On 25/10/2015 9:01 p.m., Amos Jeffries wrote:
> On 25/10/2015 5:47 a.m., David Touzeau wrote:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 20 startup=5 idle=3
>> auth_param ntlm keep_alive on
>> authenticate_ttl 14400 seconds
>> authenticate_cache_garbage_interval 18000 seconds
>> authenticate_ip_ttl 14400 seconds
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 10 startup=5 idle=1
>> auth_param basic realm Basic Identification
>> auth_param basic credentialsttl 4 hours
>>
>> here a debug log with an account logged as "david touzeau"
>>
>>
>> Proxy-Authorization: NTLM
>> TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
>>
>> 2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384)
>> helperStatefulDispatch: helperStatefulDispatch: Request sent to
>> ntlmauthenticator #Hlpr65, 260 bytes
>> 2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000)
>> helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from
>> ntlmauthenticator #Hlpr65
>> 2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171)
>> releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
>> 2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply:
>> Successfully validated user via NTLM. Username 'touzeau'
>>
>
> Okay. I think there is nothing we can do about it except to say you
> can't have whitespace in usernames when using the old-style helpers.
> That currently still includes ntlm_auth from Samba.
>
> It is not a new problem. The NTLM/Negotiate helper response lines have
> an optional token field before the username and the line is whitespace
> delimited. If the username has whitespace inside it, then the first part
> is parsed as being that field. It should be %-encoding the username,
> which seems not to be happening.
>
> We moved to the key=value protocol as the solution to avoid that in
> future. But it requires the helper(s) to be using the new protocol. And
> this one is not doing that either.

This is being tracked at:
<https://bugzilla.samba.org/show_bug.cgi?id=10959>

Amos
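
Added example, not part of the original message and not Squid's or Samba's code: a simplified Python model of the whitespace-delimited reply described above, showing how an unencoded space turns the first word of the username into the optional token field, and how %-encoding or a key=value reply keeps the name intact. The `AF` result code and the `token=`/`user=` keys are assumptions taken from Squid's documented helper protocols; the function names and reply lines are hypothetical and constructed.

```python
from urllib.parse import quote, unquote

def parse_legacy_af(line):
    """Whitespace-split model of an old-style 'AF [token] username' reply."""
    fields = line.split()
    if len(fields) not in (2, 3) or fields[0] != "AF":
        raise ValueError("unexpected reply: %r" % line)
    # With three fields the middle one is taken as the optional token, so a
    # username containing a space loses its first word.
    token = fields[1] if len(fields) == 3 else None
    # Assumption: the parser %-decodes the username, which is what would let
    # an encoding helper carry spaces safely.
    return {"token": token, "user": unquote(fields[-1])}

def format_kv_reply(user, token=None):
    """Build a key=value style reply with every value %-encoded."""
    pairs = []
    if token is not None:
        pairs.append("token=" + quote(token, safe=""))
    pairs.append("user=" + quote(user, safe=""))
    return "OK " + " ".join(pairs)

def parse_kv_reply(line):
    """Parse 'RESULT key=value ...'; encoded values cannot contain spaces."""
    result, *pairs = line.split()
    values = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("not a key=value pair: %r" % pair)
        values[key] = unquote(value)
    return result, values

# Constructed reply lines. The log above shows only the reply's size
# (17 bytes); RAW_REPLY plus its newline has that length.
RAW_REPLY = "AF david touzeau"
ENCODED_REPLY = "AF " + quote("david touzeau", safe="")

if __name__ == "__main__":
    print(parse_legacy_af(RAW_REPLY))      # username truncated
    print(parse_legacy_af(ENCODED_REPLY))  # username preserved
    print(parse_kv_reply(format_kv_reply("david touzeau")))
```

When ACLs or access logs depend on the exact account name, a comparison of the name Squid logs against the directory's name for the same login is a quick check for this truncation.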