Re: [Squid 4.x]: Truncated accounts when there is spaces in usernames

[David Touzeau <david@xxxxxxxxxxxxxx>]

Le 25/10/2015 09:01, Amos Jeffries a écrit :
> On 25/10/2015 5:47 a.m., David Touzeau wrote:
> > auth_param ntlm program /usr/bin/ntlm_auth  --domain=TOUZEAU.BIZ
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 20 startup=5 idle=3
> > auth_param ntlm keep_alive on
> > authenticate_ttl 14400 seconds
> > authenticate_cache_garbage_interval 18000 seconds
> > authenticate_ip_ttl 14400 seconds
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 10 startup=5 idle=1
> > auth_param basic realm Basic Identification
> > auth_param basic credentialsttl 4 hours
> >
> > here a debug log with an account logged as "david touzeau"
> >
> >
> > Proxy-Authorization: NTLM
> > TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
> >
> > 2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384)
> > helperStatefulDispatch: helperStatefulDispatch: Request sent to
> > ntlmauthenticator #Hlpr65, 260 bytes
> > 2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000)
> > helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from
> > ntlmauthenticator #Hlpr65
> > 2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171)
> > releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
> > 2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply:
> > Successfully validated user via NTLM. Username 'touzeau'
> Okay. I think there is nothing we can do about it except to say you
> can't have whitespace in usernames when using the old-style helpers.
> That currently still includes ntlm_auth from Samba.
>
> It is not a new problem. The NTLM/Negotiate helper response lines have
> an optional token field before the username and the line is whitespace
> delimited. If the username has whitespace inside it, then the first part
> is parsed as being that field. It should be %-encoding the username,
> which seems not to be happening.
>
> We moved to the key=value protocol as the solution to avoid that in
> future. But it requires the helper(s) to be using the new protocol. And
> this one is not doing that either.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

I think you are right Amos, but could you explain why in 3.2x, 3.4x 
branchs (exactly 3.4.6 ) there is no issue.
And samba was the same version...






_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users