I think at first I increased some buffers but hit a wall when the
Proxy-Authenticate header got too long. I don't remember the limit,
could have been something around 8k chars.

On Sat, 28 Jun 2008 12:19:41 +0100
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:

> Malte,
>
> are you saying it works now, because you used the AD flag or because you
> increased the buffer ? I would be curious if the buffer increase would fix
> it. If it didn't fix it some buffers in squid need to be increased too (e.g.
> in auth_negotiate.c).
>
> Thank you
> Markus
>
>
> "Malte Schröder" <maltesch@xxxxxx> wrote in message
> news:20080628125353.0cb728c6@xxxxxxxxxxxxxxxxxxxxxx
> With Windows 2003 SP2 you can set a flag (I think in
> UserAccountControl property) for the computer account that stops AD from
> adding the group-information to the service-ticket. I found it
> somewhere in their knowledgebase, but currently don't remember the
> details.
> I have been searching for quite some time because I had the same problem
> with too large tickets. Now it's working.
>
>
>
> On Fri, 27 Jun 2008 20:07:41 +0100
> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:
>
> > Brian,
> >
> > the read buffer in squid_kerb_auth is 6400 which I think should be
> > increased to 8192 the value used in squid for writing. The ticket is
> > usually only that big for users which are members of hundreds of Windows
> > Groups, which I have never seen before to be > 4k.
> >
> > Can you try to increase in the main function the buffer buf to 8192 ?
> >
> > Markus
> >
> >
> > "Brian Kirk" <bekirk@xxxxxxxxx> wrote in message
> > news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4@xxxxxxxxxxxxxxxxx
> > >I am going through a similar nightmare in our environment, we
> > > currently use NTLM auth and since we have over 6000 Internet users
> > > this isn't very efficient. I can't get kerberos to work. I used the
> > > ./squid_kerb_auth_test program to generate the blob, and it is over
> > > 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> > > going to have to alter squid_kerb_auth code or am I doing something
> > > wrong to get that big of a blob?
> > >
> > > On 6/7/08, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> > >> Find below a small test program to create a token. Run a kinit as a
> > >> user
> > >> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
> > >>
> > >> ./squid_kerb_auth_test opensuse.suse.home
> > >> Token:
> > >> 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
> > >>
> > >> Then set the keytab with export
> > >> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> > >> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
> > >> with
> > >> YR as follows (in one line)
> > >>
> > >> ./squid_kerb_auth -d -i -s
> > >> HTTP/opensuse.suse.home@xxxxxxxxx
> > >> YR
> > >> 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
> > >> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> > >> 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'
> > >> from squid (length: 691).
> > >> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
> > >> rc=109
> > >> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> > >> AF AA== markus@xxxxxxxxx
> > >> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@xxxxxxxxx
> > >> 2008/06/07 22:52:12| squid_kerb_auth: User markus@xxxxxxxxx
> > >> authenticated
> > >>
> > >>
> > >> Regards
> > >> Markus
> > >>

--
---------------------------------------
Malte Schröder
MalteSch@xxxxxx
ICQ# 68121508
---------------------------------------
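The buffer limit discussed in this thread, as an added C example that is not part of any message above and is not squid_kerb_auth's own code: it sizes a "YR <base64 token>" request against a fixed read buffer and shows a line reader that rejects an oversized request instead of letting the leftover bytes be parsed as a second request. The function names are hypothetical; the sizes 4096, 6400 and 8192 are the ones mentioned in the thread.

```c
/* Added illustration, not squid_kerb_auth source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define HELPER_BUF 8192  /* size suggested in the thread; 6400 was the old value */

/* Base64 length (no line breaks) of a raw token of n bytes. */
size_t b64_len(size_t n) { return 4 * ((n + 2) / 3); }

/* Does "YR <base64 token>\n" plus the terminating NUL fit in cap bytes? */
int request_fits(size_t raw_token_len, size_t cap)
{
    return 3 + b64_len(raw_token_len) + 1 + 1 <= cap;
}

/*
 * Read one request line into buf. Returns its length without the newline,
 * -1 at end of input, or -2 if the line did not fit. An oversized line is
 * drained to its newline so the leftover is not parsed as a new request.
 */
long read_request(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (long)(len - 1);
    }
    if (feof(in))
        return (long)len;  /* last line without a trailing newline */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return -2;
}

int main(void)
{
    char buf[HELPER_BUF];
    long n;
    while ((n = read_request(stdin, buf, sizeof buf)) != -1) {
        if (n == -2)
            puts("BH request too long for helper buffer"); /* BH: helper failure reply */
        else
            printf("read %ld bytes\n", n);
    }
    return 0;
}
```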