[squid-users] Negotiate wrappter returns AF = on Debian Jessie
Amos Jeffries
squid3 at treenet.co.nz
Thu Mar 24 09:55:39 UTC 2016
On 24/03/2016 10:08 p.m., L.P.H. van Belle wrote:
> Hello Amos,
>
> I was missing in my setup also, now i know the problem where that was comming from. Can you help me a bit with explaining the diffence in these base on below example. Because if i post somewhere, i want to be sure the setup is correct. And it was not, :-(, im thinking, what i missed here in my understanding.
>
> --helper-protocol=gss-spnego
> --helper-protocol=gss-spnego-client
> --helper-protocol=squid-2.5-ntlmssp
>
Squid used to have different helper protocols for each interface.
--helper-protocol=squid-2.5-ntlmssp make it communicate with Squid using
the old "auth_param ntlm" helper interface protocol.
--helper-protocol=gss-spnego makes it communicate with Squid using the
old "auth_param negotiate" helper interface protocol. When NTLM
handshake is happening the helper auto-converts between NTLM and
Negoiate interface protocols by prefixing the username with "* ".
The wrapper helper also will attempt to auto-convert old protocol syntax
into the current (Squid-3.4+) protocol syntax. BUT, it can only do so
properly if the expected old syntax was being sent for the relevant
helper (--ntlm vs --kerberos arguments to wrapper).
The result is that ntlm_auth helper auto-converts the result by
prefixing with "* ". Then the wrapper helper also auto-converts that
result by prefixing _that_ with "= ".
Ending with the strange "AF = * username" output.
--helper-protocol=gss-spnego-client is for something unrelated to Squid.
> I was in belief the following.
>
> With use of auth_param negotiate and i wanted to have full kerberos auth.
> --helper-protocol=gss-spnego is needed, but i dont know it this is correct.
That is correct for the Samba ntlm_auth helper operating *by itself* on
the "authparam negotiate" interface of Squid.
--> Not when using the wrapper helpers --ntlm interface.
NP: when using the wrapper helpers --kerberos interface it *is* correct.
> And i had also * as username.
> --helper-protocol=squid-2.5-ntlmssp works fine also and i now see the username.
>
> And more one question.
>
> The log now show for :
> Kerberos authenticated users : username at REALM
> NTLM authenticated users : username
>
> Is there a way to log users with only username, for both authentications?
>
That depends on whether the Kerberos helper you are using can strip the
realm name. Squid is simply logging the label it gets told by the helper.
Amos
More information about the squid-users
mailing list