gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

gss_acquire_cred() failed: No credentials were supplied, or the credentials were unavailable or inaccessible.

Victor Sudakov
Colleagues,

I have a kerberized server (squid's Negotiate/Kerberos plugin) running
on FreeBSD 8.4 with Heimdal 1.1.0. When a client tries to authenticate
on the proxy server, Kerberos generates an error message.

Could you please help me with this message. I cannot understand what's
happening and how to fix it. I am ready to provide any additional
debug information on request.

A client is either a Microsoft Internet Explorer or squid's own test
Kerberos client. The error is the same.

Below comes the debug output of the squid plugin. If you tell me how
to enable debugging/logging in the Kerberos library, I would be
grateful too.

===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
[hidden email]'s Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: [hidden email]

  Issued           Expires          Principal
Oct  8 09:31:45  Oct  8 19:31:45  krbtgt/[hidden email]

$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d

negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGFAYGKwYBBQUCoIIGCDCCBgSgDTALBgkqhkiG9xIBAgKiggXxBIIF7WCCBekGCSqGSIb3EgECAgEAboIF2DCCBdSgAwIBBaEDAgEOogcDBQAAAAAAo4IEvGGCBLgwggS0oAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBGQwggRgoAMCAReiggRXBIIEUxpOgFWeZoAcatE6l3MyfDxMoDMjcgYUQzenTLAlEvD3/c0pyRiitZwNMIHvnacXcUSTzLDNjDw75iwfNxZHYjZgvOLHSKQm+rmoWtLIC+3KZoeWCB+pxwcpK8RzXvs8dPCprH1h5OdCn8EB1ZZxl35IhLgg07N72yvnXNiBmW/PmLW6PeVB0U3SLjWiT0ZJ3kXukg5ViYGOMKypeHebHPB0FQ2dgNQy8S00CRIU4ZuoHPVWFNl6mzp9CoIy7Ytwhu3NRb42f49nuQpqBVcsMK/ckgLYvsoz2lYxe7AO4MMOvcGqnEBB/jaSfrGGXpw+ciMNbBtCHH7bN36uGHj+VWOUFL5vR3xclnOWwdUH2OtXqMMcDDnI4v7vNR1U80BS7SdXUpx0D+O1B3ihipaTpSkXtII5UTI4qxmZjXSQGYY0adbG/N6NpMF7HpmGb1Zondp571l4ZV0mZ0pZ7IcIAmvQOmcud/sN0am4z9Oe3lCe7L1RVKBr0Tu30Pz7ySibeCpY/OVR2GJ+ILfov/3o95ozW8W4d+UCHfywAHOioGB+QWSC2NO5VtcjsBYVkhKnBkcG8KOBhJ+qi1qvhGXD3tUgDZnb0pCQAVNyjiDIKZre8KcB23Hu5a2YCM9y0GiBCbfJIbD60LJLVOxozZiRqJfdOCvBhfCvh7R9y5EuNmMswSRgQJwhkh7rCgMPWvFsAWDae9yxN966E85nE+xuUtwtl20NhOjotjG3NgwsRYDg1kQvfJnz7IcPSnSevKiPHU7uvBxSZvR6j6J0BZRgTQg7loUzkOsSRPDefXMt4wFfoHEqaWTtKw3yR0dZkr1W5g6WDn0d0o4uLZRdZteMOtxjsXFTQA3MIQrf/BpVk0NdEQ0EpXo2SZtr+ciy2jNXI40s6rUQakV/vfLG5aGOQY1Ck1gynORrG6Bt/eDMVJF7gf8iEvSDPiZhaHNqfAwfuYDNcO6Sgvl21tkEUfC9YxzkZq2vb0J1gJnkoq3oay+B7GElpgBABZpf22eGTOHakz7m8z9jdPUuIGFf1Jgn1B4i2vFsYRV6tbn3gF/wpnBdPmmG0ZVT2ZnqPDf2Om3kh1cd/THIWDVeuvNGRHbzGYxFJcJ+NIgwr5yfijltcKyynGqHvW2arUQwHzX0UM/dg6iI8+o2IkKmihBL9WQ+04SwHYeMk+D1hJx2rfrIl9RgpQdkrhrjPacqGfKd7NrtEweeSn7MOwFjaVYlT4ruboQHt94BcJKQ1qhuJVsH+rhZaM6XBt6F2NtM5Z+0OmwsLb0sQkdVbnbyEku7McPN0vvOC7tuDL1pT0UuAanSO6IQahXj5X3W/MVNf27rJUmcUQkGbTvCK6nJMuZYNsuKaB9Izs10T/i88V5IOgafwAHgLCxnpwptY551gJwj/0cvv6mpIZSrE8XjMWMUDmeTkeUyU8t2Dz5Vjbb8l1cFCIETgvc5CK9mV+SG0F6soQqf1xs+r6SB/jCB+6ADAgEXooHzBIHwxdPbAIs5nPD2d3wOYONkgkc1qb9krxSlo4FRMoPPIl+80A1OZOlv/SRc9B4VpP8xJJvk1YwY70twgMlOJd/zbXH0lEnyGdGi9mUuN4XdfeNzFwqvjxOrx1e8oPXJPJLIZCGhUik3nY7X4Nb4EMXmfEckzSsuBbVKkVwu7/0xPKbXL4KPs/e3ANJI8Lvkh7AM7iIXrhI2S4/ZKWo4f73R1sjgtt+nw8e1Ga7EeMlQvbejo/i9UBEFldNR2B8GM0DD6449mRrbXE1K5Pij+bHoHl9oZng97DGGnM4ritsN+ts2Rcev1IuSzm6QFaADBwRU' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode 