Bug 44287 - squid cannot auth Kerberos/GSSNEGO anymore
squid cannot auth Kerberos/GSSNEGO anymore
Product: UCS
Classification: Unclassified
Component: Squid
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
Depends on:
Blocks: 44252
  Show dependency treegraph
Reported: 2017-04-04 15:52 CEST by Daniel Tröder
Modified: 2017-04-18 14:35 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2017-04-04 15:52:16 CEST
+++ This bug was initially created as a clone of Bug #44252 +++

The test 90_ucsschool/15_http_proxy_multi_auth_check relieved:

-------------------- /var/log/squid3/cache.log -------------------

2017/04/04 15:28:38 kid1| Starting new helpers
2017/04/04 15:28:38 kid1| helperOpenServers: Starting 1/50 'squid_ldap_ntlm_auth' processes
Traceback (most recent call last):
  File "/usr/lib/squid3/squid_ldap_ntlm_auth", line 663, in <module>
    kerbPipe = subprocess.Popen(['/usr/lib/squid3/squid_kerb_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
2017/04/04 15:28:38 kid1| WARNING: negotiateauthenticator #Hlpr0 exited
2017/04/04 15:28:38 kid1| Too few negotiateauthenticator processes are running (need 1/50)


/usr/lib/squid3/squid_kerb_auth doesn't exist anymore in Jessie.

It looks like this might fix it, but untested against real clients (only curl-test in ucs-test):

----------- /usr/lib/squid3/squid_ldap_ntlm_auth -----------
< 		kerbPipe = subprocess.Popen(['/usr/lib/squid3/squid_kerb_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
> 		kerbPipe = subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
Comment 1 Daniel Tröder univentionstaff 2017-04-05 11:27:42 CEST
Please reenable test ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/15_http_proxy_multi_auth_check once this has been fixed.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-04-09 22:15:20 CEST
The suggested patch has been applied.

r78700 | Bug #44287: switch to new kerberos auth helper

univention-squid (10.0.0-9):
r78700 | Bug #44287: switch to new kerberos auth helper

Package: univention-squid
Version: 10.0.0-9A~
Branch: ucs_4.2-0
Scope: errata4.2-0

(In reply to Daniel Tröder from comment #1)
> Please reenable test
> ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/
> 15_http_proxy_multi_auth_check once this has been fixed.

Please do it in QA. Currently it will fail since the UCS errata scope is not included in jenkins runs (please do not enable it!).

A manual test run on a UCS 4.2-0 slave with UCS@school has been successful.
Comment 3 Daniel Tröder univentionstaff 2017-04-10 10:11:51 CEST
OK: code
OK: advisory (r78704: added build number)
OK: manual test of basic auth:

$ export http_proxy=

$ wget http://nossl.net/
2017-04-10 09:06:24 FEHLER 407: Proxy Authentication Required.

$ wget --proxy-user=student1 --proxy-password=falsch http://nossl.net/
2017-04-10 09:06:39 FEHLER 407: Proxy Authentication Required.

$ wget --proxy-user=student1 --proxy-password=univention http://nossl.net/
Proxy-Anforderung gesendet, warte auf Antwort... 301 Moved Permanently
Wiederverwendung der bestehenden Verbindung zu
Proxy-Anforderung gesendet, warte auf Antwort... 200 OK

OK: manual test of kerberos auth:

$ ucr set "squid/krb5auth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm --debug" "squid/ntlmauth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --debug"

$ vi /usr/lib/squid3/squid_ldap_ntlm_auth
--- /usr/lib/squid3/squid_ldap_ntlm_auth.ori	2017-04-10 09:44:28.326403006 +0200
+++ /usr/lib/squid3/squid_ldap_ntlm_auth	2017-04-10 09:37:11.557531503 +0200
@@ -660,6 +660,7 @@
 	# open pipe to squid_kerb_auth for kerberos stuff
 	kerbPipe = None
 	if options.gssSpnego:
+		debug("*** negotiate_kerberos_auth ***")
 		kerbPipe = subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
 	while True:

$ systemctl restart squid3.service

* boot Win7 joined to server
* configure proxy settings manually to use
* open page in IE
* grep -c '*** negotiate_kerberos_auth ***' /tmp/squid-ntlm-auth.log 
→ 9

* automatic test: 90_ucsschool/15_http_proxy_multi_auth_check
→ "Test passed"
Comment 4 Janek Walkenhorst univentionstaff 2017-04-12 15:44:36 CEST