[squid-users] squid kerberos auth, acl note group

Klaus Brandl klaus_brandl at genua.de
Thu Nov 5 09:20:32 UTC 2020


Hi Eliezer,

We have deleted the group in Active Directory and created it again.
Not sure if this was the real problem, because this was done by our
customer.

But we already have this caching problem: if membership of this group
is changed in AD, squid has to be completely restarted to take effect.

Regards

Klaus

On Wednesday, 04.11.2020, 15:13 +0200, Eliezer Croitor wrote:
> Hey Klaus,
> 
> I tried to follow the thread and understand what went wrong and how it
> was fixed, and I didn't manage to understand. (Maybe I am missing some
> emails in the thread)
> 
> Can you please clear out what was done to resolve this issue?
> 
> Thanks,
> Eliezer
> 
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
> 
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Klaus Brandl
> Sent: Monday, July 27, 2020 7:36 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid kerberos auth, acl note group
> 
> Hi Markus and Amos,
> 
> thanks for your answers, it is working now, after the group was deleted
> and created new. Most likely it was no security object...
> 
> Regards
> 
> On Saturday 25 July 2020 16:43:13 Markus Moeller wrote:
> > Hi Klaus,
> > 
> >     Is the group you added a security group?  Only security groups are part
> > of the Kerberos ticket.  Which authorisation helper do you use or is this
> > just based on the auth helper output?
> > 
> >     What do you see on the client?  e.g. in powershell run whoami /groups
> > 
> >     Did you clear the client Kerberos cache e.g. by logging out and in again
> > or use klist purge?
> > 
> > 
> > Markus
> > 
> > "Amos Jeffries"  wrote in message
> > news:704e36b3-4cd8-611c-0643-231c02045db6 at treenet.co.nz...
> > 
> > On 25/07/20 2:48 am, Klaus Brandl wrote:
> > > Sorry, I did not find this script, and the binary is not available on our
> > > product, because I'm no developer...
> > 
> > Darn. Okay that hinders testing a bit.
> > 
> > > But I think we have a caching problem here. I found out that the group
> > > information is only updated on a squid reconfigure.
> > > 
> > > And also the acl note group ... seems to be cached as long as squid is
> > > restarted completely. I removed the configured group from the user, but I
> > > could see this group still matching in the cache.log, also after a
> > > reconfigure, when the auth_helper does not tell about this group any more.
> > 
> > The groups are attached to credentials which are attached to the TCP
> > connection (TTL only as long as the connection is open) and a token
> > replay cache for up to authenticate_ttl directive time (default 1 hour).
> > 
> > Setting that TTL to something very short, eg:
> > 
> >   authenticate_ttl 10 seconds
> > 
> > ... and disabling connection keep-alive:
> > 
> >   client_persistent_connections off
> > 
> > ... should work around the cache for testing. At least on HTTP traffic.
> > HTTPS traffic goes through the proxy as a single tunnel request - so the
> > entire HTTPS session is just one request/response pair to Squid.
> > 
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> > 
> 
> Klaus
> 
> ---
> 
> genua GmbH
> Domagkstrasse 7, 85551 Kirchheim bei Muenchen
> tel +49 89 991950-0, fax -999, www.genua.de
> 
> Managing Directors: Matthias Ochs, Marc Tesch
> Munich District Court HRB 98238
> genua is a company of the Bundesdruckerei Group.
> 

