[squid-users] Re: negotiate_kerberos_auth - Operation not permitted

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 6 Jan 2013 16:34:05 -0000

If I look at the source, no_suid is only called when chroot is configured, and
that works only when you run squid as root.

Do you use chroot?

Markus

"Подшивалов Антон" <support_at_murmansk-tisiz.ru> wrote in message
news:f12fa1c4899e5a792ca5791746dfa89e_at_murmansk-tisiz.ru...
> Hello and Happy New Year!
> Please help with my trouble. I want to use Kerberos authorisation, but in
> the user's browser an authorization dialog window appears, and no user can
> pass it.
>
> squid.conf:
> auth_param negotiate program
> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s
> HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL
> auth_param negotiate children 5
> auth_param negotiate keep_alive on
> external_acl_type ext_kerberos_ldap_group_acl ttl=60 negative_ttl=60
> %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -g
> inet_users@ -D m-tisiz.local
> acl ldap_group_check external ext_kerberos_ldap_group_acl
>
> In /usr/local/etc/rc.d/squid:
> KRB5_KTNAME=/usr/local/etc/squid/HTTP.keytab
> export KRB5_KTNAME
>
> proxy# ls -la | grep HTTP.keytab
> -rwxrwxrwx 1 squid squid 387 Jan 1 14:14 HTTP.keytab
> (this permission for test only)
>
> 2013/01/02 12:50:47 kid1| Starting Squid Cache version 3.2.4 for
> i386-portbld-freebsd8.3...
> 2013/01/02 12:50:47 kid1| Process ID 37309
> 2013/01/02 12:50:47 kid1| Process Roles: worker
> 2013/01/02 12:50:47 kid1| With 11095 file descriptors available
> 2013/01/02 12:50:47 kid1| Initializing IP Cache...
> 2013/01/02 12:50:47 kid1| DNS Socket created at 0.0.0.0, FD 7
> 2013/01/02 12:50:47 kid1| Adding domain m-tisiz.local from
> /etc/resolv.conf
> 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.244 from
> /etc/resolv.conf
> 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.250 from
> /etc/resolv.conf
> 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 0/5
> 'negotiate_kerberos_auth' processes
> 2013/01/02 12:50:47 kid1| helperStatefulOpenServers: No
> 'negotiate_kerberos_auth' processes needed.
> 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 5/5
> 'ext_kerberos_ldap_group_acl' processes
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> kerberos_ldap_group.cc(336): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: INFO: Starting version 1.3.0sq
> support_group.cc(367): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: INFO: Group list inet_users@
> support_group.cc(425): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: INFO: Group inet_users Domain
> support_netbios.cc(62): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: DEBUG: Netbios list NULL
> support_netbios.cc(66): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: DEBUG: No netbios names defined.
> support_lserver.cc(61): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: DEBUG: ldap server list NULL
> support_lserver.cc(65): pid=37310 :2013/01/02 12:50:47|
> kerberos_ldap_group: DEBUG: No ldap servers defined.
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/02 12:50:47 kid1| Unlinkd pipe opened on FD 23
> 2013/01/02 12:50:47 kid1| Local cache digest enabled; rebuild/rewrite
> every 3600/3600 sec
> 2013/01/02 12:50:47 kid1| Logfile: opening log
> daemon:/usr/squid/log/store.log
> 2013/01/02 12:50:47 kid1| Logfile Daemon: opening log
> /usr/squid/log/store.log
> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/02 12:50:47 kid1| Swap maxSize 1843200 + 204800 KB, estimated
> 157538 objects
> 2013/01/02 12:50:47 kid1| Target number of buckets: 7876
> 2013/01/02 12:50:47 kid1| Using 8192 Store buckets
> 2013/01/02 12:50:47 kid1| Max Mem size: 204800 KB
> 2013/01/02 12:50:47 kid1| Max Swap size: 1843200 KB
> 2013/01/02 12:50:47 kid1| Rebuilding storage in /usr/squid/ (no log)
> 2013/01/02 12:50:47 kid1| Using Least Load store dir selection
> 2013/01/02 12:50:47 kid1| Current Directory is /usr/local/etc/squid
> 2013/01/02 12:50:47 kid1| Loaded Icons.
> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(22) AsyncCall: The AsyncCall
> clientListenerConnectionOpened constructed, this=0x293f6830 [call21]
> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(89) ScheduleCall:
> StartListening.cc(54) will call
> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
> flags=9, err=0, HTTP Socket port=0x28a16350) [call21]
> 2013/01/02 12:50:47.414 kid1| HTCP Disabled.
> 2013/01/02 12:50:47.414 kid1| Squid plugin modules loaded: 0
> 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(53) fireNext: entering
> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
> flags=9, err=0, HTTP Socket port=0x28a16350)
> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(34) make: make call
> clientListenerConnectionOpened [call21]
> 2013/01/02 12:50:47.414 kid1| Accepting HTTP Socket connections at
> local=0.0.0.0:3128 remote=[::] FD 27 flags=9
> 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(55) fireNext: leaving
> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
> flags=9, err=0, HTTP Socket port=0x28a16350)
> 2013/01/02 12:50:47.414 kid1| Done scanning /usr/squid/ dir (0 entries)
> 2013/01/02 12:50:47.414 kid1| Finished rebuilding storage from disk.
> 2013/01/02 12:50:47.414 kid1| 0 Entries scanned
> 2013/01/02 12:50:47.414 kid1| 0 Invalid entries.
> 2013/01/02 12:50:47.414 kid1| 0 With invalid flags.
> 2013/01/02 12:50:47.414 kid1| 0 Objects loaded.
> 2013/01/02 12:50:47.414 kid1| 0 Objects expired.
> 2013/01/02 12:50:47.414 kid1| 0 Objects cancelled.
> 2013/01/02 12:50:47.414 kid1| 0 Duplicate URLs purged.
> 2013/01/02 12:50:47.414 kid1| 0 Swapfile clashes avoided.
> 2013/01/02 12:50:47.414 kid1| Took 0.13 seconds ( 0.00 objects/sec).
> 2013/01/02 12:50:47.414 kid1| Beginning Validation Procedure
> 2013/01/02 12:50:47.414 kid1| Completed Validation Procedure
> 2013/01/02 12:50:47.414 kid1| Validated 0 Entries
> 2013/01/02 12:50:47.414 kid1| store_swap_size = 0.00 KB
> 2013/01/02 12:50:48 kid1| storeLateRelease: released 0 objects
> 2013/01/02 12:50:58 kid1| Starting new negotiateauthenticator helpers...
> 2013/01/02 12:50:58 kid1| helperOpenServers: Starting 1/5
> 'negotiate_kerberos_auth' processes
> 2013/01/02 12:50:58 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> negotiate_kerberos_auth.cc(271): pid=37324 :2013/01/02 12:50:58|
> negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(316): pid=37324 :2013/01/02 12:50:58|
> negotiate_kerberos_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' from squid
> (length: 59).
> negotiate_kerberos_auth.cc(379): pid=37324 :2013/01/02 12:50:58|
> negotiate_kerberos_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' (decoded
> length: 40).
> negotiate_kerberos_auth.cc(389): pid=37324 :2013/01/02 12:50:58|
> negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> 2013/01/02 12:50:58 kid1| ERROR: Negotiate Authentication validating user.
> Error returned 'BH received type 1 NTLM token'
> 2013/01/02 12:51:00.323 kid1| client_side.cc(764) swanSong:
> local=192.168.100.216:3128 remote=192.168.100.244:63943 flags=1
>
> This log line, WARNING: no_suid: setuid(0): (1) Operation not permitted, looks
> like permission trouble, but the permissions on HTTP.keytab are OK.
>
>
> proxy# kinit AnteC
> AnteC_at_M-TISIZ.LOCAL's Password:
> proxy# klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: AnteC_at_M-TISIZ.LOCAL
>
> Issued Expires Principal
> Jan 2 12:58:48 Jan 2 22:58:48 krbtgt/M-TISIZ.LOCAL_at_M-TISIZ.LOCAL
>
> I created the keytab on Windows 2008 Server:
> ktpass.exe /princ HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL /mapuser
> proxy_squid_at_M-TISIZ.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass
> +rndpass /out C:\HTTP.keytab
>
Received on Sun Jan 06 2013 - 16:34:42 MST
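The ERROR line in the quoted log reports 'BH received type 1 NTLM token': the browser sent an NTLMSSP message rather than the GSS-API/SPNEGO token a Kerberos helper can process. The following Python is an added example, not code from this thread or from Squid; it decodes the token exactly as the helper logged it and reports what the client sent, with a constructed SPNEGO prefix (assumed sample, not from the page) as the contrasting case.

```python
import base64
import struct

# Token copied verbatim from the negotiate_kerberos_auth DEBUG line in the log.
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw=="
# Constructed sample: GSS-API [APPLICATION 0] tag + DER length + SPNEGO OID.
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# DER-encoded mechanism OIDs that follow the GSS-API tag in an initial token.
GSS_MECHS = {
    b"\x06\x06\x2b\x06\x01\x05\x05\x02": "SPNEGO (1.3.6.1.5.5.2)",
    b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "Kerberos5 (1.2.840.113554.1.2.2)",
}


def classify_negotiate_token(b64_token: str) -> dict:
    """Decode a base64 Negotiate token and report what the client really sent:
    an NTLMSSP message (which a Kerberos-only helper rejects) or a GSS-API
    token carrying a mechanism OID."""
    raw = base64.b64decode(b64_token)
    info = {"decoded_length": len(raw), "kerberos_helper_accepts": False}
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info.update(kind="NTLMSSP", ntlm_type=msg_type,
                    ntlm_type_name=NTLM_TYPES.get(msg_type, "UNKNOWN"))
        # A type 1 message carries NegotiateFlags at 12 and, when the VERSION
        # flag is set, an 8-byte VERSION field at offset 32.
        if msg_type == 1 and len(raw) >= 40:
            flags = struct.unpack_from("<I", raw, 12)[0]
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os_version"] = (major, minor, build)
    elif len(raw) >= 2 and raw[0] == 0x60:
        # Skip the [APPLICATION 0] tag and its DER length, then read the OID.
        pos = 2 + (raw[1] & 0x7F) if raw[1] & 0x80 else 2
        mech = next((name for der, name in GSS_MECHS.items()
                     if raw.startswith(der, pos)), "unknown mech")
        info.update(kind="GSS-API", mech=mech, kerberos_helper_accepts=True)
    else:
        info["kind"] = "UNKNOWN"
    return info


if __name__ == "__main__":
    print(classify_negotiate_token(LOG_TOKEN))
    print(classify_negotiate_token(SAMPLE_SPNEGO))
```

Run against the logged token it reports an NTLMSSP NEGOTIATE (type 1) message of 40 bytes, so the failure is the client choosing NTLM, not the keytab or the no_suid warning.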
