[squid-users] squid kerberos auth, acl note group
Amos Jeffries
squid3 at treenet.co.nz
Wed Jul 22 12:16:45 UTC 2020
On 22/07/20 8:59 pm, Klaus Brandl wrote:
>
> but i have compared the encoded string from the auth helper with the string at
> the Proxy-Authentication header from the client with tcpdump, and it's exactly
> the same:
>
> Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>
> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612):
> pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR
> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>
> On the kerberos connection(port 88) i see only the service prinzipal, so i am
> nearly sure, this groups are from the client.
>
Okay. If you run the helper manually on command line and pass that same
"YR ..." line Squid is delivering. How long is the result that comes back?
The helper I/O buffer is 32KB in current Squid. The above test will show
how large it needs to be for your network. Unfortunately changes to this
buffer do need a patch.
Amos
More information about the squid-users
mailing list