Re: SPNEGO seems to work on Windows !!!

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Sun, 16 Oct 2005 21:30:23 +0200

Hi Henrik,

At 21.00 16/10/2005, Henrik Nordstrom wrote:

>On Sun, 16 Oct 2005, Serassio Guido wrote:
>
>>Using Kerberos, only the blob provided from the client (should be
>>the Service Token) is needed, so the communication between Squid
>>and the helper must be only YR ==> AF.
>
>Very odd.. there is supposed to be a significantly longer exchange..

Exactly what I'm expecting too .... :-(

>Are you running the browser locally on the same machine? In the past
>I have found Windows SPNEGO (even SPNEGO over HTTP) to behave very
>different on local connections than network connections to remote
>servers, and in such situations using neither NTLM or Kerberos
>GSSAPI but instead some very lightweight "local user" authentication
>model using just a single client->server packet like you describe.

No, two different machines, and with two different logged in users.
I know the "Local Call" problem, I have handled it in the NTLM native helper.
For this reason I have done some testing with different machines/users.

I haven't tried running the browser and Squid on the same machine;
I will do a test before Friday.

The interesting thing is that using Microsoft ISA Server 2004
configured for Negotiate, the packet flow is the same.

This could be related to an Active Directory accounts property called
"Kerberos preauthentication". It will be very interesting to see what
happens using Samba. This is another test that I will do before Friday.

>In any event the Negotiate patch doesn't really care how many steps
>there is. Anywhere from 1 to N steps is fine, or as many as the
>negotiated authentication system requires to finish the handshake.

The sequence YR ==> AF seems to work fine, the Squid uptime is now 6 hours.
But during a failed test, I got a never-ending sequence of KK ==> TT,
and it seems to me that something is wrong here: after the second KK
==> TT, I got the following error:

2005/10/15 21:17:18| helperStatefulHandleRead: unexpected read from
negotiateauthenticator #1, 41 bytes
2005/10/15 21:17:18| helperStatefulHandleRead: unexpected read from
negotiateauthenticator #1, 41 bytes
2005/10/15 21:17:18| helperStatefulHandleRead: unexpected read from
negotiateauthenticator #1, 41 bytes
2005/10/15 21:17:18| helperStatefulHandleRead: unexpected read from
negotiateauthenticator #1, 32 bytes

>Reading Microsoft documentation. It says there will be 1-N
>exchanges taking place until the GSSAPI context is complete. It is
>possible the first message is sufficient in some cases, but not always.

Yes, I have read this documentation (too !!!) many times before having
a running helper.
I have rearranged my code for a non-fixed token exchange; it should
work in the worst case (I hope ....).

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sun Oct 16 2005 - 13:31:11 MDT
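As an added illustration of the non-fixed token exchange discussed in this thread (example code, not Guido's helper and not Squid's own): a minimal stateful Negotiate helper loop that keeps one GSSAPI context per handshake and answers every YR/KK line with exactly one TT, AF, NA or BH line, since a helper that writes more than one reply per request, while Squid has nothing outstanding to it, is one way to get the "unexpected read" messages quoted above. The GSSAPI context is a constructed mock that completes after N rounds; the NA/BH codes and the "AF blob user" reply layout are assumed from the Squid helper protocol and should be checked against the Squid version in use.

```python
import base64
from dataclasses import dataclass

@dataclass
class MockContext:
    """Stand-in for a GSSAPI acceptor context (constructed); completes after rounds_needed tokens."""
    rounds_needed: int
    reject: bool = False                   # fail the final round instead of accepting
    principal: str = "user@EXAMPLE.COM"    # constructed sample identity
    rounds_seen: int = 0

    def step(self, client_token: bytes):
        # one round: returns (server_token, context_complete, accepted)
        self.rounds_seen += 1
        complete = self.rounds_seen >= self.rounds_needed
        return b"srv%d" % self.rounds_seen, complete, not (complete and self.reject)

class NegotiateHelper:
    """Stateful helper: one request line in, exactly one reply line out."""
    def __init__(self, make_context):
        self.make_context = make_context
        self.ctx = None

    def handle(self, line: str) -> str:
        parts = line.rstrip("\n").split(" ", 1)
        if parts[0] == "YR":
            self.ctx = self.make_context()     # YR always starts a fresh handshake
        elif parts[0] != "KK" or self.ctx is None:
            self.ctx = None
            return "BH unexpected %s" % parts[0]   # KK without YR, or unknown command
        if len(parts) < 2:
            return "BH missing token"
        try:
            token = base64.b64decode(parts[1], validate=True)
        except ValueError:
            return "BH token is not valid base64"
        server_token, complete, accepted = self.ctx.step(token)
        blob = base64.b64encode(server_token).decode("ascii")
        if not complete:
            return "TT %s" % blob              # more rounds needed: Squid sends KK next
        principal, self.ctx = self.ctx.principal, None   # handshake finished either way
        return "AF %s %s" % (blob, principal) if accepted else "NA %s access denied" % blob

def run_exchange(rounds_needed: int, reject: bool = False):   # returns reply codes in order
    helper = NegotiateHelper(lambda: MockContext(rounds_needed, reject))
    tok = base64.b64encode(b"client-token").decode("ascii")   # constructed client blob
    replies = [helper.handle("YR " + tok)]
    while replies[-1].startswith("TT"):
        replies.append(helper.handle("KK " + tok))
    return [r.split(" ", 1)[0] for r in replies]
```

The single-round case reproduces the YR ==> AF flow seen against the Windows client, while a context that wants three rounds gives YR ==> TT, KK ==> TT, KK ==> AF without the helper ever emitting two lines for one request.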
