[squid-users] Re: Re: Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 24 Sep 2010 18:00:12 +0100

>"Aleksandar Ciric" <aciric79_at_yahoo.com> wrote in message
>news:371632.45483.qm_at_web114211.mail.gq1.yahoo.com...
>ok, I will add timers to correlate log events with wireshark output, all
>machines sync to AD NTP.
>
>According to this, situation is clear (if one can say so).
>
>If I acknowledge the pass prompt fast 3x in a row (that is 3 GETs get
>sent), I get all 3x(DEBUG: Got / Decode / AF) lines in the cache.log that
>very moment and an OK for the last GET.

That is what I don't understand. Why is it the third, not the second?

>In the second test, with a pause after 2 acks, on the first 2 acks of the pass
>prompt (each dispatches a GET request with a valid kerb token) I get no
>reaction in the log ... so I waited about 10 secs for the 3rd ack, did it and
>got all 3x(DEBUG: Got / Decode / AF) lines at the same time according to the log.
>
>Unlike the situation detailed below where I only got one (DEBUG: Got /
>Decode / AF).
>
>The point is that the 3rd GET seems to trigger processing the auth
>momentarily; any less won't do. The time doesn't seem to matter.
>
>When the same desktop client (I tried several just to make sure) is logged in
>with a valid domain username, none of this happens. After the 1st 407 it goes
>through TGS-REQ/TGS-REP and sends a GET with GSSAPI (doesn't even try NTLM)
>and receives OK.
>
>I don't know how to resolve this or what to troubleshoot further (besides
>scrapping the Gentoo machine and trying with CentOS or Ubuntu server).
>
>desktop_wireshark:
>12:58:24.377414 1. GET google
>12:58:24.379208 2. 407, Proxy-Authenticate: Negotiate\r\n
>12:58:24.404808 3. GET google, Proxy-Authorization: Negotiate <token>,
>NTLMSSP

For the above, squid_kerb_auth won't return an AF; it should be a BH with an
error message.

>12:58:24.406647 4. 407, Proxy-Authenticate: Negotiate\r\n (no token)
>5. Ack. the pass prompt
>12:58:36.936887-943069 6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
>server)
>12:58:37.033969 7. GET google, Proxy-Authorization: Negotiate <token>,
>GSS-API (SPNEGO)
>12:58:37.036221 8. 407, Proxy-Authenticate: Negotiate\r\n (no token)

The above should not happen. squid should authenticate the user at this
point. Can you attach the logfile?

>9. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays
>filled in)
>12:58:43.258456-263817 10. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
>server)
>12:58:43.264872 11. GET google, Proxy-Authorization: Negotiate <token>,
>GSS-API (SPNEGO)
>12:58:43.267059 12. 407, Proxy-Authenticate: Negotiate\r\n (no token)
>13. Ack. the pass prompt again after ~5 sec pause (same user/pass, it stays
>filled in)
>12:58:50.390082-395554 14. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD
>server)
>12:58:50.396739 15. GET google, Proxy-Authorization: Negotiate <token>,
>GSS-API (SPNEGO)
>12:58:50 DEBUG: Got / Decode / AF (squid cache log)
>12:58:50.575546 16. 200 OK, Proxy-Authentication-Info: Negotiate (token)
>
>P.S.
>I used a pause because I lack microseconds in squid cache.log
>
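Added example, not part of this thread and not Squid's helper code: a small Python classifier for the token a client puts in "Proxy-Authorization: Negotiate ...". It tells apart the cases visible in the trace above, a raw NTLMSSP blob (step 3), SPNEGO wrapping NTLMSSP (what a workstation without a domain login typically sends), SPNEGO wrapping a Kerberos token (steps 7, 11 and 15) and a bare Kerberos GSS token, which is the first decision a Kerberos-only helper such as squid_kerb_auth has to make: only Kerberos material can ever lead to AF, and an NTLM token gets BH with an error message, as the reply above notes. The sample tokens are constructed with the DER builder at the bottom of the block, not captured from a real client, and the verdict strings are this example's own, not the helper's exact wording. Feeding it the base64 from a real capture or cache.log is the quickest way to check which mechanism a given GET actually carried.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism
OID_KRB5 = "1.2.840.113554.1.2.2"       # Kerberos V5 GSS-API mechanism
OID_MS_KRB5 = "1.2.840.48018.1.2.2"     # Microsoft Kerberos variant
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP carried inside SPNEGO
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents, e.g. 2b 06 01 05 05 02 -> 1.3.6.1.5.5.2."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _spnego_mech_types(buf, pos):
    """List mechTypes of a NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID ... }."""
    mechs = []
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = _read_tlv(buf, pos)
        if tag != expected:
            return mechs
    while pos < end:                      # walk the SEQUENCE OF OID
        tag, start, stop = _read_tlv(buf, pos)
        if tag == 0x06:
            mechs.append(_decode_oid(buf[start:stop]))
        pos = stop
    return mechs


def classify_negotiate_token(b64_token):
    """Return (mechanism, mechTypes) for one base64 Negotiate token."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):    # raw NTLM, no GSS framing at all
        return "NTLM", [OID_NTLMSSP]
    try:
        tag, pos, _ = _read_tlv(raw, 0)
        if tag != 0x60:                   # [APPLICATION 0] InitialContextToken
            return "unknown", []
        tag, start, stop = _read_tlv(raw, pos)
        if tag != 0x06:
            return "unknown", []
        mech = _decode_oid(raw[start:stop])
        if mech in KERBEROS_OIDS:
            return "KRB5", [mech]
        if mech != OID_SPNEGO:
            return "unknown", [mech]
        mechs = _spnego_mech_types(raw, stop)
        # The first mechType is the one whose token is carried in mechToken.
        if mechs and mechs[0] in KERBEROS_OIDS:
            return "SPNEGO-KRB5", mechs
        if mechs and mechs[0] == OID_NTLMSSP:
            return "SPNEGO-NTLM", mechs
        return "SPNEGO-other", mechs
    except ValueError:
        return "malformed", []


def helper_verdict(header_value):
    """First decision of a Kerberos-only helper for a Proxy-Authorization value (own wording)."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Negotiate":
        return "BH unsupported scheme"
    kind, _ = classify_negotiate_token(token.strip())
    if kind in ("KRB5", "SPNEGO-KRB5"):
        return "verify-kerberos"          # hand to GSS-API; AF/NA is decided there
    if kind in ("NTLM", "SPNEGO-NTLM"):
        return "BH NTLM token, Kerberos helper cannot process it"
    return "BH cannot parse token (%s)" % kind


# Constructed sample tokens (DER built by hand, not captured from a client).
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def build_spnego_init(mech_oids, mech_token):
    """Minimal NegTokenInit with the given mechTypes and mechToken."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types + _tlv(0xA2, _tlv(0x04, mech_token))))
    return _tlv(0x60, _tlv(0x06, _encode_oid(OID_SPNEGO)) + neg_init)


NTLM_BYTES = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 22   # NEGOTIATE_MESSAGE shape only
KRB_BYTES = _tlv(0x60, _tlv(0x06, _encode_oid(OID_KRB5)) + b"\x01\x00" + b"\x00" * 8)
_b64 = lambda b: "Negotiate " + base64.b64encode(b).decode()
SAMPLES = {
    "non-domain login": _b64(build_spnego_init([OID_NTLMSSP], NTLM_BYTES)),
    "domain login": _b64(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], KRB_BYTES)),
    "raw kerberos": _b64(KRB_BYTES),
    "raw ntlm": _b64(NTLM_BYTES),
    "truncated": _b64(b"\x60\x05\x06\x09\x2a"),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print("%-16s -> %s" % (label, helper_verdict(header)))
```

The classifier only looks at framing and OIDs; it never verifies a ticket, so "verify-kerberos" means the token is at least of the right kind to be handed to GSS-API, which is the point where a real AF or NA is produced.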
Received on Fri Sep 24 2010 - 17:00:32 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 24 2010 - 12:00:03 MDT