Re: New external_acl helper squid_kerb_ldap

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 11 Mar 2011 22:12:49 -0000

I think I identified my problem. The negotiate helper requires a blob in an
AF or NA response. I now add a dummy blob.

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:ild3k6$d8s$1_at_dough.gmane.org...
> Hi Amos,
>
> Could you let me know what are valid responses from the negotiate helper
> compared to ntlm helper? It seems I have to translate them.
>
> Thank you
> Markus
>
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:ilcv9m$kra$1_at_dough.gmane.org...
>> Hi Amos,
>>
>> When I use my wrapper I had to modify the samba ntlm_auth helper to
>> return another AF string. I run 3.0.STABLE25 and
>> /usr/bin/ntlm_auth -V
>> Version 3.5.4-2489-SUSE-SL11.3
>>
>>
>> FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response
>> ***, 'AF WIN2003R2\administrator'
>>
>> Would it be possible that the Negotiate reply handler accepts both
>> formats ? I used
>>
>> auth_param negotiate program /usr/sbin/negotiate_wrapper -d --ntlm
>> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
>> /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME
>>
>>
>> Thank you
>> Markus
>>
>>
>> 2011/03/10 22:44:34| negotiate_wrapper: Got 'YR
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid
>> (length: 59).
>> 2011/03/10 22:44:34| negotiate_wrapper: Decode
>> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded
>> length: 40).
>> 2011/03/10 22:44:34| negotiate_wrapper: received type 1 NTLM token
>> 2011/03/10 22:44:34| negotiate_wrapper: Got 'KK
>> TlRMTVNTUAADAAAAGAAYAIAAAAAYABgAmAAAABIAEgBIAAAAGgAaAFoAAAAMAAwAdAAAAAAAAACwAAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwAAAAAAAAAAAAAAAAAAAABFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE='
>> from squid (length: 239).
>> 2011/03/10 22:44:34| negotiate_wrapper: Decode
>> 'TlRMTVNTUAADAAAAGAAYAIAAAAAYABgAmAAAABIAEgBIAAAAGgAaAFoAAAAMAAwAdAAAAAAAAACwAAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwAAAAAAAAAAAAAAAAAAAABFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE='
>> (decoded length: 176).
>> 2011/03/10 22:44:34| negotiate_wrapper: received type 3 NTLM token
>> 2011/03/10 22:44:35| storeDirWriteCleanLogs: Starting...
>> 2011/03/10 22:44:35| WARNING: Closing open FD 25
>> 2011/03/10 22:44:35| Finished. Wrote 2747 entries.
>> 2011/03/10 22:44:35| Took 0.00 seconds (1852326.37 entries/sec).
>> FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response
>> ***, 'AF WIN2003R2\administrator'
>>
>> Squid Cache (Version 3.0.STABLE25): Terminated abnormally.
>> CPU Usage: 0.225 seconds = 0.017 user + 0.208 sys
>> Maximum Resident Size: 39392 KB
>> Page faults with physical i/o: 0
>> Memory usage for squid via mallinfo():
>> total space in arena: 3244 KB
>> Ordinary blocks: 3163 KB 7 blks
>> Small blocks: 0 KB 0 blks
>> Holding blocks: 3664 KB 13 blks
>> Free Small blocks: 0 KB
>> Free Ordinary blocks: 80 KB
>> Total in use: 6827 KB 210%
>> Total free: 80 KB 2%
>> 2011/03/10 22:44:38| Starting Squid Cache version 3.0.STABLE25 for
>> i686-suse-linux-gnu...
>>
>>
>>
>> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
>> news:4C651EB3.6020604_at_treenet.co.nz...
>>> Markus Moeller wrote:
>>>>
>>>> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
>>>> news:4C5187D2.5010203_at_treenet.co.nz...
>>>>> Markus Moeller wrote:
>>>>>> Hi Amos,
>>>>
>>>> Hi Amos
>>>>
>>>>>>
>>>>>> How does your time look like now ?
>>>>>>
>>>>>> Regards
>>>>>> Markus
>>>>>>
>>>>>
>>>>> Looks passable. I have not had time for a detailed view of the logics.
>>>>> I'll commit this tomorrow with a name tweak, the naming scheme has
>>>>> been through the external acl helpers too now. I'll just tack ext_ on
>>>>> the front and _acl on the back of the existing binary name and update
>>>>> the docs to match.
>>>>>
>>>>> One thing that worries me still is the RUN_IFELSE autoconf macros
>>>>> still being added to configure.in. I'm sure there is a macro that
>>>>> checked for defined values of things inside headers without running
>>>>> stuff. If you can try and find that it would be great not to have to
>>>>> run anything on build.
>>>>>
>>>>
>>>> I have 4 RUN_IFELSE.
>>>>
>>>> The first is to check that ldap works with the provided
>>>> libraries. Is that unusual? Any other suggestion how to check?
>>>
>>> Um, okay. That's reasonable on build. Duplicating at run-time may also be
>>> useful since the particular run-time libraries are not always the ones
>>> built against.
>>>
>>>> The other three are to determine the LDAP vendor, which is a define
>>>> statement in one of the ldap header files and as it is a string in a
>>>> define I can not use any header grep nor preprocessor checks ( at least
>>>> I do not know of any).
>>>
>>> Nasty. Oh well.
>>>
>>>
>>> Okay. Have applied to Squid-3.HEAD with the extra ext_*_acl bits on the
>>> binary name and docs for the current naming style.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE9 or 3.1.6
>>> Beta testers wanted for 3.2.0.1
>>>
>>
>>
>>
>
>
>

Received on Fri Mar 11 2011 - 22:13:13 MST
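
The reply translation described in the top message, as an added example that is not code from the post, from negotiate_wrapper or from the Squid project. Assumptions: the function name translate_ntlm_reply, the DUMMY_BLOB value, and the layout "AF <blob> <user>" / "NA <blob> <reason>" (the post only says a blob is required in AF and NA replies).

```c
#include <stdio.h>
#include <string.h>

/* Placeholder token (assumption): the post does not say which dummy value is used. */
#define DUMMY_BLOB "="

/*
 * Rewrite one NTLM-helper reply line into the shape the Negotiate handler expects:
 *   "AF <user>"   -> "AF <blob> <user>"
 *   "NA <reason>" -> "NA <blob> <reason>"
 * Any other reply is copied through unchanged, minus the line ending.
 * Returns 0 on success, -1 on bad arguments or if the result does not fit.
 */
int translate_ntlm_reply(const char *in, char *out, size_t outlen)
{
    size_t len;
    int n;

    if (in == NULL || out == NULL || outlen == 0)
        return -1;

    len = strcspn(in, "\r\n");          /* length without the line ending */

    if (len > 3 && (strncmp(in, "AF ", 3) == 0 || strncmp(in, "NA ", 3) == 0))
        n = snprintf(out, outlen, "%.2s %s %.*s",
                     in, DUMMY_BLOB, (int)(len - 3), in + 3);
    else
        n = snprintf(out, outlen, "%.*s", (int)len, in);

    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                  /* never pass on a truncated user name */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample replies; the AF line is the one in the FATAL message above. */
    const char *samples[] = { "AF WIN2003R2\\administrator\n", "NA logon failure\n",
                              "TT TlRMTVNTUAAC\n", "BH internal error\n" };
    char out[256];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (translate_ntlm_reply(samples[i], out, sizeof(out)) == 0)
            printf("%s\n", out);
    return 0;
}
```

Failing closed on truncation matters here because the text after AF becomes the authenticated user name in Squid.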
