Re: squid kerberos auth, acl note group

Hi Markus and Amos,

Thanks for your answers. It is working now, after the group was deleted and
created anew. Most likely it was not a security object...

Regards

On Saturday 25 July 2020 16:43:13 Markus Moeller wrote:
> Hi Klaus,
> 
>     Is the group you added a security group? Only security groups are part
> of the Kerberos ticket. Which authorisation helper do you use, or is this
> just based on the auth helper output?
> 
>     What do you see on the client? E.g. in PowerShell run whoami /groups
> 
>     Did you clear the client Kerberos cache, e.g. by logging out and in again
> or using klist purge?
> 
> 
> Markus
> 
> "Amos Jeffries"  wrote in message
> news:704e36b3-4cd8-611c-0643-231c02045db6@xxxxxxxxxxxxx...
> 
> On 25/07/20 2:48 am, Klaus Brandl wrote:
> > Sorry, I did not find this script, and the binary is not available on our
> > product, because I'm no developer...
> 
> Darn. Okay that hinders testing a bit.
> 
> > But I think we have a caching problem here. I found out that the group
> > information is only updated on a squid reconfigure.
> > 
> > And also the acl note group ... seems to be cached as long as squid is
> > restarted completely. I removed the configured group from the user, but I
> > could see this group still matching in the cache.log, also after a
> > reconfigure, when the auth_helper does not tell about this group any more.
> 
> The groups are attached to credentials which are attached to the TCP
> connection (TTL only as long as the connection is open) and a token
> replay cache for up to authenticate_ttl directive time (default 1 hour).
> 
> Setting that TTL to something very short, eg:
> 
>   authenticate_ttl 10 seconds
> 
> ... and disabling connection keep-alive:
> 
>   client_persistent_connections off
> 
> ... should work around the cache for testing. At least on HTTP traffic.
> HTTPS traffic goes through the proxy as a single tunnel request - so the
> entire HTTPS session is just one request/response pair to Squid.
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Managing directors: Matthias Ochs, Marc Tesch
Munich District Court (Amtsgericht Muenchen) HRB 98238
genua is a company of the Bundesdruckerei Group.
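
Added example, not part of the original thread or of Squid: a small Python helper for comparing the group SIDs that `whoami /groups` shows on the client with the `group=` annotations that `acl note group` matches on. It assumes the auth helper emits each group as `group=<base64 of the binary SID>` (the thread does not say which helper is in use, so check your helper's output); the SIDs and the helper reply line are constructed samples.

```python
import base64
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID (S-1-5-21-...) into the binary Windows SID layout."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes,
    # big-endian), then each sub-authority as 4 bytes little-endian
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Unpack a binary SID, rejecting truncated or padded input."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def sid_to_note(sid: str) -> str:
    """Value to compare against an 'acl ... note group <value>' entry (assumed format)."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")

def note_to_sid(value: str) -> str:
    return bytes_to_sid(base64.b64decode(value, validate=True))

def missing_groups(expected_sids, helper_line):
    """Return the expected SIDs that have no group= annotation in a helper reply."""
    seen = {note_to_sid(tok[len("group="):])
            for tok in helper_line.split() if tok.startswith("group=")}
    return [sid for sid in expected_sids if sid not in seen]

if __name__ == "__main__":
    # Constructed sample: one built-in group present, one domain group absent.
    builtin = "S-1-5-32-544"
    domain_group = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    reply = "OK user=klaus@EXAMPLE.COM group=" + sid_to_note(builtin)
    print("note value for", domain_group, "=", sid_to_note(domain_group))
    print("missing from helper reply:", missing_groups([builtin, domain_group], reply))
```

A group that `whoami /groups` lists but that is missing from the helper reply points at the ticket (non-security group, stale client ticket cache); a group present in the reply but still matching or not matching as before points at the Squid-side caching discussed above.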