[squid-dev] Heimdal 7.5.0 memory leaks
Hi, I looked at memory leaks for the squid negotiate_kerberos helper and found issues with the following in the heimdal code: ==9424== 16 bytes in 1 blocks are definitely lost in loss record 13 of 64 ==9424==at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==9424==by 0x52ACF9C: set_etypes (context.c:74) ==9424==by 0x52ADE8F: init_context_from_config_file (context.c:161) ==9424==by 0x52ADE8F: krb5_set_config_files (context.c:692) ==9424==by 0x52AE49C: krb5_init_context (context.c:451) ==9424==by 0x4023C1: main (negotiate_kerberos_auth.cc:549) which should be fixed with --- lib/krb5/context.c 2017-12-07 04:11:23.0 + +++ lib/krb5/context_new.c 2018-09-15 18:45:40.715744342 +0100 @@ -622,6 +622,9 @@ free(context->etypes); free(context->cfg_etypes); free(context->etypes_des); +free(context->permitted_enctypes); +free(context->tgs_etypes); +free(context->as_etypes); krb5_free_host_realm (context, context->default_realms); krb5_config_file_free (context, context->cf); free_error_table (context->et_list); and ==9424== 13,200 bytes in 6 blocks are definitely lost in loss record 63 of 64 ==9424==at 0x4C2C240: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==9424==by 0x4E5E01A: _gss_ntlm_allocate_ctx (accept_sec_context.c:52) ==9424==by 0x4E5E5B4: _gss_ntlm_acquire_cred (acquire_cred.c:60) ==9424==by 0x4E55779: gss_acquire_cred (gss_acquire_cred.c:125) ==9424==by 0x4E635AB: _gss_spnego_acquire_cred (cred_stubs.c:109) ==9424==by 0x4E55779: gss_acquire_cred (gss_acquire_cred.c:125) ==9424==by 0x403227: main (negotiate_kerberos_auth.cc:721) Which could be fixed with --- ./lib/gssapi/ntlm/acquire_cred.c2016-12-20 14:23:06.0 + +++ ./lib/gssapi/ntlm/acquire_cred_new.c2018-09-15 18:09:04.436985518 +0100 
@@ -58,8 +58,10 @@ if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_ACCEPT) { maj_stat = _gss_ntlm_allocate_ctx(min_stat, ); - if (maj_stat != GSS_S_COMPLETE) + if (maj_stat != GSS_S_COMPLETE) { + if (ctx) free(ctx); return maj_stat; +} domain = name != NULL ? name->domain : NULL; maj_stat = (*ctx->server->nsi_probe)(min_stat, ctx->ictx, domain); Markus ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
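Review bot: In the context.c hunk, adding free() for permitted_enctypes, tgs_etypes and as_etypes to the teardown path closes the reported record only if each array is allocated once per context. The valgrind trace reaches set_etypes() through krb5_set_config_files() -> init_context_from_config_file(), a path that can run again when the config files are set a second time, so please also check that set_etypes() releases a previous value before assigning a new array; otherwise a second krb5_set_config_files() call still leaks the first allocation and this hunk would not catch it.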
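Review bot: In the acquire_cred.c hunk, the added `if (ctx) free(ctx);` only runs when _gss_ntlm_allocate_ctx() returns something other than GSS_S_COMPLETE, i.e. when the allocator itself failed. The record it is meant to fix (13,200 bytes in 6 blocks from the calloc in _gss_ntlm_allocate_ctx, one per gss_acquire_cred() call from main) is produced by contexts that were allocated successfully, so unless those six calls failed, this hunk does not release them; please confirm where ctx is released after the `(*ctx->server->nsi_probe)(...)` call on the success path. Two smaller points: the `if (ctx)` guard is redundant because free(NULL) is a no-op, and the closing `+}` should be indented to match the `if` it closes.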
[squid-dev] [PATCH] Add an option to kerberos_ldap group to select principal from keytab
Hi,

The patch allows selecting a specific keytab entry for the ldap authentication instead of the automated process. It may make the processing faster for large keytabs that have not been cleaned up.

Markus

Attachment: squid-kerb-ldap-princ.patch
[squid-dev] [PATCH] Update negotiate_kerberos_auth helper protocol
Hi,

This patch should update the helper protocol to allow spaces in user names. It also adds an "external acl" helper example which uses the Kerberos group information.

Markus

Attachment: squid-protocol-fix.patch
Re: [squid-dev] [PATCH] Fix ssl use for kerberos_ldap_group
Hi Amos,

I fixed the free_path following your suggestion. I also ran indent -br -ce -i4 -ci4 -l80 -nlp -npcs -npsl -d0 -sc -di0 -psl over it as it is C based code. Is that correct, or is there another tool to format the code? Not sure which debug message lines you meant.

Thank you
Markus

-----Original Message-----
From: Amos Jeffries
Sent: Thursday, July 14, 2016 12:58 PM
To: Markus Moeller ; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] [PATCH] Fix ssl use for kerberos_ldap_group

On 3/07/2016 4:57 a.m., Markus Moeller wrote:
> Hi Amos,
>
> Here is a small patch for cases where SSL must be used to connect to an ldap server.

Looks okay, except for two minor things.

* some debug messages are missing a space between end of one sentence and the '(' starting the next. Search for ".("

* what about xstrdup()'ing the output of getenv() so you can drop the free_path variable and if-statements wrapping xfree() ?

Cheers
Amos

Attachment: squid-trunk-klg-2.patch
[squid-dev] [PATCH] Fix ssl use for kerberos_ldap_group
Hi Amos,

Here is a small patch for cases where SSL must be used to connect to an ldap server.

Markus

Attachment: squid-trunk-klg.patch
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Kinkie,

I wonder against which Kerberos library SASL is linked. You may get strange errors if SASL, which is used by ldap, is linked against the native Kerberos libraries. So the kerberos_ldap_group helper may not work correctly for SASL/GSSAPI based authentication to the ldap server.

Markus

"Amos Jeffries" wrote in message news:568a3df0.9040...@treenet.co.nz...

> On 4/01/2016 8:59 p.m., Kinkie wrote:
>> Just for clarity: Squid isn't failing. The issue is in the kerberos_ldap_group helper.
>
> Aha. So the check should be in that helper's requires.m4 file and only run if the helper is to be built. It can also set an AC_SUBST variable LIBRESOLV="-lresolv".
>
> Amos
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Francesco,

The SASL gssapi library is /usr/lib/sasl2/libgssapiv2.2.0.18.so

~ markus$ otool -L /usr/lib/sasl2/libgssapiv2.2.0.18.so
/usr/lib/sasl2/libgssapiv2.2.0.18.so:
	/usr/lib/sasl2/libgssapiv2.2.0.18.so (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 6.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)

Markus

"Kinkie" wrote in message news:ca+y8hcox8ae5szxb1f+qnrqsx9qyjz7-vlj9o_uzffa9k6x...@mail.gmail.com...

> On Mon, Jan 4, 2016 at 2:29 PM, Markus Moeller <hua...@moeller.plus.com> wrote:
>> Hi Kinkie,
>>
>> I wonder against which Kerberos library SASL is linked. You may get strange errors if SASL, which is used by ldap, is linked against the native Kerberos libraries. So the kerberos_ldap_group helper may not work correctly for SASL/GSSAPI based authentication to the ldap server.
>
> Hi,
>
> $ otool -L /usr/lib/libsasl2.2.dylib
> /usr/lib/libsasl2.2.dylib:
> 	/usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 3.15.0)
> 	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
> 	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
>
> System kerberos seems to be in /usr/lib and /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos . I can't find the SASL libraries; they must be embedded somewhere else :\
>
> --
> Francesco
Re: [squid-dev] [PATCH] Add support for MAC OS X 10.x
It should, but I didn't verify against the latest trunk. I will get back to you.

Markus

-----Original Message-----
From: Amos Jeffries
Sent: Monday, April 20, 2015 3:26 AM
To: Markus Moeller ; squid-...@squid-cache.org
Subject: Re: [squid-dev] [PATCH] Add support for MAC OS X 10.x

On 7/03/2015 11:31 a.m., Markus Moeller wrote:
> Apologies, but here is a bit cleaner patch.
>
> Markus

Hi Markus,

Apologies this has taken so long. Is this patch still relevant and working?

Amos
Re: [squid-dev] [PATCH] remove error_message from kerberos_ldap_group
Hi Amos, Apologies this based on an observation that if KRB5 checks are fine but GSSAPI not the PAC section would be compiled but the main part of the helper not which did not make sense. in helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc * whats this? I hope I addressed the rest in the attached. Markus Amos Jeffries wrote in message news:54e28fbb.9090...@treenet.co.nz... On 17/02/2015 11:57 a.m., Markus Moeller wrote: Hi Amos, Please find attached a patch to replace error_message with krb5_get_error_message. in .../ext_kerberos_ldap_group_acl.8: * just a note that the - characters need to be \-escaped. Ican do a followup docs patch on this since all the other options need it as well. in .../kerberos_ldap_group/support_krb5.cc * missing whitespace empty line after k5_error2() * please deduplicate shared code betweenk5_error2() and k5_error() and make them static: +static void +k5_error(const char* msg, krb5_error_code code) +{ +k5_error(msg, , code); +} + +static void +k5_error2(const char* msg, char* msg2, krb5_error_code code) +{ +const char *errmsg; +errmsg = krb5_get_error_message(kparam.context, code); +error((char *) %s| %s: ERROR: %s%s : %s\n, LogTime(), PROGRAM, msg, msg2, errmsg); +#if HAVE_KRB5_FREE_ERROR_MESSAGE +krb5_free_error_message(kparam.context, errmsg); +#elif HAVE_KRB5_FREE_ERROR_STRING +krb5_free_error_string(kparam.context, (char *)errmsg); +#else +xfree(errmsg); +#endif +} ... and the code calling k5_error2() place the trailing SP character inside their msg1 parameter string. in helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc * whats this? Amos ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev krb5_error_message_2.patch Description: Binary data ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
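Review bot: In the quoted k5_error2() body, the `#else` fallback `xfree(errmsg)` is applied to `const char *errmsg` as returned by krb5_get_error_message(); since support_krb5.cc is C++, passing a const pointer where free() takes a non-const `void *` is ill-formed, so that branch will not compile on a build that has neither HAVE_KRB5_FREE_ERROR_MESSAGE nor HAVE_KRB5_FREE_ERROR_STRING. Give it the same `(char *)` cast the krb5_free_error_string() branch already carries, or declare errmsg as `char *` with the cast applied once at the assignment.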
[squid-dev] [PATCH] remove error_message from kerberos_ldap_group
Hi Amos,

Please find attached a patch to replace error_message with krb5_get_error_message.

Regards
Markus

Attachment: krb5_error_message.patch
Re: [squid-dev] [PATCH] small kerberos fixes for trunk
Amos Jeffries wrote in message news:54d49300.1080...@treenet.co.nz...

> On 6/02/2015 12:03 p.m., Markus Moeller wrote:
>> To: squid-...@squid-cache.org
>
> Please update your contact to the @lists domain. That will get you past the spam filters more often than not.
> PS. the gmane administrators have been contacted but not responded.

Sorry, which @lists domain?

>> Hi Amos,
>>
>> I have attached a small patch for the following:
>>
>> 1) Hardcode Solaris 10 gss library flags as the Solaris version still does not support krb5-config --libs gssapi
>
> I'm having big doubts about that particular change. It makes little sense to me using krb5-config at all if hard-coding the library linkage is required anyway. Particularly given the brokenness of krb5-config.
>
> The Solaris 10update11 box donated to me has unrelated issues that prevent me checking if the above is actually needed. So I'm going to hold off on accepting this for now.

I know Solaris so far does not support krb5-config for gssapi, which is why it needs hardcoding. (I worked on Solaris for many years and know this is required.) I still have the hope a future package will support a gssapi option for krb5-config.

>> 2) Fix for negotiate authentication helper to be backward compatible with krb5.conf settings
>>
>> 3) Some variable checks in kerberos ldap helper.
>
> Looks fine. Applied.
>
> In other kerberos issues, can this bug be closed now? and which release?
> http://bugs.squid-cache.org/show_bug.cgi?id=4042
>
> Amos

Thank you
Markus
Re: [squid-dev] Authentication-Info and Negotiate
On 29/01/2015 8:43 a.m., Markus wrote:
> Hi Amos,
>
> I never heard about squid Negotiate being non standard. Can you point me to the reference please ?
>
>> The header syntax is defined in RFC 2617 (http://tools.ietf.org/html/rfc2617#section-3.2.3)
>
> This RFC is only for Basic and Digest Access Authentication, isn't it?

It defines the WWW-Authenticate: and Authorization: headers for the two auth schemes.

> Negotiate with NTLM or Kerberos token was defined in http://www.ietf.org/rfc/rfc4559.txt with
>
>     challenge = "Negotiate" auth-data
>     auth-data = 1#( [gssapi-data] )
>
> So the rfc does not define kv pairs.
>
>> Julian Reschke has a new draft out for clarifying the syntax which makes it plainly obvious as key=value [ ',' key=value ]* :
>> http://tools.ietf.org/html/draft-reschke-httpauth-auth-info-00
>
> http://tools.ietf.org/html/rfc7235 tries to define a standard for all Authentication methods but seems to ignore rfc4559 as it refers only to rfc2617. The Reschke draft deals only with a new Authentication-Info header, so has nothing directly to do with the other rfcs.

... by comparison Squid just dumps Negotiate then base64 token into the header like it was using WWW-/Proxy-Authenticate syntax.

Amos

> Regards
> Markus
Re: [squid-dev] [PATCH] Base64 crypto replacement
Hi Amos,

My helper does not work with it. I get

    negotiate_kerberos_auth.cc(670): pid=17860 :2015/01/03 16:01:43| negotiate_kerberos_auth: ERROR: Invalid base64 token [YIIE6QYGKwYB...]

from here:

    struct base64_decode_ctx ctx;
    base64_decode_init(&ctx);
    size_t dstLen = 0;
    if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), input_token.length, b64Token) ||
        !base64_decode_final(&ctx)) {
        debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
        fprintf(stdout, "BH Invalid negotiate request token\n");
        continue;
    }

I'll see if I can find the reason.

Markus

Amos Jeffries wrote in message news:54a26caf.9050...@treenet.co.nz...

> This has now been merged to trunk as rev.13785.
>
> Amos
Re: [squid-dev] [PATCH] Base64 crypto replacement
Hi Amos,

The problem is that the wrong input size is used for the decoding.

    base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), input_token.length, b64Token)

You need to use strlen(b64Token) not input_token.length. What I wonder is why dstLen is different to input_token.length (at least in my tests dstLen was 2 smaller than input_token.length). Shouldn't

    input_token.length = BASE64_DECODE_LENGTH(strlen(buf+3));

be the same as dstLen (I haven't yet had time to analyse the code)?

Markus

Markus Moeller wrote in message news:m8945o$tta$1...@ger.gmane.org...

> Hi Amos,
>
> My helper does not work with it. I get
>
>     negotiate_kerberos_auth.cc(670): pid=17860 :2015/01/03 16:01:43| negotiate_kerberos_auth: ERROR: Invalid base64 token [YIIE6QYGKwYB...]
>
> from here:
>
>     struct base64_decode_ctx ctx;
>     base64_decode_init(&ctx);
>     size_t dstLen = 0;
>     if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), input_token.length, b64Token) ||
>         !base64_decode_final(&ctx)) {
>         debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
>         fprintf(stdout, "BH Invalid negotiate request token\n");
>         continue;
>     }
>
> I'll see if I can find the reason.
>
> Markus
>
> Amos Jeffries wrote in message news:54a26caf.9050...@treenet.co.nz...
>
>> This has now been merged to trunk as rev.13785.
>>
>> Amos
Re: [squid-dev] [PATCH] add memory keytab option
Hi Amos, Amos Jeffries wrote in message news:54901257.6050...@treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/12/2014 1:16 p.m., Markus Moeller wrote: Hi Amos, Thank you for the feedback and suggestions.I did some cleanup using cppcheck too. Regarding the optarg check I was under the impression that getopt just makes sure optarg is never NULL. Isn't that the case ? Thank you Markus Amos Jeffries wrote in message news:548e20c8.1030...@treenet.co.nz... On 15/12/2014 8:31 a.m., Markus Moeller wrote: Hi Amos, Could you check and add the following patch please ? They should improve performance on high load systems by reducing disk access The patch does the following: [...] in helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8: * all instances if hypen (-) in man pages must be \-escaped. If any are missed out the mand and groff tools corrupt the page contents. NP: you can test syntax without having to install the script by running man ./negotiate_kerberos_auth.8 from the helper directory. You still have several of these unprotected hyphens in the SYNOPSIS and OPTIONS sections inside the parameter labels like Keytab-Name OK. The man command worked fine, so I didn't notice the unprotected hyphens. * krb5_free_kt_list() - lp and prev locals can be defined on first use This is not done. Though taking another look it seems the for() loop should probably be replaced with a while()-loop : + krb5_kt_list lp = list; + while (lp) { +krb5_error_code retval = krb5_kt_free_entry(context, lp-entry); +safe_free(lp-entry); +if (retval) + return retval; +krb5_kt_list prev = lp; +lp = lp-next; +xfree(prev); + } + return retval; I was wrong about the first of the free() though, there is a possibility the loop may stop releasing memory between the free(entry) and free(lp) so the first needs to be safe_free() to ensure the invalid entry pointer is cleared. Is that actually desirable behaviour? What happens to the rest of the lp list memory and entries? 
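Review bot: In the suggested while-loop replacement for krb5_free_kt_list(), `retval` is declared inside the loop body (`krb5_error_code retval = krb5_kt_free_entry(...)`) but the final `return retval;` after the loop refers to it out of scope, so the snippet does not compile as written; declare retval before the loop (initialised to 0) and keep the early return, or return 0 after the loop. Separately, the early `return retval` after safe_free() of the entry leaves the current node and every node after it allocated when krb5_kt_free_entry() fails part-way, which is the leak the question about the rest of the list is getting at.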
> Is it possible that lp->entry was NULL/invalid before the loop operations started?

I have to admit I took this section from the MIT ktutil tool.

> * Should at least display some debug info/warning about when krb5_kt_free_entry() returns non-0 / error.
>   NP: I see in the MIT documentation "DEPRECATED Use krb5_free_keytab_entry_contents instead.". That will probably lead to bug reports soon, though I am NOT asking for that to be fixed in this patch.

I had this check already in my other helper. So did the same here.

> Once those bits are sorted I will apply.
>
> Amos

Thank you for the quick response
Markus

Attachment: trunk_kerberos_memory_keytab_3.patch
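As an added illustration of the point raised in this exchange (what happens to the rest of the list when freeing one entry fails mid-loop), here is a stand-alone C sketch that is neither Squid's nor MIT's code: kt_list, kt_entry, kt_free_entry_contents() and the safe_free macro are constructed stand-ins for krb5_kt_list, krb5_keytab_entry, krb5_kt_free_entry() and Squid's safe_free(). It contrasts the stop-on-first-error loop with a loop that records the first error but still releases every node.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-ins for the thread's krb5_kt_list / krb5_keytab_entry
 * types; they are not the real Kerberos headers. */
typedef int kt_error_code;

typedef struct kt_entry {
    char *principal;            /* heap-owned contents released by kt_free_entry_contents() */
} kt_entry;

typedef struct kt_list_node {
    kt_entry *entry;
    struct kt_list_node *next;
} kt_list_node, *kt_list;

/* Same shape as Squid's safe_free(): release, then clear the pointer. */
#define safe_free(p) do { free(p); (p) = NULL; } while (0)

/* Stand-in for krb5_kt_free_entry(): releases an entry's contents. A NULL
 * entry is reported as an error so the loops below have something to propagate. */
static kt_error_code kt_free_entry_contents(kt_entry *e) {
    if (e == NULL)
        return 1;               /* constructed error code */
    safe_free(e->principal);
    return 0;
}

/* Build a list of n nodes; the node at index null_at (if >= 0) gets a NULL entry. */
static kt_list kt_list_build(size_t n, long null_at) {
    kt_list head = NULL, *tail = &head;
    for (size_t i = 0; i < n; i++) {
        kt_list_node *node = calloc(1, sizeof *node);
        if (!node) abort();
        if ((long)i != null_at) {
            node->entry = calloc(1, sizeof *node->entry);
            if (!node->entry) abort();
            node->entry->principal = malloc(16);
            if (!node->entry->principal) abort();
            snprintf(node->entry->principal, 16, "HTTP/host%zu", i);
        }
        *tail = node;
        tail = &node->next;
    }
    return head;
}

/* Loop as quoted in the thread: return at the first entry error. The failing
 * node and everything after it stay allocated; *listp is left pointing at the
 * failing node so the caller can at least see (and later release) the remainder. */
static kt_error_code kt_list_free_stop_on_error(kt_list *listp, size_t *released) {
    *released = 0;
    while (*listp) {
        kt_list_node *lp = *listp;
        kt_error_code rc = kt_free_entry_contents(lp->entry);
        safe_free(lp->entry);
        if (rc)
            return rc;          /* lp and its successors are not freed */
        *listp = lp->next;
        free(lp);
        (*released)++;
    }
    return 0;
}

/* Preferred shape: remember the first error, keep walking, free every node. */
static kt_error_code kt_list_free_all(kt_list *listp, size_t *released) {
    kt_error_code first_rc = 0;
    *released = 0;
    while (*listp) {
        kt_list_node *lp = *listp;
        kt_error_code rc = kt_free_entry_contents(lp->entry);
        safe_free(lp->entry);
        if (rc && !first_rc)
            first_rc = rc;
        *listp = lp->next;
        free(lp);
        (*released)++;
    }
    return first_rc;
}

int main(void) {
    size_t released;
    kt_list l = kt_list_build(3, 1);   /* three nodes, second entry NULL */
    kt_error_code rc = kt_list_free_stop_on_error(&l, &released);
    printf("stop-on-error: rc=%d released=%zu remainder=%s\n", rc, released, l ? "yes" : "no");
    rc = kt_list_free_all(&l, &released);   /* clean up what the first loop left behind */
    printf("free-all on remainder: rc=%d released=%zu remainder=%s\n", rc, released, l ? "yes" : "no");
    return 0;
}
```

The second loop still reports the error (so the caller can log it, as the review asks) but never leaves part of the list behind, which is the behaviour a teardown routine should have regardless of which entry-free function the library offers.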
Re: [squid-dev] [PATCH] add memory keytab option
Hi Amos,

Thank you for the feedback and suggestions. I did some cleanup using cppcheck too. Regarding the optarg check I was under the impression that getopt just makes sure optarg is never NULL. Isn't that the case?

Thank you
Markus

Amos Jeffries wrote in message news:548e20c8.1030...@treenet.co.nz...

> On 15/12/2014 8:31 a.m., Markus Moeller wrote:
>> Hi Amos,
>>
>> Could you check and add the following patch please ? They should improve performance on high load systems by reducing disk access
>>
>> The patch does the following:
>> [...]
>
> in helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8:
> * all instances of hyphen (-) in man pages must be \-escaped. If any are missed out the man and groff tools corrupt the page contents.
>   NP: you can test syntax without having to install the script by running "man ./negotiate_kerberos_auth.8" from the helper directory.
> * s/alos/also/
>
> in helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc:
> * check_k5_err()
>   - errmsg can be defined on first use rather than pre-defined.
> * krb5_free_kt_list()
>   - call xfree() instead of free()
>   - lp and prev locals can be defined on first use
> * rkrb5_read_keytab()
>   - use xcalloc() to allocate 'entry =' instead of malloc() followed by memset().
>   - the other two malloc() calls should be xmalloc().
>   - if (entry) free(entry); pair of lines can be one xfree().
> * krb5_write_keytab()
>   - for (krb5_kt_list lp = list; ... instead of pre-defining the loop iterator.
>   - lp and retval locals can be defined on first use
> * in main() (...I think)
>   - setting keytab_name - use xstrdup() instead of strdup()
>   - when using optarg, please check if its NULL first and display an appropriate FATAL: error message if it is missing.
>   - any syntax validation possible should be done before accepting optarg. eg HTTP/ prefix on keytab names, dir path exists with stat() etc.
>
> in helpers/negotiate_auth/kerberos/test_negotiate_auth.sh:
> * please use portable shell code.
>   - the if [[ ... ]]; then should be written if test ... ; then
>
> That's all I have today. I've probably missed lots of opportunities for "please define on first use" for local variables, so please check and see if you can find any more in the new code.
>
> Amos

Attachment: trunk_kerberos_memory_keytab_2.patch
Re: [squid-dev] Testing kerb_auth helper + 2012r2 and bug 4129
Hi Eliezer,

Please let me know how I can help and what needs updating on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (I know msktutil has moved ownership). I can't read Russian so I can't comment on it, but I am not a fan of using ktpass (I prefer msktutil).

What is bug 4129 exactly? Using wrong encryption types with AD 2008/2012?

Kind Regards
Markus

Eliezer Croitoru wrote in message news:54764879.2060...@ngtech.co.il...

> As part of the effort to make it possible to test kerb_auth helpers and related issues that were reported in the users list I have built a testing environment.
>
> The testing environment structure:
> - The realm\domain: LOCAL.LAN
> - 192.168.11.100 = windows 8 user in the domain elicro
> - 192.168.11.1 (master.local.lan) = windows server 2012r2, dns, AD
> - 192.168.11.254 (proxy1.local.lan) = CentOS 6.6, GW, squid
>
> I am unsure about the details but as I understood from the MS nice sysadmin somewhere in a chat it's very simple to implement. He explained to me that I only need a basic domain AD (which must have a DNS) and a basic user.
>
> In: http://bugs.squid-cache.org/show_bug.cgi?id=4129
> I responded with an article link:
> http://www.theadmin.ru/linux/squid/proksi-server-squid-v-active-directory-s-kerberos-autentifikaciej/
> (I have not used the group external_acl just the auth)
> Which demonstrates how to make it work with WS 2008r2.
>
> The last article I was reading about the concept was:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
> But it's updated to 2013 and leaves a couple of things open which I am unsure about.
>
> I would like to dedicate this thread to 2012r2 + kerb_auth.
>
> My last debug output after the above mentioned Russian written tutorial was:
>
> 2014/11/26 23:35:44 kid1| Starting new negotiateauthenticator helpers...
> 2014/11/26 23:35:44 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
> negotiate_kerberos_auth.cc(212): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 59).
> negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
> negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> 2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
> 2014/11/26 23:35:44 kid1| Starting new negotiateauthenticator helpers...
> 2014/11/26 23:35:44 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
> negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 59).
> negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
> negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> 2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
> negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 59).
> negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
> negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> 2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
> negotiate_kerberos_auth.cc(212): pid=1922 :2014/11/26 23:35:44| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(258): pid=1922 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGA4AlDw==' from squid (length: 59).
> negotiate_kerberos_auth.cc(311): pid=1922 :2014/11/26 23:35:44| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGA4AlDw==' (decoded length: 40).
> negotiate_kerberos_auth.cc(321): pid=1922 :2014/11/26 23:35:44| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
> 2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
> negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:36:01|
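Two symptoms in these threads can be reproduced with one small C example: the "Invalid base64 token" failure from the Base64 crypto replacement thread (a decoded-size bound from BASE64_DECODE_LENGTH() passed where the encoded length belongs), and the "received type 1 NTLM token" warning in the log above, where a client sent raw NTLM instead of a Kerberos/SPNEGO token. The code is added here and is not the helper's own: b64_decode_bound(), b64_decode_n() and ntlm_message_type() are my own functions with assumed semantics modelled on the nettle base64 API and the helper's check, and kSampleToken is constructed (an NTLMSSP signature, message type 1, a flags word, zeros elsewhere), not the token from the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: base64 of a 40-byte NTLM NEGOTIATE_MESSAGE-shaped buffer
 * ("NTLMSSP\0", LE type 1, flags 97 82 08 e2, remaining fields zero). This is
 * not the token from the log above. 56 chars, the same encoded length. */
static const char kSampleToken[] =
    "TlRMTVNTUAAB"                               /* N T L M S S P \0 \x01 */
    "AAAA"                                       /* rest of the LE message type: 00 00 00 */
    "l4II"                                       /* 97 82 08 */
    "4gAA"                                       /* e2 00 00 */
    "AAAAAAA" "AAAAAAA" "AAAAAAA" "AAAAAAA"      /* 21 zero bytes */
    "AA==";                                      /* last zero byte, two pad chars */

/* Decoded-size upper bound for an encoded length, the role BASE64_DECODE_LENGTH()
 * plays in the thread (assumed: 3 bytes per 4 chars, rounded up). */
static size_t b64_decode_bound(size_t encoded_len) {
    return (encoded_len + 3) / 4 * 3;
}

static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode exactly n chars of src into dst. Returns the actual decoded length, or
 * -1 for malformed input (n not a multiple of 4, bad char, data after '=', more
 * than two '=', or dst too small). The actual length is smaller than
 * b64_decode_bound(n) by the number of pad chars, which is why the thread saw
 * dstLen two bytes below input_token.length. */
static long b64_decode_n(const char *src, size_t n, uint8_t *dst, size_t dst_cap) {
    size_t out = 0, pad = 0;
    uint32_t acc = 0;       /* only the low 12 bits are ever consumed, so wrap is harmless */
    int bits = 0;
    if (n % 4 != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '=') { pad++; continue; }
        if (pad) return -1;
        int v = b64_value(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_cap) return -1;
            dst[out++] = (uint8_t)((acc >> bits) & 0xffu);
        }
    }
    return pad > 2 ? -1 : (long)out;
}

/* The check behind the helper's "received type 1 NTLM token" warning: an 8-byte
 * "NTLMSSP\0" signature followed by a little-endian message type. Returns the
 * type (1..3 for NTLM), 0 if the token is not NTLMSSP (e.g. a SPNEGO/Kerberos
 * token), -1 if it is too short to tell. */
static long ntlm_message_type(const uint8_t *tok, size_t len) {
    static const uint8_t sig[8] = { 'N', 'T', 'L', 'M', 'S', 'S', 'P', 0 };
    if (len < 12) return -1;
    if (memcmp(tok, sig, sizeof sig) != 0) return 0;
    return (long)((uint32_t)tok[8] | ((uint32_t)tok[9] << 8) |
                  ((uint32_t)tok[10] << 16) | ((uint32_t)tok[11] << 24));
}

/* Correct call: the encoded length comes from strlen() of the base64 text. */
static long sample_decoded_length(void) {
    uint8_t buf[64];
    return b64_decode_n(kSampleToken, strlen(kSampleToken), buf, sizeof buf);
}

/* The thread's bug reproduced: the decoded-size bound (42) passed as the encoded
 * length truncates the 56-char input to 42 chars, not a multiple of 4, so the
 * decoder rejects a perfectly good token. */
static long sample_decoded_with_wrong_length(void) {
    uint8_t buf[64];
    return b64_decode_n(kSampleToken, b64_decode_bound(strlen(kSampleToken)), buf, sizeof buf);
}

static long sample_ntlm_type(void) {
    uint8_t buf[64];
    long n = b64_decode_n(kSampleToken, strlen(kSampleToken), buf, sizeof buf);
    return n < 0 ? -1 : ntlm_message_type(buf, (size_t)n);
}

int main(void) {
    printf("encoded %zu chars, bound %zu, decoded %ld, wrong-length result %ld, ntlm type %ld\n",
           strlen(kSampleToken), b64_decode_bound(strlen(kSampleToken)),
           sample_decoded_length(), sample_decoded_with_wrong_length(), sample_ntlm_type());
    return 0;
}
```

The helper's BH reply for an NTLM type 1 token is the right reaction: a Kerberos-only helper cannot complete an NTLM exchange, and the fix belongs on the client side (the client never obtained a Kerberos ticket for the proxy's HTTP/ principal, so it fell back to NTLM), not in the helper.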
Re: [PATCH] Kerberos configure patch + some cleanup
Apologies. I must have overlooked it. Here is the updated patch.

Markus

Amos Jeffries wrote in message news:53e5c2df.3080...@treenet.co.nz...

> On 9/08/2014 8:32 a.m., Markus Moeller wrote:
>> It should be in there or did I miss some ?
>
> The original bits are still there in the patch copy mailed to the list.
>
> Specifically in helpers/external_acl/kerberos_ldap_group/support_ldap.cc get_bin_attributes() bits I can see :
>
> * redux function setup:
>
>   +LDAPMessage *msg;
>   +char **attr_value = NULL;
>   +int *attr_len=NULL;
>   +size_t max_attr = 0;
>   +
>   +attr_value = *ret_value;
>   +attr_len = *ret_len;
>
>   should be:
>
>   +char **attr_value = *ret_value;
>   +int *attr_len = *ret_len;
>   +size_t max_attr = 0;
>
> * main for loop:
>
>   - for (msg = ldap_first_entry
>   + for (LDAPMessage *msg = ldap_first_entry
>
> * drop these:
>
>   BerElement *b;
>   char *attr;
>
> * switch case should be:
>
>   case LDAP_RES_SEARCH_ENTRY: {
>       BerElement *b = NULL;
>       ...
>       ber_free(b, 0);
>   } break;
>
> * for loops inside that switch case should be:
>
>   - for (attr = ldap_first_attribute...
>   + for (char *attr = ldap_first_attribute...
>
>   - int il; for (il = 0; ...
>   + for (int il = 0; ...
>
> Otherwise it looks okay.
>
> Amos
>
>> Markus
>>
>> -----Original Message-----
>> From: Amos Jeffries
>> Sent: Friday, August 08, 2014 1:28 PM
>> To: squid-dev@squid-cache.org ; Markus Moeller
>> Subject: Re: [PATCH] Kerberos configure patch + some cleanup
>>
>> On 8/08/2014 8:02 a.m., Markus Moeller wrote:
>>> Are there any objections to this patch ?
>>
>> The audit results from me I accidentally sent in private. Do you have an updated patch with those fixes?
>>
>> Amos

Attachment: trunk_kerberos_cleanup_8.patch
Re: [PATCH] Kerberos configure patch + some cleanup
It should be in there or did I miss some ?

Markus

-----Original Message-----
From: Amos Jeffries
Sent: Friday, August 08, 2014 1:28 PM
To: squid-dev@squid-cache.org ; Markus Moeller
Subject: Re: [PATCH] Kerberos configure patch + some cleanup

On 8/08/2014 8:02 a.m., Markus Moeller wrote:
> Are there any objections to this patch ?

The audit results from me I accidentally sent in private. Do you have an updated patch with those fixes?

Amos
Re: [PATCH] Kerberos configure patch + some cleanup
Are there any objections to this patch ?

Thank you
Markus

Markus Moeller wrote in message news:lr0vsn$jd$1...@ger.gmane.org...

> Hi
>
> Here is a patch which rewrites the configure.ac and cleans up some code in the kerberos auth and kerberos ldap helper. Additionally the kerberos ldap helper now checks for AD primary group membership too.
>
> Markus
[PATCH] Kerberos configure patch + some cleanup
Hi

Here is a patch which rewrites the configure.ac and cleans up some code in the kerberos auth and kerberos ldap helper. Additionally the kerberos ldap helper now checks for AD primary group membership too.

Markus

Attachment: trunk_kerberos_cleanup_6.patch
[PATCH] This is a patch for support_ldap.cc in kerberos_ldap_group for squid 3.4
Hi Amos,

Apologies, I seem to have missed this. Could you please add it ?

Thank you
Markus

support_ldap.patch
key-value pair in helper protocol
Hi, Is there a sample code for the 3.4 key-value pair ? Or is it still work in progress ? Thank you Markus
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Sounds like a good idea. Thanks for spotting it Markus Amos Jeffries wrote in message news:5245a336.1070...@treenet.co.nz... This has now been applied to trunk. I just noticed that the helper versions have not been bumped. Shall we update these to 1.3.1sq and 3.0.5sq ? Amos
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Hi Amos,

I accept your changes.

Thank you
Markus

Amos Jeffries wrote in message news:52446934.3040...@treenet.co.nz...

On 23/09/2013 12:58 a.m., Markus Moeller wrote:
Hi Amos, I did some cleanup. I think I moved all variables I could to sub scopes. Thank you Markus

This one looks much better thank you. Still some minor nits itching at my perfectionist side but I can suppress that for now.

in helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc:

* at the chunk for line 285 you still seem to have:

    if (spegnoToken) xfree(spegnoToken)

* same at line 485

in src/peer_proxy_negotiate_auth.cc:

* those defined() are still present.

If you want make a new patch or provide reasons for those please do. Otherwise I will fix those and apply this patch after a good sleep.

FYI: I will also be running the source maintenance script on it to cleanup large sections of weird whitespace alignment, so what appears in trunk after the merge may clash with your copy.

Thank you
Amos
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Thank you for the review. I'll try to improve.

Markus

Amos Jeffries wrote in message news:523dc8ff.4030...@treenet.co.nz...

On 26/08/2013 3:17 a.m., Markus Moeller wrote:
Hi please find a patch for squid 3.4 trunk for:
peer_proxy_negotiate_auth.cc
negotiate_auth/kerberos
external_acl/kerberos_ldap_group
Please ignore my previous patch. Thank you Markus

In helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc

* There are some if-conditions which look like they are wrongly being converted to safe_free(). The first is:

    -if (p == gdsp) {
    -xfree(gdsp);
    -gdsp = NULL;
    -}
    +safe_free(gdsp);
     p = gdsp;

  these will cause the loop to exit after freeing only one entry as gdsp gets unconditionally free+NULL'd and p set to NULL via the resulting gdsp value.

* The same issue exists in the ndsp and lssp blocks below that.

In helpers/external_acl/kerberos_ldap_group/support_group.cc

* there are still a number of unnecessary safe_free() conversions done on local variables before return statements.

In helpers/external_acl/kerberos_ldap_group/support_krb5.cc

* the xfree(service) can stay as xfree(service) but without the if(service) conditional.

* The tgt_creds and creds code for krb5_free*() should look like this (note the {} positioning to allow optimized skipping of the z=NULL assignment):

    +if (tgt_creds) {
    +krb5_free_creds(kparam.context, tgt_creds);
    +tgt_creds = NULL;
    +}

  ++ the tgt_creds appears like it can be made local to the if (!principal_name) { code block and does not need setting to NULL after free.

* in the krb5_create_cache() cleanup: section most of the xfree() were correct, but had unnecessary if() conditions. Now they have unnecessary =NULL assignment from the safe_free().

In helpers/external_acl/kerberos_ldap_group/support_ldap.cc

* the xfree(attr_value[j]); in for-loop was correct.

I only got as far as that before running out of time today.

Can you fix those please and go through the rest of the xfree/safe_free changes and make sure that the other files are similarly optimized. As a guide:

* xfree() is faster and should be preferred over safe_free() when possible.
* but safe_free() is required if the variable or member is possibly going to be read later in the code without being set to a new value.

Also, FYI in C++ variables may be declared at point of first use or inside any {} to increase compiler checks usefulness. We are making use of that property extensively in new Squid code to harden local variables and assist with ensuring guarantees like variables with undefined contents not being re-used accidentally outside their intended scope. You may want to consider polishing up some of the long functions in support_*.cc to make use of the sub-scopes.

Amos
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Hi Amos,

Could this go into 3.4 now ? Do you have a roadmap when the helper protocol extension will be available ?

Thank you
Markus

Markus Moeller wrote in message news:kvjavu$dgo$1...@ger.gmane.org...

This should be better now.

Markus

Alex Rousskov rouss...@measurement-factory.com wrote in message news:521d0b73.3090...@measurement-factory.com...

On 08/26/2013 03:38 PM, Markus Moeller wrote:
Here is the update patch.

    -if (pp && pp->next) {
    -xfree(pp->next);
    -pp->next = NULL;
    -}
    +safe_free(pp->next);

This change will cause crashes on single-entry lists where pp is NULL.

    -if (p == gdsp) {
    -xfree(gdsp);
    -gdsp = NULL;
    -}
    +safe_free(gdsp);
     p = gdsp;

This change will prevent cleanup of all entries except the very first one because the outer p-loop will terminate with p=gdsp making p NULL.

Similar problems in another, similar part of the patch.

You can completely remove an if-statement when using safe_free, but only where the if guard is the same as the one provided by safe_free:

    if (p) { xfree(p); p = NULL; }

can be replaced with

    safe_free(p);

However,

    if (something && p) { xfree(p); p = NULL; }

can only be replaced with

    if (something) safe_free(p);

Similarly,

    if (something) { xfree(p); p = NULL; }

can only be replaced with

    if (something) safe_free(p);

HTH,
Alex.
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Thank you for pointing this out. I was too radical :-(.

Markus

Alex Rousskov rouss...@measurement-factory.com wrote in message news:521d0b73.3090...@measurement-factory.com...

On 08/26/2013 03:38 PM, Markus Moeller wrote:
Here is the update patch.

    -if (pp && pp->next) {
    -xfree(pp->next);
    -pp->next = NULL;
    -}
    +safe_free(pp->next);

This change will cause crashes on single-entry lists where pp is NULL.

    -if (p == gdsp) {
    -xfree(gdsp);
    -gdsp = NULL;
    -}
    +safe_free(gdsp);
     p = gdsp;

This change will prevent cleanup of all entries except the very first one because the outer p-loop will terminate with p=gdsp making p NULL.

Similar problems in another, similar part of the patch.

You can completely remove an if-statement when using safe_free, but only where the if guard is the same as the one provided by safe_free:

    if (p) { xfree(p); p = NULL; }

can be replaced with

    safe_free(p);

However,

    if (something && p) { xfree(p); p = NULL; }

can only be replaced with

    if (something) safe_free(p);

Similarly,

    if (something) { xfree(p); p = NULL; }

can only be replaced with

    if (something) safe_free(p);

HTH,
Alex.
Re: helper protocol in 3.4
Hi Amos,

I have a very new update to the negotiate helper which should make it unnecessary to do any ldap group lookups for MS Active Directory environments. It would require the new protocol and I would appreciate if you could let me know how to read the kv pairs in an external ACL helper I still need to write.

As you may know MS adds SIDS of the groups to a Kerberos ticket. I can now extract these groups as a base 64 encoded string, which just need to be compared with in the external ACL helper. Here is an example debug output:

    negotiate_kerberos_pac.cc(358): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got PAC data of lengh 512
    negotiate_kerberos_pac.cc(177): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 5 rids
    negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 513
    negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1132
    negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1141
    negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1207
    negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1142
    negotiate_kerberos_pac.cc(247): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1828870822-1098772068-2592627279
    negotiate_kerberos_pac.cc(268): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
    negotiate_kerberos_pac.cc(316): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-1828870822-1098772068-2592627279-1107
    negotiate_kerberos_pac.cc(438): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Read 512 of 512 bytes
    negotiate_kerberos_auth.cc(431): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAUVploCbWTufUFPWoiaAQIAAA== group=AQUAAAUVploCbWTufUFPWoiabAQAAA== group=AQUAAAUVploCbWTufUFPWoiadQQAAA== group=AQUAAAUVploCbWTufUFPWoiatwQAAA== group=AQUAAAUVploCbWTufUFPWoiadgQAAA== group=AQUAAAUVploCbWTufUFPWoiaUwQ= AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home
    negotiate_kerberos_auth.cc(436): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home

As you can see I create a list of base64 encoded SIDS (I have attached also some code to convert it if you want to) e.g.

    ./convert_sid AQUAAAUVploCbWTufUFPWoiadgQAAA==
    argc: 2
    argv: AQUAAAUVploCbWTufUFPWoiadgQAAA==
    S-1-5-21-1828870822-1098772068--1702340017-1142

To configure an external ACL helper an Administrator needs to list the groups (MS only adds Security groups to the ticket afaik) of a user. As example my mm id has:

    ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME (samaccountname=mm) memberof
    SASL/GSSAPI authentication started
    SASL username: m...@win2003r2.home
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base DC=WIN2003R2,DC=HOME with scope subtree
    # filter: (samaccountname=mm)
    # requesting: memberof
    #

    # Markus Moeller, HomeUsers, win2003r2.home
    dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
    memberOf:: Q0490L/QtdGB0L3RjyxPVT1Hcm91cHMsREM9d2luMjAwM3IyLERDPWhvbWU=
    memberOf: CN=Group2,OU=Groups,DC=win2003r2,DC=home
    memberOf: CN=Group1,OU=Groups,DC=win2003r2,DC=home
    memberOf: CN=Administrators,CN=Builtin,DC=win2003r2,DC=home

    # search reference
    ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
     me

    # search reference
    ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
     me

    # search reference
    ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

    # search result
    search: 5
    result: 0 Success

    # numResponses: 5
    # numEntries: 1
    # numReferences: 3

For example the objectsid (This is what is in the kerberos ticket) is also base64 encoded in ldap (this is why I chose to use the encoded form to make the helper a cut and paste exercise)

    ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME (cn=Group2) objectsid
    SASL/GSSAPI authentication started
    SASL username: m...@win2003r2.home
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base DC=WIN2003R2,DC=HOME with scope subtree
    # filter: (cn=Group2)
    # requesting: objectsid
    #

    # Group2, Groups, win2003r2.home
    dn: CN=Group2,OU=Groups,DC=win2003r2,DC=home
    objectSid:: AQUAAAUVploCbWTufUFPWoiadgQAAA==

    # search reference
    ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=ho
     me

    # search reference
    ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=ho
     me

    # search reference
    ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

    # search result search
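The group= values in the helper line above are base64-encoded binary SIDs. The following is an added C example, not code from the post or from Squid, that decodes one such value back to S-1-5-... form the way the attached convert_sid does, reading every sub-authority as an unsigned 32-bit number (the double minus in the convert_sid output above is what 2592627279 looks like when printed through a signed int). The sample string and all function names are the example's own; the string is constructed to encode the DomainLogonId plus RID 1142 that the debug log prints.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SID_MAX_SUBAUTH = 15, SID_MAX_BYTES = 8 + 4 * SID_MAX_SUBAUTH };

/* Minimal base64 decoder (standard alphabet). Returns the number of bytes
 * written to out, or -1 on an invalid character or a too-small buffer. */
static int
b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in != '\0' && *in != '='; ++in) {       /* stop at '=' padding */
        const char *p = strchr(tbl, *in);
        if (p == NULL)
            return -1;
        acc = ((acc << 6) | (uint32_t)(p - tbl)) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Binary SID layout: revision (1 byte, must be 1), sub-authority count (1),
 * 48-bit big-endian identifier authority (6), then count little-endian
 * 32-bit sub-authorities. Returns 0 when len matches that layout, else -1. */
static int
sid_check(const unsigned char *sid, size_t len)
{
    if (len < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUBAUTH)
        return -1;
    return len == 8 + 4u * sid[1] ? 0 : -1;
}

/* Sub-authority idx (0-based) as an UNSIGNED 32-bit value. Reading it into a
 * plain int is what makes 2592627279 print as -1702340017 in convert_sid.
 * The last sub-authority is the RID; the ones before it form the domain SID. */
static int
sid_subauth(const unsigned char *sid, size_t len, unsigned idx, uint32_t *val)
{
    if (sid_check(sid, len) != 0 || idx >= sid[1])
        return -1;
    const unsigned char *p = sid + 8 + 4 * idx;
    *val = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Format a binary SID as "S-R-A-S1-...-Sn". Returns 0, or -1 on bad input
 * or a too-small output buffer. */
static int
sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    if (sid_check(sid, len) != 0)
        return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; ++i)
        auth = (auth << 8) | sid[i];
    int w = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0],
                     (unsigned long long)auth);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    for (unsigned i = 0; i < sid[1]; ++i) {
        uint32_t sub = 0;
        sid_subauth(sid, len, i, &sub);
        int k = snprintf(out + w, outlen - (size_t)w, "-%lu", (unsigned long)sub);
        if (k < 0 || (size_t)k >= outlen - (size_t)w)
            return -1;
        w += k;
    }
    return 0;
}

/* Decode one group=<base64> value from the helper line into "S-1-5-..." form.
 * A value that does not decode to a complete SID is rejected with -1. */
static int
group_value_to_sid(const char *b64, char *out, size_t outlen)
{
    unsigned char raw[SID_MAX_BYTES];
    int n = b64_decode(b64, raw, sizeof raw);
    return n < 0 ? -1 : sid_to_string(raw, (size_t)n, out, outlen);
}

/* Constructed sample, not copied from the post: it encodes
 * S-1-5-21-1828870822-1098772068-2592627279-1142, i.e. the DomainLogonId
 * plus RID 1142 that the debug log above prints. */
static const char SAMPLE_GROUP[] = "AQUAAAAAAAUVAAAAploCbWTufUFPWoiadgQAAA==";
```

group_value_to_sid(SAMPLE_GROUP, buf, sizeof buf) fills buf with S-1-5-21-1828870822-1098772068-2592627279-1142; sid_subauth with idx 4 returns the RID 1142.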
Re: helper protocol in 3.4
Apologies, I had a minor error for Heimdal detection.

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:kv7ku6$e5f$1...@ger.gmane.org...
Re: helper protocol in 3.4
Hi Amos,

I may have a helper for that case soon.

Thank you
Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:52106190.2030...@treenet.co.nz...

On 18/08/2013 9:32 a.m., Markus Moeller wrote:
Hi, I am looking at a way to provide information in addition to the username from the auth helper to the external acl helper. Can I use kv pairs in squid 3.4 ? I see there is a kv pair group= . Does it mean the auth helper can return details which will be used by the external acl helper ? Thank you Markus

Yes kv-pairs are supported in 3.4. I reserved group= so the auth helper can do exactly that. For usage in either external ACL helpers, or in a group type ACL. However, at present the internal parts of Squid do not exist to do anything with it.

The planned definition is to have helpers return one group= kv-pair for each group the auth helper can identify and attach them as annotation data to the credentials pair.

Amos
helper protocol in 3.4
Hi,

I am looking at a way to provide information in addition to the username from the auth helper to the external acl helper. Can I use kv pairs in squid 3.4 ? I see there is a kv pair group= . Does it mean the auth helper can return details which will be used by the external acl helper ?

Thank you
Markus
Re: [PATCH] SQUID 3.3 ext_kerberos_ldap_group_acl
And to the trunk please. Markus Markus Moeller hua...@moeller.plus.com wrote in message news:kmlb8g$n29$1...@ger.gmane.org... Hi Amos, Could you apply this patch to version 3.3 please ? Thank you Markus
Re: squid as a socks server
What is wrong with the dante socks server ? Why the effort with squid supporting socks ?

Markus

James Harper james.har...@bendigoit.com.au wrote in message news:6035a0d088a63a46850c3988ed045a4b3878a...@bitcom1.int.sbss.com.au...

Having a look at this page http://wiki.squid-cache.org/Features/Socks I can't tell for sure if this project is talking about a socks server, socks client, or both. I think it's both but the two functions are different enough they should probably be separate projects...

I like the idea of squid as a socks server because it already has all the authentication and logging infrastructure, even though it probably can't actually cache anything via socks. The problem I'm trying to solve is what to do with all the protocols that I want to police that aren't http/https, and what to do with applications that don't know how to authenticate to proxies but could authenticate to a socks server via a socks client.

Is anyone working on this?

OK so not a lot of interest? Suppose I wanted to implement this... it's been over a decade since I last looked at the squid code in any detail but looking around now I think I would need to do something like:

. add socks_port configuration option to cf.data.pre
. add code to parsePortCfg to detect socks_port params
. tune parsePortSpecification to validate options

At this stage I think socks is quite similar to CONNECT for the outgoing port case (bind and udp are completely different obviously), so I'm assuming that reusing the existing code around PortCfg is a good start.

Any tips on where to go next would be appreciated.

Thanks
James
[PATCH] Patch for squid 3.2 and trunk to use rfc1738 escapes
Hi Amos,

I am resending this with [PATCH] in subject. Please find attached a patch which uses rfc1738 escapes for negotiate_kerberos logging and kerberos_ldap_group. It also includes the option for kerberos_ldap_group to read group information from stdin instead of a command line argument.

Regards
Markus

rfc1738-trunk.patch
rfc1738.patch
Patch for squid 3.2 and trunk to use rfc1738 escapes
Hi Amos,

Please find attached a patch which uses rfc1738 escapes for negotiate_kerberos logging and kerberos_ldap_group. It also includes the option for kerberos_ldap_group to read group information from stdin instead of a command line argument.

Regards
Markus

rfc1738-trunk.patch
rfc1738.patch
Question about rfc1738_escape
Why can't I use the function multiple times in a printf line ?

Example:

    #include <stdio.h>
    #include <string.h>
    #include "rfc1738.h"

    int main(int argc, char *const argv[])
    {
        char *user1, *user2, *user3;
        user2 = strdup("0123456789ABCDEFG");
        user1 = strdup("abcd");
        user3 = strdup("abcdefghijklmnopqrst");
        printf("User1: %s\n", rfc1738_escape(user1));
        printf("User2: %s\n", rfc1738_escape(user2));
        printf("User3: %s\n", rfc1738_escape(user3));
        printf("All Users: %s|%s|%s\n", rfc1738_escape(user1), rfc1738_escape(user2), rfc1738_escape(user3));
    }

gives (last line for All Users is wrong):

Output:

    User1: abcd
    User2: 0123456789ABCDEFG
    User3: abcdefghijklmnopqrst
    All Users: abcd|abcd|abcd

Thank you
Markus
Re: Question about rfc1738_escape
Is that a general problem or just with printf ?

Markus

Henrik Nordström hen...@henriknordstrom.net wrote in message news:1346007797.22656.1.ca...@home.hno.se...

Sun 2012-08-26 at 19:28 +0100, Markus Moeller wrote:
Why can't I use the function multiple times in a printf line ?

because it uses a static return buffer, you need to copy the resulting string somewhere before making the next call.

Regards
Henrik
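To make Henrik's point concrete, here is an added C example that is not Squid code: escape_static is a hypothetical stand-in for rfc1738_escape with the same single-static-buffer behaviour, join_aliased reproduces the abcd|abcd|abcd symptom from the question, and join_copied applies the copy-before-the-next-call fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Squid's rfc1738_escape(): percent-encodes every
 * byte outside the RFC 1738 unreserved set and, like the real function,
 * returns ONE static buffer that every call overwrites. */
const char *
escape_static(const char *s)
{
    static char buf[1024];                  /* shared by all callers: the trap */
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *s != '\0' && o + 4 < sizeof buf; ++s) {
        unsigned char c = (unsigned char)*s;
        int unreserved = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                         (c >= 'a' && c <= 'z') || strchr("$-_.+!*'(),", c) != NULL;
        if (unreserved) {
            buf[o++] = (char)c;
        } else {
            buf[o++] = '%';
            buf[o++] = hex[c >> 4];
            buf[o++] = hex[c & 0x0F];
        }
    }
    buf[o] = '\0';
    return buf;
}

/* malloc'ed copy of a C string (strdup without depending on POSIX). */
static char *
dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* What the question did: three escape calls in one argument list. All three
 * pointers alias the same static buffer, so whichever call is evaluated
 * last wins and the line shows one user three times. */
void
join_aliased(const char *u1, const char *u2, const char *u3, char *out, size_t n)
{
    snprintf(out, n, "%s|%s|%s",
             escape_static(u1), escape_static(u2), escape_static(u3));
}

/* The fix Henrik describes: copy each result before making the next call.
 * Returns a malloc'ed string the caller frees, or NULL if allocation fails. */
char *
join_copied(const char *u1, const char *u2, const char *u3)
{
    char *e1 = dup_str(escape_static(u1));
    char *e2 = dup_str(escape_static(u2));
    char *e3 = dup_str(escape_static(u3));
    char *out = NULL;
    if (e1 != NULL && e2 != NULL && e3 != NULL) {
        size_t n = strlen(e1) + strlen(e2) + strlen(e3) + 3;   /* 2 x '|' + NUL */
        out = malloc(n);
        if (out != NULL)
            snprintf(out, n, "%s|%s|%s", e1, e2, e3);
    }
    free(e1);
    free(e2);
    free(e3);
    return out;
}

/* 1 when every '|'-separated field of joined is the same string (the
 * "abcd|abcd|abcd" symptom), 0 otherwise. */
int
fields_identical(const char *joined)
{
    const char *end = strchr(joined, '|');
    size_t len = end ? (size_t)(end - joined) : strlen(joined);
    const char *p = joined;
    while ((p = strchr(p, '|')) != NULL) {
        ++p;
        end = strchr(p, '|');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen != len || memcmp(joined, p, len) != 0)
            return 0;
    }
    return 1;
}

int
main(void)
{
    char line[256];
    char *fixed = join_copied("abcd", "0123456789ABCDEFG", "Markus Moeller");
    join_aliased("abcd", "0123456789ABCDEFG", "Markus Moeller", line, sizeof line);
    printf("aliased: %s\n", line);            /* one value repeated three times */
    printf("copied:  %s\n", fixed ? fixed : "(alloc failed)");
    free(fixed);
    return 0;
}
```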
Bug in commBind ?
I run OpenSuse 21.1 with squid3-3.1.16-2.3.1.x86_64 and have disabled ipv6, but commBind tries to bind to the ipv6 loopback instead of ipv4 when starting an external helper. Is this a bug or an OpenSuse package issue ?

    2012/04/06 19:03:27| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
    2012/04/06 19:03:27| commBind: Cannot bind socket FD 90 to [::1]: (99) Cannot assign requested address
    2012/04/06 19:03:27| commBind: Cannot bind socket FD 91 to [::1]: (99) Cannot assign requested address
    2012/04/06 19:03:27| ipcCreate: Failed to create child FD.

Markus
Re: [RFC] merging NTLM and Negotiate scheme components
squid_kerb_auth should be able to handle pure GSSAPI as well as SPNEGO blobs. I did see it in some Windows environments, but is there an RFC for Kerberos like there is for Negotiate ?

Markus

Henrik Nordström hen...@henriknordstrom.net wrote in message news:1324342293.21380.5.ca...@henriknordstrom.net...

Sat 2011-12-17 at 16:09 +1300, Amos Jeffries wrote:
It seems we should be relaying Kerberos but not advertising (lack of specific module). Should it be advertised as a separate mechanism to Negotiate?

Yes it's a separate scheme named Kerberos. But other than that it can share all of negotiate. The same helper protocol states. And quite likely even same helper in several cases even if the blobs differ. (helper dependent if it accepts both SPNEGO wrapped GSSAPI and bare GSSAPI)

Regards
Henrik
Re: [RFC] merging NTLM and Negotiate scheme components
Hi Amos,

I assume this will also eliminate the need of my negotiate_wrapper helper.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4eec0ce8.9040...@treenet.co.nz...

On 17/12/2011 3:31 p.m., Henrik Nordström wrote:
And a slightly better cleaned up patch.

Basically it boils down to a different form of AF/NA responses where the negotiate/kerberos responses includes a blob that needs to be sent to the requesting client, while ntlm just has username or message in the helper response.

Regards
Henrik

Sat 2011-12-17 at 03:12 +0100, Henrik Nordström wrote:
Attached is a patch showing the tiny differences between Negotiate and NTLM in the 3.0 sources. Have not attempted doing the same in later sources as I expect they have drifted further apart there when restructured a bit.

Regards
Henrik

Omitting symbol names, the difference should now be that blob, the virtual type() function used to generate headers, and fixHeaders emitting Authentication-Info details for Negotiate.

Amos
Re: Patch for kerberos_ldap_group helper
Could you let me know which platform / gcc version ?

Thank you
Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4e1fcf62.5060...@treenet.co.nz...

On 12/07/11 18:21, Amos Jeffries wrote:
On 08/07/11 09:10, Markus Moeller wrote:
Hi Amos, Could you please add this to the trunk. Thank you Markus

Sorry, I thought I got that one in already. Applied now.

Also applied the fix for bug 3195.

Recent versions of GCC have started failing with unused variable warnings in the SASL support files. Is this attached patch okay? or should something actually be happening with the related flags?

Amos

Hmm, k. This is blocking some distros. I'm going to have to drop them anyway for now.

Amos

--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.9
Re: Patch for kerberos_ldap_group helper
Hi Amos, Could you please add this to the trunk. Thank you Markus Markus Moeller hua...@moeller.plus.com wrote in message news:iru0kr$bm1$1...@dough.gmane.org... Hi, Here is a small patch against the trunk to fix some minor issues. Markus
Patch for kerberos_ldap_group helper
Hi,

Here is a small patch against the trunk to fix some minor issues.

Markus

kerberos_ldap_group_2.patch
cc file names
Hi

would it be possible to avoid naming source files in different directories the same ? It confuses my ddd/gdb debugger and it will always pick up for example ./src/auth/UserRequest.cc instead of ./src/auth/negotiate/UserRequest.cc.

    find . -name UserRequest.cc
    ./src/auth/ntlm/UserRequest.cc
    ./src/auth/negotiate/UserRequest.cc
    ./src/auth/basic/UserRequest.cc
    ./src/auth/digest/UserRequest.cc
    ./src/auth/UserRequest.cc

or is this a ddd issue ?

Markus
Re: [PATCH] pinning cleanup (testers wanted)
Hi Amos,

Using the latest trunk version squid crashes when I use negotiate wrapper and Kerberos. It did not do so before.

    (gdb) where
    #0  0xe424 in __kernel_vsyscall ()
    #1  0xb71e77ff in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #2  0xb71e9140 in abort () at abort.c:92
    #3  0x0812f9e8 in xassert (msg=0x82bf30c "request->clientConnectionManager == http_conn", file=0x82bee62 "client_side_request.cc", line=836) at debug.cc:567
    #4  0x08124fc3 in clientCheckPinning (this=0x84cb7f8) at client_side_request.cc:836
    #5  clientInterpretRequestHeaders (this=0x84cb7f8) at client_side_request.cc:945
    #6  ClientHttpRequest::doCallouts (this=0x84cb7f8) at client_side_request.cc:1335
    #7  0x08126548 in ClientRequestContext::clientAccessCheckDone (this=0x84d0860, answer=1) at client_side_request.cc:659
    #8  0x08126823 in ClientRequestContext::clientAccessCheck2 (this=0x84d0860) at client_side_request.cc:555
    #9  0x081246c3 in ClientHttpRequest::doCallouts (this=0x84cb7f8) at client_side_request.cc:1328
    #10 0x08126548 in ClientRequestContext::clientAccessCheckDone (this=0x84d0860, answer=1) at client_side_request.cc:659
    #11 0x08227825 in ACLChecklist::checkCallback (this=0x84d0a08, answer=ACCESS_ALLOWED) at Checklist.cc:194
    #12 0x08208c8f in ACLFilledChecklist::checkCallback (this=0x84d0a08, answer=ACCESS_ALLOWED) at FilledChecklist.cc:32
    #13 0x0822845b in ACLChecklist::check (this=0x84d0a08) at Checklist.cc:105
    #14 0x081f2c32 in ProxyAuthLookup::LookupDone (data=0x84d0a08, result=0x0) at AclProxyAuth.cc:173
    #15 0x0821d075 in AuthNegotiateUserRequest::HandleReply (data=0x848c3b0, lastserver=0x848d870, reply=<value optimized out>) at UserRequest.cc:399
    #16 0x0816baac in helperStatefulHandleRead (fd=10, buf=0x8496970 "AF oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWq1L/YTAWybqyPUgTY241MqX/0T0hOW8P0hkAceWJ+9eziWLZiEtX70GvOB1kxvSDZYAbM0cAsw/rd4tcdz8ULyl1jeUsjqey0+vs"..., len=253, flag=COMM_OK, xerrno=0, data=0x848d870) at helper.cc:959
    #17 0x0823a625 in CommIoCbPtrFun::dial (this=0x848d904) at CommCalls.cc:183
    #18 0x08228e4b in AsyncCall::make (this=0x848d8e8) at AsyncCall.cc:34
    #19 0x0822c3e7 in AsyncCallQueue::fireNext (this=0x848d268) at AsyncCallQueue.cc:54
    #20 0x0822c560 in AsyncCallQueue::fire (this=0x848d268) at AsyncCallQueue.cc:40
    #21 0x08146cf5 in EventLoop::runOnce (this=0xbfb417d4) at EventLoop.cc:131
    #22 0x08146df0 in EventLoop::run (this=0xbfb417d4) at EventLoop.cc:95
    #23 0x0819cc00 in SquidMain (argc=4, argv=0xbfb41904) at main.cc:1496
    #24 0x0819d9bc in SquidMainSafe (argc=4, argv=0xbfb41904) at main.cc:1229
    #25 main (argc=4, argv=0xbfb41904) at main.cc:1221

Amos Jeffries squ...@treenet.co.nz wrote in message news:4dc6352a.3030...@treenet.co.nz...

On 11/02/11 02:38, Amos Jeffries wrote:
Since 1xx handing went in HttpRequest has had two links to the one ConnStateData managing its client connection.

* Rename the 1xx link to clientConnectionManager (since it is not actually the connection, but the manager object controlling the FD usage and stats.

* Convert the pinning code to using the permanent clientConnectionManager link instead of a temporary pinned_connection link. This moves all connection pinning state fully into the ConnStateData manager objects scope.

Side changes that appear to be buggy code previously:

* do not alter pinning state at the point where the pinned connection is about to start being used. Changes are only relevant at the point of pinning or unpinning.

* unpin operation now closes the Server FD if still open. Previously there was the possibility that some code paths would leave server FD open and pconn it. (especially since the above mentioned state alteration cleared the pinned flag).

Applied to trunk. revno 11419

Amos

--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
Hi Amos, Sure. How do I get the changes ? Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4dbcc67d.7080...@treenet.co.nz... Markus, would you be happy to run some tests before this goes in and check that I have not screwed anything up? Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.12 Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
Sorry I did, but I wasn't sure if that was the latest. Thank you Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4dbd4a1a.6000...@treenet.co.nz... On 01/05/11 22:49, Markus Moeller wrote: Hi Amos, Sure. How do I get the changes ? Markus Did you not get the .patch file attached to the earlier email? (attaching again anyways) Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.12 Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
I get a compile error against the trunk version

    make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
    g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include -I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_smb_lm_auth.o -MD -MP -MF .deps/ntlm_smb_lm_auth.Tpo -c -o ntlm_smb_lm_auth.o ntlm_smb_lm_auth.cc
    cc1plus: warnings being treated as errors
    ntlm_smb_lm_auth.cc: In function 'void manage_request()':
    ntlm_smb_lm_auth.cc:530:40: error: comparison between signed and unsigned integer expressions
    make[3]: *** [ntlm_smb_lm_auth.o] Error 1
    make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4dbd4a1a.6000...@treenet.co.nz...

On 01/05/11 22:49, Markus Moeller wrote:
Hi Amos, Sure. How do I get the changes ? Markus

Did you not get the .patch file attached to the earlier email? (attaching again anyways)

Amos

--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
And this is a second error (or at least treated as one)

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_fake_auth.o -MD -MP -MF .deps/ntlm_fake_auth.Tpo -c -o ntlm_fake_auth.o ntlm_fake_auth.cc
cc1plus: warnings being treated as errors
ntlm_fake_auth.cc: In function 'int main(int, char**)':
ntlm_fake_auth.cc:154:9: error: 'decodedLen' may be used uninitialized in this function
make[3]: *** [ntlm_fake_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'
make: *** [all-recursive] Error 1

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ipjlcl$qfu$1...@dough.gmane.org...

I get a compile error against the trunk version

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_smb_lm_auth.o -MD -MP -MF .deps/ntlm_smb_lm_auth.Tpo -c -o ntlm_smb_lm_auth.o ntlm_smb_lm_auth.cc
cc1plus: warnings being treated as errors
ntlm_smb_lm_auth.cc: In function 'void manage_request()':
ntlm_smb_lm_auth.cc:530:40: error: comparison between signed and unsigned integer expressions
make[3]: *** [ntlm_smb_lm_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4dbd4a1a.6000...@treenet.co.nz...

On 01/05/11 22:49, Markus Moeller wrote:
Hi Amos,

Sure. How do I get the changes ?

Markus

Did you not get the .patch file attached to the earlier email?
(attaching again anyways)

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
The negotiate wrapper and negotiate_kerberos_auth seem to work fine (with the known problem that NTLM does not work with the trunk version and negotiate_wrapper)

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ipk6oe$h43$1...@dough.gmane.org...

And this is a second error (or at least treated as one)

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_fake_auth.o -MD -MP -MF .deps/ntlm_fake_auth.Tpo -c -o ntlm_fake_auth.o ntlm_fake_auth.cc
cc1plus: warnings being treated as errors
ntlm_fake_auth.cc: In function 'int main(int, char**)':
ntlm_fake_auth.cc:154:9: error: 'decodedLen' may be used uninitialized in this function
make[3]: *** [ntlm_fake_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'
make: *** [all-recursive] Error 1

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ipjlcl$qfu$1...@dough.gmane.org...

I get a compile error against the trunk version

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include-I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_smb_lm_auth.o -MD -MP -MF .deps/ntlm_smb_lm_auth.Tpo -c -o ntlm_smb_lm_auth.o ntlm_smb_lm_auth.cc
cc1plus: warnings being treated as errors
ntlm_smb_lm_auth.cc: In function 'void manage_request()':
ntlm_smb_lm_auth.cc:530:40: error: comparison between signed and unsigned integer expressions
make[3]: *** [ntlm_smb_lm_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4dbd4a1a.6000...@treenet.co.nz...

On 01/05/11 22:49, Markus Moeller wrote:
Hi Amos,

Sure. How do I get the changes ?

Markus

Did you not get the .patch file attached to the earlier email?
(attaching again anyways)

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: Problem authenticating with Negotiate-NTLM
Hi Amos,

Where in the 3.2 squid code will the Proxy-Authorization: line be added ? I can see that the negotiate-wrapper correctly returns the TT and I see in the logs:

2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(272) HandleReply: helper: '0x84886f0' sent us 'TT TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb4d0
2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(325) HandleReply: Need to challenge the client with a server blob 'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='
2011/04/10 01:07:43.849 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| ACLChecklist::asyncInProgress: 0x84cb4d0 async set to 0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb3e0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x8457df8
2011/04/10 01:07:43.849 kid1| ACLChecklist::preCheck: 0x84cb4d0 checking 'http_access allow authenticate'
2011/04/10 01:07:43.850 kid1| ACLList::matches: checking authenticate
2011/04/10 01:07:43.850 kid1| ACL::checklistMatches: checking 'authenticate'
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(345) authenticate: header Negotiate TlRMTVNTUAABBoIIAAA=.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!

but the client never receives the Proxy-Authorization: line. It gets lost somewhere in the squid code. It works for pure NTLM.

Thank you
Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:inn1ro$qnh$2...@dough.gmane.org...

Markus Moeller hua...@moeller.plus.com wrote in message news:im5hrq$vbr$1...@dough.gmane.org...

I did some further tests and noticed the following:

1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or pure ntlm) ( See polygraph-4.3.1-3.0.tgz I can get 3.0 to work by adding Connection: Keep-Alive to Polygraph's client code.
3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See polygraph-4.3.1-3.2.tgz) 3.2 still needs further analysis

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:im4v3n$374$1...@dough.gmane.org...

Hi,

I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see that the helper returns TT ... and squid logs

2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACEgASADAFgomivxsqHXpxr1kAAHQAdABCVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!

but in the wireshark log I don't see a proxy-authenticate header line to challenge the client. What could be the reason ? When I switch to Negotiate-Kerberos everything works.

Attached are the config and log files.

Markus

Markus
Re: Problem authenticating with Negotiate-NTLM
Markus Moeller hua...@moeller.plus.com wrote in message news:im5hrq$vbr$1...@dough.gmane.org...

I did some further tests and noticed the following:

1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or pure ntlm) ( See polygraph-4.3.1-3.0.tgz I can get 3.0 to work by adding Connection: Keep-Alive to Polygraph's client code.
3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See polygraph-4.3.1-3.2.tgz) 3.2 still needs further analysis

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:im4v3n$374$1...@dough.gmane.org...

Hi,

I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see that the helper returns TT ... and squid logs

2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACEgASADAFgomivxsqHXpxr1kAAHQAdABCVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!

but in the wireshark log I don't see a proxy-authenticate header line to challenge the client. What could be the reason ? When I switch to Negotiate-Kerberos everything works.

Attached are the config and log files.

Markus

Markus
Re: Patches for squid 3.2
Amos Jeffries squ...@treenet.co.nz wrote in message news:4d7db5d4.3080...@treenet.co.nz...

On 14/03/11 12:34, Markus Moeller wrote:
Hi,

I have three patches for the squid trunk version.

1) A patch for negotiate_kerberos_auth to fix a minor error in printing gss errors
2) A patch for kerberos_ldap_group which adds a -S server option
3) A patch to add negotiate_wrapper

In addition I indented all with:
indent -br -ce -i4 -ci4 -l80 -nlp -npcs -npsl -d0 -sc -di0 -psl
as documented for C sources.

Regards
Markus

Patch (1) and (2) checked and merged.

NP: the formatting needs to be done with scripts/formater.pl for squid-3. (No matter though, easily redone)

Sorry. Will remember for next time.

The wrapper helper held back a few days so I can play with it some more.

Sure. It is quite new.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5

Thank you
Markus
Re: New external_acl helper squid_kerb_ldap
Hi Amos,

When I use my wrapper I had to modify the samba ntlm_auth helper to return another AF string. I run 3.0.STABLE25 and

/usr/bin/ntlm_auth -V
Version 3.5.4-2489-SUSE-SL11.3

FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'

Would it be possible that the Negotiate reply handler accepts both formats ?

I used

auth_param negotiate program /usr/sbin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME

Thank you
Markus

2011/03/10 22:44:34| negotiate_wrapper: Got 'YR TlRMTVNTUAABB4IIogAFAs4ODw==' from squid (length: 59).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAABB4IIogAFAs4ODw==' (decoded length: 40).
2011/03/10 22:44:34| negotiate_wrapper: received type 1 NTLM token
2011/03/10 22:44:34| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' from squid (length: 239).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' (decoded length: 176).
2011/03/10 22:44:34| negotiate_wrapper: received type 3 NTLM token
2011/03/10 22:44:35| storeDirWriteCleanLogs: Starting...
2011/03/10 22:44:35| WARNING: Closing open FD 25
2011/03/10 22:44:35| Finished. Wrote 2747 entries.
2011/03/10 22:44:35| Took 0.00 seconds (1852326.37 entries/sec).
FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'
Squid Cache (Version 3.0.STABLE25): Terminated abnormally.
CPU Usage: 0.225 seconds = 0.017 user + 0.208 sys
Maximum Resident Size: 39392 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    3244 KB
        Ordinary blocks:         3163 KB      7 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:          3664 KB     13 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:      80 KB
        Total in use:            6827 KB 210%
        Total free:                80 KB 2%
2011/03/10 22:44:38| Starting Squid Cache version 3.0.STABLE25 for i686-suse-linux-gnu...

Amos Jeffries squ...@treenet.co.nz wrote in message news:4c651eb3.6020...@treenet.co.nz...

Markus Moeller wrote:
Amos Jeffries squ...@treenet.co.nz wrote in message news:4c5187d2.5010...@treenet.co.nz...
Markus Moeller wrote:
Hi Amos,

Hi Amos

How does your time look now ?

Regards
Markus

Looks passable. I have not had time for a detailed view of the logics.

I'll commit this tomorrow with a name tweak, the naming scheme has been through the external acl helpers too now. I'll just tack ext_ on the front and _acl on the back of the existing binary name and update the docs to match.

One thing that worries me still is the RUN_IFELSE autoconf macros still being added to configure.in. I'm sure there is a macro that checked for defined values of things inside headers without running stuff. If you can try and find that it would be great not to have to run anything on build.

I have 4 RUN_IFELSE. The first is to check that ldap works with the provided libraries. Is that unusual ? Any other suggestion how to check ?

Um, okay. That's reasonable on build. Duplicating at run-time may also be useful since the particular run-time libraries are not always the ones built against.

The other three are to determine the LDAP vendor, which is a define statement in one of the ldap header files and as it is a string in a define I can not use any header grep nor preprocessor checks ( at least I do not know of any).

Nasty. Oh well. Okay.

Have applied to Squid-3.HEAD with the extra ext_*_acl bits on the binary name and docs for the current naming style.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
Re: New external_acl helper squid_kerb_ldap
Hi Amos,

Could you let me know what are valid responses from the negotiate helper compared to ntlm helper ? It seems I have to translate them.

Thank you
Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ilcv9m$kra$1...@dough.gmane.org...

Hi Amos,

When I use my wrapper I had to modify the samba ntlm_auth helper to return another AF string. I run 3.0.STABLE25 and

/usr/bin/ntlm_auth -V
Version 3.5.4-2489-SUSE-SL11.3

FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'

Would it be possible that the Negotiate reply handler accepts both formats ?

I used

auth_param negotiate program /usr/sbin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME

Thank you
Markus

2011/03/10 22:44:34| negotiate_wrapper: Got 'YR TlRMTVNTUAABB4IIogAFAs4ODw==' from squid (length: 59).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAABB4IIogAFAs4ODw==' (decoded length: 40).
2011/03/10 22:44:34| negotiate_wrapper: received type 1 NTLM token
2011/03/10 22:44:34| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' from squid (length: 239).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' (decoded length: 176).
2011/03/10 22:44:34| negotiate_wrapper: received type 3 NTLM token
2011/03/10 22:44:35| storeDirWriteCleanLogs: Starting...
2011/03/10 22:44:35| WARNING: Closing open FD 25
2011/03/10 22:44:35| Finished. Wrote 2747 entries.
2011/03/10 22:44:35| Took 0.00 seconds (1852326.37 entries/sec).
FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'
Squid Cache (Version 3.0.STABLE25): Terminated abnormally.
CPU Usage: 0.225 seconds = 0.017 user + 0.208 sys
Maximum Resident Size: 39392 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    3244 KB
        Ordinary blocks:         3163 KB      7 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:          3664 KB     13 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:      80 KB
        Total in use:            6827 KB 210%
        Total free:                80 KB 2%
2011/03/10 22:44:38| Starting Squid Cache version 3.0.STABLE25 for i686-suse-linux-gnu...

Amos Jeffries squ...@treenet.co.nz wrote in message news:4c651eb3.6020...@treenet.co.nz...

Markus Moeller wrote:
Amos Jeffries squ...@treenet.co.nz wrote in message news:4c5187d2.5010...@treenet.co.nz...
Markus Moeller wrote:
Hi Amos,

Hi Amos

How does your time look now ?

Regards
Markus

Looks passable. I have not had time for a detailed view of the logics.

I'll commit this tomorrow with a name tweak, the naming scheme has been through the external acl helpers too now. I'll just tack ext_ on the front and _acl on the back of the existing binary name and update the docs to match.

One thing that worries me still is the RUN_IFELSE autoconf macros still being added to configure.in. I'm sure there is a macro that checked for defined values of things inside headers without running stuff. If you can try and find that it would be great not to have to run anything on build.

I have 4 RUN_IFELSE. The first is to check that ldap works with the provided libraries. Is that unusual ? Any other suggestion how to check ?

Um, okay. That's reasonable on build. Duplicating at run-time may also be useful since the particular run-time libraries are not always the ones built against.

The other three are to determine the LDAP vendor, which is a define statement in one of the ldap header files and as it is a string in a define I can not use any header grep nor preprocessor checks ( at least I do not know of any).

Nasty. Oh well. Okay.

Have applied to Squid-3.HEAD with the extra ext_*_acl bits on the binary name and docs for the current naming style.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
Re: New Auth configuration options
Amos Jeffries squ...@treenet.co.nz wrote in message news:6a344dc47f7a230a7cf24e0a5bed7...@treenet.co.nz...

On Sun, 6 Mar 2011 12:39:28 -, Markus Moeller wrote:
Amos Jeffries squ...@treenet.co.nz wrote in message news:4d73721e.4000...@treenet.co.nz...
On 06/03/11 00:46, Markus Moeller wrote:
Amos Jeffries squ...@treenet.co.nz wrote in message news:4d718401.6050...@treenet.co.nz...
On 05/03/11 05:41, Markus Moeller wrote:
Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid. Which I think is quite some duplication.

Markus

Squid already does the tri-state response handling similarly for Negotiate and NTLM auth schemes. The blob decoding and response state is entirely up to the helper.

I think the wrapper just needs to decode the blob and do either NTLM challenge+validate or Kerberos validate on the result depending on what detail it gets.

So squid keeps state to which helper instance the NTLM challenge was sent to ?

Yes, and whether there is a challenge pending blocking it from other uses.

Good

A flag internally to determine that an NTLM validate is the next state after challenge will be needed to avoid sending NTLM challenge then validating the follow-up with Kerberos.

I really don't want to program all of that. I just would like to hand it over to the existing squid_kerb_auth or ntlm_auth helper after identification of the blob being NTLM or not. But if I hand the token over squid_kerb_auth or ntlm_auth will get into an endless loop and won't return to my wrapper. Does that make sense ?

Nope. Sorry.

Is the wrapper calling itself recursively when the first sub-lookup results in failure?

The only loop I can see is when Negotiate/NTLM challenge-response arrives. If the wrapper passes it to Kerberos it may have bad consequences, though I'm not certain. If Kerberos can validate the NTLM challenge responses safely that simplifies things a lot.

As for programming, we have a libntlmauth library bundled with Squid which has NTLM decoder functions and struct ntlmhdr definitions in it.

Code would be something like:

flag = unset
while(fgets(input)) {
  base64decode(input, output);
  validation_reply = ntlm_validate_packet((struct ntlmhdr*)output, type 3 packet);
  if (validation_reply flag != doing_ntlm) {
    ... get result from kerberos ...

Here I see a problem. I assume I can re-use the existing helpers. How do I start it and get data to and from it ?

That would be via fork() or vfork() earlier during startup setting up a pair of pipes to the other helper.

OK. That is what I thought might work.

  } else {
    flag = unset
    ... get result or challenge from NTLM ...

Same here.

    if result is challenge
      flag = doing_ntlm
  }
  ... pass result to squid
}

Amos

Markus
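The dispatch loop Amos sketches above, written out as an added example; it is not Squid's negotiate_wrapper and not Amos's or Markus's code. It decodes the token Squid sends on a YR/KK line, checks for the NTLMSSP signature and reads the message type at offset 8, routes NTLM blobs to an NTLM backend and everything else to a Kerberos backend, and keeps the "challenge pending" flag Amos describes so that the type 3 follow-up after a TT never reaches Kerberos. It also carries the reply translation Markus asks about in the squid_kerb_ldap thread above: ntlm_auth answers `AF user` in the NTLM scheme while the Negotiate scheme expects a token before the user name; the `=` placeholder used for that slot is an assumption to be checked against the Squid version in use. The two backends are constructed stand-in callables so the block runs offline; a real wrapper would fork the sub-helpers and talk to them over pipes as Amos says. The `BH` and `NA` reply lines are likewise assumed here, not taken from the thread.

```python
# Added example (not Squid's negotiate_wrapper, not code from the thread): route
# each Negotiate-scheme request to an NTLM or Kerberos backend by token type.
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # 8-byte signature of every NTLMSSP message
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3


def ntlm_message_type(token):
    """Return the NTLMSSP MessageType (1, 2 or 3) found at offset 8, or None if the
    blob is not NTLM (a SPNEGO/Kerberos token starts with an ASN.1 tag instead)."""
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        return None
    (mtype,) = struct.unpack_from("<I", token, 8)   # little-endian uint32
    return mtype if mtype in (NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE) else None


class NegotiateDispatcher:
    """One per helper process: Squid keeps an NTLM conversation on the same helper
    instance, so a single pending flag is enough to track the challenge state."""

    def __init__(self, ntlm_backend, kerberos_backend):
        self.ntlm = ntlm_backend        # callable: "YR|KK <b64>" -> helper reply line
        self.krb = kerberos_backend
        self.ntlm_challenge_pending = False

    def handle(self, line):
        cmd, _, b64 = line.strip().partition(" ")
        if cmd not in ("YR", "KK") or not b64:
            return "BH malformed request line"        # assumed reply format
        try:
            token = base64.b64decode(b64, validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            return "BH malformed base64 token"
        mtype = ntlm_message_type(token)
        if self.ntlm_challenge_pending:
            # We answered TT with an NTLM challenge: the follow-up must be the NTLM
            # type 3 and must go back to the NTLM backend, never to Kerberos.
            self.ntlm_challenge_pending = False
            if mtype != NTLM_AUTHENTICATE:
                return "NA = expected NTLM type 3 after challenge"
            return self._translate_ntlm(self.ntlm(line))
        if mtype is not None:
            reply = self.ntlm(line)
            if reply.startswith("TT "):
                self.ntlm_challenge_pending = True
            return self._translate_ntlm(reply)
        return self.krb(line)                          # Kerberos completes in one round

    @staticmethod
    def _translate_ntlm(reply):
        """ntlm_auth speaks the NTLM scheme ("AF user"); the Negotiate scheme expects
        a token before the user.  ASSUMPTION: "=" fills the token slot."""
        if reply.startswith("AF ") or reply.startswith("NA "):
            return reply[:3] + "= " + reply[3:]
        return reply


# --- constructed stand-ins so the example runs offline ---------------------------
def make_ntlm_token(mtype):
    """Constructed minimal NTLMSSP blob: signature, MessageType, zeroed body."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", mtype) + b"\x00" * 24


def fake_ntlm_helper(line):
    """Stands in for ntlm_auth --helper-protocol=squid-2.5-ntlmssp (constructed)."""
    mtype = ntlm_message_type(base64.b64decode(line.partition(" ")[2]))
    if mtype == NTLM_NEGOTIATE:
        return "TT " + base64.b64encode(make_ntlm_token(NTLM_CHALLENGE)).decode()
    if mtype == NTLM_AUTHENTICATE:
        return "AF WIN2003R2\\administrator"   # the reply shape Squid 3.0 rejected above
    return "NA not an NTLM token"


def fake_kerberos_helper(line):
    """Stands in for negotiate_kerberos_auth (constructed); returns a fixed AF."""
    return "AF b64ServerToken user@EXAMPLE.COM"


def demo():
    """Drive the dispatcher through the cases discussed above; return the replies."""
    d = NegotiateDispatcher(fake_ntlm_helper, fake_kerberos_helper)
    t1 = base64.b64encode(make_ntlm_token(NTLM_NEGOTIATE)).decode()
    t3 = base64.b64encode(make_ntlm_token(NTLM_AUTHENTICATE)).decode()
    spnego = base64.b64encode(b"\x60\x10\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 8).decode()
    return [
        d.handle("YR " + t1),        # NTLM type 1 -> TT challenge from the NTLM backend
        d.handle("KK " + t3),        # NTLM type 3 -> AF, translated to Negotiate form
        d.handle("YR " + spnego),    # non-NTLM blob -> Kerberos backend
        d.handle("KK not-base64!"),  # undecodable blob -> BH
        d.handle("YR " + t1),        # challenge pending again ...
        d.handle("KK " + spnego),    # ... but a non-NTLM follow-up: NA, not Kerberos
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The state flag is reset on every KK, whether or not the NTLM backend accepts it, so a client that abandons a challenge half-way cannot leave the helper stuck expecting a type 3 forever.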
Re: New Auth configuration options
Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid. Which I think is quite some duplication.

Markus

Guido Serassio guido.seras...@acmeconsulting.it wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Henrik,

I was thinking about the same thing few minutes ago ... :-)

+1

Regards

Guido

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 1          10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it

-----Original Message-----
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Thursday, 8 April 2010 21.47
To: Markus Moeller
Cc: squid-dev@squid-cache.org
Subject: Re: New Auth configuration options

On Wed 2010-04-07 at 20:27 +0100, Markus Moeller wrote:
Would it make sense to define in squid two new configuration options to control Negotiate authentication ? I am thinking of adding Negotiate-NTLM and Negotiate-Kerberos

I would prefer a wrapper helper doing this selection.

Regards
Henrik
Re: Two patches for better heimdal support
Hi Henrik,

That seems to be from another patch:

bzr log -p -r11090 helpers/external_acl/kerberos_ldap_group/support_log.cc

revno: 11090
committer: Amos Jeffries squ...@treenet.co.nz
branch nick: trunk
timestamp: Sat 2010-12-04 23:14:11 -0700
message:
  Fix invalid conversion 'long int' to 'time_t'
diff:
=== modified file 'helpers/external_acl/kerberos_ldap_group/support_log.cc'
--- helpers/external_acl/kerberos_ldap_group/support_log.cc 2010-08-14 00:12:49 + +++ helpers/external_acl/kerberos_ldap_group/support_log.cc 2010-12-05 06:14:11 + @@ -41,7 +41,8 @@ gettimeofday(now, NULL); if (now.tv_sec != last_t) { -tm = localtime(now.tv_sec); +time_t tmp = now.tv_sec; +tm = localtime(tmp); strftime(buf, 127, %Y/%m/%d %H:%M:%S, tm); last_t = now.tv_sec; }

Henrik Nordström hen...@henriknordstrom.net wrote in message news:1291657930.10525.625.ca...@henriknordstrom.net...

The build farm now on kerberos_ldap_group due to int/time_t type mismatches

../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc: In function `const char* LogTime()':
../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc:44: error: invalid conversion from `long int*' to `const time_t*'
../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc:44: error:   initializing argument 1 of `tm* localtime(const time_t*)'

I assume this is related to the heimdal support patches.

Regards
Henrik
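Review bot: the temporary copy `+time_t tmp = now.tv_sec;` followed by `+tm = localtime(tmp);` deserves a one-line comment in the hunk saying why it exists, namely that `timeval.tv_sec` is not guaranteed to be a `time_t` on every platform (the build-farm error Henrik quotes shows it as `long int` there), because without that note a later cleanup is likely to fold it back into a single `localtime(now.tv_sec)` call and reintroduce the same conversion error. While touching this block, the surrounding `strftime(buf, 127, ...)` and `last_t` caching only stay correct if LogTime() is ever called from one thread at a time; if that assumption holds it is worth stating next to the same comment.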
Re: Two patches for better heimdal support
Sorry I have another addition for config.test

=== modified file 'helpers/external_acl/kerberos_ldap_group/config.test'
--- helpers/external_acl/kerberos_ldap_group/config.test2010-12-05 00:25:25 + +++ helpers/external_acl/kerberos_ldap_group/config.test2010-12-06 21:09:15 + @@ -9,6 +9,9 @@ if [ -f /usr/lib/libsasl.la -o -f /usr/lib/libsasl2.la ]; then exit 0 fi + if [ -f /usr/lib/libsasl.so -o -f /usr/lib/libsasl2.so ]; then + exit 0 + fi if [ -f /usr/local/lib/libsasl.so -o -f /usr/local/lib/libsasl2.so ]; then exit 0 fi

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:idde7p$8a...@dough.gmane.org...

Hi Amos,

Please find attached more patches for better heimdal support as new heimdal versions have gssapi_krb5 header files which were in the past only in older MIT releases available.

1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue

Secondly to use kerberos_ldap_group on freebsd config.test has to be changed as freebsd installs additional packages in /usr/local. The following patch addresses this

2) kerberos_ldap_group_config.diff

Thirdly on freebsd 7 the krb5.h file does not work with C++. This patch checks for it

3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch)

Regards
Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ibpome$ps...@dough.gmane.org...

Here is an update using only #if / #elif and changed the order a bit.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz...

On Sun, 14 Nov 2010 18:37:39 -, Markus Moeller hua...@moeller.plus.com wrote:
Hi

I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk.

Markus

These appear to be reversions of the file-based inclusions.

Would it not be better just to add:
+#if HAVE_GSSAPI_GSSAPI_EXT_H
+#include gssapi/gssapi_ext.h
+#endif
to the end of the include lists?

Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way.

Amos
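Review bot: the added `+ if [ -f /usr/lib/libsasl.so -o -f /usr/lib/libsasl2.so ]; then` block is a third copy of the same hard-coded path test (`.la` in /usr/lib, `.so` in /usr/lib, `.so` in /usr/local/lib), and it still misses installations that ship only the versioned shared object (`libsasl2.so.N`, which is what a runtime-only package provides) or that keep libraries in a directory other than these two. A loop over a list of candidate directories with a `libsasl2.so*` glob would cover those in one place, and since this thread already notes that FreeBSD needs `LDFLAGS=-L/usr/local/lib` for kerberos_ldap_group, the most robust form is a compile-and-link probe driven from configure so the check follows the same flags the build uses.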
Re: Two patches for better heimdal support
I can have a look into it. The setup described is definitely not the norm. Most people want automated setups and not use config files.

Regards
Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4cfaea4c.8020...@treenet.co.nz...

Re-applied.

In other details, are you able to respond to this?
http://bugs.squid-cache.org/show_bug.cgi?id=3075

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
Hi Amos,

I don't see that these two have been applied. Heimdal introduced a header file gssapi_krb5.h which was previously only available in some older MIT releases. To avoid issues on for example FreeBSD 8.1 I had to change the include checks.

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ibpome$ps...@dough.gmane.org...

Here is an update using only #if / #elif and changed the order a bit.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz...

On Sun, 14 Nov 2010 18:37:39 -, Markus Moeller hua...@moeller.plus.com wrote:
Hi

I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk.

Markus

These appear to be reversions of the file-based inclusions.

Would it not be better just to add:
+#if HAVE_GSSAPI_GSSAPI_EXT_H
+#include gssapi/gssapi_ext.h
+#endif
to the end of the include lists?

Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way.

Amos
Re: Two patches for better heimdal support
I use bazaar

Updated to revision 11093 of branch http://bzr.squid-cache.org/bzr/squid3/trunk

I don't see the squidclient patch nor negotiate_kerberos_auth. I attach again

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4cfb92c9.7030...@treenet.co.nz...

On 06/12/10 01:22, Markus Moeller wrote:
Hi Amos,

I don't see that these two have been applied. Heimdal introduced a header file gssapi_krb5.h which was previously only available in some older MIT releases. To avoid issues on for example FreeBSD 8.1 I had to change the include checks.

Markus

revno 11082 in 3.HEAD
http://master.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11086.patch

There is some hour or so delay in www.* updating these days.

I've committed an update to configure.ac to set those /usr/local paths. It looks like it may also fix several other library problems that were bugging us earlier today :)

Thank you.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3

squid_negotiate.diff
Description: Binary data

squidclient.diff
Description: Binary data
Re: Two patches for better heimdal support
Hi Amos,

I added a comment to the bug note.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4cfaea4c.8020...@treenet.co.nz...

Re-applied.

In other details, are you able to respond to this?
http://bugs.squid-cache.org/show_bug.cgi?id=3075

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
Hi Amos,

Please find attached more patches for better heimdal support as new heimdal versions have gssapi_krb5 header files which were in the past only in older MIT releases available.

1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue

Secondly to use kerberos_ldap_group on freebsd config.test has to be changed as freebsd installs additional packages in /usr/local. The following patch addresses this

2) kerberos_ldap_group_config.diff

Thirdly on freebsd 7 the krb5.h file does not work with C++. This patch checks for it

3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch)

Regards
Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:ibpome$ps...@dough.gmane.org...

Here is an update using only #if / #elif and changed the order a bit.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz...

On Sun, 14 Nov 2010 18:37:39 -, Markus Moeller hua...@moeller.plus.com wrote:
Hi

I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk.

Markus

These appear to be reversions of the file-based inclusions.

Would it not be better just to add:
+#if HAVE_GSSAPI_GSSAPI_EXT_H
+#include gssapi/gssapi_ext.h
+#endif
to the end of the include lists?

Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way.

Amos

kerberos_ldap_group_config.diff
Description: Binary data

kerberos_ldap_group_freebsd.diff
Description: Binary data

kerberos_ldap_group_header.diff
Description: Binary data
Re: Two patches for better heimdal support
BTW to use kerberos_ldap_group on freebsd configure has to be run with CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib -Wl,-R/usr/local/lib Markus Moeller hua...@moeller.plus.com wrote in message news:idde7p$8a...@dough.gmane.org... Hi Amos, Please find attached more patches for better heimdal support as new heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly to use kerberos_ldap_group on freebsd config.test has to be changed as freebsd installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly on freebsd 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus Markus Moeller hua...@moeller.plus.com wrote in message news:ibpome$ps...@dough.gmane.org... Here is an update using only #if / #elif and changed the order a bit. Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -, Markus Moeller hua...@moeller.plus.com wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include gssapi/gssapi_ext.h +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos
Re: Two patches for better heimdal support
I get $ uname -a FreeBSD freebsd-81-64.freebsd.home 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 $ krb5-config --cflags gssapi -I/usr/include $ krb5-config --libs gssapi -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt and my ldap and sasl file are in /usr/local $ pkg_info -v openldap-sasl-client-2.4.23 | less Information for openldap-sasl-client-2.4.23: Comment: Open source LDAP client implementation with SASL2 support Description: OpenLDAP is a suite of Lightweight Directory Access Protocol (v3) servers, clients, utilities and development tools. This package includes the following major components: * -lldap - a LDAP client library * -llber - a lightweight BER/DER encoding/decoding library * LDAP tools - A collection of command line LDAP utilities * documentation - man pages for all components WWW: http://www.OpenLDAP.org/ Install notice: The OpenLDAP client package has been successfully installed. Edit /usr/local/etc/openldap/ldap.conf to change the system-wide client defaults. Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at http://www.OpenLDAP.org/faq/index.cgi?file=3 for more information. Packing list: Comment: PKG_FORMAT_REVISION:1.1 Package name: openldap-sasl-client-2.4.23 Package origin: net/openldap24-sasl-client CWD to /usr/local Dependency: cyrus-sasl-2.1.23 dependency origin: security/cyrus-sasl2 Amos Jeffries squ...@treenet.co.nz wrote in message news:4cfa4d64.8030...@treenet.co.nz... On 05/12/10 02:49, Markus Moeller wrote: BTW to use kerberos_ldap_group on freebsd configure has to be run with CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib -Wl,-R/usr/local/lib Is that info not provided by krb5-config? On our test machine it seems to be. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
Apologies Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4cfa67a6.5030...@treenet.co.nz... On 05/12/10 01:53, Markus Moeller wrote: Hi Amos, Please find attached more patches for better heimdal support as new heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly to use kerberos_ldap_group on freebsd config.test has to be changed as freebsd installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly on freebsd 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus Oops the acinclude/krb5.m4 changes defining SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H were not in there. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3 kerberos_ldap_group_freebsd.diff Description: Binary data
Two patches for better heimdal support
Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus squid_negotiate.diff Description: Binary data squidclient.diff Description: Binary data
Re: Two patches for better heimdal support
Here is an update using only #if / #elif and changed the order a bit. Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -, Markus Moeller hua...@moeller.plus.com wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include gssapi/gssapi_ext.h +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos squid_negotiate.diff Description: Binary data squidclient.diff Description: Binary data
Re: [squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous
How about now ? Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:10b005d2be46c33a22e6cc813b95e...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:34:48 -, Markus Moeller hua...@moeller.plus.com wrote: Here is a patch for the squid trunk. Markus The patch seems not to have come through. Amos Amos Jeffries squ...@treenet.co.nz wrote in message news:4cdf2628.2050...@treenet.co.nz... On 13/11/10 22:30, Eugene M. Zheganin wrote: Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 $ ldd squid_kerb_ldap squid_kerb_ldap: libgssapi.so.10 = /usr/lib/libgssapi.so.10 (0x800652000) libheimntlm.so.10 = /usr/lib/libheimntlm.so.10 (0x80075b000) libkrb5.so.10 = /usr/lib/libkrb5.so.10 (0x80086) libhx509.so.10 = /usr/lib/libhx509.so.10 (0x8009cd000) libcom_err.so.5 = /usr/lib/libcom_err.so.5 (0x800b0c000) libcrypto.so.6 = /lib/libcrypto.so.6 (0x800c0e000) libasn1.so.10 = /usr/lib/libasn1.so.10 (0x800ea6000) libroken.so.10 = /usr/lib/libroken.so.10 (0x801025000) libcrypt.so.5 = /lib/libcrypt.so.5 (0x801136000) libldap-2.4.so.7 = /usr/local/lib/libldap-2.4.so.7 (0x80124f000) liblber-2.4.so.7 = /usr/local/lib/liblber-2.4.so.7 (0x80139) libc.so.7 = /lib/libc.so.7 (0x80149d000) libsasl2.so.2 = /usr/local/lib/libsasl2.so.2 (0x8016d7000) libssl.so.6 = /usr/lib/libssl.so.6 (0x8017ef000) Is it possible that you have another kerberos package installed ? How does your ldd look ? I installed a standard freebsd 8.0 64 bit plus ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz for ldap with sasl support. First of all, sorry for a delayed answer, I'm not the kind of person that asks for help and never reads answers. I had a couple of harsh weeks with crashes and late working. 
:) Yes, I have multiple krb5 installations on machines where the build didn't succeed due to incompatible types, you were right. Also I have updated the production proxy that was on FreeBSD 7.2 to 8.1 (and had a harsh week due to wonderful em(4) issue, fixed in -STABLE), but now the building on this machine is fine, except one warning that can be easily fixed by removing -Werror (once again, why -Werror ?). If you're interested the warning is about: [...] gcc -DHAVE_CONFIG_H -I. -I/usr/include -I/usr/local/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o support_group.o support_group.c support_group.c: In function 'utf8dup': support_group.c:43: warning: declaration of 'dup' shadows a global declaration /usr/include/unistd.h:330: warning: shadowed declaration is here [...] Because warnings indicate problems as much as errors. Ignoring them leads to major problems later. We depend on people like yourself reporting them at the warning stage before that happens. In this case it's warning about some confusion between a system dup() and a second local one which may differ in some critical way on some systems. Thanks for the report. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3 support_group_dup_fix.diff Description: Binary data
Re: Squidclient doesn't build in head
Kinkie gkin...@gmail.com wrote in message news:aanlktikt2zra7o+s8zrjj2abs==jbiw3dl8xtxnrb...@mail.gmail.com... Hi all, Kerberos integration in squidclient has caused some problems with squidclient; Ubuntu 10.4 fails with /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:857: undefined reference to `gss_release_buffer' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:850: undefined reference to `gss_display_status' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:854: undefined reference to `gss_release_buffer' What does configure say about HAVE_GSSAPI ? Can I see the config.log ? Opensolaris instead complains that ../../tools/squidclient.cc: In function `char* GSSAPI_token(const char*)': ../../tools/squidclient.cc:912: error: `gss_nt_service_name' undeclared (first use this function) I will check this. I couldn't find a simple way to fix this.. any hints? Thanks -- /kinkie Markus
Re: Squidclient doesn't build in head
Kinkie gkin...@gmail.com wrote in message news:aanlktikt2zra7o+s8zrjj2abs==jbiw3dl8xtxnrb...@mail.gmail.com... Hi all, Kerberos integration in squidclient has caused some problems with squidclient; Ubuntu 10.4 fails with /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:857: undefined reference to `gss_release_buffer' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:850: undefined reference to `gss_display_status' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:854: undefined reference to `gss_release_buffer' Opensolaris instead complains that ../../tools/squidclient.cc: In function `char* GSSAPI_token(const char*)': ../../tools/squidclient.cc:912: error: `gss_nt_service_name' undeclared (first use this function) I couldn't find a simple way to fix this.. any hints? Does this fix it ? # bzr diff -r submit: Using parent branch http://bzr.squid-cache.org/bzr/squid3/trunk/ === modified file 'tools/squidclient.cc' --- tools/squidclient.cc2010-08-25 03:10:45 + +++ tools/squidclient.cc2010-08-28 12:42:07 + 
@@ -80,43 +80,23 @@ #endif #if HAVE_GSSAPI -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include gssapi/gssapi.h -#elif defined(HAVE_GSSAPI_H) -#include gssapi.h -#else -#error GSSAPI header required -#endif -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#else -#ifdef HAVE_SEAM_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include gssapi/gssapi.h -#elif defined(HAVE_GSSAPI_H) -#include gssapi.h -#else -#error GSSAPI header required -#endif -#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#if HAVE_GSSAPI_GSSAPI_H +#include gssapi/gssapi.h +#elif HAVE_GSSAPI_H +#include gssapi.h +#endif /* HAVE_GSSAPI_H */ +#if HAVE_GSSAPI_GSSAPI_EXT_H #include gssapi/gssapi_ext.h -#endif -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#else /*MIT */ -#ifdef HAVE_GSSAPI_GSSAPI_H -#include gssapi/gssapi.h -#elif defined(HAVE_GSSAPI_H) -#include gssapi.h -#else -#error GSSAPI header required -#endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ +#if HAVE_GSSAPI_GSSAPI_KRB5_H #include gssapi/gssapi_krb5.h -#endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ +#if HAVE_GSSAPI_GSSAPI_GENERIC_H #include gssapi/gssapi_generic.h -#endif -#endif +#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ + +#ifndef gss_nt_service_name +#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE #endif #ifndef gss_mech_spnego Thanks -- /kinkie Markus
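Review bot: the `#else` / `#error GSSAPI header required` fallback is dropped from the new include block: with neither HAVE_GSSAPI_GSSAPI_H nor HAVE_GSSAPI_H set, the file now compiles on past the `#endif /* HAVE_GSSAPI_H */` with no GSS-API header at all and fails later with undeclared-type errors instead of one clear message. Suggest keeping the guard in the collapsed ladder, i.e. `#elif HAVE_GSSAPI_H` / `#include gssapi.h` / `#else` / `#error GSSAPI header required` before that `#endif`. The `#ifndef gss_nt_service_name` / `#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE` fallback at the end addresses the OpenSolaris `gss_nt_service_name` undeclared error quoted above without re-introducing the per-vendor branches, which matches the `#if` / `#elif` style requested in the thread.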
Re: Patch for squidclient
Amos Jeffries squ...@treenet.co.nz wrote in message news:4c68dbc6.30...@treenet.co.nz... Markus Moeller wrote: Alex Rousskov rouss...@measurement-factory.com wrote in message news:4c67f515.6080...@measurement-factory.com... On 08/14/2010 02:10 PM, Markus Moeller wrote: Please find attached a patch to add Proxy- and WWW-Authenticate. * GSSAPI_token not documented. * check_gss_err not documented. I did not see any function with documentation. I have added some lines now. What should be the format ? Doxygen please: /** * description... * * \retval 1 gssapi error * \retval 0 successful, no gssapi error. */ * It would be nice to remove gotos from the new code. Done * porxy misspelled; did not check for other typos Fixed * Please try to remove whitespace modifications that are unrelated to your patch. I used formater.pl, which must have introduced them. * Is tools/Makefile.in under revision control? If not, it should not be in the patch. Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch The -h help text is meant to list the options in alphabetical order. Also on the Usage: line. You can split at -m and -p like so: [-k] [-l local-host] [-m method] +#if HAVE_GSSAPI + [-n] [-N] +#endif [-p port] [-P file] [-t count] [-T timeout] [-u proxy-user] [-U www-user] Ok. Done Please update the src/tools/squidclient.1 manual page with the new options. Done The if (www_neg || proxy_neg) around separate if for each case is redundant. True. Sorry In check_gss_err please use snprintf instead of sprintf. Use of a #define'd buffer size comes in handy here to replace sizeof(buf) and calculate with when needing ie snprintf(buf+len, BUFFER_SIZE-len, %s Thank you Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.6 Beta testers wanted for 3.2.0.1 Markus squid-3-head-tools-20100816.diff Description: Binary data
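The review above asks for check_gss_err to build its message with snprintf(buf+len, BUFFER_SIZE-len, ...) instead of sprintf. The pitfall with that pattern is that snprintf returns the length the output would have had, so a plain "len += snprintf(...)" can push len past the buffer and make the next buf+len / BUFFER_SIZE-len pair wrap around. The following is an added example written for this thread, not squidclient code: a bounded append helper that clamps on truncation, driven by a few constructed status strings standing in for gss_display_status output. BUFFER_SIZE, append_fmt and format_gss_error are names chosen here, not names from the patch.

```c
/* Added example (not squidclient code): truncation-safe appends with
 * vsnprintf into a fixed-size buffer, the pattern suggested for
 * check_gss_err. snprintf() reports the length the full output WOULD
 * have had, so the offset must be clamped when that exceeds the room. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 64   /* deliberately small so truncation is exercised */

/* Append formatted text to buf (capacity size) at offset *len.
 * Returns 1 when everything fitted, 0 when the output was truncated.
 * Never writes outside buf and always leaves *len <= size - 1 with
 * buf[*len] == '\0', so repeated calls stay in bounds. */
static int append_fmt(char *buf, size_t size, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int rc;

    if (*len >= size)                  /* already full: nothing can be added */
        return 0;
    va_start(ap, fmt);
    rc = vsnprintf(buf + *len, size - *len, fmt, ap);
    va_end(ap);
    if (rc < 0) {                      /* encoding error: keep buf terminated */
        buf[*len] = '\0';
        return 0;
    }
    if ((size_t)rc >= size - *len) {   /* would not fit: clamp to the NUL */
        *len = size - 1;
        return 0;
    }
    *len += (size_t)rc;
    return 1;
}

/* Join several status strings the way check_gss_err joins the major and
 * minor status texts. The strings passed in are constructed inputs, not
 * real gss_display_status output. Returns the final length, always
 * strictly less than BUFFER_SIZE, and stops at the first truncation. */
size_t format_gss_error(char *buf, const char *const *msgs, size_t nmsgs)
{
    size_t len = 0;
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < nmsgs; ++i)
        if (!append_fmt(buf, BUFFER_SIZE, &len, "%s%s", i ? ". " : "", msgs[i]))
            break;
    return len;
}

int main(void)
{
    /* Constructed sample texts; 23 + 2 + 37 + 2 + 14 bytes exceed the buffer. */
    const char *const msgs[] = {
        "Unspecified GSS failure",
        "Server not found in Kerberos database",
        "Ticket expired",
    };
    char buf[BUFFER_SIZE];
    size_t len = format_gss_error(buf, msgs, 3);

    printf("%zu bytes: \"%s\"\n", len, buf);
    return 0;
}
```

With a 64-byte buffer the first two texts fit (62 bytes) and the third is cut after its separator, leaving the offset at 63 and the buffer terminated; with sprintf, or with an unclamped "len += snprintf(...)", the same input would write 78 bytes or move the offset past the end.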
Re: Patch for squidclient
Henrik Nordström hen...@henriknordstrom.net wrote in message news:1281821946.9220.16.ca...@henriknordstrom.net... lör 2010-08-14 klockan 21:10 +0100 skrev Markus Moeller: Hi, Please find attached a patch to add Proxy- and WWW-Authenticate. Regards Markus Looks fine, but need to be wrapped up in kerberos ifdefs, same as used for the main code kerberos client. Oh yes. Here it is. I have also a WIN32 version, but I can't get squid-3-head compiled under cygwin to test. $ make Making all in compat make[1]: Entering directory `/home/markus/squid-3/compat' /bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include -I../src -I../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c -o assert.lo assert.cc libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include -I../src -I../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wer ror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -DDLL_EXPORT -DPIC -o .libs/assert.o In file included from /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/ws2tcpip.h:19, from ../compat/os/mswin.h:221, from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/winsock2.h:103:2: error: #warning fd_set and associated macros have be en defined in sys/types. 
This may cause runtime problems with W32 sockets In file included from /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/ws2tcpip.h:19, from ../compat/os/mswin.h:221, from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/winsock2.h:632: error: declaration of C function 'int select(int, _type s_fd_set*, _types_fd_set*, _types_fd_set*, const timeval*)' conflicts with /usr/include/sys/select.h:31: error: previous declaration 'int select(int, _types_fd_set*, _types_fd_set*, _types_fd_set*, timeval*) ' here In file included from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: ../compat/os/mswin.h: In function 'int close(int)': ../compat/os/mswin.h:358: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:366: error: '_free_osfhnd' was not declared in this scope ../compat/os/mswin.h:367: error: '__pioinfo' was not declared in this scope ../compat/os/mswin.h:370: error: '_close' was not declared in this scope ../compat/os/mswin.h: In function 'int read(int, void*, size_t)': ../compat/os/mswin.h:395: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:400: error: '_read' was not declared in this scope ../compat/os/mswin.h: In function 'int write(int, const void*, size_t)': ../compat/os/mswin.h:408: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:413: error: '_write' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::accept(int, sockaddr*, size_t*)': ../compat/os/mswin.h:431: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:436: error: '_open_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::bind(int, sockaddr*, int)': ../compat/os/mswin.h:442: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::connect(int, const sockaddr*, int)': 
../compat/os/mswin.h:452: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::getsockname(int, sockaddr*, size_t*)': ../compat/os/mswin.h:492: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::getsockopt(int, int, int, void*, int*)': ../compat/os/mswin.h:514: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::ioctl(int, int, void*)': ../compat/os/mswin.h:525: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::ioctlsocket(int, long int, u_long*)': ../compat/os/mswin.h:535: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::listen(int, int)': ../compat/os/mswin.h:545: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::recv(int, void*, size_t, int)': ../compat/os/mswin.h:558: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::recvfrom(int, void*, size_t, int, sockaddr*, size_t*)': ../compat/os/mswin.h:569: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::send(int, const void*, size_t, int)': ../compat/os/mswin.h:592: error
Re: Patch for squidclient
Alex Rousskov rouss...@measurement-factory.com wrote in message news:4c67f515.6080...@measurement-factory.com... On 08/14/2010 02:10 PM, Markus Moeller wrote: Please find attached a patch to add Proxy- and WWW-Authenticate. * GSSAPI_token not documented. * check_gss_err not documented. I did not see any function with documentation. I have added some lines now. What should be the format ? * It would be nice to remove gotos from the new code. Done * porxy misspelled; did not check for other typos Fixed * Please try to remove whitespace modifications that are unrelated to your patch. I used formater.pl, which must have introduced them. * Is tools/Makefile.in under revision control? If not, it should not be in the patch. Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch Thank you, Alex. Thank you Markus squid-3-head-tools-20100815-2.diff Description: Binary data
Re: Patch for squidclient
Henrik Nordström hen...@henriknordstrom.net wrote in message news:1281901198.9220.102.ca...@henriknordstrom.net... sön 2010-08-15 klockan 19:01 +0100 skrev Markus Moeller: Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch If you can then it's better to access the sources using bzr. http://wiki.squid-cache.org/Squid3VCS I can't. At least I have no idea why, but the commands listed don't work. (It is also getting quite confusing to deal with cvs, svn. hg(mercury), bazaar, git, ) I run OpenSuse 11.1 and I get: mar...@opensuse11:~/sources/squid-3 bzr branch --bind http://bzr.squid-cache.org/bzr/squid3/trunk bzr: ERROR: no such option: --bind mar...@opensuse11:~/sources/squid-3 bzr --version Bazaar (bzr) 2.0.5 Python interpreter: /usr/bin/python 2.6.0 Python standard library: /usr/lib/python2.6 Platform: Linux-2.6.27.45-0.1-pae-i686-with-SuSE-11.1-i586 bzrlib: /usr/lib/python2.6/site-packages/bzrlib Bazaar configuration: /home/markus/.bazaar Bazaar log file: /home/markus/.bzr.log Copyright 2005-2010 Canonical Ltd. http://bazaar-vcs.org/ bzr comes with ABSOLUTELY NO WARRANTY. bzr is free software, and you may use, modify and redistribute it under the terms of the GNU General Public License version 2 or later. Regards Henrik
Patch for squidclient
Hi, Please find attached a patch to add Proxy- and WWW-Authenticate. Regards Markus squid-3-head-tools-20100814.diff Description: Binary data
Re: New external_acl helper squid_kerb_ldap
Hi Amos, Thank you for the review. I will try to address your points over the next weeks. Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4c5187d2.5010...@treenet.co.nz... Markus Moeller wrote: Hi Amos, How does your time look like now ? Regards Markus Looks passable. I have not had time for a detailed view of the logics. I'll commit this tomorrow with a name tweak, the naming scheme has been through the external acl helpers too now. I'll just tack ext_ on the front and _acl on the back of the existing binary name and update the docs to match. One thing that worries me still is the RUN_IFELSE autoconf macros still being added to configure.in. I'm sure there is a macro that checked for defined values of things inside headers without running stuff. If you can try and find that it would be great not to have to run anything on build. The following is optional... As always the 3.HEAD code has advanced a bit. Fallout from the helper upgrades has been the beginning of a common code API. These are the ones to consider updating the helper with in the current 3.HEAD: * helpers/defines.h provides a few macros that may be useful: SEND_ERR(msg) - takes a string or buffer containing the error message to be available to user and admin. May be used in cache.log and/or user displayed error pages. SEND_OK(params) - takes a string of whitespace delimited key=value pairs. Whatever the helper hook accepts, which varies with squid release. * A global variable debug_enabled is available to be set to 1 on receiving -d (debug) parameters. It controls whether the function debug(fmt,x,y,...) produces any output. debug(...) is equivalent to: if(debug_enabled) fprintf(stderr,...) Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.5
Re: New external_acl helper squid_kerb_ldap
Hi Amos, did you have time to review the updated patch ? Thank you Markus Markus Moeller hua...@moeller.plus.com wrote in message news:hudjud$3i...@dough.gmane.org... Hi Amos, I updated the patch. Regards Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:9b92235f13abdaf1c87f73c73c732...@mail.treenet.co.nz... On Mon, 31 May 2010 23:47:40 +0100, Markus Moeller hua...@moeller.plus.com wrote: Amos Jeffries squ...@treenet.co.nz wrote in message news:90351e19016110c5e9fd1699187b5...@mail.treenet.co.nz... On Sun, 30 May 2010 16:15:14 +0100, Markus Moeller hua...@moeller.plus.com wrote: Hi, I have converted my helper to kerberos_ldap_group ( not sure if that is the best name) and created a patch for inclusion into the head revision. Please review and let me know any feedback. Thank you Markus Hi Markus, Okay, some more checks. configure.in: * According to the GNU docs pre-processor only directives are to be avoided when possible since they do not guarantee a working binary. Could you use AC_COMPILE_IFELSE instead of the AC_EGREP_CPP and AC_EGREP_HEADER ? kerberos_ldap_group/README: * Would you mind converting the README file to a man.8 page? There is a template at the bottom of http://wiki.squid-cache.org/ProgrammingGuide/ManualDocumentation Amos
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
Henrik Nordström hen...@henriknordstrom.net wrote in message news:1275667169.12858.2.ca...@henriknordstrom.net... fre 2010-06-04 klockan 00:19 +0100 skrev Markus Moeller: What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? A function you know is implemented by the named library. That is a bit my problem. For example if I use heimdal kerberos libraries version 1.3.1 I need -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lroken -lcrypt -ldl -lresolv -pthread for older 0.7.2 I need -lgssapi -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -pthread but I have no idea for which function I have to test each library for. Luckily most platforms use krb5-config to tell me which libraries I need, but for example OpenBSD doesn't. Note: watch out for macros. Need to be a actual function. Regards Henrik Regards Markus
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
Also the existing configure. has AC_CHECK_LIB(lber, main, [LBERLIB=-llber]) which will fail on Solaris with CC. Do you know which function to check in liblber ? Regards Markus Markus Moeller hua...@moeller.plus.com wrote in message news:huba99$tl...@dough.gmane.org... Henrik Nordström hen...@henriknordstrom.net wrote in message news:1275667169.12858.2.ca...@henriknordstrom.net... fre 2010-06-04 klockan 00:19 +0100 skrev Markus Moeller: What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? A function you know is implemented by the named library. That is a bit my problem. For example if I use heimdal kerberos libraries version 1.3.1 I need -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lroken -lcrypt -ldl -lresolv -pthread for older 0.7.2 I need -lgssapi -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -pthread but I have no idea for which function I have to test each library for. Luckily most platforms use krb5-config to tell me which libraries I need, but for example OpenBSD doesn't. Note: watch out for macros. Need to be a actual function. Regards Henrik Regards Markus
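The advice in this thread is to test for a real exported function rather than main, which Sun Studio CC rejects as a recursive call, and to let krb5-config supply the Kerberos link line where it exists. The fragment below is an added configure example for this thread, not Squid's configure.in: ber_free is an exported liblber function, ldap_initialize an exported libldap function and gss_init_sec_context an exported function of every GSS-API library the thread mentions; the KRB5CONFIG / KRB5LIBS / KRB5CFLAGS variable names are chosen here.

```m4
dnl Added configure example (not Squid's configure.in): check libraries
dnl by a function they really export, never by main.
AC_CHECK_LIB([lber], [ber_free],
  [LBERLIB="-llber"],
  [AC_MSG_ERROR([liblber not usable: ber_free not found])])
AC_CHECK_LIB([ldap], [ldap_initialize],
  [LDAPLIB="-lldap"],
  [AC_MSG_ERROR([libldap not usable: ldap_initialize not found])],
  [$LBERLIB])

dnl Prefer krb5-config for the Kerberos/GSSAPI link line (Heimdal and MIT
dnl both ship it); OpenBSD and similar need the libraries passed in LIBS.
AC_PATH_PROG([KRB5CONFIG], [krb5-config])
if test -n "$KRB5CONFIG"; then
  KRB5CFLAGS=`$KRB5CONFIG --cflags gssapi`
  KRB5LIBS=`$KRB5CONFIG --libs gssapi`
fi

dnl Sanity check the resulting link line with a real GSSAPI entry point.
save_CPPFLAGS="$CPPFLAGS"; save_LIBS="$LIBS"
CPPFLAGS="$KRB5CFLAGS $CPPFLAGS"; LIBS="$KRB5LIBS $LIBS"
AC_CHECK_FUNC([gss_init_sec_context], [],
  [AC_MSG_ERROR([no working GSSAPI library found; set KRB5LIBS or install krb5-config])])
CPPFLAGS="$save_CPPFLAGS"; LIBS="$save_LIBS"
AC_SUBST([KRB5CFLAGS])
AC_SUBST([KRB5LIBS])
```

AC_CHECK_FUNC is used for the GSSAPI probe instead of AC_CHECK_LIB because the library set differs between Heimdal 0.7 and 1.3 (see the two link lines quoted above); checking that one known entry point links against whatever krb5-config reports avoids guessing a function per library.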
CC configure (AC_CHECK_LIB macro) problem on Solaris
Hi, I have a problem with CC=cc CXX=CC ./configure; because any check like AC_CHECK_LIB(malloc, main) fails. Is there a known workaround ? Thank you Markus from 3-HEAD I get: ... configure:48735: checking for main in -lmalloc configure:48764: CC -o conftest -g -I/usr/include/gssapi -I/usr/include/kerberosv5 -g conftest.cpp -lmalloc -lsocket -lresolv -lnsl 5 conftest.cpp, line 224: Error: Cannot have a recursive call of main(). 1 Error(s) detected. configure:48770: $? = 1 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME Squid Web Proxy | #define PACKAGE_TARNAME squid | #define PACKAGE_VERSION 3.HEAD-20100601 | #define PACKAGE_STRING Squid Web Proxy 3.HEAD-20100601 | #define PACKAGE_BUGREPORT http://www.squid-cache.org/bugs/; | #define PACKAGE squid | #define VERSION 3.HEAD-20100601 | #define USE_LOADABLE_MODULES 1 | int | main () | { | return main (); | ; | return 0; | }
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? Thank you Markus Kinkie gkin...@gmail.com wrote in message news:aanlktikfyn1ibt7hjof1j0znzyofhywmgcigfqcaf...@mail.gmail.com... On Thu, Jun 3, 2010 at 8:36 PM, Markus Moeller hua...@moeller.plus.com wrote: Hi, I have a problem with CC=cc CXX=CC ./configure; because any check like AC_CHECK_LIB(malloc, main) fails. Is there a known workaround ? Interesting.. Those kinds of checks are being phased out of the configure.in script, unless they are hidden by other macros. In general using main to test for lib existence is IIRC not recommended by autoconf docs.. I find it fascinating that those bugs are not caught on OpenSolaris (we have build-hosts running SunStudio cc) -- /kinkie
New Auth configuration options
Hi, Would it make sense to define in squid two new configuration options to control Negotiate authentication ? I am thinking of adding Negotiate-NTLM and Negotiate-Kerberos with the same options as Negotiate. Once squid receives a Negotiate response squid has to base64 decode the token and check for the NTLM string before invoking the Negotiate-NTLM or Negotiate-Kerberos helper. Does that break a concept in squid to analyse a token before selecting the helper ? Thank you Markus
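The proposal above has Squid base64-decode the Negotiate token and look for the NTLM signature before choosing a helper. As an added illustration for this thread (not Squid code), the classifier below does exactly that on the decoded prefix. It assumes two facts about the wire format: a raw NTLM message starts with the 8-byte signature "NTLMSSP\0", and a GSS-API/SPNEGO token starts with the DER APPLICATION 0 tag byte 0x60; a SPNEGO token that carries NTLM inside still contains the NTLMSSP signature within its first bytes, so a signature search over the decoded prefix catches that case too. The sample tokens in main() are constructed by hand for this example (the SPNEGO ones are header fragments, not complete tokens), and the enum and function names are chosen here.

```c
/* Added example (not Squid code): route a base64 Negotiate token to an
 * NTLM or a Kerberos helper by inspecting the decoded prefix, as proposed
 * above. Assumed wire facts: raw NTLM starts with "NTLMSSP\0"; GSS-API and
 * SPNEGO tokens start with DER tag 0x60 (APPLICATION 0, RFC 2743). */
#include <stdio.h>
#include <string.h>

enum negotiate_kind {
    NEG_INVALID = 0,          /* not base64 or not a recognised token */
    NEG_NTLM_RAW,             /* bare NTLMSSP message */
    NEG_NTLM_SPNEGO,          /* SPNEGO wrapper carrying an NTLMSSP message */
    NEG_KERBEROS_OR_OTHER_GSS /* GSS token without NTLMSSP: treat as Kerberos */
};

#define NTLMSSP_SIG     "NTLMSSP\0"
#define NTLMSSP_SIG_LEN 8

/* Decode at most outlen bytes of base64 (prefix only; that is all the
 * classifier needs). Returns the byte count, or -1 on a non-base64 char. */
static int b64_decode_prefix(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '=' && n < outlen; ++in) {
        const char *p = strchr(tbl, *in);
        if (p == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)n;
}

/* Search for the NTLMSSP signature anywhere in the decoded prefix. */
static int has_ntlmssp_sig(const unsigned char *buf, size_t n)
{
    size_t i;
    for (i = 0; i + NTLMSSP_SIG_LEN <= n; ++i)
        if (memcmp(buf + i, NTLMSSP_SIG, NTLMSSP_SIG_LEN) == 0)
            return 1;
    return 0;
}

enum negotiate_kind classify_negotiate_token(const char *b64)
{
    unsigned char buf[256];   /* the mechanism is decided within this prefix */
    int n = b64_decode_prefix(b64, buf, sizeof buf);

    if (n < 1)
        return NEG_INVALID;
    if ((size_t)n >= NTLMSSP_SIG_LEN && memcmp(buf, NTLMSSP_SIG, NTLMSSP_SIG_LEN) == 0)
        return NEG_NTLM_RAW;
    if (buf[0] == 0x60)       /* GSS-API InitialContextToken */
        return has_ntlmssp_sig(buf, (size_t)n) ? NEG_NTLM_SPNEGO
                                               : NEG_KERBEROS_OR_OTHER_GSS;
    return NEG_INVALID;
}

int main(void)
{
    /* Constructed samples: a raw NTLM type 1 prefix, a SPNEGO header
     * (OID 1.3.6.1.5.5.2) and the same header followed by "NTLMSSP\0". */
    const char *samples[] = {
        "TlRMTVNTUAABAAAA",         /* NTLMSSP\0 \x01\0\0\0 */
        "YAgGBisGAQUFAg==",         /* 60 08 06 06 2b 06 01 05 05 02 */
        "YBAGBisGAQUFAk5UTE1TU1AA", /* ... 02 'N' 'T' 'L' 'M' 'S' 'S' 'P' 00 */
        "not*base64",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-28s -> %d\n", samples[i], (int)classify_negotiate_token(samples[i]));
    return 0;
}
```

Squid would use the result to pick the helper before handing the token over; the signature search over the prefix is deliberately simple and does not parse the SPNEGO mechTypes list, so a full ASN.1 decode is still the helper's job.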
Re: negotiate auth with fallback to other schemes
- Original Message - From: Henrik Nordstrom hen...@henriknordstrom.net To: Markus Moeller hua...@moeller.plus.com Cc: squid-dev@squid-cache.org Sent: Saturday, March 06, 2010 10:26 AM Subject: Re: negotiate auth with fallback to other schemes fre 2010-03-05 klockan 20:44 + skrev Markus Moeller: I don't understand this part. Usually the kdc is on AD so how can NTLM work and Kerberos not ? The NTLM client just needs the local computer configuration + credentials entered interactively by the user. All communication with the AD is indirect via the proxy. The client does not need any form of ticket before trying to authenticate via NTLM, just the username + domain + password. For similar reasons NTLM also does not have any protection from mitm session theft. Meaning that the auth exchange done to the proxy may just as well be used by a mitm attacker to authenticate as that client to any server in the network for any purpose. So it makes the statement Kerberos may fail just because the client has no connectivity with the KDC, and in this case NTLM could be a useful second choice false. Since in that case NTLM will fail too as the kdc (AD) is unavailable Regards Henrik Regards Markus
Re: negotiate auth with fallback to other schemes
Livio B lbs...@gmail.com wrote in message news:31f0d2c51003050619o6d3a78b9uaf319d8e63aa7...@mail.gmail.com... Hi, In particular, if I want only transparent auth, it wouldn't make sense to retry the authentication because either the helper would get the same SSO (denied) credentials or the user would get prompted (which I don't want). On a different scenario, where it is ok to prompt the user for alternative credentials, it would make sense to retry the negotiate. Yes, and how would the helper know when this is? That knowledge is better in Squid.. Well that would have to be a parameter to the helper command. So, to summarize, adding this fall-back option would either require 1) a backward compatible protocol update, or 2) a backward compatible auth_param syntax extension. Option 1) would have the advantage that the helper could behave differently basing on client responses; option 2) would have the advantage that it doesn't require changes to helpers. You are clearly advocating option 2. This seems a little inflexible. For example, currently there is no helper that can handle both negotiate/kerberos and negotiate/ntlm so if I need to support both I need a negotiate helper and a NTLM helper and might want to disable just one. And of course new protocols can eventually surface. Is the flexibility really needed in this case? Negotiate and NTLM are very closely related, and will always connect to the same backend (windows ADS / domain controller) at least in sane setups. If one fails then there is very limited use in trying the other. This is not completely fair. Kerberos may fail just because the client has no connectivity with the KDC, and in this case NTLM could be a useful second choice. I don't understand this part. Usually the kdc is on AD so how can NTLM work and Kerberos not ? 
Additionally I as a user and network admin would not be comfortable with digest auth automatically falling back on basic on authentication failure, due to the non-existing security of basic auth. If the client supports digest then it should stick to that until the user says otherwise.

Agree. So I'll work on a patch to support a new auth_param option (any suggested syntax?) and tracking the list of disabled protocols in the request or connection object, keeping the connection open even when authentication fails.

Regards,
Livio
squid_kerb_auth logging patch
Hi Amos,

Here are patches for squid 3.1 and squid 3-head to add ERROR, WARNING, etc to the logging messages.

Regards
Markus

squid_kerb_auth-logging.patch
Description: Binary data

negotiate_kerberos_auth-logging.patch
Description: Binary data
Re: [2.HEAD patch] Fix compilation on opensolaris
That should be OK.

Markus

Kinkie gkin...@gmail.com wrote in message news:f4ad058f0910090839m3164a807qdf3dc2b4f7820...@mail.gmail.com...

Hi all,

2.HEAD currently doesn't build on opensolaris, in at least some cases due to it not properly detecting kerberosv5 variants. The attached patch is a backport of some 3.HEAD changes which allows 2.HEAD to build on opensolaris. Please review and, if it seems OK to you, apply.

--
/kinkie
Re: Squid 3.1 kerb auth helper
Is this a real issue or just to be compliant with debian rules ? Can you give me more details ?

Thank you
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com; Squid Developers squid-dev@squid-cache.org; Luigi Gangitano lu...@debian.org
Sent: Saturday, September 26, 2009 2:11 AM
Subject: Squid 3.1 kerb auth helper

Hi Markus,

We've hit another issue with the new 3.1 helper. This time on Debian...

Luigi Gangitano wrote:

At last, I've a small issue with negotiate_auth/squid_kerb_auth, which set RPATH in binaries. configure script adds '-Wl,-R' to the linker under squid. This is an issue for debian (see http://wiki.debian.org/RpathIssue). Do you think this can be fixed? I can make a debian patch if needed.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
Re: Squid 3.1 kerb auth helper
-Wshadow -L/usr/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -L../../../lib -o squid_kerb_auth_test squid_kerb_auth_test.o base64.o -lmiscutil -lm
cp squid_kerb_auth negotiate_kerb_auth
cp squid_kerb_auth_test negotiate_kerb_auth_test
make[5]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth'
make[4]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth'
make[3]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth'

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com; Squid Developers squid-dev@squid-cache.org; Luigi Gangitano lu...@debian.org
Sent: Saturday, September 26, 2009 2:11 AM
Subject: Squid 3.1 kerb auth helper

Hi Markus,

We've hit another issue with the new 3.1 helper. This time on Debian...

Luigi Gangitano wrote:

At last, I've a small issue with negotiate_auth/squid_kerb_auth, which set RPATH in binaries. configure script adds '-Wl,-R' to the linker under squid. This is an issue for debian (see http://wiki.debian.org/RpathIssue). Do you think this can be fixed? I can make a debian patch if needed.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
Amos,

I think you have to add also

## Kerberos headers require their include path...
INCLUDES += @KRB5INCS@

to all Makefile.am's as configure uses krb5-config --cflags krb5 before testing for com_err.h.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4aae2c01.5090...@treenet.co.nz...

Alex Rousskov wrote:

On Sun, 13 Sep 2009, Henrik Nordstrom wrote:

s?n 2009-09-13 klockan 21:30 +0200 skrev Henrik Nordstrom:

seems to build fine for me on CentOS 5.2.. but maybe something in the test builds are triggering it.. A full test is running..

Found.. it fails when used in combination with --enable-ssl. This due to OpenSSL (or actually krb5.h I think, included by openssl) ending up including com_err.h without the extern C wrapper, or if you prefer due to the com_err.h include not shielding itself from C++ parsing...

Proposed fix: Have src/ssl_support.h include et/com_err.h in an extern C wrapping before OpenSSL includes...

Have been bitten by this as well. The proposed fix sounds good to me.

Thank you,
Alex.

Okay, and in light that it's a nasty hack around some brokenness. I suggest the include should go in the compat library. compat/compat_shared.h is the file for non-OS-specific bits. Simply wrapping an include of com_err.h inside there with a documentation note quoting Henriks analysis above. Should fix it for all the main Squid code and some helpers.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
The test for HAVE_COM_ERR_H is based on the krb5 include path and compat_shared.h is included everywhere. So I guess the best would be to add it to src/Common.am.

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4ab61e03.6070...@treenet.co.nz...

Markus Moeller wrote:

Amos,

I think you have to add also

## Kerberos headers require their include path...
INCLUDES += @KRB5INCS@

to all Makefile.am's as configure uses krb5-config --cflags krb5 before testing for com_err.h.

Really? *all* Makefiles? or just the ones that build binaries using krb5?

Amos

Markus

Amos Jeffries squ...@treenet.co.nz wrote in message news:4aae2c01.5090...@treenet.co.nz...

Alex Rousskov wrote:

On Sun, 13 Sep 2009, Henrik Nordstrom wrote:

s?n 2009-09-13 klockan 21:30 +0200 skrev Henrik Nordstrom:

seems to build fine for me on CentOS 5.2.. but maybe something in the test builds are triggering it.. A full test is running..

Found.. it fails when used in combination with --enable-ssl. This due to OpenSSL (or actually krb5.h I think, included by openssl) ending up including com_err.h without the extern C wrapper, or if you prefer due to the com_err.h include not shielding itself from C++ parsing...

Proposed fix: Have src/ssl_support.h include et/com_err.h in an extern C wrapping before OpenSSL includes...

Have been bitten by this as well. The proposed fix sounds good to me.

Thank you,
Alex.

Okay, and in light that it's a nasty hack around some brokenness. I suggest the include should go in the compat library. compat/compat_shared.h is the file for non-OS-specific bits. Simply wrapping an include of com_err.h inside there with a documentation note quoting Henriks analysis above. Should fix it for all the main Squid code and some helpers.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
Current Beta Squid 3.1.0.13

--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
Could this be a g++ problem ? error_message is defined as external in et/com_err.h and I see that -lcom-err is included in the link step. So I really don't know why g++ doesn't find the symbol. I used the following on my OpenSuse box.

# g++ -v
Using built-in specs.
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.3 --enable-ssp --disable-libssp --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.3 --enable-linux-futex --without-system-libunwind --with-cpu=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.3.2 [gcc-4_3-branch revision 141291] (SUSE Linux)

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Thursday, September 10, 2009 3:53 AM
Subject: Re: Kerberos build failures in HEAD

On Thu, 10 Sep 2009 01:03:48 +0100, Markus Moeller hua...@moeller.plus.com wrote:

How about this then ? Please replace the squid_kerb_auth directory with the

No luck with the error_message function changes yet.

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/

Amos

attached.

Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Wednesday, September 09, 2009 2:13 AM
Subject: Re: Kerberos build failures in HEAD

Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes.

How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me.

The helper update change is also causing some grief. Failing basic make distcheck run on the spnegohelp/ files.

Amos

On Tue, 8 Sep 2009 21:59:15 +0100, Markus Moeller hua...@moeller.plus.com wrote:

Hi Amos,

I did some changes in configure.in and peer_proxy_negotiate_auth.cc.

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: hua...@moeller.plus.com; squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 3:13 AM
Subject: Kerberos build failures in HEAD

Hi Markus, can you look into this please?

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console
Re: Kerberos build failures in HEAD
I did anyway some changes to the configure.in to detect cases where someone selects Heimdal (which does not use com_err) from another directory instead of the default MIT Libraries.

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Henrik Nordstrom hen...@henriknordstrom.net
Cc: Markus Moeller hua...@moeller.plus.com; squid-dev@squid-cache.org
Sent: Thursday, September 10, 2009 11:02 AM
Subject: Re: Kerberos build failures in HEAD

Henrik Nordstrom wrote:

tor 2009-09-10 klockan 14:53 +1200 skrev Amos Jeffries:

On Thu, 10 Sep 2009 01:03:48 +0100, Markus Moeller hua...@moeller.plus.com wrote:

How about this then ? Please replace the squid_kerb_auth directory with the

No luck with the error_message function changes yet.

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/

The failure is in src/peer_proxy_negotiate_auth.cc, not squid_kerb_auth.

CentOS does have /usr/include/et/com_err.h but for some reason configure is not picking this up.

Regards
Henrik

Oh doh. I had to cut-n-paste the patch earlier. Typo'd et/comm_err.h! Sorry Markus.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13

squid-3-head-n.diff
Description: Binary data
Re: Kerberos build failures in HEAD
I still see 5 Nov 2008.

Regards
Markus

#date
Wed Sep 9 19:49:46 BST 2009
# rsync -v -r rsync://squid-cache.org/source/squid-3
receiving incremental file list
drwxr-xr-x 1024 2008/11/08 02:00:03 squid-3
-rw-r--r-- 6322 2008/11/05 01:10:41 squid-3/CONTRIBUTORS
-rw-r--r-- 17989 2008/11/05 01:10:41 squid-3/COPYING
-rw-r--r-- 1015 2008/11/05 01:10:41 squid-3/COPYRIGHT
-rwxr-xr-x 17069 2008/11/05 01:10:41 squid-3/CREDITS
-rw-r--r-- 176980 2008/11/05 01:10:41 squid-3/ChangeLog
-rw-r--r-- 523 2008/11/05 01:10:41 squid-3/INSTALL
-rw-r--r-- 1241 2008/11/05 01:10:41 squid-3/Makefile.am
-rw-r--r-- 25000 2008/11/05 01:11:36 squid-3/Makefile.in
-rw-r--r-- 3484 2008/11/05 01:10:41 squid-3/QUICKSTART
-rw-r--r-- 1234 2008/11/05 01:10:41 squid-3/README
-rw-r--r-- 37895 2008/11/05 01:22:12 squid-3/RELEASENOTES.html
-rw-r--r-- 2461 2008/11/05 01:10:41 squid-3/SPONSORS
-rw-r--r-- 4674 2008/11/05 01:10:41 squid-3/acinclude.m4
-rw-r--r-- 284697 2008/11/05 01:11:04 squid-3/aclocal.m4
-rwxr-xr-x 3971 2008/11/05 01:10:41 squid-3/bootstrap.sh
-rwxr-xr-x 1381061 2008/11/05 01:11:56 squid-3/configure
-rwxr-xr-x 112513 2008/11/05 01:11:55 squid-3/configure.in
drwxr-xr-x 512 2008/11/05 01:20:03 squid-3/cfgaux

Markus

- Original Message -
From: Henrik Nordstrom hen...@henriknordstrom.net
To: Markus Moeller hua...@moeller.plus.com
Cc: Amos Jeffries squ...@treenet.co.nz; squid-dev@squid-cache.org
Sent: Wednesday, September 09, 2009 8:53 AM
Subject: Re: Kerberos build failures in HEAD

ons 2009-09-09 klockan 06:27 +0100 skrev Markus Moeller:

Sorry about that. I use rsync://squid-cache.org/source/squid-3 as noted here http://www.squid-cache.org/Versions/v3/HEAD/ . Maybe I forgot to update.

Hmm.. seems that got stuck at 5 nov 2008 should be fixed now.

Regards
Henrik
Re: Kerberos build failures in HEAD
How about this then ? Please replace the squid_kerb_auth directory with the attached.

Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Wednesday, September 09, 2009 2:13 AM
Subject: Re: Kerberos build failures in HEAD

Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes.

How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me.

The helper update change is also causing some grief. Failing basic make distcheck run on the spnegohelp/ files.

Amos

On Tue, 8 Sep 2009 21:59:15 +0100, Markus Moeller hua...@moeller.plus.com wrote:

Hi Amos,

I did some changes in configure.in and peer_proxy_negotiate_auth.cc.

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: hua...@moeller.plus.com; squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 3:13 AM
Subject: Kerberos build failures in HEAD

Hi Markus, can you look into this please?

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console

squid-3-head.diff
Description: Binary data

squid-3-head-kerb_auth.tgz
Description: application/compressed
Re: Kerberos build failures in HEAD
Then I have to setup a Centos box. It seems com_err.so has error_message, but has no com_err.h file

Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Thursday, September 10, 2009 3:53 AM
Subject: Re: Kerberos build failures in HEAD

On Thu, 10 Sep 2009 01:03:48 +0100, Markus Moeller hua...@moeller.plus.com wrote:

How about this then ? Please replace the squid_kerb_auth directory with the

No luck with the error_message function changes yet.

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/

Amos

attached.

Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Wednesday, September 09, 2009 2:13 AM
Subject: Re: Kerberos build failures in HEAD

Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes.

How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me.

The helper update change is also causing some grief. Failing basic make distcheck run on the spnegohelp/ files.

Amos

On Tue, 8 Sep 2009 21:59:15 +0100, Markus Moeller hua...@moeller.plus.com wrote:

Hi Amos,

I did some changes in configure.in and peer_proxy_negotiate_auth.cc.

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: hua...@moeller.plus.com; squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 3:13 AM
Subject: Kerberos build failures in HEAD

Hi Markus, can you look into this please?

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console
Re: Patch to authenticate securely to upstream ISA server(or others)
I don't remember exactly why I added it. I think it was because I originally had it as a standalone configure with the option to have libs and includes in exec_prefix/lib and exec_prefix/include where exec_prefix is the squid install path. So I think for the squid inclusion the patch is fine.

Regards
Markus

- Original Message -
From: Henrik Nordstrom hen...@henriknordstrom.net
To: Markus Moeller hua...@moeller.plus.com
Cc: Squid Developers squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 4:56 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or others)

The mentioned exec_prefix dependent thing was the culprit now.. I ended up removing that, resulting in the attached patch, but that CPPFLAGS and LDFLAGS segment looks to me like it belongs in Makefile.am rather than configure..

Regards
Henrik

tis 2009-09-08 klockan 16:32 +0200 skrev Henrik Nordstrom:

Looks promising. but I still don't understand why you are testing for $exec_path.. what does $exec_path (where binaries are to be installed, --exec-path configure argument) have to do with the path to Kerberos libraries?

Build finished, and it's indeed getting a lot closer. But still some issues..

ERROR 0001: file '/usr/lib64/squid/negotiate_kerb_auth' contains a standard rpath '/usr/lib64' in [/usr/lib64]
ERROR 0001: file '/usr/lib64/squid/squid_kerb_auth_test' contains a standard rpath '/usr/lib64' in [/usr/lib64]
ERROR 0001: file '/usr/lib64/squid/squid_kerb_auth' contains a standard rpath '/usr/lib64' in [/usr/lib64]
ERROR 0001: file '/usr/lib64/squid/negotiate_kerb_auth_test' contains a standard rpath '/usr/lib64' in [/usr/lib64]

squid_kerb_auth configure options: '--disable-option-checking' '--prefix=/usr' '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie' 'CXXFLAGS=-fPIE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -I/usr/lib64/gfortran/modules' '--with-squid=/home/henrik/build/fedora/squid/devel/squid-3.1.0.13' '--enable-ltdl-convenience' '--cache-file=/dev/null' '--srcdir=.' (called from Squid configure)

And it set LDFLAGS CPPFLAGS to

LDFLAGS='-pie -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L../../../lib -L/usr/lib64 -Wl,-R/usr/lib64'
CPPFLAGS=' -I/usr/include -I/usr/include -I../../../ -I../../../include/ -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/include -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/src -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13'

The -R/usr/lib64 and -I/usr/include options are both unasked for.

Regards
Henrik

tis 2009-09-08 klockan 01:01 +0100 skrev Markus Moeller:

How about the attached ?

Markus

Henrik Nordstrom hen...@henriknordstrom.net wrote in message news:1252272029.23776.54.ca...@henriknordstrom.net...

The patch had been somewhat corrupted in flight so had to apply it by hand, but running a test now.

It's no/lib it is complaining on. Seem it comes from the system default test where
Re: Kerberos build failures in HEAD
Hi Amos,

I did some changes in configure.in and peer_proxy_negotiate_auth.cc.

Regards
Markus

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: hua...@moeller.plus.com; squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 3:13 AM
Subject: Kerberos build failures in HEAD

Hi Markus, can you look into this please?

http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console

squid-3-head-3.diff
Description: Binary data