[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Alex Rousskov
rousskov at measurement-factory.com
Tue Mar 24 15:02:48 UTC 2026
On 2026-03-24 09:33, Amos Jeffries wrote:
> Every clt_conn_tag should be added to the client<->Squid TCP connection,
> after which every transaction on that connection should be able to see
> them.
The above assertion is false. Squid does not (or should not) work that
way since Bug 4912 fix (i.e. 2019 commit d665de37) replaced an "always
add" with an "always overwrite" design for most[^1] annotations,
including clt_conn_tag:
* An "always add" design does not work well because it does not allow
helpers to reset/change/update stale client annotations.
* An "always overwrite" design works better because it allows helpers to
reset or append[^2] annotations, as needed. Squid uses this design for
most[^1] annotations today. Returning two same-name Squid-recognized
annotations in a helper response has been classified as a helper bug
since 2023 commit 27c36771 (see the "B4" case in that commit message).
IIRC, no diagnostic is given (for now).
* A "use `=` to reset and `+=` to append" design would allow the helper
to make its intentions explicit and support appending without wasteful
echoing of old values. This possible enhancement is compatible with the
"always overwrite" design (as long as annotation names do not end with a
plus sign).
[^1]: The exceptions are context specific; some contexts append "group",
"tag", and/or "nonce" annotations AFAICT.
[^2]: When new annotations always overwrite old same-name annotations,
appending is implemented via supplying the old annotation value to the
helper, so that the helper can return a `name=old,new` annotation that
overwrites the previous `name=old` value.
Alex.
P.S. The "always overwrite" design was explicitly (re)adopted when
clt_conn_tag support was added for helpers in 2014 commit 457857f, but
we did not document it well enough back then, and bugs sneaked in again:
https://ml-archives.squid-cache.org/squid-users/2018-December/019821.html
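To make the difference between the two designs concrete, here is an added example (not Squid code, and not from the message above) that models how a helper's returned annotations are merged into a per-connection annotation set under "always add" versus "always overwrite", how the duplicate-name helper bug from the "B4" case can be detected, and how a helper appends under "always overwrite" by echoing the old value as `name=old,new` (footnote 2). The helper responses, annotation names other than `clt_conn_tag` and `group`, and the stale-tag scenario are constructed for illustration.

```python
# Toy model of Squid-style helper annotation merging (added example, not Squid's
# own implementation). Helper responses and the scenario are constructed.
from __future__ import annotations


def parse_helper_response(response: str) -> list[tuple[str, str]]:
    """Split a helper line like 'OK clt_conn_tag=foo group=a' into (name, value)
    pairs. The first token (OK/ERR) is the result code, not an annotation."""
    pairs: list[tuple[str, str]] = []
    for token in response.split()[1:]:
        if "=" in token:
            name, value = token.split("=", 1)
            pairs.append((name, value))
    return pairs


def find_duplicate_names(pairs: list[tuple[str, str]]) -> list[str]:
    """Two same-name annotations in one response is the helper bug the message
    calls case 'B4'; return the offending names so a diagnostic could be logged."""
    seen: set[str] = set()
    dups: list[str] = []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def merge_always_add(current: dict[str, list[str]],
                     pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """'Always add': every returned value is appended, so a stale value can
    never be reset or replaced by a later helper response."""
    merged = {k: list(v) for k, v in current.items()}
    for name, value in pairs:
        merged.setdefault(name, []).append(value)
    return merged


def merge_always_overwrite(current: dict[str, list[str]],
                           pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """'Always overwrite': a returned name replaces whatever that name held before;
    names the helper did not mention keep their previous values."""
    merged = {k: list(v) for k, v in current.items()}
    for name, value in pairs:
        merged[name] = [value]
    return merged


def helper_append(old_value: str | None, new_value: str) -> str:
    """How a helper appends under 'always overwrite' (footnote 2): Squid passes the
    old value in, and the helper returns 'old,new' so the overwrite keeps both."""
    return new_value if old_value is None else f"{old_value},{new_value}"


def stale_tag_scenario() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: a connection is first tagged 'untrusted'; after the
    client authenticates, the helper is re-run and returns 'trusted'."""
    first = parse_helper_response("OK clt_conn_tag=untrusted")
    second = parse_helper_response("OK clt_conn_tag=trusted")
    state_add = merge_always_add(merge_always_add({}, first), second)
    state_overwrite = merge_always_overwrite(merge_always_overwrite({}, first), second)
    return {"always_add": state_add, "always_overwrite": state_overwrite}


if __name__ == "__main__":
    result = stale_tag_scenario()
    # Under "always add" the stale 'untrusted' tag survives; under "always
    # overwrite" only 'trusted' remains.
    print(result)
    print(find_duplicate_names(parse_helper_response("OK group=a group=b")))
    print(helper_append("users", "admins"))
```

Under "always add" the connection still carries `untrusted` after the helper has said `trusted`, which is exactly the stale-annotation problem the message describes; under "always overwrite" the tag is reset, and a helper that wants both values returns `group=users,admins` itself.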