"Aleksandar Ciric" <aciric79@xxxxxxxxx> wrote in message
news:371632.45483.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ok, I will add timers to corelate log events with wireshark output, all
machines sync to AD NTP.
According to this, situation is clear (if one can say so).
If I acknowledge the pass prompt fast 3x in a row (that is 3 GET's get
sent), I get all 3x(DEBUG: Got / Decode / AF) lines in the cache.log the
very moment and an OK for last GET.
That is what I don't understand. Why is it the third not the second ?
In second test, with pause after 2 acks, on first 2 acks of pass prompt
(each dispatches a GET request with valid kerb token) I get no reaction in
log ... so I waited about 10 secs for 3rd ack, did it and got all 3x(DEBUG:
Got / Decode / AF) lines at the same time according to log.
Unlike the situation detailed below where I only got one (DEBUG: Got /
Decode / AF).
Point is that 3rd GET seems to trigger processing the auth momentarily, any
less won't do. The time doesn't seem to matter.
When same desktop client (I tried several just to make sure) is logged in
with a valid domain username, none of this happens. After 1st 407 it goes
through TGS-REQ/TGS-REP and sends GET with GSSAPI (doesn't even try NTLM)
and receives OK.
I don't know how to resolve this or what to troubleshoot further. (beside
scrapping the Gentoo machine and trying with CentOS or Ubuntu server)
desktop_wireshark:
12:58:24.377414 1. GET google
12:58:24.379208 2. 407, Proxy-Authenticate: Negotiate\r\n
12:58:24.404808 3. GET google, Proxy-Authorization: Negotiate <token>,
NTLMSSP
For the above squid_kerb_auth won't return an AF it should be a BH with
error message.
12:58:24.406647 4. 407, Proxy-Authenticate: Negotiate\r\n (no token)
5. Ack. the pass prompt
12:58:36.936887-943069 6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
server)
12:58:37.033969 7. GET google, Proxy-Authorization: Negotiate <token>,
GSS-API (SPNEGO)
12:58:37.036221 8. 407, Proxy-Authenticate: Negotiate\r\n (no token)
The above should not happen. squid should authenticate the user at this
point. Can you attach the logfile ?
9. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays
filled in)
12:58:43.258456-263817 10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
server)
12:58:43.264872 11. GET google, Proxy-Authorization: Negotiate <token>,
GSS-API (SPNEGO)
12:58:43.267059 12. 407, Proxy-Authenticate: Negotiate\r\n (no token)
13. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays
filled in)
12:58:50.390082-395554 14. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
server)
12:58:50.396739 15. GET google, Proxy-Authorization: Negotiate <token>,
GSS-API (SPNEGO)
12:58:50 DEBUG: Got / Decode / AF (squid cache log)
12:58:50.575546 16. 200 OK, Proxy-Authentication-Info: Negotiate (token)
P.S.
I used pause cause I lack microseconds in squid cache.log
