Hi Amos,I tried 3.4.3 and it didn't change. I attach a access.log cache.log and a wireshark capture file. You will see the first Negotiate/NTLM authentication attempt is declined and the Negotiate/Kerberos attempt is not processed by the auth helper ( I assume because it is on the same session as I get successful authenticated when I wait a bit )
Is there a way in the dispatcher to check the auth method has changed despite being the same session ? I know it is more difficult for
Negotiate/NTLM to Negotiate/Kerberos as you need to check the token. Thank you Markus"Amos Jeffries" wrote in message news:611078a64927db3a27e7bee1924693d2@xxxxxxxxxxxxx...
On 2014-02-03 12:06, Markus Moeller wrote:
Hi, I am testing authenticating a XP machine with Kerberos, but the client tries Negotiate/NTLM first after which squid does not accept the change to Negotiate/Kerberos anymore. If you look at the wireshark log you authentication attempts at 20:44:20 for Negotiate/NTLM and at 22:44:30 the client changed to Negotiate/Kerberos, but the cache.log file does not get any request after the 20:44:20 NTLM request. I can only see the deny entries in the access.log. I use squid 3.4.1 from the repository from 24 Dec 2013. Is this an expected behavious ?
Depends. Is this renegotiation being done on the same connection as NTLM was begun? (sorry cant view the packet trace right now). Do you get the same results with 3.4.3? It could be related to the helper decoding or external ACL loops bugs fixed in 3.4.2 and 3.4.3. Amos
Attachment:
squid_2.pcapng.gz
Description: GNU Zip compressed data
2014/02/04 20:21:07| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59). 2014/02/04 20:21:07| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded length: 40). 2014/02/04 20:21:07| negotiate_wrapper: received type 1 NTLM token 2014/02/04 20:21:07| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEgASADgAAAAFgomi2qilCL+tNc0AAAAAAAAAAHQAdABKAAAABgEAAAAAAA9X AEkATgAyADAAMAAzAFIAMgACABIAVwBJAE4AMgAwADAAMwBSADIAAQAUAE8AUABFAE4AUwBVAFMA RQAxADIABAASAHMAdQBzAGUALgBoAG8AbQBlAAMAKABvAHAAZQBuAHMAdQBzAGUAMQAyAC4AcwB1 AHMAZQAuAGgAbwBtAGUAAAAAAA== ' 2014/02/04 20:21:07| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHAAAACkAKQAiAAAAAwADABIAAAAEAAQAFQAAAAMAAwAZAAAAAAAAAAs AQAABYKIogUBKAoAAAAPVwBJAE4AWABQADIAbQBhAHIAawB1AHMALQBhAFcASQBOAFgAUAAyAHVS S4C7nuJuNgDAHmZeeARLJqSkShKttNOsqLu+uWlYbBOzF8zexA4BAQAAAAAAABjYFaLmIc8BSyak pEoSrbQAAAAAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAyAAQA EgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMgAuAHMAdQBzAGUALgBo AG8AbQBlAAAAAAAAAAAA' from squid (length: 403). 2014/02/04 20:21:07| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAHAAAACkAKQAiAAAAAwADABIAAAAEAAQAFQAAAAMAAwAZAAAAAAAAAA sAQAABYKIogUBKAoAAAAPVwBJAE4AWABQADIAbQBhAHIAawB1AHMALQBhAFcASQBOAFgAUAAyAHV SS4C7nuJuNgDAHmZeeARLJqSkShKttNOsqLu+uWlYbBOzF8zexA4BAQAAAAAAABjYFaLmIc8BSya kpEoSrbQAAAAAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAyAAQ AEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMgAuAHMAdQBzAGUALgB oAG8AbQBlAAAAAAAAAAAA' (decoded length: 300). 2014/02/04 20:21:07| negotiate_wrapper: received type 3 NTLM token 2014/02/04 20:21:07| negotiate_wrapper: Return 'NA = NT_STATUS_NO_SUCH_USER
04/Feb/2014:20:21:07 +0000 0 192.168.1.5 TCP_DENIED/407 4457 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:07 +0000 2 192.168.1.5 TCP_DENIED/407 4791 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:07 +0000 4 192.168.1.5 TCP_DENIED/407 4900 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:19 +0000 0 192.168.1.5 TCP_DENIED/407 5394 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:21 +0000 1 192.168.1.5 TCP_DENIED/407 5414 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:22 +0000 2 192.168.1.5 TCP_DENIED/407 5404 GET
http://google.com/ - HIER_NONE/- text/html
04/Feb/2014:20:21:22 +0000 0 192.168.1.5 TCP_DENIED/407 4091 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
