Univention Bugzilla – Bug 34206
Squid NTLM auth fails after user changes password on client
Last modified: 2017-02-15 14:57:42 CET
If a user changes his password (in a Windows session), the proxy always shows the auth window, but the new password does not match. The old password is accepted. I think the cache in /usr/lib/squid3/squid_ldap_ntlm_auth line 305 is the problem. A Windows logout/login doesn't solve the problem; only a restart of squid resolves it.

# auth ntlm in squid.conf
auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth
auth_param ntlm children 50
auth_param ntlm keep_alive off
(In reply to Tobias Birkefeld from comment #0)
> If a user changes his password (in a Windows session), the proxy always shows
> the auth window, but the new password does not match. The old password is accepted.
> I think the cache in /usr/lib/squid3/squid_ldap_ntlm_auth line 305 is the
> problem. A Windows logout/login doesn't solve the problem; only a restart of
> squid resolves it.

Looks like you are correct. The default timeout for the cache is 1 hour. So after changing the password, a proxy authentication via NTLM may fail for up to 1 hour.

> # auth ntlm in squid.conf
> auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth

Workaround: reduce the cache timeout to 60 seconds:

ucr set squid/ntlmauth/tool="/usr/lib/squid3/squid_ldap_ntlm_auth -c 60"
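The window that comment 1 describes, as an added illustration (not the code of squid_ldap_ntlm_auth and not what the erratum shipped): a helper that caches a per-user verifier fetched from the directory for a TTL, so a password change stays invisible until the entry expires. The directory, the clock, the test user and the plain-string "verifier" (standing in for whatever the real helper compares the NTLM response against) are constructed for the example; `refetch_on_mismatch` is an alternative mitigation shown for comparison, not a UCS option.

```python
"""Model of a per-user credential cache in front of a directory lookup.

Added illustration for this bug report; it is not the helper's code. The
directory, clock and verifier strings are constructed for the example.
"""
from typing import Dict, Optional, Tuple


class FakeClock:
    """Deterministic clock so the TTL can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class Directory:
    """Stand-in for the LDAP directory: username -> current verifier."""
    def __init__(self, verifiers: Dict[str, str]) -> None:
        self._v = dict(verifiers)
        self.lookups = 0  # how often the helper actually went to the backend

    def lookup(self, user: str) -> Optional[str]:
        self.lookups += 1
        return self._v.get(user)

    def set_password(self, user: str, verifier: str) -> None:
        self._v[user] = verifier


class CachingAuthHelper:
    """Verifies a credential against a per-user verifier that is cached for
    `ttl` seconds after being fetched from the directory.

    refetch_on_mismatch=False models the reported behaviour: a password change
    is not seen until the cache entry expires (1 h by default, 60 s with -c 60).
    refetch_on_mismatch=True is an alternative (hypothetical, not a UCS option)
    that goes back to the directory once when the supplied credential does not
    match the cached verifier.
    """
    def __init__(self, directory: Directory, ttl: float, clock: FakeClock,
                 refetch_on_mismatch: bool = False) -> None:
        self.directory = directory
        self.ttl = ttl
        self.clock = clock
        self.refetch_on_mismatch = refetch_on_mismatch
        self._cache: Dict[str, Tuple[str, float]] = {}  # user -> (verifier, expires_at)

    def _verifier(self, user: str, force: bool = False) -> Optional[str]:
        now = self.clock.now()
        entry = self._cache.get(user)
        if entry is not None and now < entry[1] and not force:
            return entry[0]  # served from cache, directory not consulted
        verifier = self.directory.lookup(user)
        if verifier is None:
            self._cache.pop(user, None)
        else:
            self._cache[user] = (verifier, now + self.ttl)
        return verifier

    def authenticate(self, user: str, credential: str) -> bool:
        verifier = self._verifier(user)
        if verifier is not None and credential == verifier:
            return True
        if verifier is not None and self.refetch_on_mismatch:
            # One extra directory lookup per mismatch, the same cost as the
            # uncached path; a wrong password does not evict the entry.
            return credential == self._verifier(user, force=True)
        return False


def password_change_window(ttl: float, refetch_on_mismatch: bool = False) -> Dict[str, bool]:
    """Reproduce the report: prime the cache, change the password, then try the
    old and the new credential immediately and again once the TTL has elapsed."""
    clock = FakeClock()
    directory = Directory({"foobar": "univention5"})  # constructed test user
    helper = CachingAuthHelper(directory, ttl, clock, refetch_on_mismatch)
    helper.authenticate("foobar", "univention5")  # fills the cache entry
    directory.set_password("foobar", "univention6")  # like the udm modify step
    result = {
        "old_pw_accepted_immediately": helper.authenticate("foobar", "univention5"),
        "new_pw_accepted_immediately": helper.authenticate("foobar", "univention6"),
    }
    clock.advance(ttl)  # entry expires exactly at now + ttl
    result["new_pw_accepted_after_ttl"] = helper.authenticate("foobar", "univention6")
    result["old_pw_accepted_after_ttl"] = helper.authenticate("foobar", "univention5")
    return result
```

With the default TTL the model shows both symptoms from comment 0 (old password still accepted, new one rejected) until the entry expires; lowering the TTL only shortens that window. The refetch variant removes the "new password rejected" symptom at once, but the old password is still accepted from cache until the next mismatch or expiry, so a TTL bound remains the only thing that limits how long a changed or reset password stays usable at the proxy.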
Reported via #2014102021000379
This affects all UCS@school environments that use the proxy.
Please re-enable the skipped script "17_http_proxy_auth_after_passwd_reset_check" created for bug #34491 after fixing this bug.
Reported via Ticket#2016070421000714
Affects another customer with a UCS@school environment.
r75735: reduce NTLM password cache timeout from 1h to 1m, advisory

Package: univention-squid
Version: 9.0.2-4.238.201701130842
Branch: ucs_4.1-0
Scope: errata4.1-4
r75737: merge to 4.2
r75850: password cache lifetime can now be set by UCRV squid/ntlmauth/cache/timeout
r75851: merge to 4.2

Package: univention-squid
Version: 9.0.2-5.239.201701171054
Branch: ucs_4.1-0
Scope: errata4.1-4
r76649 | Bug #34206: added missing package version in YAML

OK: code change 4.1-4
OK: code change 4.2-0
??: functional test
FIXED: YAML for UCS 4.1-4
OK: functional test

Console 1:
  while /bin/sleep 0.1 ; do \
    ~/bin/toolshed/test_proxy -s 10.200.18.63 -n -u foobar -p univention5 ; done

Console 2:
  udm users/user modify \
    --dn uid=foobar,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local \
    --set password=univention6

→ measure the time from the password modification until test_proxy returns an error
<http://errata.software-univention.de/ucs/4.1/396.html>