerberos authentication
helper. The input is a Kerberos token which you can create with the tool
provided by issuing:

kinit user@DOMAIN

and

./squid_kerb_auth_test <squid-fqdn>
Token:
YIICigYGKwYBBQUCoIICfjCCAnqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCAk0EggJJYIICRQYJKoZIhvcSAQICAQBuggI0MIICMKADAgEFoQMCAQ6iBwMFAAAAAACjggFeYYIBWjCCAVagAwIBBaELGwlTVVNFLkhPTUWiJzAloAMCAQOhHjAcGwRIVFRQGxRvcGVuc3VzZTEyLnN1c2UuaG9tZaOCARcwggEToAMCARehAwIBBKKCAQUEggEB5XHlcxE1U21wxlbr9X6mn6s8m5RBxj2aJlbD3FKo91TfE5g4dPLeSXNZ3ZkIONUIhvXuDdr+aa/JI5QD256Ft6tpAhDRjighade9p6IMhHjwcdF5+/aUNTPKJWApVuqT57QhoJk4WhNQdvgtwQn9AwyroVCm0dBdnqxnIFmOWQTXA1aSnbWEih0DLWOpYG30cYK53Eue3ZllXmANyQg7Sviq5JqMtN2+JnZ/0PZh+Jc8tzG0XGkDXYoLuTan6MngUwEi/KicbjowvrSdMebq7AE/w3Hy9ZNaNujuysmgsg2RLjUbtcmsB0nSdSwJ7mpeVPY+vKZ7vDBCnBmtlTLmggGkgbgwgbWgAwIBF6KBrQSBqucRLWoMg2Q9cyrCKlYaULBD19rkFSjStKByb0i3Wn4aGlGsx+BEkwX60pSGtGzX0THws/ibRWe5I4vQtMwlofMHuxki8jcwpDZySMzgIORqU6nN6UeoaAUyVThr6DTeQJdzWTXsS7+vSP70PkAB0HJtDSgUqP3Gxrx66zXgq2WkewVTwiOAox4M6ae0bKGicpQZH0hOpet2l4H3H/c2UeJPppdhDzuraIjc

With that token you can test squid_kerb_auth i.e.
export KRB5_KTNAME=<path to squid.keytab>
./squid_kerb_auth -d -s HTTP/srvproxy.xxx.local
YR
YIICigYGKwYBBQUCoIICfjCCAnqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCAk0EggJJYIICRQYJKoZIhvcSAQICAQBuggI0MIICMKADAgEFoQMCAQ6iBwMFAAAAAACjggFeYYIBWjCCAVagAwIBBaELGwlTVVNFLkhPTUWiJzAloAMCAQOhHjAcGwRIVFRQGxRvcGVuc3VzZTEyLnN1c2UuaG9tZaOCARcwggEToAMCARehAwIBBKKCAQUEggEB5XHlcxE1U21wxlbr9X6mn6s8m5RBxj2aJlbD3FKo91TfE5g4dPLeSXNZ3ZkIONUIhvXuDdr

What does cache.log look like when you get the auth error with squid?

Regards
Markus

"Almot" <alex.abaev_at_gmail.com> wrote in message
news:1362987551354-4658936.post_at_n4.nabble.com...
> Hello, previous version 2.x worked fine.
> OS: Centos 6.3, kinit pass fine - Authenticated to Kerberos v5
>
>
> When I upgraded to 3.1.10 I got an error in cache.log
>
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.
> Minor code may provide more information.
>
> I tried to check the helper
>
> ------------------------------------------------------------------------
> /usr/lib/squid/squid_kerb_auth -s HTTP/srvproxy.xxx.local@XX.LOCAL -d
> user pass
> 2013/03/11 11:34:03| squid_kerb_auth: DEBUG: Got 'user pass' from squid (length: 17).
> 2013/03/11 11:34:03| squid_kerb_auth: ERROR: Invalid request [aabaev asban81K27]
> BH Invalid request
> ------------------------------------------------------------------------
>
> I do debug
>
Received on Sun Mar 17 2013 - 19:35:25 MDT
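
Added example (not part of the original message or of Squid's code): a Python pre-check for the initial `YR <base64 token>` request that the reply describes, showing why a line such as `user pass` gets `BH Invalid request` and how a cut-off paste or an NTLM token can be spotted before the helper is blamed. The function names and the sample token are constructed for illustration; continuation (`KK`) requests are out of scope.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that can open a GSS-API initial context token.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}

def der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_request(line):
    """Classify one stdin line before it is handed to the helper."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or parts[0] != "YR":
        return "invalid: expected 'YR <base64 token>'"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return "invalid: token is not well-formed base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "invalid: NTLM token, not Kerberos"
    if len(raw) < 2 or raw[0] != 0x60:    # 0x60 = ASN.1 [APPLICATION 0]
        return "invalid: not a GSS-API initial context token"
    try:
        length, pos = der_length(raw, 1)
    except ValueError:
        return "invalid: malformed DER length"
    for oid, name in MECH_OIDS.items():
        if raw.startswith(oid, pos):
            if pos + length != len(raw):
                return f"invalid: {name} token length mismatch (cut-off paste?)"
            return f"ok: {name} token"
    return "invalid: unknown GSS-API mechanism"

# Constructed sample: SPNEGO OID plus an empty stub body, not a usable ticket.
SAMPLE = b"\x60\x0c" + bytes.fromhex("06062b0601050502") + b"\xa0\x02\x30\x00"
SAMPLE_B64 = base64.b64encode(SAMPLE).decode()
if __name__ == "__main__":
    for req in ("user pass", "YR " + SAMPLE_B64, "YR " + SAMPLE_B64[:-4]):
        print(f"{req[:24]!r:28} -> {classify_request(req)}")
```

An `ok` result only means the line is shaped like a valid request; whether the ticket is accepted still depends on the keytab and service principal the helper is started with.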
