Bug 34206 - Squid ntlm auth failed after user changed password in client
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Squid
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Daniel Tröder
QA Contact: Sönke Schwardt-Krummrich
Depends on:
Blocks: 34491 35432
Reported: 2014-02-27 12:28 CET by Tobias Birkefeld
Modified: 2017-02-15 14:57 CET (History)
CC: 7 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016070421000714, 2014102021000379
Bug group (optional):
Max CVSS v3 score:

Description Tobias Birkefeld univentionstaff 2014-02-27 12:28:31 CET
If a user changes his password (in a Windows session), the proxy always shows the auth window, but the new password mismatches. The old password is accepted.
I think the cache in /usr/lib/squid3/squid_ldap_ntlm_auth line 305 is the problem. A Windows logout/login doesn't solve the problem, only a restart of squid resolves it.

# auth ntlm in squid.conf
auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth
auth_param ntlm children 50
auth_param ntlm keep_alive off
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-04-01 11:59:58 CEST
(In reply to Tobias Birkefeld from comment #0)
> If a user changes his password (in a Windows session), the proxy always shows
> the auth window, but the new password mismatches. The old password is accepted.
> I think the cache in /usr/lib/squid3/squid_ldap_ntlm_auth line 305 is the
> problem. A Windows logout/login doesn't solve the problem, only a restart of
> squid resolves it.

Looks like you are correct. The default timeout for the cache is 1 hour. So after changing the password, a proxy authentication via NTLM may fail for up to 1 hour.
 
> # auth ntlm in squid.conf
> auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth

Workaround:
reduce cache timeout to 60 seconds:
  ucr set squid/ntlmauth/tool="/usr/lib/squid3/squid_ldap_ntlm_auth -c 60"
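As an added illustration of the failure mode described in this comment (example code, not the bug report's or univention-squid's own), a minimal model of an auth helper that answers from its credential cache until `timeout` seconds have passed. The Directory class, CachingAuthHelper and after_password_change are hypothetical names; the example assumes the cache holds a digest of the last verified password, and the user name and passwords are constructed sample values.

```python
import hashlib
import hmac


class Directory:
    """Stand-in for the LDAP backend (hypothetical): holds the current password."""

    def __init__(self):
        self.passwords = {}

    def set_password(self, user, password):
        self.passwords[user] = password

    def check(self, user, password):
        return hmac.compare_digest(self.passwords.get(user, ""), password)


class CachingAuthHelper:
    """Hypothetical helper: a successful check is cached for `timeout` seconds."""

    def __init__(self, directory, timeout):
        self.directory = directory
        self.timeout = timeout
        self.cache = {}  # user -> (sha256 of verified password, time verified)

    def authenticate(self, user, password, now):
        digest = hashlib.sha256(password.encode()).hexdigest()
        entry = self.cache.get(user)
        if entry is not None:
            cached_digest, verified_at = entry
            if now - verified_at < self.timeout:
                # Cache hit: the backend is not consulted, so a password that
                # changed in the directory is neither accepted nor noticed.
                return hmac.compare_digest(cached_digest, digest)
            del self.cache[user]  # expired: fall through to the backend
        ok = self.directory.check(user, password)
        if ok:
            self.cache[user] = (digest, now)
        return ok


def after_password_change(timeout, elapsed):
    """(old password accepted?, new password accepted?) `elapsed` seconds after a change."""
    directory = Directory()
    directory.set_password("foobar", "univention5")  # constructed sample user
    helper = CachingAuthHelper(directory, timeout)
    if not helper.authenticate("foobar", "univention5", now=0):
        raise RuntimeError("initial login must succeed and populate the cache")
    directory.set_password("foobar", "univention6")  # like 'udm users/user modify'
    return (helper.authenticate("foobar", "univention5", now=elapsed),
            helper.authenticate("foobar", "univention6", now=elapsed))
```

With the 1-hour default the old password keeps working and the new one is rejected for the whole hour; with `-c 60` the same stale window closes after a minute.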
Comment 2 Tim Petersen univentionstaff 2014-10-28 07:16:55 CET
Reported via #2014102021000379
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2014-12-15 09:22:05 CET
This affects all UCS@school environments that use the proxy.
Comment 4 Ammar Najjar univentionstaff 2014-12-15 10:18:15 CET
Please re-enable the skipped script "17_http_proxy_auth_after_passwd_reset_check" created for bug #34491 after fixing this bug.
Comment 5 Michael Grandjean univentionstaff 2016-07-04 14:00:31 CEST
Reported via Ticket#2016070421000714
Comment 6 Tobias Birkefeld univentionstaff 2017-01-12 16:39:12 CET
Affects a further customer with a UCS@school environment.
Comment 7 Daniel Tröder univentionstaff 2017-01-13 08:44:00 CET
r75735: reduce NTLM password cache timeout from 1h to 1m, advisory

Package: univention-squid
Version: 9.0.2-4.238.201701130842
Branch: ucs_4.1-0
Scope: errata4.1-4
Comment 8 Daniel Tröder univentionstaff 2017-01-13 10:11:53 CET
r75737: merge to 4.2
Comment 9 Daniel Tröder univentionstaff 2017-01-17 10:57:05 CET
r75850: password cache lifetime can now be set by UCRV squid/ntlmauth/cache/timeout
r75851: merge to 4.2

Package: univention-squid
Version: 9.0.2-5.239.201701171054
Branch: ucs_4.1-0
Scope: errata4.1-4
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2017-02-14 14:59:38 CET
r76649 | Bug #34206: added missing package version in YAML

OK: code change 4.1-4
OK: code change 4.2-0
??: functional test
FIXED: YAML for UCS 4.1-4
Comment 11 Sönke Schwardt-Krummrich univentionstaff 2017-02-14 22:11:33 CET
OK: functional test

Console 1:
while /bin/sleep 0.1 ; do \
  ~/bin/toolshed/test_proxy -s 10.200.18.63 -n -u foobar -p univention5 ; done

Console 2:
udm users/user modify \
   --dn uid=foobar,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local \
   --set password=univention6

→ measure time after password modification until test_proxy returns an error
Comment 12 Janek Walkenhorst univentionstaff 2017-02-15 14:57:42 CET
<http://errata.software-univention.de/ucs/4.1/396.html>