I've just upgraded a machine from Squid 3.2.0 to 3.2.3 and can't seem to
get the Negotiate authenticator to work any more.
From the traffic, I can see:
1. The client sends an unauthenticated request
2. Squid returns a 407 with "Proxy-Authenticate: Negotiate"
3. The client resends the request with "Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
4. Squid returns a 407 with no "Proxy-Authenticate" header
Example traffic:
-----
GET http://example.com HTTP/1.1
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.2.3
Mime-Version: 1.0
Date: Fri, 07 Dec 2012 16:22:58 GMT
Content-Type: text/html
Content-Length: 3878
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from foo
X-Cache-Lookup: NONE from foo:3128
Via: 1.1 foo (squid/3.2.3)
Connection: keep-alive
-----
This does not appear to be a problem with negotiate_wrapper itself as I
can see from the logs that Squid has got a challenge string from it:
2012/12/07 16:29:39.051 kid1| UserRequest.cc(170) authenticate: need to challenge client 'TlRMTVNTUAACAAAABgAGADAAAAAVgonifVf3m5EEkgIAAAAAAAAAAC4ALgA2AAAASwBTAEIAAgAGAEsAUwBCAAEACgBJAEMARQBOAEkABAAAAAMACgBpAGMAZQBuAGkAAAAAAA=='!
Everything I see in the logs indicates that Squid knows it has to send
the challenge to the client, but the header never makes it into the
response.
I've trimmed my configuration down to a minimum:
-----
debug_options ALL,9
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=FOO --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/foo
auth_param negotiate children 50
auth_param negotiate keep_alive off
auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param basic children 50
auth_param basic realm Iceni Web Proxy
auth_param basic credentialsttl 2 hours
acl proxy_auth proxy_auth REQUIRED
http_access allow proxy_auth
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
logformat iceni %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{User-Agent}>h"
access_log stdio:/var/log/squid/access.log iceni
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid
coredump_dir /var/spool/squid-nocache
-----
The appropriate parts of cache.log are available at:
http://persephone.nexusuk.org/~steve/cache.log
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve@xxxxxxxxxxxx
Email: steve@xxxxxxxxxxxx
Phone: sip:steve@xxxxxxxxxxxx
Sales / enquiries contacts:
Email: sales@xxxxxxxxxxxx
Phone: +44-844-9791439 / sip:sales@xxxxxxxxxxxx
Support contacts:
Email: support@xxxxxxxxxxxx
Phone: +44-844-4844916 / sip:support@xxxxxxxxxxxx
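As an added diagnostic example (not code from the post or from the Squid project): decoding the two NTLMSSP tokens quoted above confirms that the client sent a type 1 NEGOTIATE message and that the helper produced a type 2 CHALLENGE, so the exchange stalls only because the 407 reply carries no Proxy-Authenticate header. The Python below parses both tokens following the MS-NLMP message layout and flags a bare 407; the response headers it checks are constructed from the reply quoted in the post.

```python
import base64
import struct

# Both tokens are copied from the post above: the client's Proxy-Authorization
# value and the challenge string Squid logged from negotiate_wrapper_auth.
CLIENT_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
HELPER_CHALLENGE = "TlRMTVNTUAACAAAABgAGADAAAAAVgonifVf3m5EEkgIAAAAAAAAAAC4ALgA2AAAASwBTAEIAAgAGAEsAUwBCAAEACgBJAEMARQBOAEkABAAAAAMACgBpAGMAZQBuAGkAAAAAAA=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # MS-NLMP NegotiateFlags bit


def parse_ntlmssp(token_b64):
    """Decode a base64 NTLMSSP token into its message type and key fields.

    Tokens that are SPNEGO/Kerberos blobs rather than raw NTLMSSP do not carry
    the signature and are rejected.
    """
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type, "name": MESSAGE_NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 1:  # NEGOTIATE: NegotiateFlags directly after the header
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
    elif msg_type == 2:  # CHALLENGE: TargetNameFields, flags, 8-byte ServerChallenge
        name_len, _max_len, name_off = struct.unpack_from("<HHI", raw, 12)
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["challenge"] = raw[24:32].hex()
        unicode_name = bool(info["flags"] & NTLMSSP_NEGOTIATE_UNICODE)
        name = raw[name_off:name_off + name_len]
        info["target"] = name.decode("utf-16-le" if unicode_name else "ascii")
    return info


def challenge_missing(status_line, headers):
    """True for a 407 reply with no Proxy-Authenticate header, i.e. step 4 of
    the post: the client is told to authenticate but given nothing to answer."""
    is_407 = status_line.split(" ", 2)[1] == "407"
    offered = any(h.lower().startswith("proxy-authenticate:") for h in headers)
    return is_407 and not offered


if __name__ == "__main__":
    print(parse_ntlmssp(CLIENT_TOKEN))       # type 1 NEGOTIATE from the browser
    print(parse_ntlmssp(HELPER_CHALLENGE))   # type 2 CHALLENGE, target "KSB"
    # Response headers constructed from the 407 quoted in the post.
    print(challenge_missing("HTTP/1.1 407 Proxy Authentication Required",
                            ["Server: squid/3.2.3", "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0"]))
```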