'YIIGFAYGKwYBBQUCoIIGCDCCBgSgDTALBgkqhkiG9xIBAgKiggXxBIIF7WCCBekGCSqGSIb3EgECAgEAboIF2DCCBdSgAwIBBaEDAgEOogcDBQAAAAAAo4IEvGGCBLgwggS0oAMCAQWhFhsUU0lCUFRVUy5UUkFOU05FRlQuUlWiLTAroAMCAQGhJDAiGwRIVFRQGxpwcm94eS5zaWJwdHVzLnRyYW5zbmVmdC5ydaOCBGQwggRgoAMCAReiggRXBIIEUxpOgFWeZoAcatE6l3MyfDxMoDMjcgYUQzenTLAlEvD3/c0pyRiitZwNMIHvnacXcUSTzLDNjDw75iwfNxZHYjZgvOLHSKQm+rmoWtLIC+3KZoeWCB+pxwcpK8RzXvs8dPCprH1h5OdCn8EB1ZZxl35IhLgg07N72yvnXNiBmW/PmLW6PeVB0U3SLjWiT0ZJ3kXukg5ViYGOMKypeHebHPB0FQ2dgNQy8S00CRIU4ZuoHPVWFNl6mzp9CoIy7Ytwhu3NRb42f49nuQpqBVcsMK/ckgLYvsoz2lYxe7AO4MMOvcGqnEBB/jaSfrGGXpw+ciMNbBtCHH7bN36uGHj+VWOUFL5vR3xclnOWwdUH2OtXqMMcDDnI4v7vNR1U80BS7SdXUpx0D+O1B3ihipaTpSkXtII5UTI4qxmZjXSQGYY0adbG/N6NpMF7HpmGb1Zondp571l4ZV0mZ0pZ7IcIAmvQOmcud/sN0am4z9Oe3lCe7L1RVKBr0Tu30Pz7ySibeCpY/OVR2GJ+ILfov/3o95ozW8W4d+UCHfywAHOioGB+QWSC2NO5VtcjsBYVkhKnBkcG8KOBhJ+qi1qvhGXD3tUgDZnb0pCQAVNyjiDIKZre8KcB23Hu5a2YCM9y0GiBCbfJIbD60LJLVOxozZiRqJfdOCvBhfCvh7R9y5EuNmMswSRgQJwhkh7rCgMPWvFsAWDae9yxN966E85nE+xuUtwtl20NhOjotjG3NgwsRYDg1kQvfJnz7IcPSnSevKiPHU7uvBxSZvR6j6J0BZRgTQg7loUzkOsSRPDefXMt4wFfoHEqaWTtKw3yR0dZkr1W5g6WDn0d0o4uLZRdZteMOtxjsXFTQA3MIQrf/BpVk0NdEQ0EpXo2SZtr+ciy2jNXI40s6rUQakV/vfLG5aGOQY1Ck1gynORrG6Bt/eDMVJF7gf8iEvSDPiZhaHNqfAwfuYDNcO6Sgvl21tkEUfC9YxzkZq2vb0J1gJnkoq3oay+B7GElpgBABZpf22eGTOHakz7m8z9jdPUuIGFf1Jgn1B4i2vFsYRV6tbn3gF/wpnBdPmmG0ZVT2ZnqPDf2Om3kh1cd/THIWDVeuvNGRHbzGYxFJcJ+NIgwr5yfijltcKyynGqHvW2arUQwHzX0UM/dg6iI8+o2IkKmihBL9WQ+04SwHYeMk+D1hJx2rfrIl9RgpQdkrhrjPacqGfKd7NrtEweeSn7MOwFjaVYlT4ruboQHt94BcJKQ1qhuJVsH+rhZaM6XBt6F2NtM5Z+0OmwsLb0sQkdVbnbyEku7McPN0vvOC7tuDL1pT0UuAanSO6IQahXj5X3W/MVNf27rJUmcUQkGbTvCK6nJMuZYNsuKaB9Izs10T/i88V5IOgafwAHgLCxnpwptY551gJwj/0cvv6mpIZSrE8XjMWMUDmeTkeUyU8t2Dz5Vjbb8l1cFCIETgvc5CK9mV+SG0F6soQqf1xs+r6SB/jCB+6ADAgEXooHzBIHwxdPbAIs5nPD2d3wOYONkgkc1qb9krxSlo4FRMoPPIl+80A1OZOlv/SRc9B4VpP8xJJvk1YwY70twgMlOJd/zbXH0lEnyGdGi9mUuN4XdfeNzFwqvjxOrx1e8oPXJPJLIZCGhUik3nY7X4Nb4EMXmfEckzSsuBbVKkVwu7/0xPKbXL4KPs/e3ANJI8Lvkh7AM7iIXrhI2S4/ZKWo4f73R1sjgtt+nw8e1Ga7EeMlQvbejo/i9UBEFldNR2B8GM0DD6449mRrbXE1K5Pij+bHoHl9oZng97DGGnM4ritsN+ts2Rcev1IuSzm6QFaADBwRU' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time:  Oct  8 10:00:12 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless

Server: HTTP/[hidden email]
Client: [hidden email]
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time:  Oct  8 10:00:12 2014
Start time: Oct  8 10:00:16 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless

$
$  ktutil list
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/[hidden email]
  1  des-cbc-md5              HTTP/[hidden email]
  1  arcfour-hmac-md5         HTTP/[hidden email]
  1  aes256-cts-hmac-sha1-96  HTTP/[hidden email]
  1  aes128-cts-hmac-sha1-96  HTTP/[hidden email]
===========================

You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru
service, but somehow the authentication fails.

On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.

w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]