Univention Bugzilla – Bug 44287
squid cannot auth Kerberos/GSSNEGO anymore
Last modified: 2017-04-18 14:35:50 CEST
+++ This bug was initially created as a clone of Bug #44252 +++ The test 90_ucsschool/15_http_proxy_multi_auth_check relieved: -------------------- /var/log/squid3/cache.log ------------------- 2017/04/04 15:28:38 kid1| Starting new helpers 2017/04/04 15:28:38 kid1| helperOpenServers: Starting 1/50 'squid_ldap_ntlm_auth' processes Traceback (most recent call last): File "/usr/lib/squid3/squid_ldap_ntlm_auth", line 663, in <module> kerbPipe = subprocess.Popen(['/usr/lib/squid3/squid_kerb_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) File "/usr/lib/python2.7/subprocess.py", line 710, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child raise child_exception OSError: [Errno 2] No such file or directory 2017/04/04 15:28:38 kid1| WARNING: negotiateauthenticator #Hlpr0 exited 2017/04/04 15:28:38 kid1| Too few negotiateauthenticator processes are running (need 1/50) ----------------------------------------------------------------- /usr/lib/squid3/squid_kerb_auth doesn't exist anymore in Jessie. It looks like this might fix it, but untested against real clients (only curl-test in ucs-test): ----------- /usr/lib/squid3/squid_ldap_ntlm_auth ----------- 663c663 < kerbPipe = subprocess.Popen(['/usr/lib/squid3/squid_kerb_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) --- > kerbPipe = subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
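Review bot: the replacement line 663 still passes a hard-coded helper path to subprocess.Popen with no error handling, so a missing binary ends in the same uncaught OSError ([Errno 2]) shown in the cache.log traceback above, and squid only reports that the negotiateauthenticator helper exited. Consider catching OSError around the Popen call and logging the path that failed, or checking that the helper exists before starting, so that a future rename of the helper is diagnosed from the log message rather than from a traceback. The report also states the change was tested only with the curl test in ucs-test, so a check against a real Kerberos client is still needed.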
Please reenable test ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/15_http_proxy_multi_auth_check once this has been fixed.
The suggested patch has been applied.

univention-squid.yaml:
r78700 | Bug #44287: switch to new kerberos auth helper

univention-squid (10.0.0-9):
r78700 | Bug #44287: switch to new kerberos auth helper

Package: univention-squid
Version: 10.0.0-9A~4.2.0.201704092148
Branch: ucs_4.2-0
Scope: errata4.2-0

(In reply to Daniel Tröder from comment #1)
> Please reenable test
> ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/
> 15_http_proxy_multi_auth_check once this has been fixed.

Please do it in QA. Currently it will fail since the UCS errata scope is not included in jenkins runs (please do not enable it!).

A manual test run on a UCS 4.2-0 slave with UCS@school has been successful.
OK: code OK: advisory (r78704: added build number) OK: manual test of basic auth: $ export http_proxy=http://10.200.3.130:3128/ $ wget http://nossl.net/ 2017-04-10 09:06:24 FEHLER 407: Proxy Authentication Required. $ wget --proxy-user=student1 --proxy-password=falsch http://nossl.net/ 2017-04-10 09:06:39 FEHLER 407: Proxy Authentication Required. $ wget --proxy-user=student1 --proxy-password=univention http://nossl.net/ Proxy-Anforderung gesendet, warte auf Antwort... 301 Moved Permanently Wiederverwendung der bestehenden Verbindung zu 10.200.3.130:3128. Proxy-Anforderung gesendet, warte auf Antwort... 200 OK OK: manual test of kerberos auth: $ ucr set "squid/krb5auth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm --debug" "squid/ntlmauth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --debug" $ vi /usr/lib/squid3/squid_ldap_ntlm_auth ========================================================================== --- /usr/lib/squid3/squid_ldap_ntlm_auth.ori 2017-04-10 09:44:28.326403006 +0200 +++ /usr/lib/squid3/squid_ldap_ntlm_auth 2017-04-10 09:37:11.557531503 +0200 @@ -660,6 +660,7 @@ # open pipe to squid_kerb_auth for kerberos stuff kerbPipe = None if options.gssSpnego: + debug("*** negotiate_kerberos_auth ***") kerbPipe = subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) while True: ========================================================================== $ systemctl restart squid3.service * boot Win7 joined to server * configure proxy settings manually to use http://10.200.3.130:3128/ * open page in IE * grep -c '*** negotiate_kerberos_auth ***' /tmp/squid-ntlm-auth.log → 9 * automatic test: 90_ucsschool/15_http_proxy_multi_auth_check → "Test passed"
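Review bot: the context comment at the top of the hunk, "# open pipe to squid_kerb_auth for kerberos stuff", still names the old helper although the Popen call below it now starts /usr/lib/squid3/negotiate_kerberos_auth; update the comment so it matches the code. The added debug("*** negotiate_kerberos_auth ***") line is a test marker for counting invocations in /tmp/squid-ntlm-auth.log; if it is kept beyond this QA run, a message that states the helper path being started would be more useful than a fixed banner.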
<http://errata.software-univention.de/ucs/4.2/1.html>