Search squid archive

Negotiate NTLM authentication broken?, 3.2.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




I've just upgraded a machine from Squid 3.2.0 to 3.2.3 and can't seem to get the Negotiate authenticator to work any more.

From the traffic, I can see:
1. The client sends an unauthenticated request
2. Squid returns a 407 with "Proxy-Authenticate: Negotiate"
3. The client resends the request with "Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
4. Squid returns a 407 with no "Proxy-Authenticate" header

Example traffic:
-----
GET http://example.com HTTP/1.1
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.2.3
Mime-Version: 1.0
Date: Fri, 07 Dec 2012 16:22:58 GMT
Content-Type: text/html
Content-Length: 3878
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from foo
X-Cache-Lookup: NONE from foo:3128
Via: 1.1 foo (squid/3.2.3)
Connection: keep-alive

-----

This does not appear to be a problem with negotiate_wrapper itself as I can see from the logs that Squid has got a challenge string from it: 2012/12/07 16:29:39.051 kid1| UserRequest.cc(170) authenticate: need to challenge client 'TlRMTVNTUAACAAAABgAGADAAAAAVgonifVf3m5EEkgIAAAAAAAAAAC4ALgA2AAAASwBTAEIAAgAGAEsAUwBCAAEACgBJAEMARQBOAEkABAAAAAMACgBpAGMAZQBuAGkAAAAAAA=='!

Everything I see in the logs indicates that Squid knows it has to send the challenge to the client, but the header never makes it into the response.

I've trimmed my configuration down to a minimum:
-----
debug_options ALL,9

auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=FOO --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/foo
auth_param negotiate children 50
auth_param negotiate keep_alive off

auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param basic children 50
auth_param basic realm Iceni Web Proxy
auth_param basic credentialsttl 2 hours

acl proxy_auth proxy_auth REQUIRED

http_access allow proxy_auth
http_access deny all

icp_access deny all
htcp_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

logformat iceni %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{User-Agent}>h"
access_log stdio:/var/log/squid/access.log iceni
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid

coredump_dir /var/spool/squid-nocache
-----

The appropriate parts of cache.log are available at: http://persephone.nexusuk.org/~steve/cache.log

--

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-844-9791439 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-844-4844916 / sip:support@xxxxxxxxxxxx


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux