Malte,
are you saying it works now because you used the AD flag or because you
increased the buffer? I would be curious if the buffer increase would fix
it. If it didn't fix it, some buffers in squid need to be increased too (e.g.
in auth_negotiate.c).
Thank you
Markus
"Malte Schröder" <maltesch@xxxxxx> wrote in message
news:20080628125353.0cb728c6@xxxxxxxxxxxxxxxxxxxxxx
With Windows 2003 SP2 you can set a flag (I think in
UserAccountControl property) for the computer account that stops AD from
adding the group-information to the service-ticket. I found it
somewhere in their knowledgebase, but currently don't remember the
details.
I have been searching for quite some time because I had the same problem
with too large tickets. Now it's working.
On Fri, 27 Jun 2008 20:07:41 +0100
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:
Brian,
the read buffer in squid_kerb_auth is 6400, which I think should be
increased to 8192, the value used in squid for writing. The ticket is
usually only that big for users who are members of hundreds of Windows
Groups, which I have never seen before to be > 4k.
Can you try to increase the buffer buf in the main function to 8192?
Markus
"Brian Kirk" <bekirk@xxxxxxxxx> wrote in message
news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4@xxxxxxxxxxxxxxxxx
> I am going through a similar nightmare in our environment, we
> currently use NTLM auth and since we have over 6000 Internet users
> this isn't very efficient. I can't get Kerberos to work. I used the
> ./squid_kerb_auth_test program to generate the blob, and it is over
> 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> going to have to alter squid_kerb_auth code or am I doing something
> wrong to get that big of a blob?
>
> On 6/7/08, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>> Find below a small test program to create a token. Run a kinit as a
>> user
>> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
>>
>> ./squid_kerb_auth_test opensuse.suse.home
>> Token:
>> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ==
>>
>> Then set the keytab with export
>> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
>> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
>> with
>> YR as follows (in one line)
>>
>> ./squid_kerb_auth -d -i -s
>> HTTP/opensuse.suse.home@xxxxxxxxx
>> YR <token as printed above>
>> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR <token as printed above>'
>> from squid (length: 691).
>> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
>> rc=109
>> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
>> AF AA== markus@xxxxxxxxx
>> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@xxxxxxxxx
>> 2008/06/07 22:52:12| squid_kerb_auth: User markus@xxxxxxxxx
>> authenticated
>>
>>
>> Regards
>> Markus
>>
--
---------------------------------------
Malte Schröder
MalteSch@xxxxxx
ICQ# 68121508
---------------------------------------
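
The buffer problem discussed in this thread, as an added example that is not part of the original messages and is not the squid_kerb_auth source: a fixed-size line reader that detects a request longer than its buffer and discards the remainder instead of treating the tail as a second request. The names `read_request`, `request_line_len` and `HELPER_BUF` are hypothetical; the 8192 size and the `YR ` prefix are taken from the thread.

```c
#include <stdio.h>
#include <string.h>

#define HELPER_BUF 8192 /* size proposed in the thread; 6400 was the old value */

/* Length of the request line for a token of token_bytes raw bytes:
 * "YR " prefix + base64 (4 chars per 3 bytes, padded) + newline. */
size_t request_line_len(size_t token_bytes)
{
    return 3 + 4 * ((token_bytes + 2) / 3) + 1;
}

/* Read one request line into buf.
 * Returns the line length without the newline, -1 at end of input, or
 * -2 when the line did not fit; the rest of that line is then discarded
 * so its tail is not mistaken for the next request. */
long read_request(FILE *in, char *buf, size_t bufsz)
{
    size_t len;
    int c;

    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (long)(len - 1);
    }
    c = getc(in);
    if (c == EOF)                 /* last line simply had no newline */
        return (long)len;
    while (c != '\n' && c != EOF) /* oversized: drain to end of line */
        c = getc(in);
    buf[0] = '\0';
    return -2;
}

int main(void)
{
    char buf[HELPER_BUF];
    long n;

    while ((n = read_request(stdin, buf, sizeof buf)) != -1) {
        if (n == -2)
            fprintf(stderr, "request longer than %d bytes, rejected\n", HELPER_BUF - 1);
        else
            fprintf(stderr, "got request of %ld bytes\n", n);
    }
    return 0;
}
```

Because base64 expands the ticket by a third, `request_line_len` shows that a ticket of about 3750 raw bytes already produces a line of more than 5000 characters, and one of 4800 bytes no longer fits a 6400-byte buffer.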