[squid-users] Re: squid3.1, squid_kerb_auth and Negotiate GSSAPI errors

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 20 Jun 2012 19:32:57 +0100

Hi Mark,

  Do you have the token you received as base64 encoded in the log or
better in a wireshark capture? This could help identifying if the
un-encrypted elements in the token are correct.

Markus

"Mark Davies" <mark_at_ecs.vuw.ac.nz> wrote in message
news:201206201520.52498.mark_at_ecs.vuw.ac.nz...
> Hi,
> we run a couple of squid caches using the squid_kerb_auth helper to
> do Negotiate GSSAPI authentication and generally it all works rather
> nicely but we will get little bursts of the following error
>
> 2012/06/20 14:54:02| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH
> gss_accept_sec_context() failed: A token was invalid. unknown
> mech-code 1859794441 for mech unknown'
>
>
> Always with that particular mech-code.
>
> Given the number of successful hits on the cache (couple of million a
> day) I'm struggling to identify what's causing these errors and how to
> rectify so suggestions welcomed.
>
> As well as wanting to identify the root cause, this problem has the
> effect that every time squid_kerb_auth deals with one of these
> requests the kerberos libraries (heimdal 1.5pre1 from NetBSD 5.99.59)
> keeps a file descriptor open to the keytab file (actually two) so
> eventually the squid_kerb_auth hits the max filedescriptors per
> process limit and other things start to fail (if it hasn't been
> restarted before then).
>
>
> cheers
> mark
>
Received on Wed Jun 20 2012 - 18:43:34 MDT
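
The check Markus asks about can be run offline on the base64 token taken from the log or a capture. The Python below is an added example, not part of the original thread or of Squid: it decodes only the unencrypted GSS-API header (RFC 2743 framing and mechanism OID) and reports the mechanism and whether the token is shorter than its declared length. The function names and the sample tokens are constructed for illustration.

```python
import base64

# Mechanism OIDs that can appear in the cleartext header of a Negotiate token.
MECHS = {"1.3.6.1.5.5.2": "SPNEGO",
         "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)"}

def der_len(buf, pos):
    """Read a DER length starting at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def oid_to_str(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs or raw[-1] & 0x80:
        raise ValueError("bad OID")
    top = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def describe_token(b64):
    """Classify a base64 Negotiate token using only its unencrypted header."""
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return {"mech": "NTLMSSP", "oid": None, "truncated": False}
        if tok[0] != 0x60:                      # RFC 2743 sec. 3.1 framing tag
            raise ValueError("no GSS-API framing")
        total, body = der_len(tok, 1)
        if tok[body] != 0x06:                   # OBJECT IDENTIFIER tag
            raise ValueError("no mech OID")
        olen, pos = der_len(tok, body + 1)
        oid = oid_to_str(tok[pos:pos + olen])
    except (ValueError, IndexError):
        return {"mech": "unparseable", "oid": None, "truncated": None}
    return {"mech": MECHS.get(oid, "unknown"), "oid": oid,
            "truncated": len(tok) - body < total}

# Constructed sample tokens (headers only, no real ticket data).
SPNEGO = base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
KRB5_CUT = base64.b64encode(bytes.fromhex("600d06092a864886f712010202")).decode()
NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```
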
