Hi, I looked at memory leaks for the squid negotiate_kerberos helper and found issues with the following in the heimdal code:
==9424== 16 bytes in 1 blocks are definitely lost in loss record 13 of 64 ==9424== at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==9424== by 0x52ACF9C: set_etypes (context.c:74) ==9424== by 0x52ADE8F: init_context_from_config_file (context.c:161) ==9424== by 0x52ADE8F: krb5_set_config_files (context.c:692) ==9424== by 0x52AE49C: krb5_init_context (context.c:451) ==9424== by 0x4023C1: main (negotiate_kerberos_auth.cc:549) which should be fixed with
--- lib/krb5/context.c 2017-12-07 04:11:23.000000000 +0000
+++ lib/krb5/context_new.c 2018-09-15 18:45:40.715744342 +0100
@@ -622,6 +622,9 @@
 free(context->etypes);
 free(context->cfg_etypes);
 free(context->etypes_des);
+ free(context->permitted_enctypes);
+ free(context->tgs_etypes);
+ free(context->as_etypes);
 krb5_free_host_realm (context, context->default_realms);
 krb5_config_file_free (context, context->cf);
 free_error_table (context->et_list);
and ==9424== 13,200 bytes in 6 blocks are definitely lost in loss record 63 of 64 ==9424== at 0x4C2C240: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==9424== by 0x4E5E01A: _gss_ntlm_allocate_ctx (accept_sec_context.c:52) ==9424== by 0x4E5E5B4: _gss_ntlm_acquire_cred (acquire_cred.c:60) ==9424== by 0x4E55779: gss_acquire_cred (gss_acquire_cred.c:125) ==9424== by 0x4E635AB: _gss_spnego_acquire_cred (cred_stubs.c:109) ==9424== by 0x4E55779: gss_acquire_cred (gss_acquire_cred.c:125) ==9424== by 0x403227: main (negotiate_kerberos_auth.cc:721) Which could be fixed with
--- ./lib/gssapi/ntlm/acquire_cred.c 2016-12-20 14:23:06.000000000 +0000
+++ ./lib/gssapi/ntlm/acquire_cred_new.c 2018-09-15 18:09:04.436985518 +0100 
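Review bot: In the `lib/krb5/context.c` hunk, freeing `permitted_enctypes`, `tgs_etypes` and `as_etypes` is only safe if this context is their sole owner, and nothing visible here establishes that. If a context-copy routine such as `krb5_copy_context()` shares these pointers rather than duplicating the arrays, the new calls turn the leak into a double free. A second `krb5_set_config_files()` on the same context would still leak the old arrays unless they are released before reassignment. The valgrind record shows a single 16-byte block from `set_etypes`, so a re-run with the patch applied should confirm which field it was; the enclosing function starts and ends outside the hunk.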
@@ -58,8 +58,10 @@ if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_ACCEPT) { maj_stat = _gss_ntlm_allocate_ctx(min_stat, &ctx); - if (maj_stat != GSS_S_COMPLETE) + if (maj_stat != GSS_S_COMPLETE) { + if (ctx) free(ctx); return maj_stat; + } domain = name != NULL ? name->domain : NULL; maj_stat = (*ctx->server->nsi_probe)(min_stat, ctx->ictx, domain); Markus
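Review bot: In the `lib/gssapi/ntlm/acquire_cred.c` hunk, the added `if (ctx) free(ctx);` reads `ctx` after `_gss_ntlm_allocate_ctx()` has failed, which is only defined if `ctx` is initialised to NULL at its declaration (outside this hunk) or the allocator always stores to it; otherwise an indeterminate pointer is passed to `free()`. A plain `free()` also releases only the outer struct, and the following context lines show it carries `ctx->ictx` and `ctx->server`, so backend state set up before the failure would presumably still leak. It would be safer for `_gss_ntlm_allocate_ctx()` to release its own partial allocation and set `*ctx = NULL` on error, which covers every caller and leaves the original two-line check here unchanged; if the caller-side fix stays, `free(ctx);` needs no NULL guard. The valgrind record reports blocks that calloc did return, so a re-run should confirm they are lost on this failure branch rather than after the `nsi_probe` call on the success path. The enclosing function starts and ends outside the hunk.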