Univention Bugzilla – Full Text Bug Listing
Summary: | add gss-spnego (kerberos) support to squid_ldap_ntlm_auth | ||
---|---|---|---|
Product: | UCS | Reporter: | Felix Botner <botner> |
Component: | Squid | Assignee: | Felix Botner <botner> |
Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
Severity: | enhancement | ||
Priority: | P5 | CC: | gohmann, jmm, schwardt |
Version: | UCS 3.1 | ||
Target Milestone: | UCS 3.1-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=43732 | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 31905, 31972, 31995, 32029 |
Description
Felix Botner
2013-07-12 15:25:13 CEST
Added negotiate support to squid_ldap_ntlm_auth. squid_ldap_ntlm_auth is now also a negotiate wrapper for kerberos (with /usr/lib/squid3/squid_kerb_auth as backend) and ntlm over negotiate. In negotiate mode squid_ldap_ntlm_auth starts /usr/lib/squid3/squid_kerb_auth and redirects negotiate krb5 authentication tickets to squid_kerb_auth.

negotiate is still not activated by default and negotiate krb5 works only in a samba4 environment (-> Bug #31968).

The default auth negotiate tool for squid is now "/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm". To revert to the old config, "ucr set squid/krb5auth/tool=/usr/lib/squid3/squid_kerb_auth" can be used.

Here is my test matrix.

Win7 proxy settings:
- FQDN for proxy server -> negotiate kerberos
- IP for proxy server -> negotiate ntlm

UCS 3.1-1 with samba4 and squid server with negotiate, ntlm and basic authentication activated.

ok - works
nu - not used
pp - password prompt

| | ntlm | negotiate krb5 | negotiate ntlm |
|---|---|---|---|
| winxp (domain user) | ok | nu | nu |
| winxp (local user) | ok (pp) | nu | nu |
| win7 (domain user) | nu | ok | ok |
| win7 (local user) | ok (pp) | nu | nu |
| UCC | ok (pp) | ok | nu |
| ipad | ok (pp) | nu | nu |
| asus tablet | ok (pp) | nu | nu |

QA:

| | ntlm | negotiate krb5 | negotiate ntlm |
|---|---|---|---|
| winxp (domain user) | ok | nu | nu |
| winxp (local user) | ok (pp) | nu | nu |
| win7 (domain user) | *OK* | ok | ok |
| win7 (local user) | ok (pp) | nu | nu |
| UCC | ok (pp) | ok | nu |
| ipad | ok (pp) | nu | nu |
| asus tablet | ok (pp) | nu | nu |

- Generally the same results, addition: win7 works with pure ntlm, too
- If a local user was used on winxp and win7 which is known in the domain, there is not even a password prompt
- ipad: username and password can be entered in the settings dialog, so that one will never be asked for them again

--> OK

FAIL: ucrv description (2x [de])
[squid/krb5auth/tool]
Description[de]=Programm für die Squid negotiate Authentifizierung
Description[de]=Squid negotiate authentication tool
> FAIL: ucrv description (2x [de])
> [squid/krb5auth/tool]
> Description[de]=Programm für die Squid negotiate Authentifizierung
> Description[de]=Squid negotiate authentication tool
fixed in 6.0.8-4.198.201307241606, modified yaml file
Bugfix: OK
YAML: OK
-> Verified

One addition to the change in the win7 ntlm-only test: Win7 client, not joined: If a local user has the same credentials as a domain user in which squid runs, this user is not prompted for a password to use squid, the local credentials are passed on. In the same scenario, if the local credentials are not present for an account in the domain, the user is asked for valid credentials.
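The description at the top of this bug explains the job of the new negotiate mode: squid_ldap_ntlm_auth receives a Negotiate token from Squid, has to tell a Kerberos token (to be handed to squid_kerb_auth) apart from NTLM carried over SPNEGO, and with --gss-spnego-strip-realm returns the principal without its realm. The Python below is an added example written for this page, not the squid_ldap_ntlm_auth source or any Univention code. It classifies a token from its GSS-API/SPNEGO DER framing and decides which backend a wrapper would dispatch it to; it assumes the Squid 3 negotiate helper line format (`YR <base64>` for a new request, `KK <base64>` for a continuation) and all tokens it handles are constructed test data, not captures. It covers both the negotiate-kerberos and negotiate-ntlm columns of the test matrix, which is why the Win7 FQDN-vs-IP difference in the matrix shows up here as the first mechType the client offers.

```python
"""Classify Negotiate tokens the way a Squid negotiate wrapper has to before
choosing a backend.  Added example for this bug page; not project code.
Assumed helper protocol: 'YR <base64 token>' / 'KK <base64 token>' lines."""
import base64

# DER-encoded OIDs of the mechanisms seen in Negotiate (well-known values).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # raw NTLMSSP message prefix


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """DER-encode a tag/length/value (used only to build constructed test tokens)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_token(token):
    """Return 'ntlm', 'kerberos', 'negotiate-resp' or 'unknown' for a raw token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                       # raw NTLMSSP, no GSS framing at all
    if not token or token[0] != 0x60:
        return "unknown"                    # not a GSS-API InitialContextToken
    _, body, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return "unknown"
    if oid in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"                   # Kerberos GSS token without SPNEGO
    if oid != OID_SPNEGO:
        return "unknown"
    tag, neg, _ = _read_tlv(body, pos)
    if tag == 0xA1:
        return "negotiate-resp"             # negTokenResp: mech was fixed in round 1
    if tag != 0xA0:
        return "unknown"
    # negTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    cur = neg
    for expected in (0x30, 0xA0, 0x30):
        tag, cur, _ = _read_tlv(cur, 0)
        if tag != expected:
            return "unknown"
    tag, first_mech, _ = _read_tlv(cur, 0)  # client's preferred mechanism
    if tag != 0x06:
        return "unknown"
    if first_mech == OID_NTLMSSP:
        return "ntlm"
    if first_mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    return "unknown"


def strip_realm(principal):
    """What a strip-realm option does to an authenticated name: 'user@REALM' -> 'user'."""
    return principal.rsplit("@", 1)[0]


def encode_helper_line(verb, token):
    """Build a helper-protocol line as Squid would send it (assumed format)."""
    return f"{verb} {base64.b64encode(token).decode('ascii')}"


def route_helper_line(line):
    """Decide which backend a wrapper hands the line to; return (backend, kind)."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return ("reject", "bad-helper-line")
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return ("reject", "bad-base64")
    kind = classify_token(token)
    if kind == "kerberos":
        return ("squid_kerb_auth", kind)    # hypothetical backend name from the page
    if kind == "ntlm":
        return ("ntlm-backend", kind)       # hypothetical label for the NTLM path
    if kind == "negotiate-resp":
        return ("previous-backend", kind)   # must reuse the round-1 choice per connection
    return ("reject", kind)


def make_spnego_init(first_mech, mech_token=b""):
    """Constructed SPNEGO negTokenInit with one mechType (test data, not a capture)."""
    fields = _tlv(0xA0, _tlv(0x30, _tlv(0x06, first_mech)))
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, fields)))


def make_spnego_resp():
    """Constructed empty SPNEGO negTokenResp (test data, not a capture)."""
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA1, _tlv(0x30, b"")))


def make_raw_krb5():
    """Constructed GSS-framed Kerberos token with placeholder AP-REQ bytes."""
    return _tlv(0x60, _tlv(0x06, OID_KRB5) + b"\x01\x00" + b"<AP-REQ placeholder>")
```

Each helper line from Squid is decoded, the DER framing is walked only far enough to find the mechanism OID, and the wrapper picks the backend from that. A continuation token (negTokenResp) carries no mechanism, so a real wrapper has to remember per connection which backend it chose in round one; the example returns "previous-backend" to make that state requirement visible rather than guessing.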