[squid-users] squid kerberos auth, acl note group

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 22 12:16:45 UTC 2020

On 22/07/20 8:59 pm, Klaus Brandl wrote:
> but i have compared the encoded string from the auth helper with the string at 
> the Proxy-Authentication header from the client with tcpdump, and it's exactly 
> the same:
> Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): 
> pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR 
> On the kerberos connection(port 88) i see only the service prinzipal, so i am 
> nearly sure, this groups are from the client.

Okay. If you run the helper manually on command line and pass that same
"YR ..." line Squid is delivering. How long is the result that comes back?

The helper I/O buffer is 32KB in current Squid. The above test will show
how large it needs to be for your network. Unfortunately changes to this
buffer do need a patch.


More information about the squid-users mailing list