[squid-users] squid kerberos auth, acl note group

Markus Moeller huaraz at moeller.plus.com
Sat Jul 25 15:43:13 UTC 2020


Hi Klaus,

    Is the group you added a security group ?  Only security groups are part 
of the Kerberos ticket.  Which authorisation helper do you use or is this 
just based on the auth helper output ?

    What do you see on the client ?  e.g. in powershell run whoami /groups

    Did you clear the client Kerberos cache e.g. by login out and in again 
or use klist purge ?


Markus

"Amos Jeffries"  wrote in message 
news:704e36b3-4cd8-611c-0643-231c02045db6 at treenet.co.nz...

On 25/07/20 2:48 am, Klaus Brandl wrote:
> sorry, i did not found this script, and the binary is not available on our
> product, because i'm no developer...
>

Darn. Okay that hinders testing a bit.

> But i think, we have a caching problem here, i found out, that the group
> informations are only updated on a squid reconfigure.
>
> And also the acl note group ... seems to be cached as long as squid is
> restarted completely. I removed the configured group from the user, but i 
> could
> see this group still maching in the cache.log, also after a reconfigure, 
> when
> the auth_helper does not tell about this group any more.
>

The groups are attached to credentials which are attached to the TCP
connection (TTL only as long as the connection is open) and a token
replay cache for up to authenticate_ttl directive time (default 1 hour).

Setting that TTL to something very short, eg:

  authenticate_ttl 10 seconds

... and disabling connection keep-alive:

  client_persistent_connections off

... should work around the cache for testing. At least on HTTP traffic.
HTTPS traffic goes through the proxy as a single tunnel request - so the
entire HTTPS session is just one request/response pair to Squid.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 




More information about the squid-users mailing list