Univention Bugzilla – Full Text Bug Listing |
Summary: | squid cannot auth Kerberos/GSSNEGO anymore | ||
---|---|---|---|
Product: | UCS | Reporter: | Daniel Tröder <troeder> |
Component: | Squid | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
Severity: | normal | ||
Priority: | P5 | CC: | best, schwardt |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.2-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
User Pain: | 0.286 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 44252 |
Description
Daniel Tröder
2017-04-04 15:52:16 CEST
Please reenable test ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/15_http_proxy_multi_auth_check once this has been fixed.

The suggested patch has been applied.

univention-squid.yaml:
r78700 | Bug #44287: switch to new kerberos auth helper

univention-squid (10.0.0-9):
r78700 | Bug #44287: switch to new kerberos auth helper

Package: univention-squid
Version: 10.0.0-9A~4.2.0.201704092148
Branch: ucs_4.2-0
Scope: errata4.2-0

(In reply to Daniel Tröder from comment #1)
> Please reenable test
> ucs-school-4.2/ucs-test-ucsschool/90_ucsschool/
> 15_http_proxy_multi_auth_check once this has been fixed.

Please do it in QA. Currently it will fail since the UCS errata scope is not included in jenkins runs (please do not enable it!). A manual test run on a UCS 4.2-0 slave with UCS@school has been successful.

OK: code
OK: advisory (r78704: added build number)
OK: manual test of basic auth:

$ export http_proxy=http://10.200.3.130:3128/
$ wget http://nossl.net/
2017-04-10 09:06:24 FEHLER 407: Proxy Authentication Required.
$ wget --proxy-user=student1 --proxy-password=falsch http://nossl.net/
2017-04-10 09:06:39 FEHLER 407: Proxy Authentication Required.
$ wget --proxy-user=student1 --proxy-password=univention http://nossl.net/
Proxy-Anforderung gesendet, warte auf Antwort... 301 Moved Permanently
Wiederverwendung der bestehenden Verbindung zu 10.200.3.130:3128.
Proxy-Anforderung gesendet, warte auf Antwort... 200 OK

OK: manual test of kerberos auth:

$ ucr set "squid/krb5auth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm --debug" "squid/ntlmauth/tool=/usr/lib/squid3/squid_ldap_ntlm_auth --debug"
$ vi /usr/lib/squid3/squid_ldap_ntlm_auth
==========================================================================
--- /usr/lib/squid3/squid_ldap_ntlm_auth.ori 2017-04-10 09:44:28.326403006 +0200 +++ /usr/lib/squid3/squid_ldap_ntlm_auth 2017-04-10 09:37:11.557531503 +0200
@@ -660,6 +660,7 @@ # open pipe to squid_kerb_auth for kerberos stuff kerbPipe = None if options.gssSpnego: + debug("*** negotiate_kerberos_auth ***") kerbPipe = subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) while True: ========================================================================== $ systemctl restart squid3.service * boot Win7 joined to server * configure proxy settings manually to use http://10.200.3.130:3128/ * open page in IE * grep -c '*** negotiate_kerberos_auth ***' /tmp/squid-ntlm-auth.log → 9 * automatic test: 90_ucsschool/15_http_proxy_multi_auth_check → "Test passed" |
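Review bot: The added debug("*** negotiate_kerberos_auth ***") call sits before the subprocess.Popen(['/usr/lib/squid3/negotiate_kerberos_auth'], ...) line, so the marker only records that the options.gssSpnego branch was entered, not that the helper was actually started; a missing or non-executable helper binary would leave the same marker in the log before Popen raises. Moving the debug call to after the Popen line and including kerbPipe.pid in the message would make the grep count in /tmp/squid-ntlm-auth.log evidence that the helper was spawned. The unchanged context comment still reads "# open pipe to squid_kerb_auth for kerberos stuff" while the code launches negotiate_kerberos_auth, so the comment should be updated to name the helper that is really used.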