Re: NA - token = fatalf

On 02/12/2013 06:41 PM, Amos Jeffries wrote:
> On 13/02/2013 11:33 a.m., Henrik Nordström wrote:
>> tis 2013-02-12 klockan 14:41 -0700 skrev Alex Rousskov:
>>> Hello,
>>> Could somebody with better authentication and helper knowledge clarify
>>> whether the token field is indeed required for Nagotiate ERR and NA
>>> responses? If not, can we just remove the above quoted fatalf() blob and
>>> make the following line conditional on the token presence?
>> Squid-2 negotiate expects
>>
>> NA<SPACE>blob<SPACE>message<NEWLINE>
>>
>> but do not require any of them to be present. It accepts
>>
>> NA<SPACE><NEWLINE>
>>
>> as valid response.
>>
>> NTLM is slightly different and do not expect a blob. Simply
>>
>> NA<SPACE>message<NEWLINE>
>>
>> where message may be blank.
>>
>> Regards
>> Henrik
>>
>
> Squid-3 should be identical. The token is required for Authenticate-Info
> to supply client with keytab identification in the reponse headers.

Can you clarify (for those who do not know enough about authentication)
whether the token is required only if the admin wants some optional
functionality to work? Like some optional header to be sent by Squid to
the user? Or is it required for the error page to be reliably displayed
to the authenticating user at all?

My understanding is that the admin does not want authentication to
continue in this NA/ERR case.

> A
> missing token= on the Negotiate response normally indicates that an NTLM
> helper has been wrongly configured on the Negotiate auth interface.
> Markus' negotiate_wrapper helper presents a dummy token when mapping
> NTLM responses to Squid.

I do not know whether this particular helper is misconfigured. And I
cannot tell by reading the wiki page (for the reasons discussed
earlier). I believe the helper works OK otherwise. In the NA case, the
helper returns something like NA NT_STATUS_NO_SUCH_USER *\n
Is that a valid NA response?

If the token is required for NA/ERR responses, then the helper is broken
because it does not send one. If the token is not required, then Squid
is broken because it requires one. Henrik says the token is not required
[in Squid2].

> Yes you can remove these fatal() if you want, but it needs to result in
> authentication failure

Will removal of fatal(), as in the posted patch, result in
authentication failure? I assume it will, but, again, I am not an
authentication expert.

> and squid.conf ERROR messages if you do so.

Do you mean squid.cache ERROR message? At level 1? Does that imply that
token is required? I doubt the admin would want tons of ERROR messages
in the cache.log so they would probably have to fix their helper
instead. But we should not force them to fix the helper if there is
nothing wrong with it.

> The
> code for triggering all that side-effect is in the BrokenHelper use case
> which might need to become a separate error handling method. This also
> goes for the other identical fatal("Unsupported helper response") in
> Negotiate auth which would be worth removing in the same way.

Tthis seems to imply that the helper is broken because the token should
be required in all NA/ERR responses. Is that correct?

Thank you,

Alex.
Received on Wed Feb 13 2013 - 02:00:44 MST