On Mon, 29 Aug 2011 22:07:15 +0200, Rafal Zawierta wrote:
Hello, I've noticed that in one setup of Squid3 (+kerb auth against AD), when a user changes his password (at that moment I'm not sure when he makes that change) he receives this message: Sorry, you are not currently allowed to request http://google.com/ from this cache until you have authenticated yourself. Where should I look for a solution to that issue? In the ttl param of the authentication helper? I haven't tried yet, but probably restarting squid after the user changes his password solves that problem. Regards, Rafal
One of the effects of NTLM and Negotiate attempting stateful authentication of low-level TCP connections via a stateless upper-layer protocol (HTTP). The client is attempting to send new credentials over a connection which already has different ones set as read-only and is pinning multiple TCP server connections together. What it needs to be doing to avoid problems is closing any old/existing connections from before the password change and opening new ones with the fresh credentials.
The error message is Squid detecting that and performing the connection flush on the client's behalf. It should be accompanied by a "Connection: close" and a list of auth protocols the browser may open a new connection with credentials for.
Like Marcus said, this is a client problem. If that message reaches user visibility it is failing at both the flush and the recovery after flush fails.
Amos
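To tell the two failure points Amos names apart (proxy not signalling the flush vs. client not recovering from it), it helps to look at the raw denied response. The following is an added example, not Squid's own code: it parses a response head and reports whether it carries "Connection: close" plus at least one offered auth scheme. The sample responses are constructed, and the 407 status is assumed for proxy mode.

```python
from typing import List, NamedTuple


class FlushCheck(NamedTuple):
    status: int
    connection_close: bool   # proxy asked the client to drop the pinned connection
    schemes: List[str]       # auth schemes offered for the retry on a fresh connection
    ok: bool                 # True when the response is a well-formed re-auth challenge


def parse_response(raw: bytes) -> FlushCheck:
    """Parse the head of a raw HTTP response and report whether it is a proper
    re-authentication challenge: 401/407, 'Connection: close', and at least one
    Proxy-Authenticate / WWW-Authenticate scheme."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    close = False
    schemes: List[str] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "connection":
            close |= "close" in [t.strip().lower() for t in value.split(",")]
        elif name in ("proxy-authenticate", "www-authenticate"):
            schemes.append(value.split(None, 1)[0])  # scheme token only, drop params
    ok = status in (401, 407) and close and bool(schemes)
    return FlushCheck(status, close, schemes, ok)


# Constructed samples (not captured traffic): a proper flush challenge, and one
# that omits 'Connection: close', so the stale pinned connection stays open.
GOOD = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
        b"Server: squid\r\n"
        b"Proxy-Authenticate: Negotiate\r\n"
        b"Proxy-Authenticate: NTLM\r\n"
        b"Connection: close\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html>...denied page...</html>")
BAD = GOOD.replace(b"Connection: close\r\n", b"Connection: keep-alive\r\n")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, parse_response(sample))
```

If a real capture comes out like GOOD and the user still sees the page, the browser is the side failing to reconnect with fresh credentials.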