[squid-users] Re: Re: squid_kerb_auth - Negotiate

From: Markus Moeller <huaraz@dont-contact.us>
Date: Thu, 12 Jul 2007 09:51:23 +0100

The token seems alright. If you use a recent Kerberos implementation you
should compile with -DHAVE_SPNEGO which will avoid the use of the spnego
helper routines. If you don't run a recent Kerberos implementation make sure
that you use:
for Linux:
 -D__LITTLE_ENDIAN__
for Solaris:
 -D__BIG_ENDIAN__

As this is important for the spnegohelper.

Regards
Markus

"miolinux" <miolinux@libero.it> wrote in message
news:20070712101259.3d81ccd9@scorm.polito.it...
> On Wed, 11 Jul 2007 21:55:56 +0100
> "Markus Moeller" <huaraz@moeller.plus.com> wrote:
>
> >> The return code 102 of parseNegTokenInit usually means the token is
> >> not a SPNEGO token. Could you send me the complete token ?
>
> Sure, here it is (full debug output (level 9) can also be sent if
> needed)
>
> 2007/07/11 17:00:22| squid_kerb_auth: Got 'YR
> YIICTAYGKwYBBQUCoIICQDCCAjygMDAuBgk
> qhkiC9xIBAgIGCSqGSIb3EgECAgYKKoZIhvcSAQICAwYKKwYBBAGCNwICCqKCAgYEggICYIIB/gYJKoZI
> hvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFACAAAACjggEhYYIBHTCCARmgAwIBBaEUGxJTVFVER
> U5USS5QT0xJVE8uSVSiIjAgoAMCAQKhGTAXGwRIVFRQGw9zcXVpZC5wb2xpdG8uaXSjgdcwgdSgAwIBEK
> EDAgEDooHHBIHEWyFsulqOVPaP44POoDEBOs1Gz02LEdTBrYYGsJTDp4RGOUuEwY+GHPaJSSx/HtNNq76
> XwssFV6tmiqsJw3MVwZ5EyakJwyYVjEbSuB9qmoOCOGFUmdiaogv9mQayHyOZXJA+54wmYmXn19RpOx7g
> WpCYtoxZ9MBtanCWMSWp6glY0jVpi/hHdPzTD8uGQ2asR/kcqHxdPTslL1pH5uC+Bunk6C9ukVj9/Oe9e
> dQRFsBHwHw14aaKQKmPQnH4liYcqFjRvqSBrjCBq6ADAgEBooGjBIGgX7XTlG0dTRI7Uz42jvA47p09tu
> 5Yh7zu/BuNKLILo4WcC1JGThjBQQZyL5cKWqmLIsI4+hUpeUdvIuU8J642Hnv2xZ3rcMloSWWeflan682
> 8a8ONLUq9sUnUgxWMOrFpDEkmL7bUhGB7kniaOCAH552mp86gHHOeYHb/QU7c9rSFHb4HcnGYw9QuUSlE
> n0Xd9w52gYAqz7x7qwAeEi0+Zg==' from squid (length: 795).
> 2007/07/11 17:00:22| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2007/07/11 17:00:22| squid_kerb_auth: gss_accept_sec_context() failed: A
> token was invalid. Mechanism is incorrect
>
> It was sent by a Firefox 2.0.0.4 on a Win2000 Computer.
>
>
>>
>> Which Kerberos release are you using ?
>
>
> Debian Etch current one.
> krb5 (1.4.4-7etch2)
>
> Uoah, that's old! Didn't notice before.
> Do you think kerberos 1.5.* or even 1.6.* will work better? (aka should
> I upgrade kerberos to make things work?)
>
> Tomorrow I think I'll do some other tests with ie7 and maybe I'll try with
> a different kerberos version.
>
> Regards
>
> --
> Miolinux
>
Received on Thu Jul 12 2007 - 02:51:49 MDT
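
The thread turns on whether the blob handed to the helper is really a SPNEGO token. As an added example (not part of the original messages and not squid_kerb_auth code), the Python below reads the GSS-API header of a base64 token, reports which mechanism OID it carries, and checks that the declared length matches the bytes received. The names `der_len`, `classify_token` and `sample` are hypothetical, and the sample tokens are constructed.

```python
import base64

# Mechanism OIDs (DER content bytes) that can lead a GSS-API InitialContextToken.
MECH_OIDS = {
    "2b0601050502": "SPNEGO",                 # 1.3.6.1.5.5.2
    "2a864886f712010202": "Kerberos 5",       # 1.2.840.113554.1.2.2
    "2a864882f712010202": "MS Kerberos 5",    # 1.2.840.48018.1.2.2
}

def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64):
    """Return (kind, complete) for the blob after 'Negotiate ' or 'YR '."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                        # binascii.Error subclasses ValueError
        return "not base64", False
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP", True            # no GSS-API framing, no length to check
    try:
        if raw[0] != 0x60:                    # [APPLICATION 0] InitialContextToken
            return "not a GSS-API initial token", False
        total, body = der_len(raw, 1)
        if raw[body] != 0x06:                 # OBJECT IDENTIFIER tag
            return "no mechanism OID", False
        oid_len, oid_at = der_len(raw, body + 1)
    except (IndexError, ValueError):
        return "malformed header", False
    oid = raw[oid_at:oid_at + oid_len].hex()
    return MECH_OIDS.get(oid, "unknown OID " + oid), body + total == len(raw)

def sample(oid_hex, payload=b"\x00" * 8):
    """Constructed test input: GSS-API header + mechanism OID + dummy payload."""
    oid = bytes.fromhex(oid_hex)
    inner = bytes([0x06, len(oid)]) + oid + payload
    return base64.b64encode(bytes([0x60, len(inner)]) + inner).decode()

if __name__ == "__main__":
    for oid_hex in MECH_OIDS:
        print(classify_token(sample(oid_hex)))
    print(classify_token(base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()))
```

A result of `complete == False` with a known mechanism points at a token that was cut or altered in transit or in the log, rather than at the wrong mechanism.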
