Hi Klaus,
Is the group you added a security group? Only security groups are part
of the Kerberos ticket. Which authorisation helper do you use, or is this
just based on the auth helper output?
What do you see on the client? E.g. in PowerShell run whoami /groups
Did you clear the client Kerberos cache, e.g. by logging out and in again,
or use klist purge?
Markus
"Amos Jeffries" wrote in message
news:704e36b3-4cd8-611c-0643-231c02045db6@xxxxxxxxxxxxx...
On 25/07/20 2:48 am, Klaus Brandl wrote:
Sorry, I did not find this script, and the binary is not available on our
product, because I'm no developer...
Darn. Okay that hinders testing a bit.
But I think we have a caching problem here, I found out that the group
information is only updated on a squid reconfigure.
And also the acl note group ... seems to be cached as long as squid is
restarted completely. I removed the configured group from the user, but I
could see this group still matching in the cache.log, also after a
reconfigure, when the auth_helper does not tell about this group any more.
The groups are attached to credentials which are attached to the TCP
connection (TTL only as long as the connection is open) and a token
replay cache for up to authenticate_ttl directive time (default 1 hour).
Setting that TTL to something very short, eg:
authenticate_ttl 10 seconds
... and disabling connection keep-alive:
client_persistent_connections off
... should work around the cache for testing. At least on HTTP traffic.
HTTPS traffic goes through the proxy as a single tunnel request - so the
entire HTTPS session is just one request/response pair to Squid.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
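
An added example, not part of the original thread and not Squid's own code: a small check that reads squid.conf text and reports whether the two settings named above (authenticate_ttl and client_persistent_connections) still allow a removed group to keep matching. The sample configurations, the 60-second threshold, the handled time units and the assumed default of persistent connections being on are assumptions of this example.

```python
import re

# Time units handled here are a subset chosen for this example.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# authenticate_ttl default (1 hour) is from the thread; persistent
# connections defaulting to on is an assumption of this example.
DEFAULTS = {"authenticate_ttl": 3600, "client_persistent_connections": True}

# Constructed sample configurations.
SAMPLE_DEFAULT = "http_port 3128\n"
SAMPLE_TESTING = (
    "authenticate_ttl 10 seconds   # short TTL for testing\n"
    "client_persistent_connections off\n"
)


def parse_ttl(value):
    """Convert a value such as '10 seconds' or '1 hour' to seconds."""
    m = re.fullmatch(r"(\d+)\s+([a-z]+?)s?", value.strip().lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def effective_settings(conf_text):
    """Return both settings with defaults applied (assumes the last line wins)."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split directive/value
        if len(parts) != 2:
            continue
        directive, value = parts
        if directive == "authenticate_ttl":
            settings[directive] = parse_ttl(value)
        elif directive == "client_persistent_connections":
            settings[directive] = value.strip().lower() == "on"
    return settings


def stale_group_findings(conf_text, max_ttl=60):
    """List settings that let a removed group keep matching (max_ttl is hypothetical)."""
    s = effective_settings(conf_text)
    findings = []
    if s["authenticate_ttl"] > max_ttl:
        findings.append(f"authenticate_ttl is {s['authenticate_ttl']}s")
    if s["client_persistent_connections"]:
        findings.append("client_persistent_connections is on")
    return findings
```

An empty result only covers the proxy-side caches discussed in the thread; the client's Kerberos ticket still has to be refreshed separately.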