[squid-users] squid kerberos auth, acl note group
Klaus Brandl
klaus_brandl at genua.de
Tue Jul 21 14:41:40 UTC 2020
Hi there,
we have a problem with the squid kerberos auth helper and the note acl
matching user groups in an Active Directory.
First the user was in one group, which was configured via the groupSid base64
string as a note acl, and this was working very well.
Then a new group was added to the user, and the note acl was changed to
this new groupSid string, but now this group is not matching. We also do not
see this group string in the debug output from the auth helper, which looks like this:
/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==
group=AQEAAAAAABIBAAAA
The config is like this:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -d -s GSS_C_NO_NAME
auth_param negotiate children 100
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
http_access allow authenticated surfen
http_access deny all
Any idea what the problem could be?
Where do these groups in the debug output come from: are they from the decoded
authentication token from the client, or from the Kerberos connection to the
domain controller?
And why does the last group string look truncated?
Thanks for your help!
Regards
Klaus
---
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
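Decoding the helper's group values, as an added example that is not part of the original post or of Squid's own code: the group= values the helper logs are binary Windows SIDs in base64, and the note acl compares them as strings, so decoding them to S-1-... form shows which group RIDs the helper actually received and whether the configured acl value is among them. The script below uses only the group strings from the quoted debug output and the acl value from the quoted config; the SID layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) is the documented format, and no other data is assumed. It also shows that the short final entry is a complete single-sub-authority well-known SID (S-1-18-1), not a truncated domain SID.

```python
import base64
import struct

# Group values as logged by negotiate_kerberos_auth in the quoted debug output
# (copied from the post, not constructed).
HELPER_GROUPS = [
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==",
    "AQEAAAAAABIBAAAA",
]

# Value from the quoted "acl surfen note group ..." line.
ACL_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="


def decode_sid(b64: str) -> str:
    """Decode a base64-encoded binary SID into S-R-I-S-... text form.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count sub-authorities
    (4 bytes each, little-endian). Length is checked so a truly truncated
    value raises instead of producing a plausible-looking SID.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes for {count} "
                         f"sub-authorities, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_domain_rid(sid: str):
    """Split S-1-5-21-a-b-c-rid into (domain SID, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_acl_group(acl_b64: str, helper_b64s: list) -> dict:
    """Report whether the acl value is among the groups the helper saw,
    and which RIDs of the acl value's domain it did see."""
    want = decode_sid(acl_b64)
    seen = [decode_sid(g) for g in helper_b64s]
    want_domain, want_rid = split_domain_rid(want)
    prefix = want_domain + "-"
    return {
        "acl_sid": want,
        "acl_rid": want_rid,
        "matched": want in seen,
        "rids_in_same_domain": sorted(split_domain_rid(s)[1]
                                      for s in seen if s.startswith(prefix)),
        "other_sids": [s for s in seen if not s.startswith(prefix)],
    }


if __name__ == "__main__":
    for g in HELPER_GROUPS:
        print(f"{g:44s} -> {decode_sid(g)}")
    for key, value in find_acl_group(ACL_GROUP, HELPER_GROUPS).items():
        print(f"{key}: {value}")
```

Running it lists the 17 domain-group RIDs the helper received plus S-1-18-1, and reports that the RID configured in the acl (40345) is not among them, which is exactly the "not matching" symptom: the note acl can only match a value the helper actually emitted, so the place to look is why that group is missing from what the helper sees, not the acl syntax.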