[squid-users] squid kerberos auth, acl note group
Markus Moeller
huaraz at moeller.plus.com
Sat Jul 25 15:43:13 UTC 2020
Hi Klaus,
Is the group you added a security group? Only security groups are part
of the Kerberos ticket. Which authorisation helper do you use, or is this
just based on the auth helper output?
What do you see on the client? e.g. in PowerShell run whoami /groups
Did you clear the client Kerberos cache, e.g. by logging out and in again
or using klist purge?
Markus
"Amos Jeffries" wrote in message
news:704e36b3-4cd8-611c-0643-231c02045db6 at treenet.co.nz...
On 25/07/20 2:48 am, Klaus Brandl wrote:
> Sorry, I did not find this script, and the binary is not available on our
> product, because I'm no developer...
>
Darn. Okay that hinders testing a bit.
> But I think we have a caching problem here. I found out that the group
> information is only updated on a squid reconfigure.
>
> And also the acl note group ... seems to be cached as long as squid is
> restarted completely. I removed the configured group from the user, but I
> could see this group still matching in the cache.log, also after a
> reconfigure, when the auth_helper does not tell about this group any more.
>
The groups are attached to credentials which are attached to the TCP
connection (TTL only as long as the connection is open) and a token
replay cache for up to authenticate_ttl directive time (default 1 hour).
Setting that TTL to something very short, e.g.:
  authenticate_ttl 10 seconds
... and disabling connection keep-alive:
  client_persistent_connections off
... should work around the cache for testing. At least on HTTP traffic.
HTTPS traffic goes through the proxy as a single tunnel request - so the
entire HTTPS session is just one request/response pair to Squid.
Amos