Re: [squid-users] Kerberos / Authentication / squid from Madhav V Diwan on 2013-11-27 (squid-users)

From: Madhav V Diwan <mdiwan_at_diwanconsulting.com>
Date: Wed, 27 Nov 2013 12:41:39 -0500

Berthold

if you look in

squid-3.3.10/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc

the define states

#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN 65535
#endif

which makes it look as if it is probably not squid's helper app that has
the issue .. default WINDOWS token size is somewhere in windows registry
set at 12000

you should make certain that you have changed the windows registry value
to 65535 in Decimal or FFFFF in Hex in your windows server registry

if using an AD farm you will have to do it to every AD Domain
Controller- manually

-----Original Message-----
From: Berthold Zettler <zettler.berthold_at_gmx.de>
To: squid-users_at_squid-cache.org
Subject: [squid-users] Kerberos / Authentication / squid
Date: Wed, 27 Nov 2013 13:41:09 +0100 (CET)

Hello to all,

we are using squid as a authentication proxy with kerberos/ldap-helpers.
This works fine, but (few) users can't be authenticated by the squid (kerberos-helper).

Further investigation are showing a possible relationship to the tokensize (computed with the MS-Tool tokensz.exe) of these users.

Our squid (Version 3.3.10) has been compiled with the following options:

-->
--disable-strict-error-checking' '--with-build-environment=default' '--prefix=/opt/squid-cit' '--enable-storeio=aufs,diskd,ufs' '--enable-internal-dns' '--enable-auth' '--enable-auth-negotiate=kerberos' '--enable-auth-basic=LDAP' '--enable-external-acl-helpers=LDAP_group,kerberos_ldap_group' '--with-maxfd=16384' '--enable-delay-pools' '--with-aufs-threads=30' '--with-large-files' '--enable-ssl'
<--

The OS is a SLES 11 SP1 (Kernel Version 2.6.32.54-0.3-default).

How to reproduce the error:

No Access:
When the user is member of many groups in the AD (ActiceDirectory), we see, that he has no access to the webserver. If if we start the helper (negotiate_kerberos_auth) with -d, we have no additional info in the cache.log. We had to enable debugging (squid -k debug) to see some information. In this case the tokensize was 27332.

Access:
If the same user reduces his number of groups (tokensize 12252), he can access the website.

What can be done to debug/solve this problem?

Berthold
Received on Wed Nov 27 2013 - 17:41:44 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 28 2013 - 12:00:06 MST