Univention Bugzilla – Bug 47425
squid/krb5auth/keepalive has no effect / is inconsistent
Last modified: 2018-08-29 12:49:43 CEST
Created attachment 9614
squid.conf_keepalive.diff
Setting 'squid/krb5auth/keepalive' to 'no' has no effect, as the squid config value 'auth_param negotiate keep_alive' isn't actively set to off but rather the line is just removed, which applies the default value ('on'). (UCR template /etc/squid/squid.cfg, line 86-87)
This creates three inconsistencies:
- The UCR value doesn't function like value 'squid/ntlmauth/keepalive', while they both have the same role and the same documentation/description on UCR and Squid side
- The UCR value description says that it's possible to unset the variable / set it to off/no/false, which isn't
- The UCR value just offers two states of the mentioned squid parameter, which are 'on' and 'on' by default.
This can easily be resolved by adding 'else' if lines to the 'git/ucs/services/univention-squid/conffiles/etc/squid/squid.conf' template file.
Patch available.
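A consistency check for the drift described in the report above, as an added example that is not part of the original report or of univention-squid: it compares what the two keepalive UCR variables ask for with the value squid applies from the rendered config. The set of "false" spellings, the last-directive-wins rule, the helper names and the sample config (including its placeholder helper paths) are assumptions made for illustration.

```python
import re

# Assumption: spellings that count as "disabled" for a UCR boolean.
UCR_FALSE = {"no", "false", "0", "off", "disable", "disabled"}
SQUID_DEFAULT = "on"  # per the report: an absent keep_alive line means 'on'

SCHEMES = {  # UCR variable -> squid auth scheme
    "squid/krb5auth/keepalive": "negotiate",
    "squid/ntlmauth/keepalive": "ntlm",
}

def effective_keep_alive(conf_text, scheme):
    """Return the keep_alive value squid would apply for an auth scheme."""
    value = SQUID_DEFAULT
    pattern = re.compile(
        r"^\s*auth_param\s+%s\s+keep_alive\s+(on|off)\b" % re.escape(scheme))
    for line in conf_text.splitlines():
        m = pattern.match(line)  # commented-out lines start with '#', no match
        if m:
            value = m.group(1)   # assumed: a later directive overrides earlier
    return value

def find_mismatches(ucr, conf_text):
    """List (variable, wanted, actual) where UCR intent and config differ."""
    mismatches = []
    for var, scheme in SCHEMES.items():
        if var not in ucr:
            continue  # unset variable: nothing to compare
        wanted = "off" if ucr[var].strip().lower() in UCR_FALSE else "on"
        actual = effective_keep_alive(conf_text, scheme)
        if wanted != actual:
            mismatches.append((var, wanted, actual))
    return mismatches

# Constructed sample: the negotiate keep_alive line was dropped by the
# template, the ntlm one was written out. Helper paths are placeholders.
SAMPLE_CONF = """\
auth_param negotiate program /path/to/negotiate_helper
auth_param negotiate children 10
auth_param ntlm program /path/to/ntlm_helper
auth_param ntlm keep_alive off
"""
SAMPLE_UCR = {"squid/krb5auth/keepalive": "no", "squid/ntlmauth/keepalive": "no"}

if __name__ == "__main__":
    for var, wanted, actual in find_mismatches(SAMPLE_UCR, SAMPLE_CONF):
        print("%s: UCR asks for %s, squid applies %s" % (var, wanted, actual))
```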
The description for squid/krb5auth/keepalive and squid/ntlmauth/keepalive should be changed as well. AFAIK the description is wrong. With "keep_alive = off" squid closes the TCP connection after telling a client that he needs to use authentication. This can be used to ensure that browsers only ask once for domain credentials. (In case a local user account is used on a machine, the browser asks for domain credentials.)
univention-squid.yaml
599ca406e870 | Bug #47425: YAML
univention-squid (11.0.0-14)
862811a75769 | Bug #47425: fixed ucr variable squid/krb5auth/keepalive
Successful build
Package: univention-squid
Version: 11.0.0-14A~4.3.0.201808141401
Branch: ucs_4.3-0
Scope: errata4.3-1
I applied the patch provided by Hendrik. I did not alter the descriptions of the variables, as they are in line with the official documentation (http://docs.software-univention.de/manual-4.3.html#proxy:userauth).
As discussed, please update the docu and the ucr variable description. Something like:
'''
Try set this variable to no if you experience problems with unjoined systems or local user accounts.
'''
I updated the docs and the variable description
univention-squid (11.0.0-15)
8d98d77c1670 | Bug #47425: Merge branch 'jahlers/47425-squid-keepalive' into 4.3-1
335316f2ffb2 | Bug #47425: enhance documentation/ucr description of ucr variables squid/krb5auth/keepalive and squid/ntlmauth/keepalive
univention-squid.yaml
74f0517c16db | Bug #47425: yaml
599ca406e870 | Bug #47425: YAML
univention-squid (11.0.0-14)
862811a75769 | Bug #47425: fixed ucr variable squid/krb5auth/keepalive
Successful build
Package: univention-squid
Version: 11.0.0-15A~4.3.0.201808241706
Branch: ucs_4.3-0
Scope: errata4.3-1
I changed the ucr variable description and manual to avoid "unjoined". I had a test from a previous product test which I checked in for easier testing in the future (43_proxy/08_http_proxy_krb5_auth_check).
[4.3-1 71324789c1] Bug #47425: Change ucr variable description
[4.3-1 242616dd82] Bug #47425: changelog
[4.3-1 61934cddca] Bug #47425: yaml
[4.3-1 aa1109c82b] Bug #47425: Change ucr variable description2
[4.3-1 7cefd5a356] Bug #47425: Add 43_proxy/08_http_proxy_krb5_auth_check (skipped)
[4.3-1 56bcc33cc7] Bug #47425: yaml
<http://errata.software-univention.de/ucs/4.3/225.html>