[squid-users] Re: Re: Re: squid_kerb_auth on mac os x

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 28 Jun 2008 12:19:41 +0100

Malte,

  are you saying it works now, because you used the AD flag or because you
increased the buffer? I would be curious if the buffer increase would fix
it. If it didn't fix it some buffers in squid need to be increased too (e.g.
in auth_negotiate.c).

Thank you
Markus

"Malte Schröder" <maltesch_at_gmx.de> wrote in message
news:20080628125353.0cb728c6_at_highlander.home.lan...
With Windows 2003 SP2 you can set a flag (I think in
UserAccountControl property) for the computer account that stops AD from
adding the group-information to the service-ticket. I found it
somewhere in their knowledgebase, but currently don't remember the
details.
I have been searching for quite some time because I had the same problem
with too large tickets. Now it's working.

On Fri, 27 Jun 2008 20:07:41 +0100
"Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

> Brian,
>
> the read buffer in squid_kerb_auth is 6400 which I think should be
> increased to 8192 the value used in squid for writing. The ticket is
> usually only that big for users which are members of hundreds of Windows
> Groups, which I have never seen before to be > 4k.
>
> Can you try to increase in the main function the buffer buf to 8192?
>
> Markus
>
>
> "Brian Kirk" <bekirk_at_gmail.com> wrote in message
> news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4_at_mail.gmail.com...
> > I am going through a similar nightmare in our environment, we
> > currently use NTLM auth and since we have over 6000 Internet users
> > this isn't very efficient. I can't get kerberos to work. I used the
> > ./squid_kerb_auth_test program to generate the blob, and it is over
> > 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> > going to have to alter squid_kerb_auth code or am I doing something
> > wrong to get that big of a blob?
> >
> > On 6/7/08, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> >> Find below a small test program to create a token. Run a kinit as a
> >> user
> >> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
> >>
> >> ./squid_kerb_auth_test opensuse.suse.home
> >> Token:
> >>
> >> Then set the keytab with export
> >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
> >> with
> >> YR as follows (in one line)
> >>
> >> ./squid_kerb_auth -d -i -s
> >> HTTP/opensuse.suse.home_at_SUSE.HOME
> >> YR
> >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA=='
> >> from squid (length: 691).
> >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
> >> rc=109
> >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> >> AF AA== markus_at_SUSE.HOME
> >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus_at_SUSE.HOME
> >> 2008/06/07 22:52:12| squid_kerb_auth: User markus_at_SUSE.HOME
> >> authenticated
> >>
> >>
> >> Regards
> >> Markus
> >>

-- 
---------------------------------------
Malte Schröder
MalteSch_at_gmx.de
ICQ# 68121508
---------------------------------------
Received on Sat Jun 28 2008 - 11:19:56 MDT
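
The buffer-size problem discussed in this thread, as an added example that is not part of the original messages or of the squid_kerb_auth source: a line-based helper that reads requests with `fgets` (an assumption about the input loop) should detect a request longer than its buffer and discard the remainder, otherwise the tail of the truncated token is parsed as a second request. `read_request` and `probe` are hypothetical names, the input is constructed, and the 6400 and 8192 sizes are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

#define HELPER_BUF 6400 /* helper read buffer size quoted in the thread */
#define SQUID_BUF  8192 /* size the thread says squid uses for writing */

/* Returns 0 for a complete line (newline stripped), 1 for a line longer than
 * the buffer (rest drained so the next read starts at the next request),
 * -1 on EOF. */
int read_request(FILE *in, char *buf, size_t cap)
{
    size_t n;
    int c;

    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    if (n < cap - 1 || (c = fgetc(in)) == EOF || c == '\n')
        return 0; /* short final line, or line filled the buffer exactly */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ; /* discard the rest of the over-long token */
    return 1;
}

/* Constructed input: a "YR" request with b64_len base64 characters, then a
 * short second request. Returns the first read's result, -2 on setup
 * failure, or -3 if the second read did not land on the second request. */
int probe(size_t b64_len, size_t cap)
{
    static char buf[SQUID_BUF];
    FILE *f = cap <= sizeof(buf) ? tmpfile() : NULL;
    int rc;

    if (f == NULL)
        return -2;
    fputs("YR ", f);
    while (b64_len-- > 0)
        fputc('A', f);
    fputs("\nYR QUJD\n", f);
    rewind(f);
    rc = read_request(f, buf, cap);
    if (read_request(f, buf, cap) != 0 || strcmp(buf, "YR QUJD") != 0)
        rc = -3; /* lost sync with the request stream */
    fclose(f);
    return rc;
}
```

A helper that gets result 1 should answer that request with an error rather than pass the truncated token to the GSSAPI calls.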
