Re: Re: Re: Re: squid_kerb_auth on mac os x


I think at first I increased some buffers but hit a wall when the
Proxy-Authenticate header got too long. I don't remember the limit,
could have been something around 8k chars.


On Sat, 28 Jun 2008 12:19:41 +0100
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:

> Malte,
> 
>   are you saying it works now, because you used the AD flag or because you 
> increased the buffer ? I would be curious if the buffer increase would fix 
> it. If it didn't fix it some buffers in squid need to be increased too (e.g. 
> in auth_negotiate.c).
> 
> Thank you
> Markus
> 
> 
> "Malte Schröder" <maltesch@xxxxxx> wrote in message 
> news:20080628125353.0cb728c6@xxxxxxxxxxxxxxxxxxxxxx
> With Windows 2003 SP2 you can set a flag (I think in
> UserAccountControl property) for the computer account that stops AD from
> adding the group-information to the service-ticket. I found it
> somewhere in their knowledgebase, but currently don't remember the
> details.
> I have been searching for quite some time because I had the same problem
> with too large tickets. Now it's working.
> 
> 
> 
> On Fri, 27 Jun 2008 20:07:41 +0100
> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:
> 
> > Brian,
> >
> >  the read buffer in squid_kerb_auth is 6400 which I think should be
> > increased to 8192 the value used in squid for writing.  The ticket is
> > usually only that big for users which are members of hundreds of Windows
> > Groups, which I have never seen before to be > 4k.
> >
> > Can you try to increase in the main function the buffer buf to 8192 ?
> >
> > Markus
> >
> >
> > "Brian Kirk" <bekirk@xxxxxxxxx> wrote in message
> > news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4@xxxxxxxxxxxxxxxxx
> > >I am going through a similar nightmare in our environment,  we
> > > currently use NTLM auth and since we have over 6000 Internet users
> > > this isn't very efficient. I can't get kerberos to work.  I used the
> > > ./squid_kerb_auth_test program to generate the blob, and it is over
> > > 5000 characters long.  The squid_kerb_auth seems limited to 4096, am I
> > > going to have to alter squid_kerb_auth code or am I doing something
> > > wrong to get that big of a blob?
> > >
> > > On 6/7/08, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> > >> Find below a small test program to create a token.  Run a kinit as a user
> > >> and then ./squid_kerb_auth_test  proxy_fqdn. It creates a token like:
> > >>
> > >> ./squid_kerb_auth_test opensuse.suse.home
> > >> Token:
> > >> 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
> > >>
> > >> Then set the keytab with  export
> > >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> > >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
> > >> with
> > >> YR as follows (in one line)
> > >>
> > >> ./squid_kerb_auth -d -i -s
> > >> HTTP/opensuse.suse.home@xxxxxxxxx
> > >> YR
> > >> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==
> > >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> > >> 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'
> > >> from squid (length: 691).
> > >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
> > >> rc=109
> > >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> > >> AF AA== markus@xxxxxxxxx
> > >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@xxxxxxxxx
> > >> 2008/06/07 22:52:12| squid_kerb_auth: User markus@xxxxxxxxx 
> > >> authenticated
> > >>
> > >>
> > >> Regards
> > >> Markus
> > >>


-- 
---------------------------------------
Malte Schröder
MalteSch@xxxxxx
ICQ# 68121508
---------------------------------------

Attachment: signature.asc
Description: PGP signature
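
Added example, not part of the thread and not taken from the squid_kerb_auth source: when a helper reads requests with a fixed-size `fgets` buffer, a token longer than the buffer is split and its tail is read as a second request. The sketch below detects the over-long line, discards the remainder and reports it. The names `read_request`, `MAX_LINE` and the `REQ_*` codes are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 8192   /* buffer size suggested in the thread */

enum { REQ_OK, REQ_EOF, REQ_TOO_LONG };

/* Read one request line from `in` into buf[cap], newline stripped.
 * If the line does not fit, discard the remainder up to the newline so
 * that the tail of the token is never parsed as a separate request. */
int read_request(FILE *in, char *buf, size_t cap)
{
    size_t len, extra = 0;
    int c;

    if (fgets(buf, (int)cap, in) == NULL)
        return REQ_EOF;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return REQ_OK;
    }
    /* No newline stored: buffer is full or input ended. Drain the rest. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra++;
    return extra == 0 ? REQ_OK : REQ_TOO_LONG;
}

int main(void)
{
    char buf[MAX_LINE];
    int rc;

    while ((rc = read_request(stdin, buf, sizeof buf)) != REQ_EOF) {
        if (rc == REQ_TOO_LONG) {
            /* "BH" is Squid's helper reply for an internal helper error. */
            printf("BH request longer than %d bytes\n", MAX_LINE - 1);
        } else {
            /* A real helper would base64-decode and validate the token here. */
            fprintf(stderr, "request ok, %zu bytes\n", strlen(buf));
        }
        fflush(stdout);
    }
    return 0;
}
```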

