[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 21 05:40:20 UTC 2014


Eliezer Croitoru wrote:
> > Hopefully I can interest our Windows admin to enable Kerberos
> > event logging per KB262177.
> > 
> > But for the present I have found an ugly workaround. In squid's
> > keytab, I created another principal called 'squiduser' with the
> > same hex key and kvno as that of the principal
> > 'HTTP/proxy.sibptus.transneft.ru.'
> > 
> > Of course this required running the squid authentication helper
> > with the '-s GSS_C_NO_NAME' option.
> > 
> > And you know what? It works. Browsers are being authenticated all 
> > right.
> > 
> > This means that the encrypted token is all right, and the problem
> > was only in the principal name (it being different in the request
> > and the received ticket). This is quite mysterious to me. Also,
> > Heimdal error messages definitely suck.
> > 
> So you actually made it work!??

Yes, I have.

> 
> And about the basic issues that you were having with performance, does
> it help to run Kerberos instead of NTLM (it should...)?

The performance is still poor, much worse than that of squid27 with
the NTLM authenticator.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
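An added example, not part of the original message and not Squid or Heimdal code: a small Python reader for the keytab file format (version 0x0502) that reports principals stored with the same key, enctype and kvno, which is the state the workaround in this message creates. The realm EXAMPLE.COM, the key bytes, the kvno values and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def _counted(buf, off):
    # uint16 length-prefixed byte string -> (bytes, offset after it)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode())
    # name type, timestamp, 8-bit kvno, key enctype (11 bytes, big-endian)
    _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", buf, off)
    key, off = _counted(buf, off + 11)
    if len(buf) - off >= 4:                      # optional 32-bit kvno
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return "/".join(comps) + "@" + realm.decode(), kvno, enctype, key

def parse_keytab(data):
    # yields (principal, kvno, enctype, key) for each live entry
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            yield _parse_entry(data[pos:pos + size])
        pos += abs(size)                         # negative size = deleted slot

def shared_keys(entries):
    # group principals by (enctype, kvno, key); report groups with >1 name
    groups = defaultdict(set)
    for princ, kvno, enctype, key in entries:
        groups[(enctype, kvno, key)].add(princ)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def _build(comps, kvno, key, realm=b"EXAMPLE.COM", enctype=18):
    # builds one constructed entry; realm and key bytes are made up
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02"                            # constructed keytab, not real keys
          + _build([b"HTTP", b"proxy.sibptus.transneft.ru"], 3, bytes(range(32)))
          + _build([b"squiduser"], 3, bytes(range(32)))
          + _build([b"host", b"proxy.sibptus.transneft.ru"], 1, bytes(32)))
```

Running `shared_keys(parse_keytab(open(path, "rb").read()))` against a real keytab lists every set of names that would decrypt the same ticket, which is worth checking before leaving a helper on `-s GSS_C_NO_NAME`.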

