[squid-users] Squid3 Kerberos Auth works but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does

Heine, Enrico independence at data-core.org
Tue Sep 8 08:42:30 UTC 2015


Hello all,

My issue is the following:

Using Squid3 with Kerberos Auth works just fine but does not update the user's group membership in the winbind cache of samba as for example ntlm_auth does.

So when using /usr/lib/squid3/negotiate_kerberos_auth for Kerberos, the auth works, but group memberships for my user, as an example, are never updated. When I comment out this auth helper, they get updated, because then ntlm_auth is used for NTLMSSP.
So if I have a new group, e.g. My_Test, then I can check this like this:

wbinfo -n My_Test -> returns SID of My_Test
wbinfo -Y SID -> returns mapped GID
wbinfo -r myuser | grep GID -> GID is not listed!!

getent group My_Test -> returns: myuser is a member of that group! So just in my account "myuser" it is not listed (wbinfo -r myuser | grep GID -> GID is not listed!!), but ext_wbinfo_group_acl is checking my group membership based on the commands listed above.

Commenting out Kerberos auth in the squid conf, so that only ntlm_auth is used, and requesting one website to be sure an auth has been done, works. Then the GID is listed in the output of wbinfo -r myuser.

How can I ensure that my memberships are getting updated using /usr/lib/squid3/negotiate_kerberos_auth, as it does work with ntlm_user? Or is there another auth helper that can be used for Kerberos that does what ntlm_user does automatically after a successful authentication?

My Squid Config for Auth Helpers looks like this:

######################################################### Kerberos #########################################################
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/myserver.MYDOMAIN at MYDOMAIN
#auth_param negotiate children 300
#auth_param negotiate keep_alive on

######################################################### NTLM #########################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off

######################################################### BASIC #########################################################
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic realm Windows Authentication required
auth_param basic casesensitive off

Also I am using the following to check group memberships, which is working fine (with all auth helpers!) and is much faster than the slow Kerberos group check. I assume that this helper automatically updates the winbind group cache, which is the reason that the group itself is being recognized and that I am also a member of that group when I check that specific group via getent group My_Test.

external_acl_type nt_group ttl=60 children-max=300 children-startup=50 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -K

Software Versions used:
- Squid Cache: Version 3.4.8
- Samba & winbindd Version 4.1.17-Debian
- Distribution: Debian Jessie


-- 
Best regards,
Enrico Heine


