Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-08 Thread Henrik Nordstrom
The mentioned exec_prefix dependent thing was the culprit now.. I ended
up removing that, resulting in the attached patch, but that CPPFLAGS and
LDFLAGS segment looks to me like it belongs in Makefile.am rather than
configure..

Regards
Henrik



tis 2009-09-08 klockan 16:32 +0200 skrev Henrik Nordstrom:
 Looks promising.
 
 but I still don't understand why you are testing for $exec_path.. what
 does $exec_path (where binaries are to be installed, --exec-path
 configure argument) have to do with the path to Kerberos libraries?
 
 Build finished, and it's indeed getting a lot closer. But still some
 issues..
 
 ERROR   0001: file '/usr/lib64/squid/negotiate_kerb_auth' contains a standard 
 rpath '/usr/lib64' in [/usr/lib64]
 ERROR   0001: file '/usr/lib64/squid/squid_kerb_auth_test' contains a 
 standard rpath '/usr/lib64' in [/usr/lib64]
 ERROR   0001: file '/usr/lib64/squid/squid_kerb_auth' contains a standard 
 rpath '/usr/lib64' in [/usr/lib64]
 ERROR   0001: file '/usr/lib64/squid/negotiate_kerb_auth_test' contains a 
 standard rpath '/usr/lib64' in [/usr/lib64]
 
 squid_kerb_auth configure options:
 
 '--disable-option-checking' '--prefix=/usr' 
 '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' 
 '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--exec-prefix=/usr' 
 '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
 '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' 
 '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
 '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' 
 '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
 '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
 '--with-logdir=$(localstatedir)/log/squid' 
 '--with-pidfile=$(localstatedir)/run/squid.pid' 
 '--disable-dependency-tracking' '--enable-arp-acl' 
 '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' 
 '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
  '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
 '--enable-digest-auth-helpers=password,ldap,eDirectory' 
 '--enable-negotiate-auth-helpers=squid_kerb_auth' 
 '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
  '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
 '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
 '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
 '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
 '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' 
 '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' 
 '--with-dl' '--with-openssl' '--with-pthreads' 
 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 
 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-fPIE -Os -g -pipe 
 -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 
 'LDFLAGS=-pie' 'CXXFLAGS=-fPIE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 
 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
 -I/usr/lib64/gfortran/modules' 
 '--with-squid=/home/henrik/build/fedora/squid/devel/squid-3.1.0.13' 
 '--enable-ltdl-convenience' '--cache-file=/dev/null' '--srcdir=.'
 
 (called from Squid configure)
 
 And it set LDFLAGS and CPPFLAGS to
 LDFLAGS='-pie -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L../../../lib 
 -L/usr/lib64 -Wl,-R/usr/lib64'
 CPPFLAGS=' -I/usr/include -I/usr/include -I../../../ -I../../../include/ 
 -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/include 
 -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/src 
 -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13'
 
 The -R/usr/lib64 and -I/usr/include options are both unasked for.
 
 Regards
 Henrik
 
 
 tis 2009-09-08 klockan 01:01 +0100 skrev Markus Moeller:
  How about the attached ?
  
  Markus
  
  
  Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
  news:1252272029.23776.54.ca...@henriknordstrom.net...
   The patch had been somewhat corrupted in flight so had to apply it by
   hand, but running a test now.
  
   It's no/lib it is complaining on. Seem it comes from the system
   default test where check_mit / check_heimdal is called with a random
   $enableval from being called outside any AC_ARG_ENABLE macro.. (value in
   previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)
  
  
   Hmm.. looking at the patch I don't think it's correct. The issue is that
   -L, -R and -I should only be set if there actually is any paths to set
   it to, not if the user uses ./configure --exec-prefix=... But it does
   hide the problem in my case with system integrated kerberos libs, but I
   guess it also breaks installs needing a 

Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-08 Thread Markus Moeller
I don't remember exactly why I added it. I think it was because I originally 
had it as a standalone configure with the option to have libs and includes 
in exec_prefix/lib and  exec_prefix/include where exec_prefix is the squid 
install path.


So I think for the squid inclusion the patch is fine.

Regards
Markus

- Original Message - 
From: Henrik Nordstrom hen...@henriknordstrom.net

To: Markus Moeller hua...@moeller.plus.com
Cc: Squid Developers squid-dev@squid-cache.org
Sent: Tuesday, September 08, 2009 4:56 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or 
others)



The mentioned exec_prefix dependent thing was the culprit now.. I ended
up removing that, resulting in the attached patch, but that CPPFLAGS and
LDFLAGS segment looks to me like it belongs in Makefile.am rather than
configure..

Regards
Henrik



tis 2009-09-08 klockan 16:32 +0200 skrev Henrik Nordstrom:

Looks promising.

but I still don't understand why you are testing for $exec_path.. what
does $exec_path (where binaries are to be installed, --exec-path
configure argument) have to do with the path to Kerberos libraries?

Build finished, and it's indeed getting a lot closer. But still some
issues..

ERROR   0001: file '/usr/lib64/squid/negotiate_kerb_auth' contains a 
standard rpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/squid/squid_kerb_auth_test' contains a 
standard rpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/squid/squid_kerb_auth' contains a standard 
rpath '/usr/lib64' in [/usr/lib64]
ERROR   0001: file '/usr/lib64/squid/negotiate_kerb_auth_test' contains a 
standard rpath '/usr/lib64' in [/usr/lib64]


squid_kerb_auth configure options:

'--disable-option-checking' '--prefix=/usr' 
'--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' 
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' 
'--disable-dependency-tracking' '--enable-arp-acl' 
'--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' 
'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
'--enable-digest-auth-helpers=password,ldap,eDirectory' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' 
'--enable-wccpv2' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' 
'--with-pthreads' 'build_alias=x86_64-unknown-linux-gnu' 
'host_alias=x86_64-unknown-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 
'LDFLAGS=-pie' 
'CXXFLAGS=-fPIE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
 --param=ssp-buffer-size=4 -m64 -mtune=generic' 
'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
 --param=ssp-buffer-size=4 -m64 -mtune=generic -I/usr/lib64/gfortran/modules' 
'--with-squid=/home/henrik/build/fedora/squid/devel/squid-3.1.0.13' 
'--enable-ltdl-convenience' '--cache-file=/dev/null' '--srcdir=.'


(called from Squid configure)

And it set LDFLAGS and CPPFLAGS to
LDFLAGS='-pie -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L../../../lib -L/usr/lib64 
 -Wl,-R/usr/lib64'
CPPFLAGS=' -I/usr/include -I/usr/include -I../../../ -I../../../include/ -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/include 
 -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13/src -I/home/henrik/build/fedora/squid/devel/squid-3.1.0.13'


The -R/usr/lib64 and -I/usr/include options are both unasked for.

Regards
Henrik


tis 2009-09-08 klockan 01:01 +0100 skrev Markus Moeller:
 How about the attached ?

 Markus


 Henrik Nordstrom hen...@henriknordstrom.net wrote in message
 news:1252272029.23776.54.ca...@henriknordstrom.net...
  The patch had been somewhat corrupted in flight so had to apply it by
  hand, but running a test now.
 
  It's no/lib it is complaining on. Seem it comes from the system
  default test where 

Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-08 Thread Henrik Nordstrom
tis 2009-09-08 klockan 19:05 +0100 skrev Markus Moeller:
 I don't remember exactly why I added it. I think it was because I originally 
 had it as a standalone configure with the option to have libs and includes 
 in exec_prefix/lib and  exec_prefix/include where exec_prefix is the squid 
 install path.
 
 So I think for the squid inclusion the patch is fine.

Applied to 3.1.

Regards
Henrik



Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-07 Thread Markus Moeller


How about the attached ?

Markus


Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1252272029.23776.54.ca...@henriknordstrom.net...

The patch had been somewhat corrupted in flight so had to apply it by
hand, but running a test now.

It's no/lib it is complaining on. Seem it comes from the system
default test where check_mit / check_heimdal is called with a random
$enableval from being called outside any AC_ARG_ENABLE macro.. (value in
previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)


Hmm.. looking at the patch I don't think it's correct. The issue is that
-L, -R and -I should only be set if there actually is any paths to set
it to, not if the user uses ./configure --exec-prefix=... But it does
hide the problem in my case with system integrated kerberos libs, but I
guess it also breaks installs needing a non-system path to the kerberos
installation.

Regards
Henrik



sön 2009-09-06 klockan 14:37 +0100 skrev Markus Moeller:
Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there
is the case of no then I need to check for no in the two ifs.

Markus


Markus Moeller hua...@moeller.plus.com wrote in message
news:h7scl8$r2...@ger.gmane.org...
 This should fix it:

 --- configure.in2009-09-04 02:06:24.0 +0100
 +++ configure.in.new2009-09-05 01:47:34.875859258 +0100
 @@ -424,8 +424,12 @@
   [ squid_dir=$withval ]
 )

 +if test x$exec_prefix != xNONE; then
 eval ac_p_include=$includedir
 CPPFLAGS=$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ 
-I$squid_dir/include
  -I$squid_dir/src -I$squid_dir
 +else
 +CPPFLAGS=$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include
 -I$squid_dir/src -I$squid_dir
 +fi
 AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[
 AC_TRY_RUN([
 #include config.h
 @@ -439,8 +443,12 @@
   ac_cv_have_squid=yes,
   ac_cv_have_squid=no)
 ])
 +if test x$exec_prefix != xNONE;  then
 eval ac_p_lib=$libdir
 LDFLAGS=$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2
 +else
 +LDFLAGS=$LDFLAGS -L../../../lib
 +fi
 if test x$ac_cv_have_squid = xyes; then
   AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID])
   AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)


 Markus


 Henrik Nordstrom hen...@henriknordstrom.net wrote in message
 news:1252072098.571.16.ca...@henriknordstrom.net...
 lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:

 Markus,
 these changes won't help the Fedora build with Squid-3.1 frozen. That
 will require a minimal change of probably just the configure.in.

 Squid-3.1 has now been packaged for Fedora 12, but so far without
 squid_kerb_auth due to the configure mess adding invalid linker library
 path flags which the Fedora automatic package QA checks detect and
 barf loudly.

 The helper can be enabled if the configure bits are fixed. It builds and
 runs, it's just that the resulting binary is rejected by Fedora QA
 checks (bad -R option no/lib).

 Regards
 Henrik

configure.in.patch
Description: Binary data


Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-06 Thread Markus Moeller
Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there 
is the case of no then I need to check for no in the two ifs.


Markus


Markus Moeller hua...@moeller.plus.com wrote in message 
news:h7scl8$r2...@ger.gmane.org...

This should fix it:

--- configure.in2009-09-04 02:06:24.0 +0100
+++ configure.in.new2009-09-05 01:47:34.875859258 +0100
@@ -424,8 +424,12 @@
  [ squid_dir=$withval ]
)

+if test x$exec_prefix != xNONE; then
eval ac_p_include=$includedir
CPPFLAGS=$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include 
 -I$squid_dir/src -I$squid_dir

+else
+CPPFLAGS=$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include  
-I$squid_dir/src -I$squid_dir

+fi
AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[
AC_TRY_RUN([
#include config.h
@@ -439,8 +443,12 @@
  ac_cv_have_squid=yes,
  ac_cv_have_squid=no)
])
+if test x$exec_prefix != xNONE;  then
eval ac_p_lib=$libdir
LDFLAGS=$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2
+else
+LDFLAGS=$LDFLAGS -L../../../lib
+fi
if test x$ac_cv_have_squid = xyes; then
  AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID])
  AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)


Markus


Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1252072098.571.16.ca...@henriknordstrom.net...

lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:


Markus,
   these changes won't help the Fedora build with Squid-3.1 frozen. That
will require a minimal change of probably just the configure.in.


Squid-3.1 has now been packaged for Fedora 12, but so far without
squid_kerb_auth due to the configure mess adding invalid linker library
path flags which the Fedora automatic package QA checks detects and
barfs loudly.

The helper can be enabled if the configure bits is fixed. It builds and
runs, it's just that the resulting binary is rejected by Fedora QA
checks (bad -R option no/lib).

Regards
Henrik











Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-06 Thread Henrik Nordstrom
The patch had been somewhat corrupted in flight so had to apply it by
hand, but running a test now.

It's no/lib it is complaining on. Seems it comes from the system
default test where check_mit / check_heimdal is called with a random
$enableval from being called outside any AC_ARG_ENABLE macro.. (value in
previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)


Hmm.. looking at the patch I don't think it's correct. The issue is that
-L, -R and -I should only be set if there actually are any paths to set
them to, not if the user uses ./configure --exec-prefix=... But it does
hide the problem in my case with system integrated kerberos libs, but I
guess it also breaks installs needing a non-system path to the kerberos
installation.

Regards
Henrik



sön 2009-09-06 klockan 14:37 +0100 skrev Markus Moeller:
 Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there 
 is the case of no then I need to check for no in the two ifs.
 
 Markus
 
 
 Markus Moeller hua...@moeller.plus.com wrote in message 
 news:h7scl8$r2...@ger.gmane.org...
  This should fix it:
 
  --- configure.in2009-09-04 02:06:24.0 +0100
  +++ configure.in.new2009-09-05 01:47:34.875859258 +0100
  @@ -424,8 +424,12 @@
[ squid_dir=$withval ]
  )
 
  +if test x$exec_prefix != xNONE; then
  eval ac_p_include=$includedir
  CPPFLAGS=$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ 
  -I$squid_dir/include 
   -I$squid_dir/src -I$squid_dir
  +else
  +CPPFLAGS=$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include  
  -I$squid_dir/src -I$squid_dir
  +fi
  AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[
  AC_TRY_RUN([
  #include config.h
  @@ -439,8 +443,12 @@
ac_cv_have_squid=yes,
ac_cv_have_squid=no)
  ])
  +if test x$exec_prefix != xNONE;  then
  eval ac_p_lib=$libdir
  LDFLAGS=$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2
  +else
  +LDFLAGS=$LDFLAGS -L../../../lib
  +fi
  if test x$ac_cv_have_squid = xyes; then
AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID])
AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)
 
 
  Markus
 
 
  Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
  news:1252072098.571.16.ca...@henriknordstrom.net...
  lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:
 
  Markus,
 these changes won't help the Fedora build with Squid-3.1 frozen. That
  will require a minimal change of probably just the configure.in.
 
  Squid-3.1 has now been packaged for Fedora 12, but so far without
  squid_kerb_auth due to the configure mess adding invalid linker library
  path flags which the Fedora automatic package QA checks detects and
  barfs loudly.
 
  The helper can be enabled if the configure bits is fixed. It builds and
  runs, it's just that the resulting binary is rejected by Fedora QA
  checks (bad -R option no/lib).
 
  Regards
  Henrik
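
Added example (not part of the thread and not Squid's configure.in): POSIX shell functions that apply the rule stated in the message above, emitting -L, -R and -I only for a real, non-system path, plus a check that flags the kind of run-path the Fedora QA step rejected. The function names, the lists of standard directories and the -Wl,-R spelling of the run-path flag are assumptions. A relative run-path such as no/lib matters beyond packaging policy, since the loader resolves it against the process's working directory.

```shell
#!/bin/sh
# Added example, not Squid's configure.in. Function names and the
# directory lists below are assumptions made for illustration.

# Directories the loader and the compiler already search (assumed lists).
STD_LIBDIRS="/lib /lib64 /usr/lib /usr/lib64"
STD_INCDIRS="/usr/include"

# is_usable_dir DIR "STD LIST"
# Succeeds only when DIR is absolute and not a standard directory.
# Placeholder values a configure script can leave behind (empty, no, NONE,
# no/lib, NONE/lib) and every other relative path are rejected.
is_usable_dir() {
    case "$1" in
        ""|no|NONE|no/*|NONE/*) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    dir=${1%/}                      # ignore one trailing slash
    for std in $2; do
        if [ "$dir" = "$std" ]; then
            return 1
        fi
    done
    return 0
}

# krb5_ldflags LIBDIR: print -L and run-path flags, or nothing at all.
krb5_ldflags() {
    if is_usable_dir "$1" "$STD_LIBDIRS"; then
        printf '%s' "-L${1%/} -Wl,-R${1%/}"
    fi
}

# krb5_cppflags INCDIR: print an -I flag, or nothing at all.
krb5_cppflags() {
    if is_usable_dir "$1" "$STD_INCDIRS"; then
        printf '%s' "-I${1%/}"
    fi
}

# audit_rpath_flags "FLAGS": print, space separated, every run-path in
# FLAGS that is a placeholder, relative, or a standard library directory.
# Prints nothing when all run-paths are acceptable. Always returns 0.
audit_rpath_flags() {
    bad=""
    for flag in $1; do
        case "$flag" in
            -Wl,-R*)      rp=${flag#-Wl,-R} ;;
            -Wl,-rpath,*) rp=${flag#-Wl,-rpath,} ;;
            -R*)          rp=${flag#-R} ;;
            *)            continue ;;
        esac
        if ! is_usable_dir "$rp" "$STD_LIBDIRS"; then
            bad="$bad${bad:+ }$rp"
        fi
    done
    printf '%s' "$bad"
    return 0
}

# Demo input: the LDFLAGS value reported earlier in this thread.
thread_ldflags='-pie -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L../../../lib -L/usr/lib64 -Wl,-R/usr/lib64'
echo "rejected run-paths: $(audit_rpath_flags "$thread_ldflags")"
# Constructed input: a Kerberos install under a non-system prefix.
echo "flags for /opt/krb5: $(krb5_cppflags /opt/krb5/include) $(krb5_ldflags /opt/krb5/lib)"
```
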
 
 
 
 
  
 



Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-06 Thread Markus Moeller
Thank you for the info. I tested on FreeBSD 7/Fedora 11/OpenSuse 11.1 and I 
didn't see it, but I'll check.


Markus

- Original Message - 
From: Henrik Nordstrom hen...@henriknordstrom.net

To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Sunday, September 06, 2009 10:20 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or 
others)




The patch had been somewhat corrupted in flight so had to apply it by
hand, but running a test now.

It's no/lib it is complaining on. Seem it comes from the system
default test where check_mit / check_heimdal is called with a random
$enableval from being called outside any AC_ARG_ENABLE macro.. (value in
previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)


Hmm.. looking at the patch I don't think it's correct. The issue is that
-L, -R and -I should only be set if there actually is any paths to set
it to, not if the user uses ./configure --exec-prefix=... But it does
hide the problem in my case with system integrated kerberos libs, but I
guess it also breaks installs needing a non-system path to the kerberos
installation.

Regards
Henrik



sön 2009-09-06 klockan 14:37 +0100 skrev Markus Moeller:
Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there
is the case of no then I need to check for no in the two ifs.

Markus


Markus Moeller hua...@moeller.plus.com wrote in message
news:h7scl8$r2...@ger.gmane.org...
 This should fix it:

 --- configure.in2009-09-04 02:06:24.0 +0100
 +++ configure.in.new2009-09-05 01:47:34.875859258 +0100
 @@ -424,8 +424,12 @@
   [ squid_dir=$withval ]
 )

 +if test x$exec_prefix != xNONE; then
 eval ac_p_include=$includedir
 CPPFLAGS=$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ 
-I$squid_dir/include
  -I$squid_dir/src -I$squid_dir
 +else
 +CPPFLAGS=$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include
 -I$squid_dir/src -I$squid_dir
 +fi
 AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[
 AC_TRY_RUN([
 #include config.h
 @@ -439,8 +443,12 @@
   ac_cv_have_squid=yes,
   ac_cv_have_squid=no)
 ])
 +if test x$exec_prefix != xNONE;  then
 eval ac_p_lib=$libdir
 LDFLAGS=$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2
 +else
 +LDFLAGS=$LDFLAGS -L../../../lib
 +fi
 if test x$ac_cv_have_squid = xyes; then
   AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID])
   AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)


 Markus


 Henrik Nordstrom hen...@henriknordstrom.net wrote in message
 news:1252072098.571.16.ca...@henriknordstrom.net...
 lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:

 Markus,
 these changes won't help the Fedora build with Squid-3.1 frozen. That
 will require a minimal change of probably just the configure.in.

 Squid-3.1 has now been packaged for Fedora 12, but so far without
 squid_kerb_auth due to the configure mess adding invalid linker library
 path flags which the Fedora automatic package QA checks detect and
 barf loudly.

 The helper can be enabled if the configure bits are fixed. It builds and
 runs, it's just that the resulting binary is rejected by Fedora QA
 checks (bad -R option no/lib).

 Regards
 Henrik

Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-04 Thread Amos Jeffries

Markus Moeller wrote:

Henrik,

  I updated the patch.   I also said that I removed the configure from 
squid_kerb_auth by replacing the whole squid_kerb_auth directory with 
the attached tar file (to the previous post) which hopefully fixes the 
fedora build.


Markus,
  these changes won't help the Fedora build with Squid-3.1 frozen. That 
will require a minimal change of probably just the configure.in.



Peer login bits are done and committed.

I'm in the process of bumping the helpers to C++ with their new names 
for 3.2.  Seeing as this helper change is pretty fundamental/big I'm 
using it as step 1 of the upgrade/rename merge.


FYI: by the end of the weekend I hope to have your new code in the 
directory negotiate_auth/kerberos/  producing the C++ binary helper 
negotiate_kerberos_auth.



Amos



Thank you
Markus

Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1251770416.16800.65.ca...@henriknordstrom.net...

Needs quoting:
+KRB5INCS=`$krb5confpath --cflags krb5 2/dev/null`
+KRB5LIBS=`$krb5confpath --libs krb5 2/dev/null`

(seen twice, Solaris and generic)


Would also be nice if you could update squid_kerb_auth/configure with
this simplified kerberos configure dance. The squid_kerb_auth/configure
in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib
for me and currently prevents it from being packaged for Fedora (build
QA check failure, incorrect run-path)

Regards
Henrik


mån 2009-08-31 klockan 14:03 +0100 skrev Markus Moeller:

Hi Amos,

   find attached a patch against the head release.  since I now need
Kerberos and GSSAPI for the main source I removed the squid_kerb_auth
configure and replaced the squid_kerb_auth directory with the attached.

I tested on OpenSuse 11 with MIT Kerberos 1.6.3 (the default) and Freebsd 7.0
with Heimdal 1.2.1 (added as the older freebsd base Heimdal package creates
problems as squids asn1.h and krb5_asn1.h have conflicts with oid
definitions)

Regards
Markus

- Original Message - From: Amos Jeffries 
squ...@treenet.co.nz

To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Tuesday, August 25, 2009 12:38 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or
others)


 Markus Moeller wrote:
 In some setups the upstream proxy requires a secure authentication method
 (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with
 Negotiate.

 Regards
 Markus

 Hi Markus,
   Good to see this feature appearing.

 Just a few things to fix up before this can go in:

  * Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be
    indented with spaces instead of the automake required tabs.

  * Unfortunately 3.0 is closed for new features.  Can we get a diff
    against 3.HEAD code please?

  * there is zero documentation for the new option settings. Please add to
    the cache_peer entry of src/cf.data.pre with the new details for
    login=NEGOTIATE.

  * there is also no documentation for any of the code. Please prefix each
    new function and global in your new code with at least an overview
    description of what it does.


 Amos
 --  Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13







--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-04 Thread Henrik Nordstrom
lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:

 Markus,
these changes won't help the Fedora build with Squid-3.1 frozen. That 
 will require a minimal change of probably just the configure.in.

Squid-3.1 has now been packaged for Fedora 12, but so far without
squid_kerb_auth due to the configure mess adding invalid linker library
path flags which the Fedora automatic package QA checks detect and
barf loudly.

The helper can be enabled if the configure bits are fixed. It builds and
runs, it's just that the resulting binary is rejected by Fedora QA
checks (bad -R option no/lib).

Regards
Henrik



Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-04 Thread Markus Moeller


Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1252072098.571.16.ca...@henriknordstrom.net...

lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:


Markus,
   these changes won't help the Fedora build with Squid-3.1 frozen. That
will require a minimal change of probably just the configure.in.


Squid-3.1 has now been packaged for Fedora 12, but so far without
squid_kerb_auth due to the configure mess adding invalid linker library
path flags which the Fedora automatic package QA checks detects and
barfs loudly.

The helper can be enabled if the configure bits is fixed. It builds and
runs, it's just that the resulting binary is rejected by Fedora QA
checks (bad -R option no/lib).


OK I will fix it this weekend.


Regards
Henrik







Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-04 Thread Markus Moeller

This should fix it:

--- configure.in2009-09-04 02:06:24.0 +0100
+++ configure.in.new2009-09-05 01:47:34.875859258 +0100
@@ -424,8 +424,12 @@
  [ squid_dir=$withval ]
)

+if test x$exec_prefix != xNONE; then
eval ac_p_include=$includedir
CPPFLAGS=$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include 
-I$squid_dir/src -I$squid_dir

+else
+CPPFLAGS=$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include -I$squid_dir/src 
-I$squid_dir

+fi
AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[
AC_TRY_RUN([
#include config.h
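
Review bot: The new guard 'if test x$exec_prefix != xNONE' decides whether -I$ac_p_include is added, but the directory it guards comes from $includedir, not from $exec_prefix. A build that passes an explicit exec prefix together with a default include directory still gets that directory added to CPPFLAGS, and a placeholder other than the literal NONE is not caught. Test the value that is actually used, and add -I$ac_p_include only when it is a real, non-default path. The two CPPFLAGS assignments also repeat the same four -I options; set the common part once and append the optional -I in the guarded branch.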
@@ -439,8 +443,12 @@
  ac_cv_have_squid=yes,
  ac_cv_have_squid=no)
])
+if test x$exec_prefix != xNONE;  then
eval ac_p_lib=$libdir
LDFLAGS=$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2
+else
+LDFLAGS=$LDFLAGS -L../../../lib
+fi
if test x$ac_cv_have_squid = xyes; then
  AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID])
  AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)
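
Review bot: In the first branch LDFLAGS still receives -L$ac_p_lib and $w_flag$ac_p_lib$w_flag_2 (the word that appears as -Wl,-R/usr/lib64 in the LDFLAGS quoted elsewhere in this thread) whenever exec_prefix is anything other than NONE. A packaged build that sets an explicit exec prefix and libdir therefore records libdir as a run-path even when it is a directory the loader already searches. Make the condition depend on $ac_p_lib itself: skip both flags when it is empty, not absolute, or a default library directory, and keep only -L../../../lib in that case.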


Markus


Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1252072098.571.16.ca...@henriknordstrom.net...

lör 2009-09-05 klockan 01:33 +1200 skrev Amos Jeffries:


Markus,
   these changes won't help the Fedora build with Squid-3.1 frozen. That
will require a minimal change of probably just the configure.in.


Squid-3.1 has now been packaged for Fedora 12, but so far without
squid_kerb_auth due to the configure mess adding invalid linker library
path flags which the Fedora automatic package QA checks detects and
barfs loudly.

The helper can be enabled if the configure bits is fixed. It builds and
runs, it's just that the resulting binary is rejected by Fedora QA
checks (bad -R option no/lib).

Regards
Henrik







Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-01 Thread Markus Moeller

Henrik,

  I updated the patch.   I also said that I removed the configure from 
squid_kerb_auth by replacing the whole squid_kerb_auth directory with the 
attached tar file (to the previous post) which hopefully fixes the fedora 
build.


Thank you
Markus

Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1251770416.16800.65.ca...@henriknordstrom.net...

Needs quoting:
+KRB5INCS=`$krb5confpath --cflags krb5 2/dev/null`
+KRB5LIBS=`$krb5confpath --libs krb5 2/dev/null`

(seen twice, Solaris and generic)


Would also be nice if you could update squid_kerb_auth/configure with
this simplified kerberos configure dance. The squid_kerb_auth/configure
in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib
for me and currently prevents it from being packaged for Fedora (build
QA check failure, incorrect run-path)

Regards
Henrik


mån 2009-08-31 klockan 14:03 +0100 skrev Markus Moeller:

Hi Amos,

   find attached a patch against the head release.  since I now need
Kerberos and GSSAPI for the main source I removed the squid_kerb_auth
configure and replaced the squid_kerb_auth directory with the attached.

I tested on OpenSuse 11 with MIT Kerberos 1.6.3 (the default) and Freebsd 7.0
with Heimdal 1.2.1 (added as the older freebsd base Heimdal package creates
problems as squids asn1.h and krb5_asn1.h have conflicts with oid
definitions)

Regards
Markus

- Original Message - 
From: Amos Jeffries squ...@treenet.co.nz

To: Markus Moeller hua...@moeller.plus.com
Cc: squid-dev@squid-cache.org
Sent: Tuesday, August 25, 2009 12:38 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or
others)


 Markus Moeller wrote:
 In some setups the upstream proxy requires a secure authentication method
 (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with
 Negotiate.

 Regards
 Markus

 Hi Markus,
   Good to see this feature appearing.

 Just a few things to fix up before this can go in:

  * Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be
    indented with spaces instead of the automake required tabs.

  * Unfortunately 3.0 is closed for new features.  Can we get a diff
    against 3.HEAD code please?

  * there is zero documentation for the new option settings. Please add to
    the cache_peer entry of src/cf.data.pre with the new details for
    login=NEGOTIATE.

  * there is also no documentation for any of the code. Please prefix each
    new function and global in your new code with at least an overview
    description of what it does.


 Amos
 -- 
 Please be using

   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13






squid-3-head-2.diff
Description: Binary data


Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-01 Thread Amos Jeffries
On Tue, 1 Sep 2009 19:55:47 +0100, Markus Moeller
hua...@moeller.plus.com wrote:
 Henrik,
 
 I updated the patch.   I also said that I removed the configure from
 squid_kerb_auth by replacing the whole squid_kerb_auth directory with the
 attached tar file (to the previous post) which hopefully fixes the fedora
 build.

Does the directory replacement have to be done at the same time or would it
cope with being split in two and done after the main change?

Amos

 
 Thank you
 Markus
 
 Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
 news:1251770416.16800.65.ca...@henriknordstrom.net...
 Needs quoting:
 +KRB5INCS=`$krb5confpath --cflags krb5 2/dev/null`
 +KRB5LIBS=`$krb5confpath --libs krb5 2/dev/null`

 (seen twice, Solaris & generic)


 Would also be nice if you could update squid_kerb_auth/configure with
 this simplified kerberos configure dance. The squid_kerb_auth/configure
 in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib
 for me and currently prevents it from being packaged for Fedora (build
 QA check failure, incorrect run-path)

 Regards
 Henrik


 Mon 2009-08-31 at 14:03 +0100, Markus Moeller wrote:
 Hi Amos,

 find attached a patch against the head release.  since I now need
 Kerberos and GSSAPI for the main source I removed the squid_kerb_auth
 configure and replaced the squid_kerb_auth directory with the attached.

 I tested on OpenSuse 11 with MIT Kerberos 1.6.3 (the default) and FreeBSD 7.0
 with Heimdal 1.2.1 (added as the older FreeBSD base Heimdal package creates
 problems as Squid's asn1.h and krb5_asn1.h have conflicts with oid
 definitions)

 Regards
 Markus

 - Original Message - 
 From: Amos Jeffries squ...@treenet.co.nz
 To: Markus Moeller hua...@moeller.plus.com
 Cc: squid-dev@squid-cache.org
 Sent: Tuesday, August 25, 2009 12:38 PM
 Subject: Re: Patch to authenticate securely to upstream ISA server(or
 others)


  Markus Moeller wrote:
  In some setups the upstream proxy requires a secure authentication method
  (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with
  Negotiate.
 
  Regards
  Markus
 
  Hi Markus,
Good to see this feature appearing.
 
  Just a few things to fix up before this can go in:
 
   * Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be
  indented with spaces instead of the automake required tabs.

   * Unfortunately 3.0 is closed for new features.  Can we get a diff
  against 3.HEAD code please?

   * there is zero documentation for the new option settings. Please add to
  the cache_peer entry of src/cf.data.pre with the new details for
  login=NEGOTIATE.

   * there is also no documentation for any of the code. Please prefix each
  new function and global in your new code with at least an overview
  description of what it does.
 
 
  Amos
  -- 
  Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
 




Re: Patch to authenticate securely to upstream ISA server(or others)

2009-09-01 Thread Markus Moeller


Amos Jeffries squ...@treenet.co.nz wrote in message 
news:3f72f4fcc973e75a663a72a587547...@mail.treenet.co.nz...

On Tue, 1 Sep 2009 19:55:47 +0100, Markus Moeller
hua...@moeller.plus.com wrote:

Henrik,

   I updated the patch.   I also said that I removed the configure from
squid_kerb_auth by replacing the whole squid_kerb_auth directory with the
attached tar file (to the previous post) which hopefully fixes the fedora
build.

Does the directory replacement have to be done at the same time or would it
cope with being split in two and done after the main change?



It could be done in two stages. The patch would need to be modified as it 
removes the execution of the squid_kerb_auth configure.



Amos





Markus 





Re: Patch to authenticate securely to upstream ISA server(or others)

2009-08-31 Thread Henrik Nordstrom
Needs quoting:
+KRB5INCS=`$krb5confpath --cflags krb5 2/dev/null`
+KRB5LIBS=`$krb5confpath --libs krb5 2/dev/null`
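Review bot: `$krb5confpath` is expanded unquoted inside both command substitutions, so a krb5-config path containing whitespace or glob characters is split before it runs; write `"$krb5confpath" --cflags krb5` and `"$krb5confpath" --libs krb5`. As rendered here the redirection reads `2/dev/null`, which passes a literal argument instead of discarding stderr, so confirm the patch itself has `2>/dev/null`. Because errors are silenced, also test the exit status or check for empty KRB5INCS and KRB5LIBS before appending them to the build flags.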

(seen twice, Solaris & generic)


Would also be nice if you could update squid_kerb_auth/configure with
this simplified kerberos configure dance. The squid_kerb_auth/configure
in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib
for me and currently prevents it from being packaged for Fedora (build
QA check failure, incorrect run-path)

Regards
Henrik


Mon 2009-08-31 at 14:03 +0100, Markus Moeller wrote:
 Hi Amos,
 
find attached a patch against the head release.  since I now need 
 Kerberos and GSSAPI for the main source I removed the squid_kerb_auth 
 configure and replaced the squid_kerb_auth directory with the attached.
 
 I tested on OpenSuse 11 with MIT Kerberos 1.6.3(the default) and Freebsd 7.0 
 with Heimdal 1.2.1(added as the older freebsd base Heimdal package creates 
 problems as squids asn1.h and krb5_asn1.h have conflicts with oid 
 definitions)
 
 Regards
 Markus
 
 - Original Message - 
 From: Amos Jeffries squ...@treenet.co.nz
 To: Markus Moeller hua...@moeller.plus.com
 Cc: squid-dev@squid-cache.org
 Sent: Tuesday, August 25, 2009 12:38 PM
 Subject: Re: Patch to authenticate securely to upstream ISA server(or 
 others)
 
 
  Markus Moeller wrote:
  In some setups the upstream proxy requires a secure authentication method 
  (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with 
  Negotiate.
 
  Regards
  Markus
 
  Hi Markus,
Good to see this feature appearing.
 
  Just a few things to fix up before this can go in:
 
   *  Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be 
  indented with spaces instead of the automake required tabs.
 
   * Unfortunately 3.0 is closed for new features.  Can we get a diff 
  against 3.HEAD code please?
 
   * there is zero documentation for the new option settings. Please add to 
  the cache_peer entry of src/cf.data.pre with the new details for 
  login=NEGOTIATE.
 
   * there is also no documentation for any of the code. Please prefix each 
  new function and global in your new code with at least an overview 
  description of what it does.
 
 
  Amos
  -- 
  Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
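
The run-path problem Henrik describes above (relative `-Lno/lib -Rno/lib` entries, plus the "standard rpath" QA failures) can be caught by filtering the linker flags before they reach LDFLAGS. This is an added example, not code from the Squid tree or from this thread; the function names and the list of standard directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the Squid tree): filter linker flags such as those
# printed by `krb5-config --libs krb5` before they are appended to LDFLAGS.

# Assumed list of directories the runtime linker searches by default; an
# rpath naming one of these is what a packaging QA check flags as "standard".
STD_LIBDIRS="/lib /lib64 /usr/lib /usr/lib64"

# is_std_libdir DIR -> status 0 when DIR is a default linker search directory
is_std_libdir() {
    for d in $STD_LIBDIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# sanitize_ldflags FLAG... -> prints the flags with these entries removed:
#   * -L / -R / -Wl,-rpath, entries naming a relative directory (-Rno/lib);
#     a relative run-path is resolved against the process working directory
#   * run-path entries naming a standard library directory
sanitize_ldflags() {
    out=""
    for flag in "$@"; do
        case "$flag" in
            -Wl,-rpath,*) dir=${flag#-Wl,-rpath,}; kind=rpath ;;
            -R*)          dir=${flag#-R};          kind=rpath ;;
            -L*)          dir=${flag#-L};          kind=search ;;
            *)            out="$out $flag"; continue ;;
        esac
        case "$dir" in
            /*) ;;            # absolute path: examine further below
            *)  continue ;;   # relative or empty path: drop the flag
        esac
        if [ "$kind" = rpath ] && is_std_libdir "$dir"; then
            continue          # redundant run-path: drop the flag
        fi
        out="$out $flag"
    done
    printf '%s\n' "${out# }"  # strip the single leading separator
}
```

Absolute, non-standard run-paths (for example a Heimdal install under its own prefix) pass through unchanged, since the binary needs them to find its libraries.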
  



Re: Patch to authenticate securely to upstream ISA server(or others)

2009-08-25 Thread Amos Jeffries

Markus Moeller wrote:
In some setups the upstream proxy requires a secure authentication method 
(Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with 
Negotiate.


Regards
Markus


Hi Markus,
  Good to see this feature appearing.

Just a few things to fix up before this can go in:

 *  Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to 
be indented with spaces instead of the automake required tabs.


 * Unfortunately 3.0 is closed for new features.  Can we get a diff 
against 3.HEAD code please?


 * there is zero documentation for the new option settings. Please add 
to the cache_peer entry of src/cf.data.pre with the new details for 
login=NEGOTIATE.


 * there is also no documentation for any of the code. Please prefix 
each new function and global in your new code with at least an overview 
description of what it does.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


Re: Patch to authenticate securely to upstream ISA server(or others)

2009-08-25 Thread Markus Moeller


Amos Jeffries squ...@treenet.co.nz wrote in message 
news:4a93cd1b.9030...@treenet.co.nz...

Markus Moeller wrote:
In some setups the upstream proxy requires a secure authentication method 
(Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with 
Negotiate.


Regards
Markus


Hi Markus,
  Good to see this feature appearing.

Just a few things to fix up before this can go in:

 *  Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be 
indented with spaces instead of the automake required tabs.


 * Unfortunately 3.0 is closed for new features.  Can we get a diff 
against 3.HEAD code please?


 * there is zero documentation for the new option settings. Please add to 
the cache_peer entry of src/cf.data.pre with the new details for 
login=NEGOTIATE.


 * there is also no documentation for any of the code. Please prefix each 
new function and global in your new code with at least an overview 
description of what it does.




Thank you for the feedback. I will work on your suggestions.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13



Regards
Markus 





Re: Patch to authenticate securely to upstream ISA server(or others)

2009-08-08 Thread Markus Moeller

Sorry, but I forgot to change putenv to setenv. Patches are attached.

Markus

Henrik Nordstrom hen...@henriknordstrom.net wrote in message 
news:1249178627.13368.4.ca...@henriknordstrom.net...

Sat 2009-08-01 at 16:41 +0100, Markus Moeller wrote:

In some setups the upstream proxy requires a secure authentication method
(Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with
Negotiate.


Imported to Squid-2 with the following cosmetic modifications

 * Your instructions added as doc/README.proxy_negotiate
 * extern C removed from source as this confused the old gindent
   we are using to format the code.
 * Code reformatted per Squid code style rules.

Regards
Henrik




peer_proxy_negotiate_auth-setenv-2.patch
Description: Binary data


peer_proxy_negotiate_auth-setenv-3.patch
Description: Binary data


Re: Patch to authenticate securely to upstream ISA server(or others)

2009-08-01 Thread Henrik Nordstrom
Sat 2009-08-01 at 16:41 +0100, Markus Moeller wrote:
 In some setups the upstream proxy requires a secure authentication method 
 (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with 
 Negotiate.

Imported to Squid-2 with the following cosmetic modifications

  * Your instructions added as doc/README.proxy_negotiate
  * extern C removed from source as this confused the old gindent
we are using to format the code.
  * Code reformatted per Squid code style rules.

Regards
Henrik