Re: NA - token = fatalf

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 13 Feb 2013 14:41:22 +1300

On 13/02/2013 11:33 a.m., Henrik Nordström wrote:
> On Tue, 2013-02-12 at 14:41 -0700, Alex Rousskov wrote:
>> Hello,
>> Could somebody with better authentication and helper knowledge clarify
>> whether the token field is indeed required for Negotiate ERR and NA
>> responses? If not, can we just remove the above quoted fatalf() blob and
>> make the following line conditional on the token presence?
> Squid-2 negotiate expects
>
> NA<SPACE>blob<SPACE>message<NEWLINE>
>
> but does not require any of them to be present. It accepts
>
> NA<SPACE><NEWLINE>
>
> as valid response.
>
> NTLM is slightly different and does not expect a blob. Simply
>
> NA<SPACE>message<NEWLINE>
>
> where message may be blank.
>
> Regards
> Henrik
>

Squid-3 should be identical. The token is required for Authenticate-Info
to supply the client with keytab identification in the response headers. A
missing token= on the Negotiate response normally indicates that an NTLM
helper has been wrongly configured on the Negotiate auth interface.
Markus' negotiate_wrapper helper presents a dummy token when mapping
NTLM responses to Squid.

Yes you can remove these fatal() if you want, but it needs to result in
authentication failure and squid.conf ERROR messages if you do so. The
code for triggering all that side-effect is in the BrokenHelper use case
which might need to become a separate error handling method. This also
goes for the other identical fatal("Unsupported helper response") in
Negotiate auth which would be worth removing in the same way.

Amos
Received on Wed Feb 13 2013 - 01:41:29 MST
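
The NA response formats described in the quoted reply, with a missing Negotiate token handled as an authentication failure rather than a fatal error, as an added example (not Squid source code and not written by anyone in this thread). The names `parseNa`, `classify`, `NaReply` and the `Outcome` values are hypothetical, accepting a bare `NA` with no trailing space is an assumption, and the sample lines are constructed.

```cpp
// Added illustration, not Squid source. All names here are hypothetical.
#include <iostream>
#include <string>

enum class Scheme { Negotiate, Ntlm };
enum class Outcome { Denied, DeniedLogError, BrokenHelper };

struct NaReply {
    bool wellFormed = false;  // "NA" followed by SPACE (or end of line: assumption)
    bool hasToken = false;    // Negotiate only: a non-empty blob was present
    std::string token, message;
};

// Parse "NA<SPACE>blob<SPACE>message" (Negotiate) or "NA<SPACE>message" (NTLM).
NaReply parseNa(Scheme scheme, std::string line) {
    NaReply r;
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r'))
        line.pop_back();
    if (line.compare(0, 2, "NA") != 0 || (line.size() > 2 && line[2] != ' '))
        return r;  // some other response code
    r.wellFormed = true;
    const std::string rest = line.size() > 3 ? line.substr(3) : "";
    if (scheme == Scheme::Ntlm) {  // no blob expected, message may be blank
        r.message = rest;
        return r;
    }
    const std::string::size_type sp = rest.find(' ');
    r.token = rest.substr(0, sp);
    r.hasToken = !r.token.empty();
    if (sp != std::string::npos)
        r.message = rest.substr(sp + 1);
    return r;
}

// Missing Negotiate token: fail the authentication and flag it for an ERROR
// log line instead of aborting the process.
Outcome classify(Scheme scheme, const NaReply &r) {
    if (!r.wellFormed) return Outcome::BrokenHelper;
    if (scheme == Scheme::Negotiate && !r.hasToken) return Outcome::DeniedLogError;
    return Outcome::Denied;
}

int main() {
    const NaReply r = parseNa(Scheme::Negotiate, "NA \n");  // constructed sample
    std::cout << (classify(Scheme::Negotiate, r) == Outcome::DeniedLogError) << "\n";
}
```
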
