[squid-users] squid kerberos auth, acl note group

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 22 13:26:06 UTC 2020


On 23/07/20 12:53 am, Klaus Brandl wrote:
> On Thursday 23 July 2020 00:16:45 Amos Jeffries wrote:
>> On 22/07/20 8:59 pm, Klaus Brandl wrote:
>>> but I have compared the encoded string from the auth helper with the
>>> string at the Proxy-Authentication header from the client with tcpdump,
>>> and it's exactly the same:
>>>
>>> Proxy-Authorization: Negotiate
>>> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>>>
>>> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos
>>> /negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12|
>>> negotiate_kerberos_auth: DEBUG: Got 'YR
>>> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>>>
>>> On the Kerberos connection (port 88) I see only the service principal, so I
>>> am nearly sure these groups are from the client.
>>
>> Okay. If you run the helper manually on command line and pass that same
>> "YR ..." line Squid is delivering. How long is the result that comes back?
> 
> Thank you, I think you mean this:
> 
> DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC...
> 
> This is only 254 bytes.
> 



Ah. Sorry. I should have checked the protocol sequence, it has been a
while since last I played with these tokens.

For Kerberos there should be a test_negotiate_auth.sh script and
negotiate_kerberos_auth_test binary available for debugging these auth
details.

Run the test_negotiate_auth.sh with your Squid hostname as its
command line parameter.


Amos

