Re: [squid-users] Re: negotiate_kerberos_auth - Operation not permitted

From: Подшивалов Антон <support_at_murmansk-tisiz.ru>
Date: Sun, 06 Jan 2013 22:38:47 +0400

I run squid from rc.local:
squid_enable="YES"

Top shows that squid runs as user squid:

proxy# top | grep squid
 1394 squid 1 44 0 23288K 14232K kqread 1 0:00 0.00% squid
(If I kill the squid daemon and start it again as root, top shows the same.)

I have no chroot configuration directive in squid.conf.
Also, I placed HTTP.keytab in /usr/local/etc/squid, where the other squid
config file is (squid.conf, for example).

Markus Moeller wrote on 06.01.2013 20:34:
> If I look at the source no_suid is only called when chroot is
> configured and that works only when you run squid as root.
>
> Do you use chroot ?
>
> Markus
>
>
>
> "Подшивалов Антон" <support_at_murmansk-tisiz.ru> wrote in message
> news:f12fa1c4899e5a792ca5791746dfa89e_at_murmansk-tisiz.ru...
>> Hello and Happy New Year!
>> Please help with my trouble. I want to use Kerberos authorisation, but
>> an authorization dialog window appears in the user's browser, and no
>> user can get past it.
>>
>> squid.conf:
>> auth_param negotiate program
>> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s
>> HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL
>> auth_param negotiate children 5
>> auth_param negotiate keep_alive on
>> external_acl_type ext_kerberos_ldap_group_acl ttl=60 negative_ttl=60
>> %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -g
>> inet_users@ -D m-tisiz.local
>> acl ldap_group_check external ext_kerberos_ldap_group_acl
>>
>> In /usr/local/etc/rc.d/squid:
>> KRB5_KTNAME=/usr/local/etc/squid/HTTP.keytab
>> export KRB5_KTNAME
>>
>> proxy# ls -la | grep HTTP.keytab
>> -rwxrwxrwx 1 squid squid 387 Jan 1 14:14 HTTP.keytab
>> (this permission for test only)
>>
>> 2013/01/02 12:50:47 kid1| Starting Squid Cache version 3.2.4 for
>> i386-portbld-freebsd8.3...
>> 2013/01/02 12:50:47 kid1| Process ID 37309
>> 2013/01/02 12:50:47 kid1| Process Roles: worker
>> 2013/01/02 12:50:47 kid1| With 11095 file descriptors available
>> 2013/01/02 12:50:47 kid1| Initializing IP Cache...
>> 2013/01/02 12:50:47 kid1| DNS Socket created at 0.0.0.0, FD 7
>> 2013/01/02 12:50:47 kid1| Adding domain m-tisiz.local from
>> /etc/resolv.conf
>> 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.244 from
>> /etc/resolv.conf
>> 2013/01/02 12:50:47 kid1| Adding nameserver 192.168.100.250 from
>> /etc/resolv.conf
>> 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 0/5
>> 'negotiate_kerberos_auth' processes
>> 2013/01/02 12:50:47 kid1| helperStatefulOpenServers: No
>> 'negotiate_kerberos_auth' processes needed.
>> 2013/01/02 12:50:47 kid1| helperOpenServers: Starting 5/5
>> 'ext_kerberos_ldap_group_acl' processes
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> kerberos_ldap_group.cc(336): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: INFO: Starting version 1.3.0sq
>> support_group.cc(367): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: INFO: Group list inet_users@
>> support_group.cc(425): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: INFO: Group inet_users Domain
>> support_netbios.cc(62): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: DEBUG: Netbios list NULL
>> support_netbios.cc(66): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: DEBUG: No netbios names defined.
>> support_lserver.cc(61): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: DEBUG: ldap server list NULL
>> support_lserver.cc(65): pid=37310 :2013/01/02 12:50:47|
>> kerberos_ldap_group: DEBUG: No ldap servers defined.
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> 2013/01/02 12:50:47 kid1| Unlinkd pipe opened on FD 23
>> 2013/01/02 12:50:47 kid1| Local cache digest enabled;
>> rebuild/rewrite every 3600/3600 sec
>> 2013/01/02 12:50:47 kid1| Logfile: opening log
>> daemon:/usr/squid/log/store.log
>> 2013/01/02 12:50:47 kid1| Logfile Daemon: opening log
>> /usr/squid/log/store.log
>> 2013/01/02 12:50:47 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> 2013/01/02 12:50:47 kid1| Swap maxSize 1843200 + 204800 KB,
>> estimated 157538 objects
>> 2013/01/02 12:50:47 kid1| Target number of buckets: 7876
>> 2013/01/02 12:50:47 kid1| Using 8192 Store buckets
>> 2013/01/02 12:50:47 kid1| Max Mem size: 204800 KB
>> 2013/01/02 12:50:47 kid1| Max Swap size: 1843200 KB
>> 2013/01/02 12:50:47 kid1| Rebuilding storage in /usr/squid/ (no log)
>> 2013/01/02 12:50:47 kid1| Using Least Load store dir selection
>> 2013/01/02 12:50:47 kid1| Current Directory is /usr/local/etc/squid
>> 2013/01/02 12:50:47 kid1| Loaded Icons.
>> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(22) AsyncCall: The
>> AsyncCall clientListenerConnectionOpened constructed, this=0x293f6830
>> [call21]
>> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(89) ScheduleCall:
>> StartListening.cc(54) will call
>> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 27
>> flags=9, err=0, HTTP Socket port=0x28a16350) [call21]
>> 2013/01/02 12:50:47.414 kid1| HTCP Disabled.
>> 2013/01/02 12:50:47.414 kid1| Squid plugin modules loaded: 0
>> 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(53) fireNext:
>> entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::]
>> FD 27 flags=9, err=0, HTTP Socket port=0x28a16350)
>> 2013/01/02 12:50:47.414 kid1| AsyncCall.cc(34) make: make call
>> clientListenerConnectionOpened [call21]
>> 2013/01/02 12:50:47.414 kid1| Accepting HTTP Socket connections at
>> local=0.0.0.0:3128 remote=[::] FD 27 flags=9
>> 2013/01/02 12:50:47.414 kid1| AsyncCallQueue.cc(55) fireNext:
>> leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::]
>> FD 27 flags=9, err=0, HTTP Socket port=0x28a16350)
>> 2013/01/02 12:50:47.414 kid1| Done scanning /usr/squid/ dir (0
>> entries)
>> 2013/01/02 12:50:47.414 kid1| Finished rebuilding storage from disk.
>> 2013/01/02 12:50:47.414 kid1| 0 Entries scanned
>> 2013/01/02 12:50:47.414 kid1| 0 Invalid entries.
>> 2013/01/02 12:50:47.414 kid1| 0 With invalid flags.
>> 2013/01/02 12:50:47.414 kid1| 0 Objects loaded.
>> 2013/01/02 12:50:47.414 kid1| 0 Objects expired.
>> 2013/01/02 12:50:47.414 kid1| 0 Objects cancelled.
>> 2013/01/02 12:50:47.414 kid1| 0 Duplicate URLs purged.
>> 2013/01/02 12:50:47.414 kid1| 0 Swapfile clashes avoided.
>> 2013/01/02 12:50:47.414 kid1| Took 0.13 seconds ( 0.00
>> objects/sec).
>> 2013/01/02 12:50:47.414 kid1| Beginning Validation Procedure
>> 2013/01/02 12:50:47.414 kid1| Completed Validation Procedure
>> 2013/01/02 12:50:47.414 kid1| Validated 0 Entries
>> 2013/01/02 12:50:47.414 kid1| store_swap_size = 0.00 KB
>> 2013/01/02 12:50:48 kid1| storeLateRelease: released 0 objects
>> 2013/01/02 12:50:58 kid1| Starting new negotiateauthenticator
>> helpers...
>> 2013/01/02 12:50:58 kid1| helperOpenServers: Starting 1/5
>> 'negotiate_kerberos_auth' processes
>> 2013/01/02 12:50:58 kid1| WARNING: no_suid: setuid(0): (1) Operation
>> not permitted
>> negotiate_kerberos_auth.cc(271): pid=37324 :2013/01/02 12:50:58|
>> negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
>> negotiate_kerberos_auth.cc(316): pid=37324 :2013/01/02 12:50:58|
>> negotiate_kerberos_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' from squid
>> (length: 59).
>> negotiate_kerberos_auth.cc(379): pid=37324 :2013/01/02 12:50:58|
>> negotiate_kerberos_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==' (decoded
>> length: 40).
>> negotiate_kerberos_auth.cc(389): pid=37324 :2013/01/02 12:50:58|
>> negotiate_kerberos_auth: WARNING: received type 1 NTLM token
>> 2013/01/02 12:50:58 kid1| ERROR: Negotiate Authentication validating
>> user. Error returned 'BH received type 1 NTLM token'
>> 2013/01/02 12:51:00.323 kid1| client_side.cc(764) swanSong:
>> local=192.168.100.216:3128 remote=192.168.100.244:63943 flags=1
>>
>> This log line, WARNING: no_suid: setuid(0): (1) Operation not permitted,
>> looks like a permission problem, but the permissions on HTTP.keytab are OK.
>>
>>
>> proxy# kinit AnteC
>> AnteC_at_M-TISIZ.LOCAL's Password:
>> proxy# klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>> Principal: AnteC_at_M-TISIZ.LOCAL
>>
>> Issued Expires Principal
>> Jan 2 12:58:48 Jan 2 22:58:48 krbtgt/M-TISIZ.LOCAL_at_M-TISIZ.LOCAL
>>
>> I created the keytab on Windows 2008 Server:
>> ktpass.exe /princ HTTP/proxy.m-tisiz.local_at_M-TISIZ.LOCAL /mapuser
>> proxy_squid_at_M-TISIZ.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass
>> +rndpass /out C:\HTTP.keytab
>>
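The most useful diagnostic in the quoted log is the token itself: the helper reports "received type 1 NTLM token", and the base64 string it logged decodes to the NTLMSSP signature followed by message type 1, so the browser sent an NTLM NEGOTIATE message rather than a Kerberos/SPNEGO token, which negotiate_kerberos_auth cannot process. The following Python script is an added example written for this page, not code from the thread or from the Squid project. It parses a helper-protocol line of the form shown in the log ("YR <base64>"; the "KK" prefix for follow-up tokens is assumed from the Squid helper protocol, not from the page) and classifies the mechanism. The NTLMSSP layout and the SPNEGO/Kerberos OIDs are taken from the public specifications; the sample SPNEGO header is constructed for the demonstration and is not from the page.

```python
import base64
import struct

# Helper-protocol line copied from the debug output quoted in the thread.
LOGGED_HELPER_LINE = "YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw=="

# NTLMSSP messages start with this 8-byte signature; the message type is a
# little-endian uint32 at offset 8, and for type 1 the flags follow at 12.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# A GSS-API InitialContextToken (SPNEGO or raw Kerberos) opens with the ASN.1
# [APPLICATION 0] tag 0x60 followed by the mechanism OID.
GSSAPI_APP0_TAG = 0x60
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2


def classify_token(raw: bytes) -> dict:
    """Identify the authentication mechanism carried in a Negotiate blob."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return {"mechanism": "NTLMSSP", "message_type": None,
                    "error": "truncated NTLMSSP header"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        result = {"mechanism": "NTLMSSP", "message_type": msg_type,
                  "message_name": NTLM_MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 1 and len(raw) >= 16:
            (result["flags"],) = struct.unpack_from("<I", raw, 12)
        return result

    if raw[:1] == bytes([GSSAPI_APP0_TAG]):
        # The mechanism OID sits right after the tag and length bytes, so
        # looking at the first few dozen bytes is enough to identify it.
        head = raw[:32]
        if OID_SPNEGO in head:
            mech = "SPNEGO"
        elif OID_KRB5 in head or OID_MS_KRB5 in head:
            mech = "KRB5"
        else:
            mech = "GSSAPI-unknown"
        return {"mechanism": mech}

    return {"mechanism": "unknown"}


def classify_helper_line(line: str) -> dict:
    """Parse 'YR <b64>' / 'KK <b64>' as logged by negotiate_kerberos_auth."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        raise ValueError("expected '<YR|KK> <base64 token>', got %r" % line)
    raw = base64.b64decode(parts[1], validate=True)
    result = classify_token(raw)
    result["prefix"] = parts[0]
    result["decoded_length"] = len(raw)
    return result


# Constructed SPNEGO header (tag, short length, SPNEGO OID, start of the
# NegTokenInit) used only to exercise the GSS-API branch; not from the page.
SAMPLE_SPNEGO_HEADER = bytes([GSSAPI_APP0_TAG, 0x0c]) + OID_SPNEGO + b"\xa0\x02\x30\x00"


if __name__ == "__main__":
    print(classify_helper_line(LOGGED_HELPER_LINE))
    print(classify_token(SAMPLE_SPNEGO_HEADER))
```

Run against the line from the log, the decoder reports mechanism NTLMSSP, message type 1 (NEGOTIATE) and a decoded length of 40 bytes, matching the helper's own "decoded length: 40" message. A working Kerberos client would instead produce a token that classifies as SPNEGO (or KRB5), so this check separates a helper or keytab problem from a client that never attempted Kerberos in the first place.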
Received on Sun Jan 06 2013 - 18:38:55 MST

This archive was generated by hypermail 2.2.0 : Mon Jan 07 2013 - 12:00:03 MST