squid kerberos auth, acl note group


Hi there,

We have a problem with the squid kerberos auth helper and the note acl 
matching to user groups in an Active Directory.
First the user was in one group, which was configured via the groupSid base64 
string as a note acl, and this was working very well.
Then a new group was added to the user, and the note acl was changed to 
this new groupSid string, but now this group is not matching. We also do not 
see this group string in the debug output from the auth helper like this:

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA== 
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA== group=AQEAAAAAABIBAAAA

The config is like this:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
-i -d -s GSS_C_NO_NAME
auth_param negotiate children 100
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
http_access allow authenticated surfen
http_access deny all

Any idea what the problem could be?
Where are these groups in the debug output from: are they from the decoded 
authentication token from the client, or from the Kerberos connection to the 
domain controller?
And why does the last group string look truncated?

Thanks for your help!

Regards

Klaus


---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
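
Added example (not part of the original message and not Squid project code): a decoder for the group= values discussed above, assuming they are base64-encoded binary Windows SIDs (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities). The function names are hypothetical; the sample line is assembled from three values quoted in the message.

```python
import base64
import re
import struct

# Sample debug line assembled from three group= values quoted in the message
# above (shortened; the real helper output lists many more groups).
SAMPLE_DEBUG = (
    "negotiate_kerberos_auth: DEBUG: Groups "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== "
    "group=AQEAAAAAABIBAAAA"
)
# Value configured in the "acl surfen note group ..." line of the message.
ACL_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="


def decode_sid(b64_value):
    """Turn a base64 binary SID into its S-R-A-sub... string form."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < 8:
        raise ValueError("too short to hold a SID header")
    revision, sub_count = raw[0], raw[1]
    # A complete SID is 8 header bytes plus 4 bytes per sub-authority,
    # so a genuinely truncated value fails this length check.
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length %d does not fit %d sub-authorities"
                         % (len(raw), sub_count))
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def groups_in_debug_line(line):
    """Decode every group=<base64> token found in one helper debug line."""
    return [decode_sid(v) for v in re.findall(r"group=([A-Za-z0-9+/]+={0,2})", line)]


def acl_group_present(acl_value, line):
    """True if the SID configured in the note ACL is among the logged groups."""
    return decode_sid(acl_value) in groups_in_debug_line(line)


if __name__ == "__main__":
    print("ACL group:", decode_sid(ACL_GROUP))
    for sid in groups_in_debug_line(SAMPLE_DEBUG):
        print("logged   :", sid)
    print("ACL group present in log:", acl_group_present(ACL_GROUP, SAMPLE_DEBUG))
```

The decoded S-1-... strings can be compared directly with the objectSid values of the groups in the directory.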