[squid-users] squid kerberos auth, acl note group

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 22 12:16:45 UTC 2020


On 22/07/20 8:59 pm, Klaus Brandl wrote:
> 
> but i have compared the encoded string from the auth helper with the string at 
> the Proxy-Authentication header from the client with tcpdump, and it's exactly 
> the same:
> 
> Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
> 
> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): 
> pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR 
> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
> 
> On the kerberos connection(port 88) i see only the service prinzipal, so i am 
> nearly sure, this groups are from the client.
> 

Okay. If you run the helper manually on command line and pass that same
"YR ..." line Squid is delivering. How long is the result that comes back?

The helper I/O buffer is 32KB in current Squid. The above test will show
how large it needs to be for your network. Unfortunately changes to this
buffer do need a patch.


Amos


More information about the squid-users mailing list