On 7/21/20 10:41 AM, Klaus Brandl wrote:
> we have a problem with the squid kerberos auth helper and the note acl
> matching to user groups in an active directory.
> First the user was in one group, which was configured via the groupSid base64
> string as a note acl, and this was working very well.
> Then a new group was added to the user, and the note acl was changed to
> this new groupSid string, but now this group is not matching. We also do not
> see this group string in the debug output from the auth helper like this:

If the helper is not returning the new groupSid to Squid then the note ACL using that new groupSid should not match. Unfortunately, I do not know enough about that helper to tell you why it does not tell Squid about the new group.

> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==
> group=AQEAAAAAABIBAAAA
>
> The config is like this:
>
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
>     -i -d -s GSS_C_NO_NAME
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
> acl authenticated proxy_auth REQUIRED
> acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
> http_access allow authenticated surfen
> http_access deny all
>
> Any idea, what the problem could be?
> Where are these groups from in the debug output, are they from the decoded
> authentication token from the client, or from the kerberos connection to the
> domain controller?

The group membership info should be coming from the authentication service, not the client.

> And why does the last group string look truncated?

I could not find the source of the debug() function used by the helper, but I would not be surprised if that function has a fixed buffer that does not accommodate all the groups.

It is also possible that there is not enough space in the helper buffers to store the actual groups -- I cannot tell whether that is the case from the debugging output you shared (and the source code has many conditional branches that allocate this space differently based on various factors AFAICT). A local developer or a very capable local admin should be able to answer this question by studying (and possibly adding more) helper debugging.

Please also note that there are a couple of possibly related known bugs:

* https://bugs.squid-cache.org/show_bug.cgi?id=5063
* https://bugs.squid-cache.org/show_bug.cgi?id=5063

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
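Added example (not part of the thread, and not Squid's or the helper's own code): a small Python decoder for the base64 group values in the quoted debug output, using the standard binary SID layout (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then count 4-byte little-endian sub-authorities). It lets a reader check two things the thread raises without reading the helper source: whether each emitted string is a complete SID (the 16-character last group decodes to a 12-byte SID with a single sub-authority, S-1-18-1, so its shortness alone is not evidence of truncation), and whether the value configured on the `surfen` note ACL appears in the helper's group list at all, which is the precondition for the ACL to match. The debug line and the ACL value are copied from the quoted message; the function names are my own.

```python
import base64
import re
import struct

# Constructed input: the helper's "Groups" DEBUG line from the quoted thread,
# re-joined onto one line (the mail client wrapped the original), plus the
# value configured on the "surfen" note ACL in the quoted squid.conf.
HELPER_DEBUG_LINE = (
    "negotiate_kerberos_auth: DEBUG: Groups "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA== "
    "group=AQEAAAAAABIBAAAA"
)
ACL_GROUP_B64 = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="


def parse_helper_groups(debug_line):
    """Return every group=<base64> token from a helper DEBUG line, in order."""
    return re.findall(r"group=(\S+)", debug_line)


def decode_sid(b64):
    """Decode a base64 binary SID into its textual S-1-... form.

    Raises ValueError if the blob is not a well-formed revision-1 SID, which
    includes the case where the byte count does not match the sub-authority
    count (i.e. a truncated or over-long blob).
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(f"{len(raw)} bytes, expected {expected} for {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def is_well_formed_sid(b64):
    """True if the base64 value decodes to a complete SID."""
    try:
        decode_sid(b64)
        return True
    except ValueError:
        return False


def audit_note_acl(acl_b64, helper_groups):
    """Compare the configured note ACL value with what the helper reported.

    The ACL is evaluated against the group annotations the helper returns, so
    it cannot match a value that is absent from the helper's list. The report
    also counts how many reported groups share the ACL SID's domain prefix
    (everything before the final RID) and flags any malformed blobs.
    """
    acl_sid = decode_sid(acl_b64)
    acl_domain = acl_sid.rsplit("-", 1)[0]
    well_formed = [g for g in helper_groups if is_well_formed_sid(g)]
    same_domain = [g for g in well_formed
                   if decode_sid(g).rsplit("-", 1)[0] == acl_domain]
    return {
        "acl_sid": acl_sid,
        "acl_emitted_by_helper": acl_b64 in helper_groups,
        "groups_reported": len(helper_groups),
        "same_domain_groups": len(same_domain),
        "malformed_groups": [g for g in helper_groups if g not in well_formed],
    }


if __name__ == "__main__":
    groups = parse_helper_groups(HELPER_DEBUG_LINE)
    for g in groups:
        print(f"{g:44} -> {decode_sid(g)}")
    print(audit_note_acl(ACL_GROUP_B64, groups))
```

Run as-is, the audit shows that all 18 reported groups decode cleanly, that 17 of them share the domain prefix of the configured ACL SID while the last is S-1-18-1 from a different identifier authority, and that the configured value itself is not among the emitted groups, which is why the ACL never matches regardless of whether a debug buffer is also clipping output.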