On 26/11/2012 4:00 p.m., Eliezer Croitoru wrote:
You are using A dinosaur!!
Squid 2.6 dosnt have support for about 5 years.
what you should do is use a newer version of squid.
If you are using CentOS 5.5 you will have trouble finding RPM for this
version.
I dont think that my RPM will work on your old system.
But I created RPM for CentOS\RHEL 6.0 and FEDORA 16-17 that works on
CentOS 6.3 also at: http://repo.ngtech.co.il/rpm/
In your case that you are not intercepting traffic I would recommend
you to compile squid with basic configuration to fit your needs.
I am almost sure that there are RPMs of squi 3.1 for this version .
You can also try to copy only the helpers from a newer Version of
squid in case there was a bug 5 years ago.
Unfortunately that alone will not help in this case.
Back in 2.6 both the helper internal buffer and read logics Squid
received the helpers response into were set at 8KB long. Kerberos keys
can reach close to 64KB as seen here. So he will need to rebuild the
whole of Squid to extend this buffer size.
At which point ... it becomes better to rebuild newer sources and gain
all the bug fixes and security patches found over the last 5 years.
Amos
Regards,
Eliezer
On 11/26/2012 4:46 AM, John Xue wrote:
Sorry! This is my problem.
My problem is when ad user1 try to access internet through squid,
the squid_kerb_auth process is dead, then IE doesn't have any respond.
When I open debug, I can see these information:
2012/11/02 14:24:21| squid_kerb_auth: Got 'YR
YIIdSwYGKwYBBQUCoIIdPzCCHTugJDAiBgkq.........FF/cmFtd9bzIcFVddg9fuSHH0ZcR7rl1XDRRyMhngmtxhVozrWML4k/c2ejMSTSxrVks0Eb6JZ2UvrXDBfQh2ZQBKeckALc3vvVOt2BmujG+YZmPEDjkAzb/TQf68fpSHyvCU1IwSkYVmqetnYKjDWLqKTdJqtCwGc/8ZuOR3AxeDSaXrB1TcKtRFo47fzI/xf8avhPxR0Dp/k4ZmoUfvfOy5hqr0AN7e2b/BNHVKaxWADi/q'
from squid (length: *62163*).
2012/11/02 14:24:23| squid_kerb_auth: Decode
'YIIdSwYGKwYBBQUCoIIdPzCCHTugJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCHREEgh0NYIIdCQYJKoZIhvcSAQICAQBughz4MIIc9KADAgEFoQMCAQ6iBwMFACAAAACjghwcYYIcGDCCHBSgAwIBBaEQGw5TWi....PmsQeFF/cmFtd9bzIcFVddg9fuSHH0ZcR7rl1XDRRyMhngmtxhVozrWML4k/c2ejMSTSxrVks0Eb6JZ2UvrXDBfQh2ZQBKeckALc3vvVOt2BmujG+YZmPEDjkAzb/TQf68fpSHyvCU1IwSkYVmqetnYKjDWLqKTdJqtCwGc/8ZuOR3AxeDSaXrB1TcKtRFo47fzI/xf8avhPxR0Dp/k4ZmoUfvfOy5hqr0AN7e2b/BNHVKaxWADi/q'
(decoded length: *6141*).
2012/11/02 14:24:24| squid_kerb_auth: gss_accept_sec_context()
failed: Unspecified GSS failure. Minor code may provide more
information. *Token header is malformed or corrupt*
When user2 try to access in the same machine, everything is ok. So
I think the problem is user1 have a big kerberos token size.
My squid is:
Centos 5.5
kernel 2.6.18-194.el5PAE
Squid 2.6.STABLE21
squid_kerb_auth: 1.0.7
AD: Windows 2003
Client: Windows XP SP3 + IE8
Thank you!