[squid-users] Kerberos issues on 4.1
Amos Jeffries
squid3 at treenet.co.nz
Tue Jul 17 13:02:48 UTC 2018
On 17/07/18 14:20, Victor Sudakov wrote:
> Dear Colleagues,
>
> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> with Kerberos authentication.
>
> A user complained about being denied access. The strange things are that:
>
> 1. There was only one such user, others seemed to be authenticating
> properly (or just did not complain).
>
> 2. The user seemed authenticated but still was denied (!), a sample access.log entry:
>
> 1531737712.384 7 212.73.124.190 TCP_DENIED/403 9976 GET http://yandex.ru/zzzzzzzzzzzz user@REA.LM HIER_NONE/- text/html
>
> The user tried different browsers on different hosts, with the same result.
>
> After downgrading to Squid 3.5.27 all went well again.
>
> Sorry I cannot provide more debugging info at present, I had to
> downgrade my two production Squids ASAP.
>
> Was there any major change between Squid 3 and 4 in the way
> Negotiate/Kerberos works?
>
The biggest change is that bundled Kerberos auth helpers are now using
the newer v3.4+ helper protocol. That prevents some malformations of
Unicode and whitespace characters in the username or password which
Squid-3 might have been ignoring when it should have rejected.

You may need to check both what you have on record in your AD/LDAP and
what the affected user thinks they need to enter.

There is also the less likely possibility that other non-auth ACLs are
rejecting the request for completely unrelated reasons.

For completeness: there are some other changes, but those seem
irrelevant to your case.

Amos
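As an added example (not code from this thread or from the Squid project), here is a small Python diagnostic in the spirit of the advice above: it pulls the username out of a native-format access.log line like the one quoted in the question, flags the whitespace and Unicode oddities that the stricter v3.4+ helper protocol is more likely to reject, and compares the name the user enters with the name held in AD/LDAP. The ten-field layout is Squid's default native log format; the sample log line is the one from the thread, and the "entered" and "on record" names in the demo are constructed.

```python
import unicodedata

# Constructed sample: the access.log line quoted in the thread, re-typed here.
SAMPLE_LOG_LINE = ("1531737712.384 7 212.73.124.190 TCP_DENIED/403 9976 GET "
                   "http://yandex.ru/zzzzzzzzzzzz user@REA.LM HIER_NONE/- text/html")

# Field order of Squid's default native access.log format (assumption: no custom logformat).
NATIVE_FIELDS = ["time", "elapsed", "client", "code_status", "bytes",
                 "method", "url", "user", "peer", "type"]


def parse_native_line(line):
    """Split one native-format line into named fields.

    A line with a different field count means some field (typically the
    username or URL) carried raw whitespace, which is itself a finding.
    """
    parts = line.split()
    if len(parts) != len(NATIVE_FIELDS):
        raise ValueError(f"expected {len(NATIVE_FIELDS)} fields, got {len(parts)}; "
                         "raw whitespace inside a field?")
    return dict(zip(NATIVE_FIELDS, parts))


def inspect_username(name):
    """Return a list of the whitespace/Unicode problems found in a username."""
    findings = []
    if name != name.strip():
        findings.append("leading/trailing whitespace")
    if any(c.isspace() for c in name.strip()):
        findings.append("embedded whitespace")
    # Unicode general categories starting with 'C' are control/format/unassigned code points.
    if any(unicodedata.category(c).startswith("C") for c in name):
        findings.append("control/format characters")
    if any(ord(c) > 127 for c in name):
        findings.append("non-ASCII characters")
    if unicodedata.normalize("NFC", name) != name:
        findings.append("not NFC-normalised")
    return findings


def compare_with_directory(entered, on_record):
    """Compare what the user types against what AD/LDAP holds.

    'exact_match' is a byte-for-byte comparison; 'canonical_match' ignores
    surrounding whitespace, case and Unicode normalisation form, so a
    mismatch in the first but not the second points at exactly the kind of
    malformation a stricter helper protocol will no longer paper over.
    """
    def canon(s):
        return unicodedata.normalize("NFC", s).strip().casefold()

    return {
        "exact_match": entered == on_record,
        "canonical_match": canon(entered) == canon(on_record),
        "entered_issues": inspect_username(entered),
        "record_issues": inspect_username(on_record),
    }


if __name__ == "__main__":
    fields = parse_native_line(SAMPLE_LOG_LINE)
    print("logged user:", fields["user"], "->", inspect_username(fields["user"]) or "clean")
    # Constructed case: decomposed 'u' + combining acute typed by the user,
    # precomposed U+00FA stored in the directory.
    report = compare_with_directory("u\u0301ser@REA.LM", "\u00faser@REA.LM")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see the thread's log line parsed and a constructed normalisation mismatch reported; substitute the username from your own access.log and the value from your directory record to reproduce the check for an affected user.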