[squid-users] squid kerberos auth, acl note group

Klaus Brandl klaus_brandl at genua.de
Wed Jul 22 08:59:41 UTC 2020


On Tuesday 21 July 2020 14:21:46 Alex Rousskov wrote:
> On 7/21/20 10:41 AM, Klaus Brandl wrote:
> > we have a problem with the squid kerberos auth helper and the note acl
> > matching to user groups in an active directory.
> > First the user was in one group, which was configured via the groupSid
> > base64 string as a note acl, and this was working very well.
> > Then a new group was added to the user, and the note acl was changed
> > to this new groupSid string, but now this group does not match. We also
> > do not see this group string in the debug output from the auth helper,
> > which looks like this:
> If the helper is not returning the new groupSid to Squid then the note
> ACL using that new groupSid should not match. Unfortunately, I do not
> know enough about that helper to tell you why it does not tell Squid
> about the new group.
> 
> > /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==
> > group=AQEAAAAAABIBAAAA
> > 
> > The config is like this:
> > 
> > auth_param negotiate program
> > /usr/local/libexec/squid/negotiate_kerberos_auth \
> > -i -d -s GSS_C_NO_NAME
> > auth_param negotiate children 100
> > auth_param negotiate keep_alive on
> > acl authenticated proxy_auth REQUIRED
> > acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
> > http_access allow authenticated surfen
> > http_access deny all
> > 
> > Any idea what the problem could be?
> > Where are these groups from in the debug output? Are they from the decoded
> > authentication token from the client, or from the kerberos connection to
> > the domain controller?
> 
> The group membership info should be coming from the authentication
> service, not the client.

But I have compared the encoded string from the auth helper with the string in 
the Proxy-Authentication header from the client with tcpdump, and it's exactly 
the same:

Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): 
pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR 
YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

On the Kerberos connection (port 88) I see only the service principal, so I am 
nearly sure these groups are from the client.

> 
> > And why does the last group string look truncated?
> 
> I could not find the source of the debug() function used by the helper,
> but I would not be surprised if that function has a fixed buffer that
> does not accommodate all the groups. It is also possible that there is
> not enough space in the helper buffers to store the actual groups -- I
> cannot tell whether that is the case from the debugging output you
> shared (and the source code has many conditional branches that allocate
> this space differently based on various factors AFAICT).
> 
> A local developer or a very capable local admin should be able to answer
> this question by studying (and possibly adding more) helper debugging.
> 
> 
> Please also note that there are a couple of possibly related known bugs:
> 
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
> 
> Alex.

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
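Added example from the editor, not code from the thread or from Squid: it decodes the base64 group= values that negotiate_kerberos_auth prints with -d into textual SID form, checks each blob's length against its own sub-authority count (so a cut-off value is reported rather than silently mis-decoded), and performs the exact string comparison that `acl ... note group <value>` is assumed to do. The sample values are copied from the debug output and squid.conf above; TRUNCATED_EXAMPLE is constructed.

```python
import base64
import binascii
import struct

# Sample values copied from the helper debug output and the squid.conf in the
# thread above; TRUNCATED_EXAMPLE is constructed (a blob cut after 15 bytes).
HELPER_GROUPS = [
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==",
    "AQEAAAAAABIBAAAA",
]
ACL_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="   # from 'acl surfen note group ...'
TRUNCATED_EXAMPLE = "AQUAAAAAAAUVAAAAMq9N"                # constructed, not from the thread


def decode_sid(b64):
    """Turn a base64 binary SID into 'S-<rev>-<authority>-<sub>-...'.

    Layout (MS-DTYP): revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 32-bit
    little-endian sub-authorities.  Returns None when the blob does not
    decode or its length disagrees with its own sub-authority count.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    if len(raw) < 8:
        return None
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        return None  # truncated or overlong blob
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid(sid_text):
    """Relative identifier: the last sub-authority of a textual SID."""
    return int(sid_text.rsplit("-", 1)[1])


def acl_matches(acl_value, helper_groups):
    """Assumed behaviour of 'acl <name> note group <value>' with Squid's default
    exact-match comparison: the configured value must equal one of the group=
    annotations the helper returned for this request."""
    return acl_value in helper_groups


if __name__ == "__main__":
    for g in HELPER_GROUPS + [ACL_GROUP, TRUNCATED_EXAMPLE]:
        print("%-44s -> %s" % (g, decode_sid(g) or "MALFORMED/TRUNCATED"))
    print("ACL group returned by helper:", acl_matches(ACL_GROUP, HELPER_GROUPS))
```

Run it against the full group list from the debug output to see which SIDs the helper actually returned and whether any of them fail the length check.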
