On 23/07/20 12:53 am, Klaus Brandl wrote: > On Thursday 23 July 2020 00:16:45 Amos Jeffries wrote: >> On 22/07/20 8:59 pm, Klaus Brandl wrote: >>> but i have compared the encoded string from the auth helper with the >>> string at the Proxy-Authentication header from the client with tcpdump, >>> and it's exactly the same: >>> >>> Proxy-Authorization: Negotiate >>> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB... >>> >>> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos >>> /negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12| >>> negotiate_kerberos_auth: DEBUG: Got 'YR >>> YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB... >>> >>> On the kerberos connection(port 88) i see only the service prinzipal, so i >>> am nearly sure, this groups are from the client. >> >> Okay. If you run the helper manually on command line and pass that same >> "YR ..." line Squid is delivering. How long is the result that comes back? > > thank you, i think you mean this: > > DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC... > > This is only 254 bytes. > Ah. Sorry. I should have checked the protocol sequence, it has been a while since last I played with these tokens. For Kerberos there should be a test_negotiate_auth.sh script and negotiate_kerberos_auth_test binary available for debugging these auth details. Run the test_negotiate_auth.sh with with your Squid hostname as its command line parameter. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
