[squid-users] Negotiate NTLM authentication broken?, 3.2.3

From: Steve Hill <steve_at_opendium.com>
Date: Fri, 07 Dec 2012 16:46:08 +0000

I've just upgraded a machine from Squid 3.2.0 to 3.2.3 and can't seem to
get the Negotiate authenticator to work any more.

From the traffic, I can see:
1. The client sends an unauthenticated request
2. Squid returns a 407 with "Proxy-Authenticate: Negotiate"
3. The client resends the request with "Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
4. Squid returns a 407 with no "Proxy-Authenticate" header

Example traffic:
-----
GET http://example.com HTTP/1.1
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.2.3
Mime-Version: 1.0
Date: Fri, 07 Dec 2012 16:22:58 GMT
Content-Type: text/html
Content-Length: 3878
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from foo
X-Cache-Lookup: NONE from foo:3128
Via: 1.1 foo (squid/3.2.3)
Connection: keep-alive

-----

This does not appear to be a problem with negotiate_wrapper itself as I
can see from the logs that Squid has got a challenge string from it:
2012/12/07 16:29:39.051 kid1| UserRequest.cc(170) authenticate: need to challenge client 'TlRMTVNTUAACAAAABgAGADAAAAAVgonifVf3m5EEkgIAAAAAAAAAAC4ALgA2AAAASwBTAEIAAgAGAEsAUwBCAAEACgBJAEMARQBOAEkABAAAAAMACgBpAGMAZQBuAGkAAAAAAA=='!

Everything I see in the logs indicates that Squid knows it has to send
the challenge to the client, but the header never makes it into the
response.

I've trimmed my configuration down to a minimum:
-----
debug_options ALL,9

auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=FOO --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/foo
auth_param negotiate children 50
auth_param negotiate keep_alive off

auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param basic children 50
auth_param basic realm Iceni Web Proxy
auth_param basic credentialsttl 2 hours

acl proxy_auth proxy_auth REQUIRED

http_access allow proxy_auth
http_access deny all

icp_access deny all
htcp_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

logformat iceni %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{User-Agent}>h"
access_log stdio:/var/log/squid/access.log iceni
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid

coredump_dir /var/spool/squid-nocache
-----

The appropriate parts of cache.log are available at:
http://persephone.nexusuk.org/~steve/cache.log

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messenger: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
Received on Fri Dec 07 2012 - 16:46:16 MST
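Added example, not from Steve's post or from Squid itself: a small Python checker that decodes the two NTLMSSP blobs quoted above, confirming that the client's "Negotiate" token is actually a raw NTLMSSP Type 1 (not SPNEGO) and that the helper's string is a Type 2 challenge with its target name and AV pairs, and that flags a 407 which carries no Proxy-Authenticate header, which is the symptom in the post. The 407 text is an abridged copy of the one in the post; nothing else is assumed.

```python
import base64
import struct

# Tokens quoted in the post: the client's NTLMSSP Type 1 and the helper's Type 2 challenge.
CLIENT_TYPE1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
HELPER_TYPE2 = ("TlRMTVNTUAACAAAABgAGADAAAAAVgonifVf3m5EEkgIAAAAAAAAAAC4ALgA2AAAASwBT"
                "AEIAAgAGAEsAUwBCAAEACgBJAEMARQBOAEkABAAAAAMACgBpAGMAZQBuAGkAAAAAAA==")
# Abridged copy of the 407 shown in the post (headers unrelated to auth dropped).
SQUID_407 = ("HTTP/1.1 407 Proxy Authentication Required\n"
             "Server: squid/3.2.3\nVia: 1.1 foo (squid/3.2.3)\nConnection: keep-alive\n")
SIGNATURE = b"NTLMSSP\x00"

def parse_av_pairs(blob):
    """Walk the Type 2 TargetInfo AV_PAIR list up to the MsvAvEOL (id 0) terminator."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return pairs

def parse_ntlmssp(token_b64):
    """Decode a base64 NTLMSSP message; raise ValueError if it is not NTLMSSP at all
    (a real SPNEGO/Kerberos token starts with DER 0x60, not "NTLMSSP\\0")."""
    raw = base64.b64decode(token_b64)
    if not raw.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP blob")
    msg_type, = struct.unpack_from("<I", raw, 8)
    info = {"type": msg_type}
    if msg_type == 1:                         # NEGOTIATE_MESSAGE from the client
        info["flags"], = struct.unpack_from("<I", raw, 12)
        if len(raw) >= 40:                    # optional VERSION field
            info["version"] = struct.unpack_from("<BBH", raw, 32)   # (major, minor, build)
    elif msg_type == 2:                       # CHALLENGE_MESSAGE from the helper
        tn_len, _, tn_off = struct.unpack_from("<HHI", raw, 12)
        info["flags"], = struct.unpack_from("<I", raw, 20)
        info["target_name"] = raw[tn_off:tn_off + tn_len].decode("utf-16-le")
        ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)
        info["av_pairs"] = parse_av_pairs(raw[ti_off:ti_off + ti_len])
    return info

def missing_challenge(response_text):
    """True when a 407 carries no Proxy-Authenticate, i.e. the Type 2 never reached the client."""
    status, _, rest = response_text.partition("\n")
    names = {line.split(":", 1)[0].strip().lower() for line in rest.splitlines() if ":" in line}
    return " 407 " in status and "proxy-authenticate" not in names
```

Running it against the post's tokens shows the client negotiating with a Windows 6.1 (build 7601) NTLMSSP and the helper answering for domain KSB from host ICENI, so the helper side is healthy; the broken step is Squid not emitting the Proxy-Authenticate header.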