On Tuesday 21 July 2020 14:21:46 Alex Rousskov wrote:
> On 7/21/20 10:41 AM, Klaus Brandl wrote:
> > we have a problem with the squid kerberos auth helper and the note acl
> > matching to user groups in an active directory.
> > First the user was in one group, which was configured via the groupSid
> > base64 string as a note acl, and this was working very well.
> > Then there was added a new group to the user, and the note acl was changed
> > to this new groupSid string, but now this group is not matching. We also
> > do not see this group string in the debug output from the auth helper like this:
>
> If the helper is not returning the new groupSid to Squid then the note
> ACL using that new groupSid should not match. Unfortunately, I do not
> know enough about that helper to tell you why it does not tell Squid
> about the new group.
>
> > /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
> > group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==
> > group=AQEAAAAAABIBAAAA
> >
> > The config is like this:
> >
> > auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
> >   -i -d -s GSS_C_NO_NAME
> > auth_param negotiate children 100
> > auth_param negotiate keep_alive on
> > acl authenticated proxy_auth REQUIRED
> > acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
> > http_access allow authenticated surfen
> > http_access deny all
> >
> > Any idea what the problem could be?
> > Where are these groups from in the debug output, are they from the decoded
> > authentication token from the client, or from the kerberos connection to
> > the domain controller?
>
> The group membership info should be coming from the authentication
> service, not the client.

But I have compared the encoded string from the auth helper with the string in the Proxy-Authentication header from the client with tcpdump, and it's exactly the same:

Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

On the kerberos connection (port 88) I see only the service principal, so I am nearly sure these groups are from the client.

> > And why does the last group string look truncated?
>
> I could not find the source of the debug() function used by the helper,
> but I would not be surprised if that function has a fixed buffer that
> does not accommodate all the groups. It is also possible that there is
> not enough space in the helper buffers to store the actual groups -- I
> cannot tell whether that is the case from the debugging output you
> shared (and the source code has many conditional branches that allocate
> this space differently based on various factors AFAICT).
>
> A local developer or a very capable local admin should be able to answer
> this question by studying (and possibly adding more) helper debugging.
>
> Please also note that there are a couple of possibly related known bugs:
>
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
>
> Alex.

Klaus

---
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Managing directors: Matthias Ochs, Marc Tesch
Munich district court HRB 98238
genua is a company of the Bundesdruckerei Group.
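Added example, not part of the thread and not Squid's own code: a small Python decoder that turns the base64 group values printed by the helper into readable S-1-... SIDs, reports whether each blob's byte length matches the sub-authority count it announces (a real truncation shows up as a mismatch), and checks whether the configured note ACL value is among the groups the helper returned. The sample values are a subset of those quoted above; HELPER_GROUPS and ACL_VALUE are names chosen here.

```python
import base64
import binascii
import struct

# Group SIDs exactly as quoted from the helper's debug output in this thread
# (a subset), plus the value configured in the "acl surfen note group ..." line.
HELPER_GROUPS = [
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==",
    "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==",
    "AQEAAAAAABIBAAAA",
]
ACL_VALUE = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="


def decode_sid(b64):
    """Decode a base64-encoded binary Windows SID into "S-1-..." form.

    Returns (sid_string, complete); complete is False when the blob is
    shorter than its own sub-authority count announces, i.e. truncated.
    Returns (None, False) for input that is not valid base64 or too short.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None, False
    if len(raw) < 8:
        return None, False
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")     # 48-bit, big-endian
    expected_len = 8 + 4 * count
    body = raw[8:expected_len]
    n = len(body) // 4                              # whole sub-authorities present
    subs = struct.unpack("<%dI" % n, body[:4 * n])  # 32-bit little-endian each
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, len(raw) == expected_len


def acl_value_matches(helper_groups, acl_value):
    """The note ACL can only match a value the helper actually returned;
    comparing decoded forms makes the mismatch readable in a log or ticket."""
    wanted, _ = decode_sid(acl_value)
    return wanted in [decode_sid(g)[0] for g in helper_groups]


if __name__ == "__main__":
    for g in HELPER_GROUPS:
        sid, complete = decode_sid(g)
        print("%-42s %s%s" % (g, sid, "" if complete else "  (truncated)"))
    print("configured:", decode_sid(ACL_VALUE)[0],
          "matches" if acl_value_matches(HELPER_GROUPS, ACL_VALUE) else "NOT returned")
```

Run against the thread's values, the configured group decodes to the same domain as the others but with RID 40345, which none of the returned groups carry; the 16-character last entry decodes to the well-known S-1-18-1 with a length that matches its single sub-authority, so it is merely short, not cut off.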