[squid-users] squid kerberos auth, acl note group

Klaus Brandl klaus_brandl at genua.de
Wed Jul 22 12:53:14 UTC 2020


On Thursday 23 July 2020 00:16:45 Amos Jeffries wrote:
> On 22/07/20 8:59 pm, Klaus Brandl wrote:
> > but I have compared the encoded string from the auth helper with the
> > string at the Proxy-Authentication header from the client with tcpdump,
> > and it's exactly the same:
> > 
> > Proxy-Authorization: Negotiate
> > YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
> > 
> > /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos
> > /negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12|
> > negotiate_kerberos_auth: DEBUG: Got 'YR
> > YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
> > 
> > On the Kerberos connection (port 88) I see only the service principal, so I
> > am nearly sure these groups are from the client.
> 
> Okay. If you run the helper manually on the command line and pass that same
> "YR ..." line Squid is delivering, how long is the result that comes back?

Thank you, I think you mean this:

DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC...

This is only 254 bytes.

> 
> The helper I/O buffer is 32KB in current Squid. The above test will show
> how large it needs to be for your network. Unfortunately changes to this
> buffer do need a patch.
> 
> 
> Amos

Klaus
---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Managing directors: Matthias Ochs, Marc Tesch
Munich District Court, HRB 98238
genua is a company of the Bundesdruckerei Group.
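
An added example, not part of the original thread or of Squid's code: the outer ASN.1 DER header at the start of a Negotiate token declares the token's full size, so the length of the "YR ..." helper line can be estimated from a truncated capture and compared with the 32KB helper buffer mentioned above. The two sample strings are the truncated prefixes visible in the messages; the function names are hypothetical, and the code assumes the prefix contains the complete outer DER header.

```python
import base64

HELPER_BUFFER = 32 * 1024  # helper I/O buffer size stated in the thread

# Truncated prefixes as they appear in the messages above (not full tokens).
CLIENT_TOKEN_PREFIX = "YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB"
HELPER_REPLY_PREFIX = "oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC"


def der_total_length(prefix_b64):
    """Total size in bytes declared by the outer DER tag/length header."""
    usable = prefix_b64[: len(prefix_b64) // 4 * 4]  # whole base64 quanta only
    raw = base64.b64decode(usable)
    if len(raw) < 2:
        raise ValueError("need at least the tag and first length octet")
    first = raw[1]
    if first < 0x80:                      # short form: length is in this octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(raw) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def helper_line_length(prefix_b64, command="YR"):
    """Bytes Squid would write to the helper: '<command> <base64 token>\\n'."""
    raw_len = der_total_length(prefix_b64)
    b64_len = (raw_len + 2) // 3 * 4      # padded base64 size of the full token
    return len(command) + 1 + b64_len + 1


def fits_buffer(prefix_b64, limit=HELPER_BUFFER):
    """True when the estimated helper line fits in the helper I/O buffer."""
    return helper_line_length(prefix_b64) <= limit


if __name__ == "__main__":
    for name, prefix in (("client token", CLIENT_TOKEN_PREFIX),
                         ("helper reply", HELPER_REPLY_PREFIX)):
        print(name, der_total_length(prefix), "bytes of DER")
    print("YR line:", helper_line_length(CLIENT_TOKEN_PREFIX), "bytes,",
          "fits" if fits_buffer(CLIENT_TOKEN_PREFIX) else "exceeds buffer")
```
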

