Univention Bugzilla – Full Text Bug Listing

| Summary: | Squid ntlm auth failed after user changed password in client | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Tobias Birkefeld <birkefeld> |
| Component: | Squid | Assignee: | Daniel Tröder <troeder> |
| Status: | CLOSED FIXED | QA Contact: | Sönke Schwardt-Krummrich <schwardt> |
| Severity: | normal | | |
| Priority: | P5 | CC: | ebersbach, gohmann, grandjean, najjar, petersen, schwardt, troeder |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 4.1-4-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
| User Pain: | 0.206 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2016070421000714, 2014102021000379 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 34491, 35432 | | |
Description
Tobias Birkefeld
2014-02-27 12:28:31 CET
(In reply to Tobias Birkefeld from comment #0)
> If a user changes his password (in a Windows session), the proxy always shows
> the auth window, but the new password mismatches. The old password is accepted.
> I think the cache in /usr/lib/squid3/squid_ldap_ntlm_auth line 305 is the
> problem. A Windows logout/login doesn't solve the problem, only a restart of
> squid resolves it.

Looks like you are correct. The default timeout for the cache is 1 hour. So after changing the password, a proxy authentication via NTLM may fail for up to 1 hour.

> # auth ntlm in squid.conf
> auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth

Workaround: reduce cache timeout to 60 seconds:

    ucr set squid/ntlmauth/tool="/usr/lib/squid3/squid_ldap_ntlm_auth -c 60"

Reported via #2014102021000379

This affects all UCS@school environments that use the proxy.

Please re-enable the skipped script "17_http_proxy_auth_after_passwd_reset_check" created for bug #34491 after fixing this bug.

Reported via Ticket#2016070421000714
Affects a further customer with a UCS@school environment.

r75735: reduce NTLM password cache timeout from 1h to 1m, advisory

Package: univention-squid
Version: 9.0.2-4.238.201701130842
Branch: ucs_4.1-0
Scope: errata4.1-4

r75737: merge to 4.2

r75850: password cache lifetime can now be set by UCRV squid/ntlmauth/cache/timeout
r75851: merge to 4.2

Package: univention-squid
Version: 9.0.2-5.239.201701171054
Branch: ucs_4.1-0
Scope: errata4.1-4

r76649 | Bug #34206: added missing package version in YAML

OK: code change 4.1-4
OK: code change 4.2-0
??: functional test
FIXED: YAML for UCS 4.1-4

OK: functional test

Console 1:

    while /bin/sleep 0.1 ; do \
      ~/bin/toolshed/test_proxy -s 10.200.18.63 -n -u foobar -p univention5 ; done

Console 2:

    udm users/user modify \
      --dn uid=foobar,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local \
      --set password=univention6

→ measure time after password modification until test_proxy returns an error
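
The behaviour discussed in this report, modelled as an added example (not code from the bug report or from Univention's squid_ldap_ntlm_auth): a verifier that caches each user's stored hash for a fixed lifetime keeps accepting the old password and rejecting the new one until the entry expires. `CachedVerifier`, `digest` and `stale_window` are hypothetical names, SHA-256 stands in for the NT hash, and the account data is constructed from the functional test above.

```python
import hashlib
import hmac
import time


def digest(password):
    # Stand-in for the stored NT hash; SHA-256 keeps the sketch stdlib-only (assumption).
    return hashlib.sha256(password.encode("utf-8")).digest()


class CachedVerifier:
    """Hypothetical auth helper: caches each user's stored hash for `ttl` seconds."""

    def __init__(self, lookup, ttl, clock=time.monotonic):
        self.lookup = lookup      # callable: user -> current hash in the directory
        self.ttl = ttl
        self.clock = clock        # injectable so the demo needs no real waiting
        self.cache = {}           # user -> (hash, time fetched)

    def _stored_hash(self, user):
        now = self.clock()
        entry = self.cache.get(user)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]       # may be stale if the password changed meanwhile
        fresh = self.lookup(user)
        self.cache[user] = (fresh, now)
        return fresh

    def verify(self, user, password):
        return hmac.compare_digest(self._stored_hash(user), digest(password))


def stale_window(ttl, step=10, horizon=4000):
    """Seconds after a password change until the new password is first accepted."""
    directory = {"foobar": digest("univention5")}   # constructed sample account
    now = [0]
    verifier = CachedVerifier(directory.__getitem__, ttl, clock=lambda: now[0])
    verifier.verify("foobar", "univention5")        # proxy login warms the cache at t=0
    directory["foobar"] = digest("univention6")     # password changed right afterwards
    for t in range(0, horizon + 1, step):
        now[0] = t
        if verifier.verify("foobar", "univention6"):
            return t
    return None


if __name__ == "__main__":
    for ttl in (3600, 60):   # cache lifetimes named in this report: 1h and 1m
        print(f"ttl={ttl}s -> new password accepted after {stale_window(ttl)}s")
```

The cache lifetime is also the length of time a changed (possibly compromised) old password continues to authenticate at the proxy, so it bounds the exposure as well as the usability problem.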