Re: New external_acl helper squid_kerb_ldap

Hi Amos,

   When I use my wrapper I had to modify the samba ntlm_auth helper to
return another AF string. I run 3.0.STABLE25 and
/usr/bin/ntlm_auth -V
Version 3.5.4-2489-SUSE-SL11.3

FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response
***, 'AF WIN2003R2\administrator'

Would it be possible that the Negotiate reply handler accepts both formats ?
I used

auth_param negotiate program /usr/sbin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME

Thank you
Markus

2011/03/10 22:44:34| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid
(length: 59).
2011/03/10 22:44:34| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded length:
40).
2011/03/10 22:44:34| negotiate_wrapper: received type 1 NTLM token
2011/03/10 22:44:34| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIAAAAAYABgAmAAAABIAEgBIAAAAGgAaAFoAAAAMAAwAdAAAAAAAAACwAAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwAAAAAAAAAAAAAAAAAAAABFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE='
from squid (length: 239).
2011/03/10 22:44:34| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIAAAAAYABgAmAAAABIAEgBIAAAAGgAaAFoAAAAMAAwAdAAAAAAAAACwAAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwAAAAAAAAAAAAAAAAAAAABFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE='
(decoded length: 176).
2011/03/10 22:44:34| negotiate_wrapper: received type 3 NTLM token
2011/03/10 22:44:35| storeDirWriteCleanLogs: Starting...
2011/03/10 22:44:35| WARNING: Closing open FD 25
2011/03/10 22:44:35| Finished. Wrote 2747 entries.
2011/03/10 22:44:35| Took 0.00 seconds (1852326.37 entries/sec).
FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response
***, 'AF WIN2003R2\administrator'

Squid Cache (Version 3.0.STABLE25): Terminated abnormally.
CPU Usage: 0.225 seconds = 0.017 user + 0.208 sys
Maximum Resident Size: 39392 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena: 3244 KB
        Ordinary blocks: 3163 KB 7 blks
        Small blocks: 0 KB 0 blks
        Holding blocks: 3664 KB 13 blks
        Free Small blocks: 0 KB
        Free Ordinary blocks: 80 KB
        Total in use: 6827 KB 210%
        Total free: 80 KB 2%
2011/03/10 22:44:38| Starting Squid Cache version 3.0.STABLE25 for
i686-suse-linux-gnu...

"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
news:4C651EB3.6020604_at_treenet.co.nz...
> Markus Moeller wrote:
>>
>> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
>> news:4C5187D2.5010203_at_treenet.co.nz...
>>> Markus Moeller wrote:
>>>> Hi Amos,
>>
>> Hi Amos
>>
>>>>
>>>> How does your time look like now ?
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>
>>> Looks passable. I have not had time for a detailed view of the logics.
>>> I'll commit this tomorrow with a name tweak, the naming scheme has been
>>> through the external acl helpers too now. I'll just tack ext_ on the
>>> front and _acl on the back of the existing binary name and update the
>>> docs to match.
>>>
>>> One thing that worries me still is the RUN_IFELSE autoconf macros still
>>> being added to configure.in. I'm sure there is a macro that checked for
>>> defined values of things inside headers without running stuff. If you
>>> can try and find that it would be great not to have to run anything on
>>> build.
>>>
>>
>> I have 4 RUN_IFELSE.
>>
>> The first is to check to check that ldap works with the provided
>> libraries. Is that unusual ? Any other suggestion how to check ?
>
> Um, okay. Thats reasonable on build. Duplicating at run-time may also be
> useful since the particular run-time libraries are not always the ones
> built against.
>
>> The other three are to determine the LDAP vendor, which is a define
>> statement in one of the ldap header files and as it is a string in a
>> define I can not use any header grep nor proprocessor checks ( at least I
>> do not know of any).
>
> Nasty. Oh well.
>
>
> Okay. Have applied to Squid-3.HEAD with the extra ext_*_acl bits on the
> binary name and docs for the current naming style.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.6
> Beta testers wanted for 3.2.0.1
>
Received on Fri Mar 11 2011 - 10:59:18 MST