Re: [squid-users] Re: Re: Re: squid_kerb_auth on mac os x

From: Malte Schröder <maltesch_at_gmx.de>
Date: Sat, 28 Jun 2008 16:29:01 +0200

I think at first I increased some buffers but hit a wall when the
Proxy-Authenticate header got too long. I don't remember the limit,
could have been something around 8k chars.

On Sat, 28 Jun 2008 12:19:41 +0100
"Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

> Malte,
>
> are you saying it works now, because you used the AD flag or because you
> increased the buffer ? I would be curious if the buffer increase would fix
> it. If it didn't fix it some buffers in squid need to be increased too (e.g.
> in auth_negotiate.c).
>
> Thank you
> Markus
>
>
> "Malte Schröder" <maltesch_at_gmx.de> wrote in message
> news:20080628125353.0cb728c6_at_highlander.home.lan...
> With Windows 2003 SP2 you can set a flag (I think in
> UserAccountControl property) for the computer account that stops AD from
> adding the group-information to the service-ticket. I found it
> somewhere in their knowledgebase, but currently don't remember the
> details.
> I have been searching for quite some time because I had the same problem
> with too large tickets. Now it's working.
>
>
>
> On Fri, 27 Jun 2008 20:07:41 +0100
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:
>
> > Brian,
> >
> > the read buffer in squid_kerb_auth is 6400 which I think should be
> > increased to 8192 the value used in squid for writing. The ticket is
> > usually only that big for users which are members of hundreds of Windows
> > Groups, which I have never seen before to be > 4k.
> >
> > Can you try to increase in the main function the buffer buf to 8192 ?
> >
> > Markus
> >
> >
> > "Brian Kirk" <bekirk_at_gmail.com> wrote in message
> > news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4_at_mail.gmail.com...
> > > I am going through a similar nightmare in our environment, we
> > > currently use NTLM auth and since we have over 6000 Internet users
> > > this isn't very efficient. I can't get kerberos to work. I used the
> > > ./squid_kerb_auth_test program to generate the blob, and it is over
> > > 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> > > going to have to alter squid_kerb_auth code or am I doing something
> > > wrong to get that big of a blob?
> > >
> > > On 6/7/08, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> > >> Find below a small test program to create a token. Run a kinit as a
> > >> user
> > >> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
> > >>
> > >> ./squid_kerb_auth_test opensuse.suse.home
> > >> Token:
> > >>
> > >> Then set the keytab with export
> > >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> > >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
> > >> with
> > >> YR as follows (in one line)
> > >>
> > >> ./squid_kerb_auth -d -i -s
> > >> HTTP/opensuse.suse.home_at_SUSE.HOME
> > >> YR
> > >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> > >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA=='
> > >> from squid (length: 691).
> > >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
> > >> rc=109
> > >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> > >> AF AA== markus_at_SUSE.HOME
> > >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus_at_SUSE.HOME
> > >> 2008/06/07 22:52:12| squid_kerb_auth: User markus_at_SUSE.HOME
> > >> authenticated
> > >>
> > >>
> > >> Regards
> > >> Markus
> > >>

-- 
---------------------------------------
Malte Schröder
MalteSch_at_gmx.de
ICQ# 68121508
---------------------------------------

Received on Sat Jun 28 2008 - 14:29:10 MDT
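
Added example, not part of the original thread and not squid_kerb_auth's own code: a sketch of a line reader for "YR <token>" requests that reports a line too long for its fixed buffer instead of passing on a truncated token, using the sizes mentioned in the thread (a 5000-character blob, 4096 and 8192 byte buffers). The names read_helper_line, check_request and request_len are hypothetical, and the input is constructed filler, not a real ticket.

```c
#include <stdio.h>
enum line_status { LINE_OK, LINE_OVERSIZED, LINE_EOF };

/* Length of a "YR <base64>" request line, newline excluded. */
size_t request_len(size_t raw) { return 3 + 4 * ((raw + 2) / 3); }

/* Hypothetical reader: an oversized line is drained and reported, so a
 * truncated token is never decoded and its tail is not read as a new request. */
enum line_status read_helper_line(FILE *in, char *buf, size_t size, size_t *len)
{
    int c = fgetc(in), extra = 0;
    size_t n = 0;
    if (c == EOF)
        return LINE_EOF;
    for (; c != EOF && c != '\n'; c = fgetc(in)) {
        if (n + 1 < size)
            buf[n++] = (char)c;
        else
            extra = 1;          /* no room: drop the byte, keep draining */
    }
    buf[n] = '\0';
    *len = n;
    return extra ? LINE_OVERSIZED : LINE_OK;
}

/* Constructed input: "YR " + token_chars filler characters + newline. */
enum line_status check_request(size_t token_chars, size_t bufsize)
{
    char buf[8192];             /* bufsize must not exceed this */
    size_t len;
    enum line_status st;
    FILE *f = bufsize <= sizeof buf ? tmpfile() : NULL;
    if (f == NULL)
        return LINE_EOF;
    fputs("YR ", f);
    while (token_chars-- > 0)
        fputc('A', f);
    fputc('\n', f);
    rewind(f);
    st = read_helper_line(f, buf, bufsize, &len);
    fclose(f);
    return st;
}

int main(void)
{
    printf("%d %d\n", (int)check_request(5000, 4096), (int)check_request(5000, 8192));
    return 0;
}
```

request_len(514) gives 691, the length logged for the 514-byte sample token in the quoted debug output.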
