Bug 26296 - Use negotiate-wrapper for squid3 for Kerberos/NTLM fallback.
Status: RESOLVED DUPLICATE of bug 31972
Product: UCS
Classification: Unclassified
Component: Squid
UCS 3.0
Other Linux
P5 enhancement
Assigned To: Squid maintainers
Reported: 2012-02-29 15:23 CET by Arvid Requate
Modified: 2013-08-05 15:17 CEST
Description Arvid Requate univentionstaff 2012-02-29 15:23:59 CET
As an extension to the squid_kerb_auth helper from squid3 there is the newer negotiate-wrapper http://sourceforge.net/projects/squidkerbauth/ , which offers transparent authentication for Kerberos and NTLM via the Negotiate protocol. The squid3 configuration line for it accordingly looks like this:

auth_param negotiate program /usr/sbin/negotiate_wrapper -d \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
  --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME

Note: With this, "auth_param negotiate children 10" means that 10 ntlm_auth as well as 10 squid_kerb_auth processes are running.
Comment 1 Arvid Requate univentionstaff 2012-02-29 15:39:13 CET
This is already included in the current squid3 3.2 branch, possibly even in a more recent version:

http://bazaar.launchpad.net/~squid/squid/3.2/files/head:/helpers/negotiate_auth/wrapper/



The failure pattern of squid_kerb_auth with NTLM authentication attempts is described here, for example:
http://www.squid-cache.org/mail-archive/squid-users/201104/0678.html



Later in the thread the author of the negotiate-wrapper explains a bit more, in particular that more specific problems were still being worked on in the 3.2 branch in May 2011:

On 2 May 2011 17:56, Markus Moeller <huaraz_at_moeller.plus.com> wrote: 
>  Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
> set up correctly it is the preferred option for the client, but if Kerberos
> fails for some reason the client will fall back to NTLM and reply to a
> Negotiate authentication request with an NTLM token. To deal with this
> situation I created the negotiate wrapper which sends Kerberos tokens to the
> kerberos authentication handler and NTLM token to the NTLM authentication
> handler. Unfortunately there are applications like IM clients which use
> proxies, but only support NTLM (not Negotiate). To cater for this case squid
> has to offer NTLM too. So you need:
>
> negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate
> Kerberos/NTLM
>
> and
>
> ntlm_auth for pure NTLM
>
> Squid trunk (3.2) has still a problem with the negotiate_wrapper and NTLM. I
> haven't found the reason yet.
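
The token routing described in the quoted mail above, sketched as an added example (not part of the bug report and not the negotiate_wrapper source): it decodes a Negotiate token and decides from its first bytes whether it is a raw NTLM message or a GSS-API token, which is also a quick way to spot NTLM fallback when reviewing captured proxy authentication headers. The function names and sample tokens are constructed for illustration, and treating every SPNEGO token as Kerberos is a simplifying assumption.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                        # start of every raw NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def _der_content_start(buf, pos):
    """Index of the first content byte after the DER length field at pos."""
    first = buf[pos]
    if first < 0x80:                 # short form: one length byte
        return pos + 1
    n = first & 0x7F                 # long form: n further length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return pos + 1 + n

def classify_token(b64_token):
    """Name the helper a Negotiate token belongs to: 'ntlm', 'kerberos' or 'invalid'."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return "invalid"
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"
    # GSS-API initial tokens start with ASN.1 tag 0x60, a length, then the mechanism OID.
    if len(raw) < 2 or raw[0] != 0x60:
        return "invalid"
    try:
        body = _der_content_start(raw, 1)
    except ValueError:
        return "invalid"
    # Simplification: SPNEGO is treated as Kerberos; an NTLM mechToken inside SPNEGO is not unwrapped.
    if raw.startswith((OID_SPNEGO, OID_KRB5), body):
        return "kerberos"
    return "invalid"

def constructed_samples():
    """Constructed tokens (headers only, no real credentials) for a quick check."""
    ntlm = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(8)
    krb_body = OID_KRB5 + b"\x01\x00" + bytes(8)
    krb = bytes([0x60, len(krb_body)]) + krb_body
    spnego_body = OID_SPNEGO + bytes(0x90 - len(OID_SPNEGO))
    spnego = bytes([0x60, 0x81, 0x90]) + spnego_body
    return {name: base64.b64encode(tok).decode()
            for name, tok in (("ntlm", ntlm), ("krb5", krb), ("spnego", spnego))}

if __name__ == "__main__":
    for name, token in constructed_samples().items():
        print(name, "->", classify_token(token))
```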
Comment 2 Felix Botner univentionstaff 2013-08-05 15:17:50 CEST

*** This bug has been marked as a duplicate of bug 31972 ***