[squid-users] squid kerberos auth, acl note group

Alex Rousskov rousskov at measurement-factory.com
Tue Jul 21 18:21:46 UTC 2020


On 7/21/20 10:41 AM, Klaus Brandl wrote:

> we have a problem with the squid kerberos auth helper and the note acl 
> matching to user groups in an active directory.
> First the user was in one group, which was configured via the groupSid base64 
> string as a note acl, and this was working very well.
> Then there was added a new group to the user, and the note acl was changed to 
> this new groupSid string, but now this group is not matching. We also do not 
> see this group string in the debug output from the auth helper like this:

If the helper is not returning the new groupSid to Squid then the note
ACL using that new groupSid should not match. Unfortunately, I do not
know enough about that helper to tell you why it does not tell Squid
about the new group.


> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| 
> negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA== 
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA== group=AQEAAAAAABIBAAAA
> 
> The config is like this:
> 
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
> -i -d -s GSS_C_NO_NAME
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
> acl authenticated proxy_auth REQUIRED
> acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
> http_access allow authenticated surfen
> http_access deny all
> 
> Any idea what the problem could be?
> Where are these groups from in the debug output? Are they from the decoded 
> authentication token from the client, or from the kerberos connection to the 
> domain controller?

The group membership info should be coming from the authentication
service, not the client.


> And why does the last group string look truncated?

I could not find the source of the debug() function used by the helper,
but I would not be surprised if that function has a fixed buffer that
does not accommodate all the groups. It is also possible that there is
not enough space in the helper buffers to store the actual groups -- I
cannot tell whether that is the case from the debugging output you
shared (and the source code has many conditional branches that allocate
this space differently based on various factors AFAICT).

A local developer or a very capable local admin should be able to answer
this question by studying (and possibly adding more) helper debugging.


Please also note that there are a couple of possibly related known bugs:

* https://bugs.squid-cache.org/show_bug.cgi?id=5063
* https://bugs.squid-cache.org/show_bug.cgi?id=5063

Alex.
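Added example (my own code, not Alex's and not part of Squid or its helper): a small Python decoder for the base64 group values the helper prints and the note ACL compares. It pulls the values out of a "Groups group=..." debug line, decodes each one into the usual S-1-... form, rejects any value whose length does not match the sub-authority count in its header (a SID is always 8 + 4*n bytes, so a short value can still be complete), and checks the configured value against the returned list with the same exact string comparison the note ACL uses. The sample debug line is constructed from three of the values quoted above; the SID layout follows the documented Windows binary format and does not depend on Squid.

```python
import base64
import struct

# Values taken from the quoted helper debug output and squid.conf above.
DEBUG_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA=="
CONFIG_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="  # acl surfen note group ...
TRAILING_GROUP = "AQEAAAAAABIBAAAA"                         # the short last value

# Constructed sample debug line: a shortened form of the quoted one.
DEBUG_LINE = (
    "negotiate_kerberos_auth: DEBUG: Groups "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== "
    "group=AQEAAAAAABIBAAAA"
)


def decode_sid(b64: str) -> str:
    """Decode a base64-encoded binary SID into its S-R-I-S... string form.

    Binary layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then `count` little-endian uint32
    sub-authorities.  A value whose length is not 8 + 4*count is rejected,
    so a genuinely cut-off value fails loudly instead of decoding into
    something that merely looks valid.  A 12-byte value with count 1
    (e.g. a well-known SID such as S-1-18-1) is complete, not truncated.
    """
    raw = base64.b64decode(b64, validate=True)  # raises ValueError on bad text
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(
            f"{count} sub-authorities need {expected} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:expected])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def is_complete_sid(b64: str) -> bool:
    """True if the value decodes and its length matches its own header."""
    try:
        decode_sid(b64)
        return True
    except ValueError:
        return False


def groups_from_debug(line: str) -> list:
    """Pull the base64 values out of a 'Groups group=... group=...' line."""
    return [tok[len("group="):] for tok in line.split() if tok.startswith("group=")]


def check_note_acl(line: str, configured: str) -> dict:
    """Compare the configured 'note group' value with what the helper returned.

    The note ACL matches the annotation value as a string, so the base64
    text itself is compared; the decoded SIDs are only there for reading.
    """
    returned = groups_from_debug(line)
    configured_sid = decode_sid(configured)
    domain = configured_sid.rsplit("-", 1)[0]  # everything except the RID
    decoded = {}
    for g in returned:
        try:
            decoded[g] = decode_sid(g)
        except ValueError as err:
            decoded[g] = f"malformed: {err}"
    return {
        "configured": configured_sid,
        "returned": decoded,
        "matched": configured in returned,
        # Returned groups from the configured value's own domain: a quick way
        # to see whether the helper returned any group from that domain at all.
        "same_domain": [g for g, s in decoded.items()
                        if s.startswith("S-1-5-21-")
                        and s.rsplit("-", 1)[0] == domain],
    }


if __name__ == "__main__":
    for key, value in check_note_acl(DEBUG_LINE, CONFIG_GROUP).items():
        print(f"{key}: {value}")
```

Run it as-is to see the comparison for the constructed line, or paste the complete quoted "Groups" line into DEBUG_LINE to decode every value the helper returned. Because the note ACL compares the annotation text exactly, any difference in the base64 (including padding) is a mismatch even when the decoded SIDs look alike, so the decoded forms are a reading aid and the `matched` flag is the actual check.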

