Your message dated Fri, 25 Mar 2016 06:39:57 +1300
with message-id <[email protected]>
and subject line
has caused the Debian Bug report #819102,
regarding squid3: Negotiate Wrapper returns AF = on Debian Jessie
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
819102: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819102
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: squid3
Version: 3.4.8-6+deb8u1
Severity: normal
Dear Maintainer,
I have Squid 3.4.8 installed on Debian Jessie.
I’m using the negotiate wrapper configured like this:
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/[email protected] \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
The proxy works as intended – authentication happens, and usernames are logged
for users that authenticate via Kerberos.
However my logs don’t show user names for anyone that authenticates via NTLM.
The user name is replaced with an asterisk.
I am testing by configuring my browser to use the FQDN of the proxy (which
results in Kerberos authentication) or by using the IP address (which results
in NTLM).
Anyway, cache log does show the username but it is apparently in the wrong
location to be parsed into the access log:
2016/03/16 16:38:29| negotiate_wrapper: Return 'AF = * james_zuelow
‘
The correct format for this entry should be:
2000/01/01 12:00:00 negotiate_wrapper: Return 'AF * james_zuelow'
This is a problem for me, as my organization wants the username in the log.
Researching the issue I found this:
http://squid-web-proxy-cache.1019090.n4.nabble.com/negotiate-wrapper-Return-AF-username-td4674765.html
In which Amos says this was fixed “a long while back.” My Google-fu is not
strong enough to discover an upstream fix for this issue though.
The NTLM auth binary is part of Winbind, which wasn't picked up by reportbug (I
see it says "none" below looking for winbindd vs. winbind).
My Samba/Winbind versions are:
ii  python-samba          2:4.1.17+dfsg-2+deb8u2  amd64  Python bindings for Samba
ii  samba                 2:4.1.17+dfsg-2+deb8u2  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common          2:4.1.17+dfsg-2+deb8u2  all    common files used by both the Samba server and client
ii  samba-common-bin      2:4.1.17+dfsg-2+deb8u2  amd64  Samba common files used by both the server and the client
ii  samba-doc             2:4.1.17+dfsg-2+deb8u2  all    Samba documentation
ii  samba-dsdb-modules    2:4.1.17+dfsg-2+deb8u2  amd64  Samba Directory Services Database
ii  samba-libs:amd64      2:4.1.17+dfsg-2+deb8u2  amd64  Samba core libraries
ii  samba-vfs-modules     2:4.1.17+dfsg-2+deb8u2  amd64  Samba Virtual FileSystem plugins
ii  libnss-winbind:amd64  2:4.1.17+dfsg-2+deb8u2  amd64  Samba nameservice integration plugins
ii  libwbclient0:amd64    2:4.1.17+dfsg-2+deb8u2  amd64  Samba winbind client library
ii  winbind               2:4.1.17+dfsg-2+deb8u2  amd64  service to resolve user and group information from Windows NT servers
-- System Information:
Debian Release: 8.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.7-ckt9 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages squid3 depends on:
ii adduser 3.113+nmu3
ii libc6 2.19-18+deb8u3
ii libcap2 1:2.24-8
ii libcomerr2 1.42.12-1.1
ii libdb5.3 5.3.28-9
ii libecap2 0.2.0-3
ii libexpat1 2.1.0-6+deb8u1
ii libgcc1 1:4.9.2-10
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
ii libk5crypto3 1.12.1+dfsg-19+deb8u2
ii libkrb5-3 1.12.1+dfsg-19+deb8u2
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii libltdl7 2.4.2-1.11
ii libnetfilter-conntrack3 1.0.4-1
ii libnettle4 2.7.1-5
ii libpam0g 1.1.8-3.1+deb8u1
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii libstdc++6 4.9.2-10
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii logrotate 3.8.7-1+b1
ii lsb-base 4.1+Debian13+nmu1
ii netbase 5.3
ii squid3-common 3.4.8-6+deb8u1
squid3 recommends no packages.
Versions of packages squid3 suggests:
pn resolvconf <none>
ii smbclient 2:4.1.17+dfsg-2+deb8u2
ii squid-cgi 3.4.8-6+deb8u1
pn squid-purge <none>
ii squidclient 3.4.8-6+deb8u1
pn ufw <none>
pn winbindd <none>
-- Configuration Files:
/etc/init.d/squid3 changed:
NAME=squid3
DESC="Squid HTTP Proxy 3.x"
DAEMON=/usr/sbin/squid3
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid3/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid3 ] || . /etc/default/squid3
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin
[ -x $DAEMON ] || exit 0
ulimit -n 65535
find_cache_dir () {
    w=" " # space tab
    res=`$DAEMON -k parse -f $CONFIG 2>&1 |
        grep "Processing:" |
        sed s/.*Processing:\ // |
        sed -ne '
            s/^['"$w"']*'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q'`
    [ -n "$res" ] || res=$2
    echo "$res"
}
grepconf () {
    w=" " # space tab
    res=`$DAEMON -k parse -f $CONFIG 2>&1 |
        grep "Processing:" |
        sed s/.*Processing:\ // |
        sed -ne '
            s/^['"$w"']*'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
            t end;
            d;
            :end q'`
    [ -n "$res" ] || res=$2
    echo "$res"
}
create_run_dir () {
    run_dir=/var/run/squid3
    usr=`grepconf cache_effective_user proxy`
    grp=`grepconf cache_effective_group proxy`
    if [ "$(dpkg-statoverride --list $run_dir)" = "" ] &&
       [ ! -e $run_dir ] ; then
        mkdir -p $run_dir
        chown $usr:$grp $run_dir
    fi
}
start () {
    cache_dir=`find_cache_dir cache_dir`
    cache_type=`grepconf cache_dir`
    KRB5_KTNAME=/etc/squid3/proxy-keytab
    export KRB5_KTNAME
    kinit -k -t proxy-keytab HTTP/[email protected]
    #
    # Create run dir (needed for several workers on SMP)
    #
    create_run_dir
    #
    # Create spool dirs if they don't exist.
    #
    if test -d "$cache_dir" -a ! -d "$cache_dir/00"
    then
        log_warning_msg "Creating $DESC cache structure"
        $DAEMON -z -f $CONFIG
    fi
    umask 027
    ulimit -n 65535
    cd $cache_dir
    start-stop-daemon --quiet --start \
        --pidfile $PIDFILE \
        --exec $DAEMON -- $SQUID_ARGS < /dev/null
    return $?
}
stop () {
    PID=`cat $PIDFILE 2>/dev/null`
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    #
    # Now we have to wait until squid has _really_ stopped.
    #
    sleep 2
    if test -n "$PID" && kill -0 $PID 2>/dev/null
    then
        log_action_begin_msg " Waiting"
        cnt=0
        while kill -0 $PID 2>/dev/null
        do
            cnt=`expr $cnt + 1`
            if [ $cnt -gt 24 ]
            then
                log_action_end_msg 1
                return 1
            fi
            sleep 5
            log_action_cont_msg ""
        done
        log_action_end_msg 0
        return 0
    else
        return 0
    fi
}
case "$1" in
    start)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_daemon_msg "Starting $DESC" "$NAME"
            if start ; then
                log_end_msg $?
            else
                log_end_msg $?
            fi
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if stop ; then
            log_end_msg $?
        else
            log_end_msg $?
        fi
        ;;
    reload|force-reload)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_action_msg "Reloading $DESC configuration files"
            start-stop-daemon --stop --signal 1 \
                --pidfile $PIDFILE --quiet --exec $DAEMON
            log_action_end_msg 0
        fi
        ;;
    restart)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
        if test -n "$res";
        then
            log_failure_msg "$res"
            exit 3
        else
            log_daemon_msg "Restarting $DESC" "$NAME"
            stop
            if start ; then
                log_end_msg $?
            else
                log_end_msg $?
            fi
        fi
        ;;
    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
        exit 3
        ;;
esac
exit 0
/etc/squid3/squid.conf [Errno 13] Permission denied: u'/etc/squid3/squid.conf'
-- no debconf information
--- End Message ---
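An added example, not part of the original report or of Squid's code: a small audit of cache.log for the two wrapper reply shapes quoted in the report, flagging replies where `*` sits in the position that the report's expected format gives to the user name. The sample lines are constructed from the two lines in the report; the function name and verdict strings are hypothetical.

```python
import re

# Wrapper debug line (-d). The reply can end with a newline before the closing
# quote, and that quote may have been turned into a typographic one in transit.
RETURN_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|? negotiate_wrapper: "
    r"Return '(?P<reply>[^'\u2018\u2019]*)['\u2018\u2019]",
    re.MULTILINE,
)

# Constructed sample: the two reply shapes quoted in the report.
SAMPLE = (
    "2016/03/16 16:38:29| negotiate_wrapper: Return 'AF = * james_zuelow\n"
    "\u2018\n"
    "2000/01/01 12:00:00 negotiate_wrapper: Return 'AF * james_zuelow'\n"
)


def audit_wrapper_returns(cache_log_text):
    """Return (timestamp, user_field, verdict) for every 'AF' reply found."""
    findings = []
    for m in RETURN_RE.finditer(cache_log_text):
        fields = m.group("reply").split()
        if not fields or fields[0] != "AF":
            continue  # only 'AF' replies are in scope here
        args = fields[1:]
        if len(args) == 2:
            # Shape the report gives as expected: AF <token> <user>
            findings.append((m.group("ts"), args[1], "ok"))
        elif len(args) == 3 and args[0] == "=":
            # Shape the report observed: with the extra '=', the second
            # argument is '*' and the account name is one field further on.
            verdict = "shifted, account name is " + args[2]
            findings.append((m.group("ts"), args[1], verdict))
        else:
            findings.append((m.group("ts"), None, "unrecognised reply shape"))
    return findings


if __name__ == "__main__":
    for ts, user, verdict in audit_wrapper_returns(SAMPLE):
        print(ts, repr(user), verdict)
```

Run over a real cache.log, the "shifted" findings mark the authentications whose access-log entry would lack the account name.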
--- Begin Message ---
Closing since this is confirmed a config mistake.
Amos
--- End Message ---