On 17/07/18 14:20, Victor Sudakov wrote:
> Dear Colleagues,
>
> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> with Kerberos authentication.
>
> A user complained about being denied access. The strange things are that:
>
> 1. There was only one such user, others seemed to be authenticating
> properly (or just did not complain).
>
> 2. The user seemed authenticated but still was denied (!), a sample access.log entry:
>
> 1531737712.384 7 212.73.124.190 TCP_DENIED/403 9976 GET http://yandex.ru/zzzzzzzzzzzz user@xxxxxx HIER_NONE/- text/html
>
> The user tried different browsers on different hosts, with the same result.
>
> After downgrading to Squid 3.5.27 all went well again.
>
> Sorry I cannot provide more debugging info at present, I had to
> downgrade my two production Squids ASAP.
>
> Was there any major change between Squid 3 and 4 in the way
> Negotiate/Kerberos works?
>

The biggest change is that bundled Kerberos auth helpers are now using
the newer v3.4+ helper protocol. That prevents some malformations of
Unicode and whitespace characters in the username or password which
Squid-3 might have been ignoring when it should have rejected.

You may need to check both what you have on record in your AD/LDAP and
what the affected user thinks they need to enter.

There is also the less likely possibility that other non-auth ACLs are
rejecting the request for completely unrelated reasons.

For completeness, there are some other changes, but those seem
irrelevant to your case.

Amos
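A triage sketch for the situation in this thread, added here as an example and not part of either message: it reads Squid's native access.log format (the layout of the sample entry quoted above) and lists users who have a username logged yet receive only TCP_DENIED/403, kept apart from anonymous TCP_DENIED/407 challenges. The sample lines, user names and addresses are constructed.

```python
import re
from collections import defaultdict

# Squid native log: time elapsed client code/status bytes method URL user hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample input (not taken from the thread).
SAMPLE = """\
1531737700.101 12 192.0.2.10 TCP_DENIED/407 4120 GET http://example.com/ - HIER_NONE/- text/html
1531737700.250 88 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ alice@EXAMPLE.ORG HIER_DIRECT/198.51.100.7 text/html
1531737712.384 7 192.0.2.20 TCP_DENIED/403 9976 GET http://example.com/a bob@EXAMPLE.ORG HIER_NONE/- text/html
1531737713.002 6 192.0.2.21 TCP_DENIED/403 9976 GET http://example.com/b bob@EXAMPLE.ORG HIER_NONE/- text/html
1531737714.500 40 192.0.2.11 TCP_MISS/200 900 GET http://example.com/c alice@EXAMPLE.ORG HIER_DIRECT/198.51.100.7 text/html
""".splitlines()

def summarize(lines):
    """Return (per-user counters, number of anonymous 407 challenges)."""
    users = defaultdict(lambda: {"ok": 0, "denied_403": 0, "clients": set()})
    challenges = 0
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a native-format line; skip rather than guess
        denied = m["code"].endswith("DENIED")
        if m["user"] == "-":
            # No username logged: a 407 here is the normal auth challenge.
            if denied and m["status"] == "407":
                challenges += 1
            continue
        rec = users[m["user"]]
        if denied and m["status"] == "403":
            # Username was logged, yet the request was still refused.
            rec["denied_403"] += 1
            rec["clients"].add(m["client"])
        elif not denied:
            rec["ok"] += 1
    return dict(users), challenges

def suspects(users):
    """Users with a logged username whose requests were all denied with 403."""
    return sorted(u for u, r in users.items() if r["denied_403"] and not r["ok"])

if __name__ == "__main__":
    per_user, n407 = summarize(SAMPLE)
    print("407 challenges:", n407, "| always-denied users:", suspects(per_user))
```

A user who appears in the output from several client addresses matches the "different browsers on different hosts" symptom and is the one whose directory record and access rules are worth comparing against users that pass.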