[squid-users] [Squid 4.x]: Truncated accounts when there is spaces in usernames

David Touzeau david at articatech.com
Sun Oct 25 17:28:04 UTC 2015



On 25/10/2015 09:01, Amos Jeffries wrote:
> On 25/10/2015 5:47 a.m., David Touzeau wrote:
>> auth_param ntlm program /usr/bin/ntlm_auth  --domain=TOUZEAU.BIZ
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 20 startup=5 idle=3
>> auth_param ntlm keep_alive on
>> authenticate_ttl 14400 seconds
>> authenticate_cache_garbage_interval 18000 seconds
>> authenticate_ip_ttl 14400 seconds
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 10 startup=5 idle=1
>> auth_param basic realm Basic Identification
>> auth_param basic credentialsttl 4 hours
>>
>> here a debug log with an account logged as "david touzeau"
>>
>>
>> Proxy-Authorization: NTLM
>> TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
>>
>> 2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384)
>> helperStatefulDispatch: helperStatefulDispatch: Request sent to
>> ntlmauthenticator #Hlpr65, 260 bytes
>> 2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000)
>> helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from
>> ntlmauthenticator #Hlpr65
>> 2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171)
>> releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
>> 2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply:
>> Successfully validated user via NTLM. Username 'touzeau'
>>
> Okay. I think there is nothing we can do about it except to say you
> can't have whitespace in usernames when using the old-style helpers.
> That currently still includes ntlm_auth from Samba.
>
> It is not a new problem. The NTLM/Negotiate helper response lines have
> an optional token field before the username and the line is whitespace
> delimited. If the username has whitespace inside it, then the first part
> is parsed as being that field. It should be %-encoding the username,
> which seems not to be happening.
>
> We moved to the key=value protocol as the solution to avoid that in
> future. But it requires the helper(s) to be using the new protocol. And
> this one is not doing that either.
>
> Amos

I think you are right Amos, but could you explain why in 3.2x, 3.4x
branches (exactly 3.4.6) there is no issue?
And Samba was the same version...
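
The parsing ambiguity described in Amos's quoted reply, as an added example that is not part of the original thread and is not Squid's or Samba's code. It is a simplified model: the function names are hypothetical, the `token` and `user` key names for the key=value form are assumed, and the sample lines are constructed from the username in the debug log.

```python
from urllib.parse import quote, unquote

def parse_legacy(line):
    """Model of the old whitespace-delimited reply: 'AF [token] username'."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] != "AF":
        return None
    if len(fields) == 2:                      # 'AF username'
        return {"token": None, "user": unquote(fields[1])}
    # 'AF x y': x is taken as the optional token, y as the username, so the
    # first word of an unencoded "x y" username is lost.
    return {"token": fields[1], "user": unquote(fields[2])}

def parse_kv(line):
    """Model of a key=value reply: 'OK [token=...] user=...'."""
    fields = line.split()
    if not fields or fields[0] != "OK":
        return None
    reply = {"token": None, "user": None}
    for pair in fields[1:]:
        key, sep, value = pair.partition("=")
        if sep and key in reply:
            reply[key] = unquote(value)
    return reply

def legacy_reply(user, token=None, encode=True):
    """Helper side: build an 'AF' line, %-encoding the username if asked."""
    name = quote(user, safe="") if encode else user
    return " ".join(p for p in ("AF", token, name) if p)

def kv_reply(user, token=None):
    """Helper side: build a key=value line with a %-encoded username."""
    parts = ["OK"]
    if token:
        parts.append("token=" + token)
    parts.append("user=" + quote(user, safe=""))
    return " ".join(parts)

if __name__ == "__main__":
    name = "david touzeau"                    # username from the debug log
    lines = (legacy_reply(name, encode=False), legacy_reply(name), kv_reply(name))
    for line in lines:
        reply = parse_legacy(line) if line.startswith("AF") else parse_kv(line)
        print(f"{line!r:28} -> {reply}")
```

The unencoded line parses to the username 'touzeau', the same value the debug log reports, while both encoded forms return the full name.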







