[squid-users] Squid3 Kerberos Auth works but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does

Markus Moeller huaraz at moeller.plus.com
Sun Sep 13 21:50:05 UTC 2015


Hi Enrico,
 
   The Kerberos helper will authenticate only for now (there is now code to get the group information, but it is not further processed). It does not do anything to group membership like the winbind cache. Also keep in mind that Kerberos caches the ticket on the client machine for about 10 hours. If the user does not lock/unlock his PC there won’t be any update to the cached ticket and therefore not to the group membership information in the ticket either.

Regards
Markus 


"Heine, Enrico" <independence at data-core.org> wrote in message news:c821a938e46c6278b4cc39912760b408bb84f83c at data-core.org...
Hello together,

My issue is the following:

Using Squid3 with Kerberos Auth works just fine but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does.

So when using /usr/lib/squid3/negotiate_kerberos_auth for Kerberos, the auth works, but group memberships for my user, as an example, are never updated. When I comment out this auth helper, they get updated, because then I use ntlm_auth for ntlmssp.
So if I have a new group, e.g. My_Test, then I can check this like this:

wbinfo -n My_Test -> returns SID of My_Test
wbinfo -Y SID -> returns mapped GID
wbinfo -r myuser | grep GID -> GID is not listed!!

getent group My_Test -> returns: myuser is a member of that group! So only in my account "myuser" is it not listed (wbinfo -r myuser | grep GID -> GID is not listed!!), but ext_wbinfo_group_acl is checking my group membership based on the commands listed above.

Commenting out Kerberos auth in the squid conf, so that only ntlm_auth is used, and requesting one website to be sure an auth has been done, works. Then the GID is listed in the output of wbinfo -r myuser.

How can I ensure that my memberships are getting updated using /usr/lib/squid3/negotiate_kerberos_auth, as it does work with ntlm_user? Or is there another auth helper that can be used for Kerberos that does what ntlm_user does automatically after a successful authentication?

My Squid Config for Auth Helpers looks like this:

######################################################### Kerberos #########################################################
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/myserver.MYDOMAIN at MYDOMAIN
#auth_param negotiate children 300
#auth_param negotiate keep_alive on

######################################################### NTLM #########################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off

######################################################### BASIC #########################################################
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic realm Windows Authentication required
auth_param basic casesensitive off

Also I am using the following to check group memberships, which is working fine (!! with all auth helpers !!) and is much faster than the slow Kerberos group check. I assume that this helper is automatically updating the winbind group cache, which is the reason that the group itself is being recognized and I am also a member of that group when I check that specific group via getent group My_Test.

external_acl_type nt_group ttl=60 children-max=300 children-startup=50 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -K

Software Versions used:
- Squid Cache: Version 3.4.8
- Samba & winbindd Version 4.1.17-Debian
- Distribution: Debian Jessie


-- 
Best regards,
Enrico Heine

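The wbinfo/getent comparison Enrico walks through above, turned into a repeatable check (added example, not code from the thread or from Squid/Samba). The check_* functions work on captured command output, so the constructed sample data below exercises the stale-token case offline; the live invocation in the trailing comment assumes wbinfo and getent from a working winbindd.

```shell
#!/bin/sh
# Added example: detect the symptom from the thread, where getent group
# reports a user as a member but "wbinfo -r USER" (the cached winbind
# token) does not list the group's GID.

# gid_listed GID "<wbinfo -r output>": 0 if GID appears as a whole line.
gid_listed() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# user_in_getent USER "<getent group line>": 0 if USER is in the
# comma-separated member field (field 4 of name:x:gid:members).
user_in_getent() {
    members=$(printf '%s' "$2" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$1"
}

# diagnose USER GID "<wbinfo -r output>" "<getent group line>":
# prints STALE:/OK: and returns 1 when getent knows the membership but
# the user's winbind token does not carry the GID.
diagnose() {
    user="$1"; gid="$2"; wbinfo_r="$3"; getent_line="$4"
    group=$(printf '%s' "$getent_line" | cut -d: -f1)
    if user_in_getent "$user" "$getent_line" && ! gid_listed "$gid" "$wbinfo_r"; then
        echo "STALE: $user is in $group per getent but GID $gid is missing from wbinfo -r $user"
        return 1
    fi
    echo "OK: winbind token for $user agrees with getent for $group"
    return 0
}

# Constructed sample data (not real output): myuser's token lists three
# GIDs, getent says myuser is in My_Test (GID 10005), which is missing.
SAMPLE_WBINFO_R="10001
10002
10003"
SAMPLE_GETENT_STALE="My_Test:x:10005:otheruser,myuser"
SAMPLE_GETENT_OK="Domain Users:x:10001:myuser"

# Live usage (needs winbindd; the wbinfo -n first field is the group SID,
# wbinfo -Y maps that SID to the GID), e.g.:
#   gid=$(wbinfo -Y "$(wbinfo -n My_Test | cut -d' ' -f1)")
#   diagnose myuser "$gid" "$(wbinfo -r myuser)" "$(getent group My_Test)"
diagnose myuser 10005 "$SAMPLE_WBINFO_R" "$SAMPLE_GETENT_STALE" || true
diagnose myuser 10001 "$SAMPLE_WBINFO_R" "$SAMPLE_GETENT_OK" || true
```

A STALE verdict after the user has authenticated through the Kerberos helper, and an OK verdict after one NTLM authentication, reproduces the behaviour described in the post.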