[squid-users] [Squid 4.x]: Truncated accounts when there are spaces in usernames

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 25 08:29:08 UTC 2015


On 25/10/2015 9:01 p.m., Amos Jeffries wrote:
> On 25/10/2015 5:47 a.m., David Touzeau wrote:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth  --domain=TOUZEAU.BIZ
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 20 startup=5 idle=3
>> auth_param ntlm keep_alive on
>> authenticate_ttl 14400 seconds
>> authenticate_cache_garbage_interval 18000 seconds
>> authenticate_ip_ttl 14400 seconds
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 10 startup=5 idle=1
>> auth_param basic realm Basic Identification
>> auth_param basic credentialsttl 4 hours
>>
>> here a debug log with an account logged as "david touzeau"
>>
>>
>> Proxy-Authorization: NTLM
>> TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
>>
>> 2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384)
>> helperStatefulDispatch: helperStatefulDispatch: Request sent to
>> ntlmauthenticator #Hlpr65, 260 bytes
>> 2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000)
>> helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from
>> ntlmauthenticator #Hlpr65
>> 2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171)
>> releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
>> 2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply:
>> Successfully validated user via NTLM. Username 'touzeau'
>>
> 
> Okay. I think there is nothing we can do about it except to say you
> can't have whitespace in usernames when using the old-style helpers.
> That currently still includes ntlm_auth from Samba.
> 
> It is not a new problem. The NTLM/Negotiate helper response lines have
> an optional token field before the username and the line is whitespace
> delimited. If the username has whitespace inside it, then the first part
> is parsed as being that field. It should be %-encoding the username,
> which seems not to be happening.
> 
> We moved to the key=value protocol as the solution to avoid that in
> future. But it requires the helper(s) to be using the new protocol. And
> this one is not doing that either.

This is being tracked at:
 <https://bugzilla.samba.org/show_bug.cgi?id=10959>

Amos
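The following is an added illustration of the parsing behaviour the quoted reply describes; it is not code from Squid or from Samba's ntlm_auth. It models the old-style reply line as "AF [token] username", split on whitespace as the reply explains, and assumes the receiver %-decodes the username field and that the key=value protocol accepts a double-quoted user value; both of those details are assumptions of this model, and the sample name "david touzeau" is taken from the thread.

```python
# Illustrative model (not Squid's own parser) of how a whitespace-delimited
# helper reply line loses a username that contains a space, and how the
# %-encoded and key=value forms preserve it.
import shlex
from urllib.parse import quote, unquote


def parse_old_style(line):
    """Parse an old-style 'AF [token] username' helper reply.

    Models the rule from the thread: the line is split on whitespace and an
    optional token field may precede the username. With two fields after
    'AF', the first is taken as the token, so 'AF david touzeau' yields the
    username 'touzeau' (the truncation seen in the cache.log excerpt).
    The receiver is assumed to %-decode the username field.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] != "AF":
        return None
    if len(parts) == 2:
        token, user = None, parts[1]
    else:
        token, user = parts[1], parts[2]
    return {"token": token, "user": unquote(user)}


def old_style_reply(username):
    """Build an 'AF username' reply with the username %-encoded, so a
    space becomes %20 and survives the whitespace split."""
    return "AF " + quote(username, safe="")


def parse_key_value(line):
    """Parse a key=value style reply such as 'OK user="david touzeau"'.

    Quoted values may contain spaces; shlex handles the quoting. This is a
    model of the newer protocol's shape, not Squid's implementation.
    """
    tokens = shlex.split(line)
    if not tokens:
        return None
    reply = {"result": tokens[0]}
    for item in tokens[1:]:
        key, sep, value = item.partition("=")
        if sep:
            reply[key] = unquote(value)
    return reply


def key_value_reply(username):
    """Build an 'OK user="..."' reply; the quotes keep the space intact."""
    escaped = username.replace("\\", "\\\\").replace('"', '\\"')
    return 'OK user="%s"' % escaped


def username_survives(username, build, parse):
    """True if the username round-trips unchanged through build + parse."""
    return parse(build(username)).get("user") == username


if __name__ == "__main__":
    name = "david touzeau"  # constructed sample, as in the thread
    print(parse_old_style("AF " + name))           # token 'david', user 'touzeau'
    print(parse_old_style(old_style_reply(name)))  # user 'david touzeau'
    print(parse_key_value(key_value_reply(name)))  # user 'david touzeau'
```

Running the module shows the three outcomes side by side: the raw old-style line hands Squid the wrong account (a useful thing to check for in cache.log when usernames with spaces are in play), while either %-encoding the field or using a quoted key=value reply returns the full name.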
