Search squid archive

Re: Squid NTLM Authentication and Windows Update Server (WSUS 3.0)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/02/11 22:04, John Treen wrote:
Hi Amos,

I have compared the headers between the 2.6.STABLE5 and 3.1.10 and have
found the following:
* added Mime-Version: 1.0
* added Vary: Accept-Language
* added Content-Language: en
* changed Proxy-Connection: keep-alive to Connection: keep-alive


Hmm, none of which should matter. Though the connection header may affect some strangely written software (I don't believe WSUS to be in that particular group though).

Including the blob of text in the WWW-Authenticate: headers as identical?


After having a quick look with Wireshark (not sure if its a decoding
problem or not) it appears that during the NTLM handshake something is
going wrong at the NTLMSSP_AUTH stage. When Wireshark decodes the
packets going to squid 2.6.STABLE5 the Domain name, User name and Host
name that it decodes are correct, but when looking at the decoded
packets from 3.1.10 those 3 fields only have one character in each of
them (the first character from the string that it should have).

Yes that sounds like a small problem.


I have a dump of the headers from both the old version and the new
version. Would it help to see those? If so, what is the best way to
share them, attach via email or upload to a website and send link?

Regards,
John Treen


Somewhere I can download them. Bugzilla (http://bugs.squid-cache.org) seems appropriate at this stage. With a mention of which software is putting the header packets on the wire and which they are going to.

Amos

Amos Jeffries wrote:
On 01/02/11 16:01, John Treen wrote:
Hi Everyone,

I am having trouble getting WSUS 3.0 to communicate through Squid when
using NTLM authentication. Back in early 2009 I did some testing and
determined that 2.6.STABLE5 appears to be the last version that WSUS
would successfully communicate through the proxy using NTLM.

Yesterday I tried Squid 3.1.10 and WSUS still returns a 407 Proxy
Authentication Required. If I uninstall 3.1.10 and then install
2.6.STABLE5 using the same configuration on my test machine WSUS works

I'm a little suspicious of this. Mainly because we altered many small
background options and behaviours to achieve almost complete HTTP/1.1
compliance in 3.1.


If I comment out the auth_param ntlm lines (just leaving basic
authentication enabled) WSUS works with 3.1.10, so I believe it could be
something going wrong in the NTLM handshake.

What is the best way to start debugging what the problem could be?

The easy way is to take a full packet capture (tcpdump -s 0 ...) when
using the working Squid and again with the non-working. Compare the
two transactions headers in wireshark and see if anything appears.

The hard way is to dredge the squid cache.log at debug_options 29,5 on
the 3.1 install and see what is happening.

Amos


--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux