squid kerberos auth, acl note group


squid kerberos auth, acl note group

Klaus Brandl
Hi there,

We have a problem with the squid kerberos auth helper and the note acl
matching user groups in an Active Directory.
First the user was in one group, which was configured via the groupSid base64
string as a note acl, and this was working very well.
Then a new group was added to the user, and the note acl was changed to
this new groupSid string, but now this group is not matching. We also do not
see this group string in the debug output from the auth helper, which looks like this:

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA==
group=AQEAAAAAABIBAAAA

The config is like this:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -d -s GSS_C_NO_NAME
auth_param negotiate children 100
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
http_access allow authenticated surfen
http_access deny all

Any idea what the problem could be?
Where do these groups in the debug output come from: are they from the decoded
authentication token from the client, or from the kerberos connection to the
domain controller?
And why does the last group string look truncated?

Thanks for your help!

Regards

Klaus


---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Managing Directors: Matthias Ochs, Marc Tesch
Munich District Court HRB 98238
genua is a company of the Bundesdruckerei Group.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
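An added example (not from the thread or from Squid): a small Python decoder for the base64 groupSid values the helper prints, so the SID configured in the note ACL can be compared, in S-1-... form, with the SIDs the helper actually reports. The sample input is a shortened copy of the helper line and the ACL value quoted above; the 16-character value at the end of the helper output decodes as a complete 12-byte SID with one sub-authority (S-1-18-1), so its shorter length is not by itself a sign of truncation.

```python
"""Decode the base64 group SIDs printed by negotiate_kerberos_auth and
compare them with the SID configured in a Squid 'acl ... note group' line.

Added example for this thread, not part of Squid or the helper. It assumes
the helper prints groups as 'group=<base64 of binary SID>' tokens, which is
what the debug output in the post shows.
"""
import base64
import struct


def decode_sid(b64: str) -> str:
    """Turn a base64-encoded binary Windows SID into its S-1-... text form.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then 'count' sub-authorities
    of 4 bytes each, little-endian.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8:
        raise ValueError(f"SID too short: {len(raw)} bytes")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    expected = 8 + 4 * count
    if len(raw) != expected:
        # A genuinely truncated value fails here: the byte count no longer
        # agrees with the sub-authority count stored in the header.
        raise ValueError(
            f"SID length {len(raw)} does not match {count} sub-authorities "
            f"(expected {expected} bytes)")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-{}-{}".format(revision, authority) + "".join(f"-{s}" for s in subs)


def helper_groups(debug_line: str) -> list:
    """Extract the base64 group tokens from a 'DEBUG: Groups ...' helper line."""
    return [tok[len("group="):] for tok in debug_line.split()
            if tok.startswith("group=")]


def acl_matches(debug_line: str, acl_group_b64: str) -> bool:
    """True if the ACL's SID is among the SIDs the helper reported.

    The comparison is done on the decoded SID text, so base64 padding or
    line wrapping in the log cannot cause a false mismatch.
    """
    wanted = decode_sid(acl_group_b64)
    return any(decode_sid(g) == wanted for g in helper_groups(debug_line))


def domain_of(sid: str) -> str:
    """Domain part of an S-1-5-21-... SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


# Constructed sample input: a shortened copy of the helper line and the ACL
# value quoted in the post above (4 of the 18 reported groups).
HELPER_LINE = (
    "negotiate_kerberos_auth: DEBUG: Groups "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA== "
    "group=AQEAAAAAABIBAAAA"
)
ACL_GROUP = "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="


if __name__ == "__main__":
    for g in helper_groups(HELPER_LINE):
        print(f"{g:44s} -> {decode_sid(g)}")
    print("acl group          ->", decode_sid(ACL_GROUP))
    print("acl matches helper ->", acl_matches(HELPER_LINE, ACL_GROUP))
```

A value that really is cut off fails the length check in decode_sid, because the byte count no longer agrees with the sub-authority count in the SID header.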

Re: squid kerberos auth, acl note group

Alex Rousskov
On 7/21/20 10:41 AM, Klaus Brandl wrote:

> We have a problem with the squid kerberos auth helper and the note acl
> matching user groups in an Active Directory.
> First the user was in one group, which was configured via the groupSid base64
> string as a note acl, and this was working very well.
> Then a new group was added to the user, and the note acl was changed to
> this new groupSid string, but now this group is not matching. We also do not
> see this group string in the debug output from the auth helper, which looks like this:

If the helper is not returning the new groupSid to Squid then the note
ACL using that new groupSid should not match. Unfortunately, I do not
know enough about that helper to tell you why it does not tell Squid
about the new group.


> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdIXIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdkE8AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdKUMAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd2UAAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdh0wAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdZk4AAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdFFsAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdH0cAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSd+1QAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdDFEAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdWlIAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOEAAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdPUMAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdJ3AAAA==
> group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdOMQAAA== group=AQEAAAAAABIBAAAA
>
> The config is like this:
>
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -d -s GSS_C_NO_NAME
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
> acl authenticated proxy_auth REQUIRED
> acl surfen note group AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA==
> http_access allow authenticated surfen
> http_access deny all
>
> Any idea what the problem could be?
> Where do these groups in the debug output come from: are they from the decoded
> authentication token from the client, or from the kerberos connection to the
> domain controller?

The group membership info should be coming from the authentication
service, not the client.


> And why does the last group string look truncated?

I could not find the source of the debug() function used by the helper,
but I would not be surprised if that function has a fixed buffer that
does not accommodate all the groups. It is also possible that there is
not enough space in the helper buffers to store the actual groups -- I
cannot tell whether that is the case from the debugging output you
shared (and the source code has many conditional branches that allocate
this space differently based on various factors AFAICT).

A local developer or a very capable local admin should be able to answer
this question by studying (and possibly adding more) helper debugging.


Please also note that there are a couple of possibly related known bugs:

* https://bugs.squid-cache.org/show_bug.cgi?id=5063
* https://bugs.squid-cache.org/show_bug.cgi?id=5063

Alex.

Re: squid kerberos auth, acl note group

Klaus Brandl
On Tuesday 21 July 2020 14:21:46 Alex Rousskov wrote:

> On 7/21/20 10:41 AM, Klaus Brandl wrote:
> > We have a problem with the squid kerberos auth helper and the note acl
> > matching user groups in an Active Directory.
> > First the user was in one group, which was configured via the groupSid
> > base64 string as a note acl, and this was working very well.
> > Then a new group was added to the user, and the note acl was changed
> > to this new groupSid string, but now this group is not matching. We also
> > do not see this group string in the debug output from the auth helper,
> > which looks like this:
> If the helper is not returning the new groupSid to Squid then the note
> ACL using that new groupSid should not match. Unfortunately, I do not
> know enough about that helper to tell you why it does not tell Squid
> about the new group.
>
> > Any idea what the problem could be?
> > Where do these groups in the debug output come from: are they from the decoded
> > authentication token from the client, or from the kerberos connection to
> > the domain controller?
>
> The group membership info should be coming from the authentication
> service, not the client.

But I have compared the encoded string from the auth helper with the string in
the Proxy-Authentication header from the client with tcpdump, and it's exactly
the same:

Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...

On the kerberos connection (port 88) I see only the service principal, so I am
nearly sure these groups are from the client.

>
> > And why does the last group string look truncated?
>
> I could not find the source of the debug() function used by the helper,
> but I would not be surprised if that function has a fixed buffer that
> does not accommodate all the groups. It is also possible that there is
> not enough space in the helper buffers to store the actual groups -- I
> cannot tell whether that is the case from the debugging output you
> shared (and the source code has many conditional branches that allocate
> this space differently based on various factors AFAICT).
>
> A local developer or a very capable local admin should be able to answer
> this question by studying (and possibly adding more) helper debugging.
>
>
> Please also note that there are a couple of possibly related known bugs:
>
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
> * https://bugs.squid-cache.org/show_bug.cgi?id=5063
>
> Alex.

Klaus


Re: squid kerberos auth, acl note group

Amos Jeffries
On 22/07/20 8:59 pm, Klaus Brandl wrote:

>
> But I have compared the encoded string from the auth helper with the string in
> the Proxy-Authentication header from the client with tcpdump, and it's exactly
> the same:
>
> Proxy-Authorization: Negotiate YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>
> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(612): pid=28796 :2020/07/21 16:15:12| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGpQYGKwYBBQUCoIIGmTCCBpWgMDAuBgkqhkiC9xIB...
>
> On the kerberos connection (port 88) I see only the service principal, so I am
> nearly sure these groups are from the client.
>

Okay. If you run the helper manually on the command line and pass it that same
"YR ..." line Squid is delivering, how long is the result that comes back?

The helper I/O buffer is 32KB in current Squid. The above test will show
how large it needs to be for your network. Unfortunately changes to this
buffer do need a patch.


Amos

Re: squid kerberos auth, acl note group

Klaus Brandl
On Thursday 23 July 2020 00:16:45 Amos Jeffries wrote:

> Okay. If you run the helper manually on command line and pass that same
> "YR ..." line Squid is delivering. How long is the result that comes back?

Thank you, I think you mean this:

DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC...

This is only 254 bytes.

>
> The helper I/O buffer is 32KB in current Squid. The above test will show
> how large it needs to be for your network. Unfortunately changes to this
> buffer do need a patch.
>
>
> Amos

Klaus

Re: squid kerberos auth, acl note group

Amos Jeffries
On 23/07/20 12:53 am, Klaus Brandl wrote:

> Thank you, I think you mean this:
>
> DEBUG: OK token=oYG3MIG0oAMKAQChCwYJKoZIgvcSAQIC...
>
> This is only 254 bytes.
>



Ah. Sorry. I should have checked the protocol sequence, it has been a
while since last I played with these tokens.

For Kerberos there should be a test_negotiate_auth.sh script and
negotiate_kerberos_auth_test binary available for debugging these auth
details.

Run the test_negotiate_auth.sh with your Squid hostname as its
command line parameter.


Amos

Re: squid kerberos auth, acl note group

Klaus Brandl
Sorry, I did not find this script, and the binary is not available on our
product, because I'm no developer...

But I think we have a caching problem here. I found out that the group
information is only updated on a squid reconfigure.

And also the acl note group ... seems to be cached until squid is
restarted completely. I removed the configured group from the user, but I could
still see this group matching in the cache.log, also after a reconfigure, when
the auth_helper does not report this group any more.

> Ah. Sorry. I should have checked the protocol sequence, it has been a
> while since last I played with these tokens.
>
> For Kerberos there should be a test_negotiate_auth.sh script and
> negotiate_kerberos_auth_test binary available for debugging these auth
> details.
>
> Run the test_negotiate_auth.sh with your Squid hostname as its
> command line parameter.
>
>
> Amos

Klaus


Re: squid kerberos auth, acl note group

Amos Jeffries
On 25/07/20 2:48 am, Klaus Brandl wrote:
> Sorry, I did not find this script, and the binary is not available on our
> product, because I'm no developer...
>

Darn. Okay that hinders testing a bit.

> But I think we have a caching problem here. I found out that the group
> information is only updated on a squid reconfigure.
>
> And also the acl note group ... seems to be cached until squid is
> restarted completely. I removed the configured group from the user, but I could
> still see this group matching in the cache.log, also after a reconfigure, when
> the auth_helper does not report this group any more.
>

The groups are attached to credentials which are attached to the TCP
connection (TTL only as long as the connection is open) and a token
replay cache for up to authenticate_ttl directive time (default 1 hour).

Setting that TTL to something very short, e.g.:

  authenticate_ttl 10 seconds

... and disabling connection keep-alive:

  client_persistent_connections off

... should work around the cache for testing. At least on HTTP traffic.
HTTPS traffic goes through the proxy as a single tunnel request - so the
entire HTTPS session is just one request/response pair to Squid.

Amos

Re: squid kerberos auth, acl note group

Markus Moeller
Hi Klaus,

    Is the group you added a security group? Only security groups are part
of the Kerberos ticket. Which authorisation helper do you use, or is this
just based on the auth helper output?

    What do you see on the client? E.g. in PowerShell run whoami /groups

    Did you clear the client Kerberos cache, e.g. by logging out and in again
or using klist purge?


Markus

Re: squid kerberos auth, acl note group

Klaus Brandl
Hi Markus and Amos,

Thanks for your answers, it is working now, after the group was deleted and
created anew. Most likely it was not a security object...

Regards

On Saturday 25 July 2020 16:43:13 Markus Moeller wrote:

> Hi Klaus,
>
>     Is the group you added a security group? Only security groups are part
> of the Kerberos ticket. Which authorisation helper do you use, or is this
> just based on the auth helper output?
>
>     What do you see on the client? E.g. in PowerShell run whoami /groups
>
>     Did you clear the client Kerberos cache, e.g. by logging out and in again
> or using klist purge?
>
>
> Markus

Klaus


Re: squid kerberos auth, acl note group

Klaus Brandl
In reply to this post by Amos Jeffries
> The groups are attached to credentials which are attached to the TCP
> connection (TTL only as long as the connection is open) and a token
> replay cache for up to authenticate_ttl directive time (default 1
> hour).
>
> Setting that TTL to something very short, eg:
>
>   authenticate_ttl 10 seconds
>
> ... and disabling connection keep-alive:
>
>   client_persistent_connections off
>
> ... should work around the cache for testing. At least on HTTP
> traffic.
> HTTPS traffic goes through the proxy as a single tunnel request - so
> the
> entire HTTPS session is just one request/response pair to Squid.
>
> Amos

Sorry again, but I still have this caching problem with the groups in
the note ACL. I have tested the options you suggested, but they have no
effect, the group is still matching until squid is completely
restarted. It looks like the note ACL is always appended only.
Or is there a way to flush this content?

Regards

Klaus




Re: squid kerberos auth, acl note group

Eliezer Croitoru-3
In reply to this post by Klaus Brandl
Hey Klaus,

I tried to follow the thread and understand what went wrong and how it was fixed,
and I didn't manage to understand. (Maybe I am missing some emails in the thread)

Can you please clarify what was done to resolve this issue?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Klaus Brandl
Sent: Monday, July 27, 2020 7:36 PM
To: [hidden email]
Subject: Re: [squid-users] squid kerberos auth, acl note group

Hi Markus and Amos,

Thanks for your answers, it is working now, after the group was deleted and
created anew. Most likely it was not a security object...

Regards


Re: squid kerberos auth, acl note group

Klaus Brandl
Hi Eliezer,

We have deleted the group in Active Directory and created it again.
Not sure if this was the real problem, because this was done by our
customer.

But we still have this caching problem: if the membership of this group
is changed in AD, squid has to be completely restarted to take effect.

Regards

Klaus

On Wednesday, 04.11.2020, 15:13 +0200, Eliezer Croitor wrote:

> Hey Klaus,
>
> I tried to follow the thread and understand what went wrong and how
> it was fixed,
> and I didn't manage to understand. (Maybe I am missing some emails in
> the thread)
>
> Can you please clarify what was done to resolve this issue?
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: [hidden email]
>
> -----Original Message-----
> From: squid-users <[hidden email]> On
> Behalf Of Klaus Brandl
> Sent: Monday, July 27, 2020 7:36 PM
> To: [hidden email]
> Subject: Re: [squid-users] squid kerberos auth, acl note group
>
> Hi Markus and Amos,
>
> thanks for your answers, it is working now, after the group was
> deleted and
> created new. Most likely it was no security object...
>
> Regards
>
> On Saturday 25 July 2020 16:43:13 Markus Moeller wrote:
> > Hi Klaus,
> >
> >     Is the group you added a security group ?  Only security groups
> > are part
> > of the Kerberos ticket.  Which authorisation helper do you use or
> > is this
> > just based on the auth helper output ?
> >
> >     What do you see on the client ?  e.g. in powershell run whoami
> > /groups
> >
> >     Did you clear the client Kerberos cache e.g. by login out and
> > in again
> > or use klist purge ?
> >
> >
> > Markus
> >
> > "Amos Jeffries"  wrote in message
> > news:[hidden email]...
> >
> > On 25/07/20 2:48 am, Klaus Brandl wrote:
> > > sorry, i did not found this script, and the binary is not
> > > available on our
> > > product, because i'm no developer...
> >
> > Darn. Okay that hinders testing a bit.
> >
> > > But i think, we have a caching problem here, i found out, that
> > > the group
> > > informations are only updated on a squid reconfigure.
> > >
> > > And also the acl note group ... seems to be cached as long as
> > > squid is
> > > restarted completely. I removed the configured group from the
> > > user, but i
> > > could
> > > see this group still maching in the cache.log, also after a
> > > reconfigure,
> > > when
> > > the auth_helper does not tell about this group any more.
> >
> > The groups are attached to credentials which are attached to the TCP
> > connection (TTL only as long as the connection is open) and a token
> > replay cache for up to authenticate_ttl directive time (default 1 hour).
> >
> > Setting that TTL to something very short, eg:
> >
> >   authenticate_ttl 10 seconds
> >
> > ... and disabling connection keep-alive:
> >
> >   client_persistent_connections off
> >
> > ... should work around the cache for testing. At least on HTTP traffic.
> > HTTPS traffic goes through the proxy as a single tunnel request - so the
> > entire HTTPS session is just one request/response pair to Squid.
> >
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > [hidden email]
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> >
>
> Klaus
>
> ---
>
> genua GmbH
> Domagkstrasse 7, 85551 Kirchheim bei Muenchen
> tel +49 89 991950-0, fax -999, www.genua.de
>
> Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
> Amtsgericht Muenchen HRB 98238
> genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
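The thread turns on two things that are easy to get wrong: whether the group in the acl is actually carried in the Kerberos ticket (Markus's question), and whether the base64 value in the `acl ... note group` line is byte-for-byte the token the helper logs as `group=...`, since that acl is a plain string comparison of the helper's annotation. The helper's tokens are base64-encoded binary Windows SIDs (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities). The following Python is an added example, not code from the thread or from the Squid project. It decodes such tokens to S-1-... form, encodes an S-1-... string back into the acl value, and checks a helper debug line for a configured group. The debug line it parses is constructed for this example in the format the helper logs; the function names and the `group=` regular expression are this example's own.

```python
import base64
import re
import struct

# Constructed sample: one negotiate_kerberos_auth "Groups" debug line in the
# format the helper logs (this text is built for the example, not captured).
SAMPLE_DEBUG_LINE = (
    "negotiate_kerberos_auth: DEBUG: Groups "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdjV0AAA== "
    "group=AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdAQIAAA== "
    "group=AQEAAAAAABIBAAAA"
)

# Example-specific helper: one "group=<token>" annotation per match.
GROUP_TOKEN = re.compile(r"\bgroup=(\S+)")


def b64_to_sid(token: str) -> str:
    """Decode the base64 binary SID the helper emits into S-1-... form."""
    raw = base64.b64decode(token)
    if len(raw) < 8:
        raise ValueError("token too short for a binary SID: %r" % token)
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("not a well-formed binary SID: %r" % token)
    # 48-bit identifier authority is big-endian; sub-authorities are LE u32.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_b64(sid: str) -> str:
    """Encode an S-1-... string into the base64 value 'acl ... note group' needs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return base64.b64encode(raw).decode("ascii")


def groups_from_debug_line(line: str) -> list:
    """All group SIDs (S-1-... form) the helper reported on this line."""
    return [b64_to_sid(t) for t in GROUP_TOKEN.findall(line)]


def acl_matches(line: str, acl_value: str) -> bool:
    """Would 'acl X note group <acl_value>' match this helper output?

    Compared on decoded SIDs so that a mistyped or differently padded acl
    value is reported as a SID mismatch rather than silently never matching.
    """
    wanted = b64_to_sid(acl_value)
    return wanted in groups_from_debug_line(line)


if __name__ == "__main__":
    for sid in groups_from_debug_line(SAMPLE_DEBUG_LINE):
        print(sid)
    # A group that is not in the ticket at all never matches, whatever the
    # acl line says; check the ticket contents (whoami /groups) first.
    print(acl_matches(SAMPLE_DEBUG_LINE, "AQUAAAAAAAUVAAAAMq9NXuhR/XHUeZSdmZ0AAA=="))
```

Decoding the sample line gives the domain SID with RIDs 23949 and 513 (513 is the well-known Domain Users RID) plus S-1-18-1, the well-known "authentication authority asserted identity" SID that shows up in a Kerberos PAC. If the SID you obtain from AD for the group (for example from `Get-ADGroup`'s SID property) round-trips through `sid_to_b64` to something other than the acl value in squid.conf, the acl line is the problem; if it round-trips correctly but the SID is absent from the helper's output, the group is not in the ticket, which is the distribution-group or stale-ticket case Markus describes.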

Re: squid kerberos auth, acl note group

Eliezer Croitoru-3
Thanks.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

-----Original Message-----
From: Klaus Brandl <[hidden email]>
Sent: Thursday, November 5, 2020 11:21 AM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [squid-users] squid kerberos auth, acl note group

Hi Eliezer,

we have deleted the group in active directory and created it again.
Not sure if this was the real problem, because this was done by our
customer.

But we already have this caching problem: if the membership of this group
is changed in AD, squid has to be completely restarted for it to take effect.

Regards

Klaus

On Wednesday, 04.11.2020, 15:13 +0200, Eliezer Croitor wrote:

> Hey Klaus,
>
> I tried to follow the thread and understand what went wrong and how
> it was fixed,
> and I didn't manage to understand. (Maybe I am missing some emails in
> the thread)
>
> Can you please clear out what was done to resolve this issue?
>
> Thanks,
> Eliezer
>
>
> -----Original Message-----
> From: squid-users <[hidden email]> On
> Behalf Of Klaus Brandl
> Sent: Monday, July 27, 2020 7:36 PM
> To: [hidden email]
> Subject: Re: [squid-users] squid kerberos auth, acl note group
>
