[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Eliezer Croitoru eliezer at ngtech.co.il
Sun Oct 19 22:50:49 UTC 2014



On 10/19/2014 10:32 AM, Victor Sudakov wrote:
> Hopefully I can interest our Windows admin to enable Kerberos
> event logging per KB262177.
> 
> But for the present I have found an ugly workaround. In squid's
> keytab, I created another principal called 'squiduser' with the
> same hex key and kvno as that of the principal
> 'HTTP/proxy.sibptus.transneft.ru.'
> 
> Of course this required running the squid authentication helper
> with the '-s GSS_C_NO_NAME' option.
> 
> And you know what? It works. Browsers are being authenticated all 
> right.
> 
> This means that the encrypted token is all right, and the problem
> was only in the principal name (it being different in the request
> and the received ticket). This is quite mysterious to me. Also,
> Heimdal error messages definitely suck.
> 
So you actually made it work!??

And about the basic issues that you were having with performance, does
it help to run Kerberos instead of NTLM (it should...)?

Eliezer

