Re: [PATCH] Kerberos configure patch + some cleanup
Apologies. I must have overlooked it. Here is the updated patch.

Markus

"Amos Jeffries" wrote in message news:53e5c2df.3080...@treenet.co.nz...
On 9/08/2014 8:32 a.m., Markus Moeller wrote:
It should be in there or did I miss some ?

The original bits are still there in the patch copy mailed to the list. Specifically in helpers/external_acl/kerberos_ldap_group/support_ldap.cc get_bin_attributes() bits I can see:

* redux function setup:
+LDAPMessage *msg;
+char **attr_value = NULL;
+int *attr_len=NULL;
+size_t max_attr = 0;
+
+attr_value = *ret_value;
+attr_len = *ret_len;

should be:
+char **attr_value = *ret_value;
+int *attr_len = *ret_len;
+size_t max_attr = 0;

* main for loop:
- for (msg = ldap_first_entry
+ for (LDAPMessage *msg = ldap_first_entry

* drop these:
BerElement *b;
char *attr;

* switch case should be:
case LDAP_RES_SEARCH_ENTRY: {
BerElement *b = NULL;
...
ber_free(b, 0);
}
break;

* for loops inside that switch case should be:
- for (attr = ldap_first_attribute...
+ for (char *attr = ldap_first_attribute...

- int il; for (il = 0; ...
+ for (int il = 0; ...

Otherwise it looks okay.

Amos

Markus

-Original Message-
From: Amos Jeffries
Sent: Friday, August 08, 2014 1:28 PM
To: squid-dev@squid-cache.org ; Markus Moeller
Subject: Re: [PATCH] Kerberos configure patch + some cleanup

On 8/08/2014 8:02 a.m., Markus Moeller wrote:
Are there any objections to this patch ?

The audit results from me I accidentally sent in private. Do you have an updated patch with those fixes?

Amos

Attachment: trunk_kerberos_cleanup_8.patch
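Review bot: the suggested get_bin_attributes() setup `char **attr_value = *ret_value;` and `int *attr_len = *ret_len;` dereferences both output parameters at the top of the function with no visible check that ret_value and ret_len are non-NULL; if any caller can pass NULL, an early `if (!ret_value || !ret_len) return ...;` has to precede these initialisers. Second, with attr now declared in the `for (char *attr = ldap_first_attribute...` header, the ldap_memfree(attr) that each attribute name returned by ldap_first_attribute()/ldap_next_attribute() needs must sit inside the loop body before the ldap_next_attribute() step, otherwise the narrower scope turns a per-iteration free into a leak; likewise `ber_free(b, 0)` at the end of the `case LDAP_RES_SEARCH_ENTRY: {` block is the right call (freebuf 0, because the BerElement's buffer belongs to the message), but it has to run on every path out of that block, including any early exits hidden by the `...`.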
Re: [PATCH] Kerberos configure patch + some cleanup
It should be in there or did I miss some ? Markus -Original Message- From: Amos Jeffries Sent: Friday, August 08, 2014 1:28 PM To: squid-dev@squid-cache.org ; Markus Moeller Subject: Re: [PATCH] Kerberos configure patch + some cleanup On 8/08/2014 8:02 a.m., Markus Moeller wrote: Are there any objections to this patch ? The audit results from me I accidentally sent in private. Do you have an updated patch with those fixes? Amos
Re: [PATCH] Kerberos configure patch + some cleanup
Are there any objections to this patch ?

Thank you
Markus

"Markus Moeller" wrote in message news:lr0vsn$jd$1...@ger.gmane.org...
Hi

Here is a patch which rewrites configure.ac and cleans up some code in the kerberos auth and kerberos ldap helper. Additionally the kerberos ldap helper now checks for AD primary group membership too.

Markus
[PATCH] Kerberos configure patch + some cleanup
Hi

Here is a patch which rewrites configure.ac and cleans up some code in the kerberos auth and kerberos ldap helper. Additionally the kerberos ldap helper now checks for AD primary group membership too.

Markus

Attachment: trunk_kerberos_cleanup_6.patch
[PATCH] This is a patch for support_ldap.cc in kerberos_ldap_group for squid 3.4
Hi Amos,

Apologies, I seem to have missed this. Could you please add it ?

Thank you
Markus

Attachment: support_ldap.patch
key-value pair in helper protocol
Hi,

Is there sample code for the 3.4 key-value pairs ? Or is it still work in progress ?

Thank you
Markus
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Sounds like a good idea. Thanks for spotting it.

Markus

"Amos Jeffries" wrote in message news:5245a336.1070...@treenet.co.nz...
This has now been applied to trunk.

I just noticed that the helper versions have not been bumped. Shall we update these to 1.3.1sq and 3.0.5sq ?

Amos
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Hi Amos,

I accept your changes.

Thank you
Markus

"Amos Jeffries" wrote in message news:52446934.3040...@treenet.co.nz...
On 23/09/2013 12:58 a.m., Markus Moeller wrote:
Hi Amos,
I did some cleanup. I think I moved all variables I could to sub scopes.
Thank you
Markus

This one looks much better thank you. Still some minor nits itching at my perfectionist side but I can suppress that for now.

in helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc:
* at the chunk for line 285 you still seem to have:
if (spegnoToken) xfree(spegnoToken)
* same at line 485

in src/peer_proxy_negotiate_auth.cc:
* those defined() are still present.

If you want make a new patch or provide reasons for those please do. Otherwise I will fix those and apply this patch after a good sleep.

FYI: I will also be running the source maintenance script on it to cleanup large sections of weird whitespace alignment, so what appears in trunk after the merge may clash with your copy.

Thank you
Amos
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Thank you for the review. I'll try to improve.

Markus

"Amos Jeffries" wrote in message news:523dc8ff.4030...@treenet.co.nz...
On 26/08/2013 3:17 a.m., Markus Moeller wrote:
Hi
please find a patch for squid 3.4 trunk for:
peer_proxy_negotiate_auth.cc
negotiate_auth/kerberos
external_acl/kerberos_ldap_group
Please ignore my previous patch.
Thank you
Markus

In helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
* There are some if-conditions which look like they are wrongly being converted to safe_free(). The first is:
-if (p == gdsp) {
-xfree(gdsp);
-gdsp = NULL;
-}
+safe_free(gdsp);
p = gdsp;
these will cause the loop to exit after freeing only one entry as gdsp gets unconditionally free+NULL'd and p set to NULL via the resulting gdsp value.
* The same issue exists in the ndsp and lssp blocks below that.

In helpers/external_acl/kerberos_ldap_group/support_group.cc
* there are still a number of unnecessary safe_free() conversions done on local variables before return statements.

In helpers/external_acl/kerberos_ldap_group/support_krb5.cc
* the xfree(service) can stay as xfree(service) but without the if(service) conditional.
* The tgt_creds and creds code for krb5_free*() should look like this (note the {} positioning to allow optimized skipping of the z=NULL assignment):
+if (tgt_creds) {
+krb5_free_creds(kparam.context, tgt_creds);
+tgt_creds = NULL;
+}
++ the tgt_creds appears like it can be made local to the "if (!principal_name) {" code block and does not need setting to NULL after free.
* in the krb5_create_cache() "cleanup:" section most of the xfree() were correct, but had unnecessary if() conditions. Now they have unnecessary =NULL assignment from the safe_free().

In helpers/external_acl/kerberos_ldap_group/support_ldap.cc
* the xfree(attr_value[j]); in for-loop was correct.

I only got as far as that before running out of time today.

Can you fix those please and go through the rest of the xfree/safe_free changes and make sure that the other files are similarly optimized. As a guide:
* xfree() is faster and should be preferred over safe_free() when possible.
* but safe_free() is required if the variable or member is possibly going to be read later in the code without being set to a new value.

Also, FYI in C++ variables may be declared at point of first use or inside any {} to increase compiler checks usefulness. We are making use of that property extensively in new Squid code to harden local variables and assist with ensuring guarantees like variables with undefined contents not being re-used accidentally outside their intended scope. You may want to consider polishing up some of the long functions in support_*.cc to make use of the sub-scopes.

Amos
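Review bot: in the `-if (p == gdsp) { -xfree(gdsp); -gdsp = NULL; -} +safe_free(gdsp); p = gdsp;` hunk the removed guard tests p, not gdsp, so it is not the `if (gdsp)` that safe_free() supplies and the conversion changes behaviour; the minimal fix is to keep the condition and convert only the body, `if (p == gdsp) safe_free(gdsp);`, and to do the same in the ndsp and lssp blocks, which preserves the `p = gdsp` stepping of the outer loop. For the `+if (tgt_creds) { +krb5_free_creds(kparam.context, tgt_creds); +tgt_creds = NULL; +}` hunk, krb5_free_creds() is not documented as accepting a NULL pointer, so the `if (tgt_creds)` guard should stay even once tgt_creds becomes a block-local that is never read after the free and the `= NULL` can go.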
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Hi Amos,

Could this go into 3.4 now ? Do you have a roadmap when the helper protocol extension will be available ?

Thank you
Markus

"Markus Moeller" wrote in message news:kvjavu$dgo$1...@ger.gmane.org...
This should be better now.

Markus

"Alex Rousskov" wrote in message news:521d0b73.3090...@measurement-factory.com...
On 08/26/2013 03:38 PM, Markus Moeller wrote:
Here is the updated patch.

-if (pp && pp->next) {
-xfree(pp->next);
-pp->next = NULL;
-}
+safe_free(pp->next);

This change will cause crashes on single-entry lists where pp is NULL.

-if (p == gdsp) {
-xfree(gdsp);
-gdsp = NULL;
-}
+safe_free(gdsp);
p = gdsp;

This change will prevent cleanup of all entries except the very first one because the outer p-loop will terminate with p=gdsp making p NULL.

Similar problems in another, similar part of the patch.

You can completely remove an if-statement when using safe_free, but only where the if guard is the same as the one provided by safe_free:

if (p) {
xfree(p);
p = NULL;
}

can be replaced with

safe_free(p);

However,

if (something && p) {
xfree(p);
p = NULL;
}

can only be replaced with

if (something) safe_free(p);

Similarly,

if (something) {
xfree(p);
p = NULL;
}

can only be replaced with

if (something) safe_free(p);

HTH,
Alex.
Re: [PATCH] Fix leaks and check for newer libraries in Kerberos related helpers
Thank you for pointing this out. I was too radical :-(.

Markus

"Alex Rousskov" wrote in message news:521d0b73.3090...@measurement-factory.com...
On 08/26/2013 03:38 PM, Markus Moeller wrote:
Here is the updated patch.

-if (pp && pp->next) {
-xfree(pp->next);
-pp->next = NULL;
-}
+safe_free(pp->next);

This change will cause crashes on single-entry lists where pp is NULL.

-if (p == gdsp) {
-xfree(gdsp);
-gdsp = NULL;
-}
+safe_free(gdsp);
p = gdsp;

This change will prevent cleanup of all entries except the very first one because the outer p-loop will terminate with p=gdsp making p NULL.

Similar problems in another, similar part of the patch.

You can completely remove an if-statement when using safe_free, but only where the if guard is the same as the one provided by safe_free:

if (p) {
xfree(p);
p = NULL;
}

can be replaced with

safe_free(p);

However,

if (something && p) {
xfree(p);
p = NULL;
}

can only be replaced with

if (something) safe_free(p);

Similarly,

if (something) {
xfree(p);
p = NULL;
}

can only be replaced with

if (something) safe_free(p);

HTH,
Alex.
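Review bot: in the `-if (pp && pp->next) { -xfree(pp->next); -pp->next = NULL; -} +safe_free(pp->next);` hunk the dropped `pp &&` is exactly the part of the guard that safe_free() cannot supply, because the macro evaluates `pp->next` before testing it; keep the outer test and convert only the inner free, `if (pp) safe_free(pp->next);`. The same split applies to every site in the patch where the removed condition tested something other than the pointer being freed: only the literal `if (x) { xfree(x); x = NULL; }` collapses to a bare `safe_free(x)`.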
Re: helper protocol in 3.4
Apologies, I had a minor error for Heimdal detection.

Markus

"Markus Moeller" wrote in message news:kv7ku6$e5f$1...@ger.gmane.org...
Hi Amos,

I have a very new update to the negotiate helper which should make it unnecessary to do any ldap group lookups for MS Active Directory environments. It would require the new protocol and I would appreciate if you could let me know how to read the kv pairs in an external ACL helper I still need to write.

As you may know MS adds SIDs of the groups to a Kerberos ticket. I can now extract these groups as a base64 encoded string, which just needs to be compared with in the external ACL helper.

Here is an example debug output:

negotiate_kerberos_pac.cc(358): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got PAC data of lengh 512
negotiate_kerberos_pac.cc(177): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 5 rids
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1132
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1141
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1207
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1142
negotiate_kerberos_pac.cc(247): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1828870822-1098772068-2592627279
negotiate_kerberos_pac.cc(268): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(316): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-1828870822-1098772068-2592627279-1107
negotiate_kerberos_pac.cc(438): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Read 512 of 512 bytes
negotiate_kerberos_auth.cc(431): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAUVploCbWTufUFPWoiaAQIAAA== group=AQUAAAUVploCbWTufUFPWoiabAQAAA== group=AQUAAAUVploCbWTufUFPWoiadQQAAA== group=AQUAAAUVploCbWTufUFPWoiatwQAAA== group=AQUAAAUVploCbWTufUFPWoiadgQAAA== group=AQUAAAUVploCbWTufUFPWoiaUwQ= AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home
negotiate_kerberos_auth.cc(436): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home

As you can see I create a list of base64 encoded SIDs (I have also attached some code to convert it if you want to) e.g.

./convert_sid AQUAAAUVploCbWTufUFPWoiadgQAAA==
argc: 2
argv: AQUAAAUVploCbWTufUFPWoiadgQAAA==
S-1-5-21-1828870822-1098772068--1702340017-1142

To configure an external ACL helper an Administrator needs to list the groups (MS only adds Security groups to the ticket afaik) of a user. As an example my mm id has:

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)" memberof
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (samaccountname=mm)
# requesting: memberof
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
memberOf:: Q0490L/QtdGB0L3RjyxPVT1Hcm91cHMsREM9d2luMjAwM3IyLERDPWhvbWU=
memberOf: CN=Group2,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Group1,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=win2003r2,DC=home

# search reference
ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

# search result
search: 5
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

For example the objectsid (this is what is in the kerberos ticket) is also base64 encoded in ldap (this is why I chose to use the encoded form, to make the helper a cut and paste exercise)

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(cn=Group2)" objectsid
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=Group2)
# requesting: objectsid
#

# Group2, Groups, win2003r2.home
dn: CN=Group2,OU=Groups,DC=win2003r2,DC=home
objectSid:: AQUAAAUVploCbWTufUFPWoiadgQAAA==

# search reference
ref: ldap://Fo
Re: helper protocol in 3.4
Hi Amos,

I have a very new update to the negotiate helper which should make it unnecessary to do any ldap group lookups for MS Active Directory environments. It would require the new protocol and I would appreciate if you could let me know how to read the kv pairs in an external ACL helper I still need to write.

As you may know MS adds SIDs of the groups to a Kerberos ticket. I can now extract these groups as a base64 encoded string, which just needs to be compared with in the external ACL helper.

Here is an example debug output:

negotiate_kerberos_pac.cc(358): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got PAC data of lengh 512
negotiate_kerberos_pac.cc(177): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 5 rids
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1132
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1141
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1207
negotiate_kerberos_pac.cc(184): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: Info: Got rid: 1142
negotiate_kerberos_pac.cc(247): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1828870822-1098772068-2592627279
negotiate_kerberos_pac.cc(268): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(316): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-1828870822-1098772068-2592627279-1107
negotiate_kerberos_pac.cc(438): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: INFO: Read 512 of 512 bytes
negotiate_kerberos_auth.cc(431): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAUVploCbWTufUFPWoiaAQIAAA== group=AQUAAAUVploCbWTufUFPWoiabAQAAA== group=AQUAAAUVploCbWTufUFPWoiadQQAAA== group=AQUAAAUVploCbWTufUFPWoiatwQAAA== group=AQUAAAUVploCbWTufUFPWoiadgQAAA== group=AQUAAAUVploCbWTufUFPWoiaUwQ= AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home
negotiate_kerberos_auth.cc(436): pid=8653 :2013/08/23 12:39:26| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home

As you can see I create a list of base64 encoded SIDs (I have also attached some code to convert it if you want to) e.g.

./convert_sid AQUAAAUVploCbWTufUFPWoiadgQAAA==
argc: 2
argv: AQUAAAUVploCbWTufUFPWoiadgQAAA==
S-1-5-21-1828870822-1098772068--1702340017-1142

To configure an external ACL helper an Administrator needs to list the groups (MS only adds Security groups to the ticket afaik) of a user. As an example my mm id has:

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)" memberof
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (samaccountname=mm)
# requesting: memberof
#

# Markus Moeller, HomeUsers, win2003r2.home
dn: CN=Markus Moeller,OU=HomeUsers,DC=win2003r2,DC=home
memberOf:: Q0490L/QtdGB0L3RjyxPVT1Hcm91cHMsREM9d2luMjAwM3IyLERDPWhvbWU=
memberOf: CN=Group2,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Group1,OU=Groups,DC=win2003r2,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=win2003r2,DC=home

# search reference
ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

# search result
search: 5
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

For example the objectsid (this is what is in the kerberos ticket) is also base64 encoded in ldap (this is why I chose to use the encoded form, to make the helper a cut and paste exercise)

ldapsearch -H ldap://w2k3r2.win2003r2.home:389 -s sub -b DC=WIN2003R2,DC=HOME "(cn=Group2)" objectsid
SASL/GSSAPI authentication started
SASL username: m...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=Group2)
# requesting: objectsid
#

# Group2, Groups, win2003r2.home
dn: CN=Group2,OU=Groups,DC=win2003r2,DC=home
objectSid:: AQUAAAUVploCbWTufUFPWoiadgQAAA==

# search reference
ref: ldap://ForestDnsZones.win2003r2.home/DC=ForestDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://DomainDnsZones.win2003r2.home/DC=DomainDnsZones,DC=win2003r2,DC=home

# search reference
ref: ldap://win2003r2.home/CN=Configuration,DC=win2003r2,DC=home

# search result
search: 5
result: 0 Suc
Re: helper protocol in 3.4
Hi Amos,

I may have a helper for that case soon.

Thank you
Markus

"Amos Jeffries" wrote in message news:52106190.2030...@treenet.co.nz...
On 18/08/2013 9:32 a.m., Markus Moeller wrote:
Hi,
I am looking at a way to provide information in addition to the username from the auth helper to the external acl helper. Can I use kv pairs in squid 3.4 ? I see there is a kv pair group= . Does it mean the auth helper can return details which will be used by the external acl helper ?
Thank you
Markus

Yes kv-pairs are supported in 3.4. I reserved group= so the auth helper can do exactly that. For usage in either external ACL helpers, or in a "group" type ACL. However, at present the internal parts of Squid do not exist to do anything with it.

The planned definition is to have helpers return one "group=" kv-pair for each group the auth helper can identify and attach them as annotation data to the credentials pair.

Amos
helper protocol in 3.4
Hi,

I am looking at a way to provide information in addition to the username from the auth helper to the external acl helper. Can I use kv pairs in squid 3.4 ? I see there is a kv pair group= . Does it mean the auth helper can return details which will be used by the external acl helper ?

Thank you
Markus
Re: [PATCH] SQUID 3.3 ext_kerberos_ldap_group_acl
And to the trunk please. Markus "Markus Moeller" wrote in message news:kmlb8g$n29$1...@ger.gmane.org... Hi Amos, Could you apply this patch to version 3.3 please ? Thank you Markus
[PATCH] SQUID 3.3 ext_kerberos_ldap_group_acl
Hi Amos,

Could you apply this patch to version 3.3 please ?

Thank you
Markus

Attachment: kerberos_ldap_group.patch
Re: squid as a socks server
What is wrong with the dante socks server ? Why the effort with squid supporting socks ? Markus "James Harper" wrote in message news:6035a0d088a63a46850c3988ed045a4b3878a...@bitcom1.int.sbss.com.au... Having a look at this page http://wiki.squid-cache.org/Features/Socks I can't tell for sure if this project is talking about a socks server, socks client, or both. I think it's both but the two functions are different enough they should probably be separate projects... I like the idea of squid as a socks server because it already has all the authentication and logging infrastructure, even though it probably can't actually cache anything via socks. The problem I'm trying to solve is what to do with all the protocols that I want to police that aren't http/https, and what to do with applications that don't know how to authenticate to proxies but could authenticate to a socks server via a socks client. Is anyone working on this? OK so not a lot of interest? Suppose I wanted to implement this... it's been over a decade since I last looked at the squid code in any detail but looking around now I think I would need to do something like: . add socks_port configuration option to cf.data.pre . add code to parsePortCfg to detect socks_port params . tune parsePortSpecification to validate options At this stage I think socks is quite similar to CONNECT for the outgoing port case (bind and udp are completely different obviously), so I'm assuming that reusing the existing code around PortCfg is a good start. Any tips on where to go next would be appreciated. Thanks James
[PATCH] Patch for squid 3.2 and trunk to use rfc1738 escapes
Hi Amos,

I am resending this with [PATCH] in subject.

Please find attached a patch which uses rfc1738 escapes for negotiate_kerberos logging and kerberos_ldap_group. It also includes the option for kerberos_ldap_group to read group information from stdin instead of a command line argument.

Regards
Markus

Attachments: rfc1738-trunk.patch, rfc1738.patch
Patch for squid 3.2 and trunk to use rfc1738 escapes
Hi Amos,

Please find attached a patch which uses rfc1738 escapes for negotiate_kerberos logging and kerberos_ldap_group. It also includes the option for kerberos_ldap_group to read group information from stdin instead of a command line argument.

Regards
Markus

Attachments: rfc1738-trunk.patch, rfc1738.patch
Re: Question about rfc1738_escape
Is that a general problem or just with printf ?

Markus

"Henrik Nordström" wrote in message news:1346007797.22656.1.ca...@home.hno.se...
Sun 2012-08-26 at 19:28 +0100, Markus Moeller wrote:
Why can't I use the function multiple times in a printf line ?

because it uses a static return buffer, you need to copy the resulting string somewhere before making the next call.

Regards
Henrik
Question about rfc1738_escape
Why can't I use the function multiple times in a printf line ?

Example:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "rfc1738.h"

int main(int argc, char *const argv[])
{
    char *user1, *user2, *user3;
    user2 = strdup("0123456789ABCDEFG");
    user1 = strdup("abcd");
    user3 = strdup("abcdefghijklmnopqrst");
    printf("User1: %s\n", rfc1738_escape(user1));
    printf("User2: %s\n", rfc1738_escape(user2));
    printf("User3: %s\n", rfc1738_escape(user3));
    /* all three calls are evaluated before printf() sees any of the results */
    printf("All Users: %s|%s|%s\n", rfc1738_escape(user1), rfc1738_escape(user2), rfc1738_escape(user3));
    free(user1);
    free(user2);
    free(user3);
    return 0;
}

gives (last line for All Users is wrong):

Output:
User1: abcd
User2: 0123456789ABCDEFG
User3: abcdefghijklmnopqrst
All Users: abcd|abcd|abcd

Thank you
Markus
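Henrik's answer above (rfc1738_escape() returns a pointer into one static buffer) is the whole explanation for the three identical fields in the last printf(). The following is an added example, not Squid's code: escape_static() is a toy stand-in for rfc1738_escape() with a deliberately simplified character set (only letters, digits and "-_." pass, everything else is %XX-encoded; Squid's real function keeps more characters, which does not affect the aliasing), results_alias() shows that three calls hand back the same pointer, and the two join_* functions show the two fixes, copying each result before the next call, and a reentrant variant that writes into a caller buffer. The inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ESC_BUF 1024

/* Percent-encode into a caller-supplied buffer (simplified rules, see above).
 * Returns bytes written, or -1 if out is too small. */
static int escape_into(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; ++p) {
        if (isalnum(*p) || strchr("-_.", *p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Stand-in for rfc1738_escape(): one static buffer shared by every call. */
static const char *escape_static(const char *in) {
    static char buf[ESC_BUF];
    if (escape_into(in, buf, sizeof buf) < 0) buf[0] = '\0';
    return buf;
}

static char *dup_str(const char *s) {           /* strdup() without relying on POSIX */
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* The bug: three calls in one argument list all return the same pointer, so
 * printf() prints one value three times, and which value it is depends on
 * the unspecified evaluation order of the arguments. */
int results_alias(const char *a, const char *b, const char *c) {
    const char *pa = escape_static(a);
    const char *pb = escape_static(b);
    const char *pc = escape_static(c);
    return pa == pb && pb == pc;
}

/* Fix 1: copy each result out of the static buffer before the next call. */
char *join_escaped_copy(const char *a, const char *b, const char *c) {
    char *ea = dup_str(escape_static(a));
    char *eb = dup_str(escape_static(b));
    char *ec = dup_str(escape_static(c));
    char *out = NULL;
    if (ea && eb && ec) {
        size_t n = strlen(ea) + strlen(eb) + strlen(ec) + 3;   /* two '|' plus NUL */
        if ((out = malloc(n)) != NULL) snprintf(out, n, "%s|%s|%s", ea, eb, ec);
    }
    free(ea); free(eb); free(ec);
    return out;                                            /* caller frees */
}

/* Fix 2: a reentrant interface, one buffer per result, no shared state. */
char *join_escaped_reentrant(const char *a, const char *b, const char *c) {
    char ea[ESC_BUF], eb[ESC_BUF], ec[ESC_BUF];
    if (escape_into(a, ea, sizeof ea) < 0 || escape_into(b, eb, sizeof eb) < 0 ||
        escape_into(c, ec, sizeof ec) < 0)
        return NULL;
    size_t n = strlen(ea) + strlen(eb) + strlen(ec) + 3;
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s|%s|%s", ea, eb, ec);
    return out;                                            /* caller frees */
}

/* 1 if both fixes produce `expected` for the three inputs. */
int join_matches(const char *a, const char *b, const char *c, const char *expected) {
    char *x = join_escaped_copy(a, b, c);
    char *y = join_escaped_reentrant(a, b, c);
    int ok = x && y && strcmp(x, expected) == 0 && strcmp(y, expected) == 0;
    free(x);
    free(y);
    return ok;
}

int main(void) {
    const char *u1 = "abcd", *u2 = "0123456789ABCDEFG", *u3 = "a b/c";   /* constructed inputs */
    printf("results alias one buffer: %d\n", results_alias(u1, u2, u3));
    char *j = join_escaped_reentrant(u1, u2, u3);
    printf("All Users: %s\n", j ? j : "(error)");
    free(j);
    return 0;
}
```

The reentrant form is the one to prefer in helper code that runs per request: it also removes the thread-safety problem a static buffer carries, not only the printf() surprise.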
Bug in commBind ?
I run OpenSuse 21.1 with squid3-3.1.16-2.3.1.x86_64 and have disabled ipv6, but commBind tries to bind to the ipv6 loopback instead of ipv4 when starting an external helper. Is this a bug or an OpenSuse package issue ? 2012/04/06 19:03:27| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes 2012/04/06 19:03:27| commBind: Cannot bind socket FD 90 to [::1]: (99) Cannot assign requested address 2012/04/06 19:03:27| commBind: Cannot bind socket FD 91 to [::1]: (99) Cannot assign requested address 2012/04/06 19:03:27| ipcCreate: Failed to create child FD. Markus
Re: [RFC] merging NTLM and Negotiate scheme components
squid_kerb_auth should be able to handle pure GSSAPI as well as SPNEGO blobs. I did see it in some Windows environments, but is there an RFC for Kerberos like there is for Negotiate ?

Markus

"Henrik Nordström" wrote in message news:1324342293.21380.5.ca...@henriknordstrom.net...
Sat 2011-12-17 at 16:09 +1300, Amos Jeffries wrote:
It seems we should be relaying Kerberos but not advertising (lack of specific module). Should it be advertised as a separate mechanism to Negotiate?

Yes it's a separate scheme named Kerberos. But other than that it can share all of negotiate. The same helper protocol & states. And quite likely even same helper in several cases even if the blobs differ. (helper dependent if it accepts both SPNEGO wrapped GSSAPI and bare GSSAPI)

Regards
Henrik
Re: [RFC] merging NTLM and Negotiate scheme components
Hi Amos,

I assume this will also eliminate the need of my negotiate_wrapper helper.

Markus

"Amos Jeffries" wrote in message news:4eec0ce8.9040...@treenet.co.nz...
On 17/12/2011 3:31 p.m., Henrik Nordström wrote:
And a slightly better cleaned up patch.

Basically it boils down to a different form of AF/NA responses where the negotiate/kerberos responses includes a blob that needs to be sent to the requesting client, while ntlm just has username or message in the helper response.

Regards
Henrik

Sat 2011-12-17 at 03:12 +0100, Henrik Nordström wrote:
Attached is a patch showing the tiny differences between Negotiate and NTLM in the 3.0 sources.
Have not attempted doing the same in later sources as I expect they have drifted further apart there when restructured a bit.
Regards
Henrik

Omitting symbol names, the difference should now be that blob, the virtual type() function used to generate headers, and fixHeaders emitting Authentication-Info details for Negotiate.

Amos
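Henrik's remark that a helper may have to accept both SPNEGO-wrapped and bare GSS-API tokens, and the negotiate_wrapper helper Markus mentions, both come down to looking at the first bytes of the base64-decoded blob. The following is an added example, not code from Squid or from negotiate_wrapper: it classifies a token as NTLMSSP, bare Kerberos 5 GSS-API, SPNEGO NegTokenInit or SPNEGO NegTokenResp, and for a NegTokenResp pulls out negState and whether supportedMech is Kerberos. The main() runs it over the 22 bytes that the helper reply token `oRQwEqADCgEAoQsGCSqGSIb3EgECAg==` quoted in the debug output earlier in the thread decodes to (a NegTokenResp with accept-completed and mech 1.2.840.113554.1.2.2); the NTLMSSP type 1 prefix, the Kerberos InitialContextToken header and the NegTokenInit header used elsewhere are constructed headers only. A helper that branches on this classification decides which credential path a client gets, so anything that does not parse as one of the known shapes should be rejected rather than handed to a default mechanism.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a Negotiate blob turns out to be once base64-decoded. */
enum tok_kind { TOK_BAD = -1, TOK_NTLMSSP, TOK_KRB5_RAW, TOK_SPNEGO_INIT, TOK_SPNEGO_RESP };

static const unsigned char OID_SPNEGO[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};                /* 1.3.6.1.5.5.2 */
static const unsigned char OID_KRB5[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}; /* 1.2.840.113554.1.2.2 */

/* DER length at p: returns header bytes consumed (0 on error) and stores the
 * content length in *len. Definite lengths of up to 4 bytes only. */
static size_t der_len(const unsigned char *p, size_t avail, size_t *len) {
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; ++i) *len = (*len << 8) | p[1 + i];
    return 1 + n;
}

/* 1 if p starts with a DER OBJECT IDENTIFIER equal to oid[0..oidlen). */
static int is_oid(const unsigned char *p, size_t avail, const unsigned char *oid, size_t oidlen) {
    return avail >= 2 + oidlen && p[0] == 0x06 && p[1] == oidlen && memcmp(p + 2, oid, oidlen) == 0;
}

enum tok_kind classify_token(const unsigned char *t, size_t n) {
    if (n >= 8 && memcmp(t, "NTLMSSP", 8) == 0)   /* the signature includes its NUL */
        return TOK_NTLMSSP;
    if (n < 2) return TOK_BAD;
    if (t[0] == 0xa1) return TOK_SPNEGO_RESP;     /* [1] NegTokenResp carries no 0x60 wrapper */
    if (t[0] != 0x60) return TOK_BAD;             /* RFC 2743 InitialContextToken */
    size_t len, h = der_len(t + 1, n - 1, &len);
    if (!h || len > n - 1 - h) return TOK_BAD;
    const unsigned char *oid = t + 1 + h;
    if (is_oid(oid, len, OID_SPNEGO, sizeof OID_SPNEGO)) return TOK_SPNEGO_INIT;
    if (is_oid(oid, len, OID_KRB5, sizeof OID_KRB5)) return TOK_KRB5_RAW;
    return TOK_BAD;                               /* some other mech: do not guess */
}

/* For a NegTokenResp: returns negState (0 accept-completed, 1 accept-incomplete,
 * 2 reject, 3 request-mic) or -1 if malformed; *krb5 becomes 1 when
 * supportedMech names Kerberos 5. */
int negtokenresp_parse(const unsigned char *t, size_t n, int *krb5) {
    *krb5 = 0;
    if (n < 2 || t[0] != 0xa1) return -1;
    size_t len, h = der_len(t + 1, n - 1, &len);
    if (!h || len > n - 1 - h) return -1;
    const unsigned char *p = t + 1 + h;
    if (len < 2 || p[0] != 0x30) return -1;       /* SEQUENCE of context-tagged fields */
    size_t seq, sh = der_len(p + 1, len - 1, &seq);
    if (!sh || seq > len - 1 - sh) return -1;
    p += 1 + sh;
    int state = -1;
    while (seq >= 2) {
        size_t flen, fh = der_len(p + 1, seq - 1, &flen);
        if (!fh || flen > seq - 1 - fh) return -1;
        const unsigned char *v = p + 1 + fh;
        if (p[0] == 0xa0 && flen == 3 && v[0] == 0x0a && v[1] == 1) state = v[2];      /* [0] ENUMERATED */
        if (p[0] == 0xa1 && is_oid(v, flen, OID_KRB5, sizeof OID_KRB5)) *krb5 = 1; /* [1] supportedMech */
        p += 1 + fh + flen;
        seq -= 1 + fh + flen;
    }
    return state;
}

int negtokenresp_state(const unsigned char *t, size_t n) {
    int k;
    return negtokenresp_parse(t, n, &k);
}

int negtokenresp_mech_is_krb5(const unsigned char *t, size_t n) {
    int k;
    return negtokenresp_parse(t, n, &k) >= 0 && k;
}

int main(void) {
    /* The bytes behind "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== ..." from the thread. */
    static const unsigned char resp[] = {0xa1, 0x14, 0x30, 0x12, 0xa0, 0x03, 0x0a, 0x01, 0x00, 0xa1, 0x0b,
                                         0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
    int krb5, st = negtokenresp_parse(resp, sizeof resp, &krb5);
    printf("kind=%d negState=%d supportedMech-is-krb5=%d\n", classify_token(resp, sizeof resp), st, krb5);
    return 0;
}
```

In the helper protocol these bytes travel base64-encoded; the base64 prefix TlRMTVNTUAAB is the familiar text form of the NTLMSSP type 1 signature, YII/YH is the 0x60 InitialContextToken wrapper, and oY/oR the 0xa1 NegTokenResp tag, which is why helpers can often dispatch on the first characters before decoding. The parser here is the decoded-bytes equivalent and additionally checks that the lengths are consistent.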
Re: Patch for kerberos_ldap_group helper
Could you let me know which platform / gcc version ? Thank you Markus "Amos Jeffries" wrote in message news:4e1fcf62.5060...@treenet.co.nz... On 12/07/11 18:21, Amos Jeffries wrote: On 08/07/11 09:10, Markus Moeller wrote: Hi Amos, Could you please add this to the trunk. Thank you Markus Sorry, I thought I got that one in already. Applied now. Also applied the fix for bug 3195. Recent versions of GCC have started failing with unused variable warnings in the SASL support files. Is this attached patch okay? or should something actually be happening with the related flags? Amos Hmm, k. This is blocking some distros. I'm going to have to drop them anyway for now. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.14 Beta testers wanted for 3.2.0.9
Re: Patch for kerberos_ldap_group helper
Hi Amos, Could you please add this to the trunk. Thank you Markus "Markus Moeller" wrote in message news:iru0kr$bm1$1...@dough.gmane.org... Hi, Here is a small patch against the trunk to fix some minor issues. Markus
Patch for kerberos_ldap_group helper
Hi,

Here is a small patch against the trunk to fix some minor issues.

Markus

Attachment: kerberos_ldap_group_2.patch
cc file names
Hi would it be possible to avoid naming source files in different directories the same. It confuses my ddd/gdb debugger and it will always pickup for example ./src/auth/UserRequest.cc instead of ./src/auth/negotiate/UserRequest.cc. find . -name UserRequest.cc ./src/auth/ntlm/UserRequest.cc ./src/auth/negotiate/UserRequest.cc ./src/auth/basic/UserRequest.cc ./src/auth/digest/UserRequest.cc ./src/auth/UserRequest.cc or is this a ddd issue ? Markus
Re: [PATCH] pinning cleanup (testers wanted)
Hi Amos, Using the latest trunk version squid crashes when I use negotiate wrapper and Kerberos. It did not do so before. (gdb) where #0 0xe424 in __kernel_vsyscall () #1 0xb71e77ff in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #2 0xb71e9140 in abort () at abort.c:92 #3 0x0812f9e8 in xassert (msg=0x82bf30c "request->clientConnectionManager == http_conn", file=0x82bee62 "client_side_request.cc", line=836) at debug.cc:567 #4 0x08124fc3 in clientCheckPinning (this=0x84cb7f8) at client_side_request.cc:836 #5 clientInterpretRequestHeaders (this=0x84cb7f8) at client_side_request.cc:945 #6 ClientHttpRequest::doCallouts (this=0x84cb7f8) at client_side_request.cc:1335 #7 0x08126548 in ClientRequestContext::clientAccessCheckDone (this=0x84d0860, answer=1) at client_side_request.cc:659 #8 0x08126823 in ClientRequestContext::clientAccessCheck2 (this=0x84d0860) at client_side_request.cc:555 #9 0x081246c3 in ClientHttpRequest::doCallouts (this=0x84cb7f8) at client_side_request.cc:1328 #10 0x08126548 in ClientRequestContext::clientAccessCheckDone (this=0x84d0860, answer=1) at client_side_request.cc:659 #11 0x08227825 in ACLChecklist::checkCallback (this=0x84d0a08, answer=ACCESS_ALLOWED) at Checklist.cc:194 #12 0x08208c8f in ACLFilledChecklist::checkCallback (this=0x84d0a08, answer=ACCESS_ALLOWED) at FilledChecklist.cc:32 #13 0x0822845b in ACLChecklist::check (this=0x84d0a08) at Checklist.cc:105 #14 0x081f2c32 in ProxyAuthLookup::LookupDone (data=0x84d0a08, result=0x0) at AclProxyAuth.cc:173 #15 0x0821d075 in AuthNegotiateUserRequest::HandleReply (data=0x848c3b0, lastserver=0x848d870, reply=) at UserRequest.cc:399 #16 0x0816baac in helperStatefulHandleRead (fd=10, buf=0x8496970 "AF oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWq1L/YTAWybqyPUgTY241MqX/0T0hOW8P0hkAceWJ+9eziWLZiEtX70GvOB1kxvSDZYAbM0cAsw/rd4tcdz8ULyl1jeUsjqey0+vs"..., len=253, flag=COMM_OK, xerrno=0, data=0x848d870) at helper.cc:959 #17 0x0823a625 in 
CommIoCbPtrFun::dial (this=0x848d904) at CommCalls.cc:183 #18 0x08228e4b in AsyncCall::make (this=0x848d8e8) at AsyncCall.cc:34 #19 0x0822c3e7 in AsyncCallQueue::fireNext (this=0x848d268) at AsyncCallQueue.cc:54 #20 0x0822c560 in AsyncCallQueue::fire (this=0x848d268) at AsyncCallQueue.cc:40 #21 0x08146cf5 in EventLoop::runOnce (this=0xbfb417d4) at EventLoop.cc:131 #22 0x08146df0 in EventLoop::run (this=0xbfb417d4) at EventLoop.cc:95 #23 0x0819cc00 in SquidMain (argc=4, argv=0xbfb41904) at main.cc:1496 #24 0x0819d9bc in SquidMainSafe (argc=4, argv=0xbfb41904) at main.cc:1229 ---Type to continue, or q to quit--- #25 main (argc=4, argv=0xbfb41904) at main.cc:1221 "Amos Jeffries" wrote in message news:4dc6352a.3030...@treenet.co.nz... On 11/02/11 02:38, Amos Jeffries wrote: Since 1xx handing went in HttpRequest has had two links to the one ConnStateData managing its client connection. * Rename the 1xx link to clientConnectionManager (since it is not actually the connection, but the manager object controlling the FD usage and stats. * Convert the pinning code to using the permanent clientConnectionManager link instead of a temporary pinned_connection link. This moves all connection pinning state fully into the ConnStateData manager objects scope. Side changes that appear to be buggy code previously: * do not alter pinning state at the point where the pinned connection is about to start being used. Changes are only relevant at the point of pinning or unpinning. * unpin operation now closes the Server FD if still open. Previously there was the possibility that some code paths would leave server FD open and pconn it. (especially since the above mentioned state alteration cleared the "pinned" flag). Applied to trunk. revno 11419 Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.12 Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [PATCH] base-64 encoder upgrade
The negotiate wrapper and negotiate_kerberos_auth seem to work fine (with the known problem that NTLM does not work with the trunk version and negotiate_wrapper)

Markus

"Markus Moeller" wrote in message news:ipk6oe$h43$1...@dough.gmane.org...
> And this is a second error (or at least treated as one)
> [...]
> "Markus Moeller" wrote in message news:ipjlcl$qfu$1...@dough.gmane.org...
> > I get a compile error against the trunk version
> > [...]
Re: [PATCH] base-64 encoder upgrade
And this is a second error (or at least treated as one)

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include -I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_fake_auth.o -MD -MP -MF .deps/ntlm_fake_auth.Tpo -c -o ntlm_fake_auth.o ntlm_fake_auth.cc
cc1plus: warnings being treated as errors
ntlm_fake_auth.cc: In function ‘int main(int, char**)’:
ntlm_fake_auth.cc:154:9: error: ‘decodedLen’ may be used uninitialized in this function
make[3]: *** [ntlm_fake_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/fake'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'
make: *** [all-recursive] Error 1

Markus

"Markus Moeller" wrote in message news:ipjlcl$qfu$1...@dough.gmane.org...
> I get a compile error against the trunk version
> [...]
Re: [PATCH] base-64 encoder upgrade
I get a compile error against the trunk version

make[3]: Entering directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include -I../../../lib -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT ntlm_smb_lm_auth.o -MD -MP -MF .deps/ntlm_smb_lm_auth.Tpo -c -o ntlm_smb_lm_auth.o ntlm_smb_lm_auth.cc
cc1plus: warnings being treated as errors
ntlm_smb_lm_auth.cc: In function ‘void manage_request()’:
ntlm_smb_lm_auth.cc:530:40: error: comparison between signed and unsigned integer expressions
make[3]: *** [ntlm_smb_lm_auth.o] Error 1
make[3]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth/smb_lm'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers/ntlm_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/backup/bazaar/squid-3-bzr/squid-3.2-comp/helpers'

Markus

"Amos Jeffries" wrote in message news:4dbd4a1a.6000...@treenet.co.nz...
> On 01/05/11 22:49, Markus Moeller wrote:
> > Hi Amos,
> > Sure. How do I get the changes ?
> > Markus
> Did you not get the .patch file attached to the earlier email? (attaching again anyways)
> Amos
Re: [PATCH] base-64 encoder upgrade
Sorry I did, but I wasn't sure if that was the latest.

Thank you
Markus

"Amos Jeffries" wrote in message news:4dbd4a1a.6000...@treenet.co.nz...
> On 01/05/11 22:49, Markus Moeller wrote:
> > Hi Amos,
> > Sure. How do I get the changes ?
> > Markus
> Did you not get the .patch file attached to the earlier email? (attaching again anyways)
> Amos
Re: [PATCH] base-64 encoder upgrade
Hi Amos,

Sure. How do I get the changes ?

Markus

"Amos Jeffries" wrote in message news:4dbcc67d.7080...@treenet.co.nz...
> Markus, would you be happy to run some tests before this goes in and check that I have not screwed anything up?
> Amos
Re: Problem authenticating with Negotiate-NTLM
Hi Amos,

Where in the 3.2 squid code will the Proxy-Authorization: line be added ? I can see that the negotiate-wrapper correctly returns the TT and I see in the logs:

2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(272) HandleReply: helper: '0x84886f0' sent us 'TT TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb4d0
2011/04/10 01:07:43.849 kid1| negotiate/negotiateUserRequest.cc(325) HandleReply: Need to challenge the client with a server blob 'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='
2011/04/10 01:07:43.849 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.849 kid1| ACLChecklist::asyncInProgress: 0x84cb4d0 async set to 0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x84cb3e0
2011/04/10 01:07:43.849 kid1| cbdataReferenceValid: 0x8457df8
2011/04/10 01:07:43.849 kid1| ACLChecklist::preCheck: 0x84cb4d0 checking 'http_access allow authenticate'
2011/04/10 01:07:43.850 kid1| ACLList::matches: checking authenticate
2011/04/10 01:07:43.850 kid1| ACL::checklistMatches: checking 'authenticate'
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(345) authenticate: header Negotiate TlRMTVNTUAABBoIIAAA=.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(80) valid: Validating AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| UserRequest.cc(100) valid: Validated. AuthUserRequest '0x871dc88'.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(56) authenticated: user not fully authenticated.
2011/04/10 01:07:43.850 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACCQAJADAGgokAT7KQwRyCYyIAAHQAdAA5V0lOMjAwM1IyAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!

but the client never receives the Proxy-Authorization: line. It gets lost somewhere in the squid code. It works for pure NTLM.

Thank you
Markus

"Markus Moeller" wrote in message news:inn1ro$qnh$2...@dough.gmane.org...
> "Markus Moeller" wrote in message news:im5hrq$vbr$1...@dough.gmane.org...
> > I did some further tests and noticed the following:
> > [...]
> > "Markus Moeller" wrote in message news:im4v3n$374$1...@dough.gmane.org...
> > > Hi,
> > > I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see that the helper returns TT ...
> > > [...]
Re: Problem authenticating with Negotiate-NTLM
"Markus Moeller" wrote in message news:im5hrq$vbr$1...@dough.gmane.org...
> I did some further tests and noticed the following:
> 1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
> 2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or pure ntlm) (See polygraph-4.3.1-3.0.tgz)

I can get 3.0 to work by adding Connection: Keep-Alive to Polygraph's client code.

> 3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See polygraph-4.3.1-3.2.tgz)

3.2 still needs further analysis

> Markus
>
> "Markus Moeller" wrote in message news:im4v3n$374$1...@dough.gmane.org...
> > Hi,
> > I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see that the helper returns TT ...
> > [...]

Markus
Re: Problem authenticating with Negotiate-NTLM
Can someone confirm this or has an idea what I could check for ?

Thank you
Markus

"Markus Moeller" wrote in message news:im5hrq$vbr$1...@dough.gmane.org...
> I did some further tests and noticed the following:
> 1) IE with squid 3.0 works using my wrapper (See ie-nego-3.0.tgz)
> 2) Polygraph with squid 3.0 fails for ntlm (either via negotiate-ntlm or pure ntlm) (See polygraph-4.3.1-3.0.tgz)
> 3) Polygraph with squid 3.2 works for ntlm but fails negotiate-ntlm (See polygraph-4.3.1-3.2.tgz)
> Markus
>
> "Markus Moeller" wrote in message news:im4v3n$374$1...@dough.gmane.org...
> > Hi,
> > I try to use my negotiate-wrapper with auth_ntlm and squid-3.2 and see that the helper returns TT ... and squid logs
> >
> > 2011/03/20 13:08:19.544 kid1| negotiate/negotiateUserRequest.cc(201) authenticate: need to challenge client 'TlRMTVNTUAACEgASADAFgomivxsqHXpxr1kAAHQAdABCVwBJAE4AMgAwADAAMwBSADIAAgASAFcASQBOADIAMAAwADMAUgAyAAEAFABPAFAARQBOAFMAVQBTAEUAMQAxAAQAEgBzAHUAcwBlAC4AaABvAG0AZQADACgAbwBwAGUAbgBzAHUAcwBlADEAMQAuAHMAdQBzAGUALgBoAG8AbQBlAAA='!
> >
> > but in the wireshark log I don't see a proxy-authenticate header line to challenge the client. What could be the reason ? When I switch to Negotiate-Kerberos everything works.
> > Attached are the config and log files.
> > Markus
Re: Patches for squid 3.2
"Amos Jeffries" wrote in message news:4d7db5d4.3080...@treenet.co.nz...
> On 14/03/11 12:34, Markus Moeller wrote:
> > Hi,
> > I have three patches for the squid trunk version.
> > 1) A patch for negotiate_kerberos_auth to fix a minor error in printing gss errors
> > 2) A patch for kerberos_ldap_group which adds a -S server option
> > 3) A patch to add negotiate_wrapper
> > In addition I indented all with:
> > indent -br -ce -i4 -ci4 -l80 -nlp -npcs -npsl -d0 -sc -di0 -psl
> > as documented for C sources.
> > Regards
> > Markus
>
> Patch (1) and (2) checked and merged.
> NP: the formatting needs to be done with scripts/formater.pl for squid-3. (No matter though, easily redone)

Sorry. Will remember for next time.

> The wrapper helper held back a few days so I can play with it some more.

Sure. It is quite new.

> Amos
> --
> Please be using Current Stable Squid 2.7.STABLE9 or 3.1.11 Beta testers wanted for 3.2.0.5

Thank you
Markus
Re: New external_acl helper squid_kerb_ldap
Hi Amos,

Could you let me know what are valid responses from the negotiate helper compared to the ntlm helper ? It seems I have to translate them.

Thank you
Markus

"Markus Moeller" wrote in message news:ilcv9m$kra$1...@dough.gmane.org...
> Hi Amos,
> When I use my wrapper I had to modify the samba ntlm_auth helper to return another AF string.
> [...]
Re: New external_acl helper squid_kerb_ldap
Hi Amos,

When I use my wrapper I had to modify the samba ntlm_auth helper to return another AF string. I run 3.0.STABLE25 and

/usr/bin/ntlm_auth -V
Version 3.5.4-2489-SUSE-SL11.3

FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'

Would it be possible that the Negotiate reply handler accepts both formats ? I used

auth_param negotiate program /usr/sbin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/sbin/squid_kerb_auth -d -s GSS_C_NO_NAME

Thank you
Markus

2011/03/10 22:44:34| negotiate_wrapper: Got 'YR TlRMTVNTUAABB4IIogAFAs4ODw==' from squid (length: 59).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAABB4IIogAFAs4ODw==' (decoded length: 40).
2011/03/10 22:44:34| negotiate_wrapper: received type 1 NTLM token
2011/03/10 22:44:34| negotiate_wrapper: Got 'KK TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' from squid (length: 239).
2011/03/10 22:44:34| negotiate_wrapper: Decode 'TlRMTVNTUAADGAAYAIAYABgAmBIAEgBIGgAaAFoMAAwAdACwBYKIogUCzg4PVwBJAE4AMgAwADAAMwBSADIAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXADIASwAzAFIAMgCkBlG0MZTzRwBFkwULOmCaiWNR/69aXr44O8ZJJ/pEwzE=' (decoded length: 176).
2011/03/10 22:44:34| negotiate_wrapper: received type 3 NTLM token
2011/03/10 22:44:35| storeDirWriteCleanLogs: Starting...
2011/03/10 22:44:35| WARNING: Closing open FD 25
2011/03/10 22:44:35| Finished. Wrote 2747 entries.
2011/03/10 22:44:35| Took 0.00 seconds (1852326.37 entries/sec).
FATAL: authenticateNegotiateHandleReply: *** Unsupported helper response ***, 'AF WIN2003R2\administrator'
Squid Cache (Version 3.0.STABLE25): Terminated abnormally.
CPU Usage: 0.225 seconds = 0.017 user + 0.208 sys
Maximum Resident Size: 39392 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 3244 KB
Ordinary blocks: 3163 KB 7 blks
Small blocks: 0 KB 0 blks
Holding blocks: 3664 KB 13 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 80 KB
Total in use: 6827 KB 210%
Total free: 80 KB 2%
2011/03/10 22:44:38| Starting Squid Cache version 3.0.STABLE25 for i686-suse-linux-gnu...

"Amos Jeffries" wrote in message news:4c651eb3.6020...@treenet.co.nz...
> Markus Moeller wrote:
> > "Amos Jeffries" wrote in message news:4c5187d2.5010...@treenet.co.nz...
> > > Markus Moeller wrote:
> > > > Hi Amos,
> > > > How does your time look like now ?
> > > > Regards
> > > > Markus
> > > Looks passable. I have not had time for a detailed view of the logics. I'll commit this tomorrow with a name tweak, the naming scheme has been through the external acl helpers too now. I'll just tack ext_ on the front and _acl on the back of the existing binary name and update the docs to match.
> > > One thing that worries me still is the RUN_IFELSE autoconf macros still being added to configure.in. I'm sure there is a macro that checked for defined values of things inside headers without running stuff. If you can try and find that it would be great not to have to run anything on build.
> > I have 4 RUN_IFELSE. The first is to check that ldap works with the provided libraries. Is that unusual ? Any other suggestion how to check ?
> Um, okay. That's reasonable on build. Duplicating at run-time may also be useful since the particular run-time libraries are not always the ones built against.
> > The other three are to determine the LDAP vendor, which is a define statement in one of the ldap header files and as it is a string in a define I can not use any header grep nor preprocessor checks (at least I do not know of any).
> Nasty. Oh well.
> Okay. Have applied to Squid-3.HEAD with the extra ext_*_acl bits on the binary name and docs for the current naming style.
> Amos
> --
> Please be using Current Stable Squid 2.7.STABLE9 or 3.1.6 Beta testers wanted for 3.2.0.1
Re: New Auth configuration options
"Amos Jeffries" wrote in message news:6a344dc47f7a230a7cf24e0a5bed7...@treenet.co.nz...
> On Sun, 6 Mar 2011 12:39:28 -0000, Markus Moeller wrote:
> > "Amos Jeffries" wrote in message news:4d73721e.4000...@treenet.co.nz...
> > > On 06/03/11 00:46, Markus Moeller wrote:
> > > > "Amos Jeffries" wrote in message news:4d718401.6050...@treenet.co.nz...
> > > > > On 05/03/11 05:41, Markus Moeller wrote:
> > > > > > Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid, which I think is quite some duplication.
> > > > > > Markus
> > > > > Squid already does the tri-state response handling similarly for Negotiate and NTLM auth schemes. The blob decoding and response state is entirely up to the helper. I think the wrapper just needs to decode the blob and do either NTLM challenge+validate or Kerberos validate on the result depending on what detail it gets.
> > > > So squid keeps state to which helper instance the NTLM challenge was sent to ?
> > > Yes, and whether there is a challenge pending blocking it from other uses.
> > Good
> > > > > A flag internally to determine that an NTLM validate is the next state after challenge will be needed to avoid sending NTLM challenge then validating the follow-up with Kerberos.
> > > > I really don't want to program all of that. I just would like to hand it over to the existing squid_kerb_auth or ntlm_auth helper after identification of the blob being NTLM or not. But if I hand the token over squid_kerb_auth or ntlm_auth will get into an endless loop and won't return to my wrapper. Does that make sense ?
> > > Nope. Sorry. Is the wrapper calling itself recursively when the first sub-lookup results in failure? The only loop I can see is when Negotiate/NTLM challenge-response arrives. If the wrapper passes it to Kerberos it may have bad consequences, though I'm not certain. If Kerberos can validate the NTLM challenge responses safely that simplifies things a lot.
> > > As for programming, we have a libntlmauth library bundled with Squid which has NTLM decoder functions and "struct ntlmhdr" definitions in it. Code would be something like:
> > >
> > > flag = unset
> > > while(fgets(input)) {
> > >     base64decode(input, output);
> > >     validation_reply = ntlm_validate_packet((struct ntlmhdr*)output, );
> > >     if (validation_reply && flag != doing_ntlm) {
> > >         ... get result from kerberos ...
> > Here I see a problem. I assume I can re-use the existing helpers. How do I start it and get data to and from it ?
> That would be via fork() or vfork() earlier during startup setting up a pair of pipes to the other helper.

OK. That is what I thought might work.

> > >     } else {
> > >         flag = unset
> > >         ... get result or challenge from NTLM ...
> > Same here.
> > >         if result is challenge
> > >             flag = doing_ntlm
> > >     }
> > >     ... pass result to squid
> > > }
> Amos

Markus
Re: New Auth configuration options
"Amos Jeffries" wrote in message news:4d73721e.4000...@treenet.co.nz...
> On 06/03/11 00:46, Markus Moeller wrote:
> > "Amos Jeffries" wrote in message news:4d718401.6050...@treenet.co.nz...
> > > On 05/03/11 05:41, Markus Moeller wrote:
> > > > Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid, which I think is quite some duplication.
> > > > Markus
> > > Squid already does the tri-state response handling similarly for Negotiate and NTLM auth schemes. The blob decoding and response state is entirely up to the helper. I think the wrapper just needs to decode the blob and do either NTLM challenge+validate or Kerberos validate on the result depending on what detail it gets.
> > So squid keeps state to which helper instance the NTLM challenge was sent to ?
> Yes, and whether there is a challenge pending blocking it from other uses.

Good

> > > A flag internally to determine that an NTLM validate is the next state after challenge will be needed to avoid sending NTLM challenge then validating the follow-up with Kerberos.
> > I really don't want to program all of that. I just would like to hand it over to the existing squid_kerb_auth or ntlm_auth helper after identification of the blob being NTLM or not. But if I hand the token over squid_kerb_auth or ntlm_auth will get into an endless loop and won't return to my wrapper. Does that make sense ?
> Nope. Sorry. Is the wrapper calling itself recursively when the first sub-lookup results in failure? The only loop I can see is when Negotiate/NTLM challenge-response arrives. If the wrapper passes it to Kerberos it may have bad consequences, though I'm not certain. If Kerberos can validate the NTLM challenge responses safely that simplifies things a lot.
> As for programming, we have a libntlmauth library bundled with Squid which has NTLM decoder functions and "struct ntlmhdr" definitions in it. Code would be something like:
>
> flag = unset
> while(fgets(input)) {
>     base64decode(input, output);
>     validation_reply = ntlm_validate_packet((struct ntlmhdr*)output, );
>     if (validation_reply && flag != doing_ntlm) {
>         ... get result from kerberos ...

Here I see a problem. I assume I can re-use the existing helpers. How do I start it and get data to and from it ?

>     } else {
>         flag = unset
>         ... get result or challenge from NTLM ...

Same here.

>         if result is challenge
>             flag = doing_ntlm
>     }
>     ... pass result to squid
> }
>
> "Simples", as the rat said to the piper.
> Amos
>
> -----Original Message-----
> From: Henrik Nordström
> [...]
Re: New Auth configuration options
"Amos Jeffries" wrote in message news:4d718401.6050...@treenet.co.nz...
> On 05/03/11 05:41, Markus Moeller wrote:
> > Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid, which I think is quite some duplication.
> > Markus
> Squid already does the tri-state response handling similarly for Negotiate and NTLM auth schemes. The blob decoding and response state is entirely up to the helper. I think the wrapper just needs to decode the blob and do either NTLM challenge+validate or Kerberos validate on the result depending on what detail it gets.

So squid keeps state to which helper instance the NTLM challenge was sent to ?

> A flag internally to determine that an NTLM validate is the next state after challenge will be needed to avoid sending NTLM challenge then validating the follow-up with Kerberos.

I really don't want to program all of that. I just would like to hand it over to the existing squid_kerb_auth or ntlm_auth helper after identification of the blob being NTLM or not. But if I hand the token over squid_kerb_auth or ntlm_auth will get into an endless loop and won't return to my wrapper. Does that make sense ?

> "Simples", as the rat said to the piper.
> Amos
>
> -----Original Message-----
> From: Henrik Nordström
> [...]
Re: New Auth configuration options
Do you have an idea how such a wrapper would work ? The issue I see is that the wrapper helper must do the same process management as squid, which I think is quite some duplication.

Markus

"Guido Serassio" wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
> Hi Henrik,
> I was thinking about the same thing a few minutes ago ... :-)
> +1
> Regards
> Guido
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> Via Lucia Savarino, 1
> 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135
> Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
> -----Original Message-----
> From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
> Sent: Thursday, 8 April 2010 21:47
> To: Markus Moeller
> Cc: squid-dev@squid-cache.org
> Subject: Re: New Auth configuration options
>
> On Wed, 2010-04-07 at 20:27 +0100, Markus Moeller wrote:
> > Would it make sense to define in squid two new configuration options to control Negotiate authentication ? I am thinking of adding
> >
> > Negotiate-NTLM
> >
> > and
> >
> > Negotiate-Kerberos
>
> I would prefer a wrapper helper doing this selection.
>
> Regards
> Henrik
Polygraph Kerberos patch
Hi

Here is a patch for the latest polygraph version to perform Kerberos based performance testing. Apply attached patch and rebuild configure and other files with:

    aclocal
    autoheader
    automake -a
    autoreconf -f -i

Now run ./configure ...

Four new options are introduced:

1) kerberos_auth = true;
   Selects Kerberos over NTLM in Negotiate requests
2) kerberos_config_path = "krb5_WINDOWS.conf";
   Defines the Kerberos configuration file to use
3) kerberos_clear_cache = true;
   Do not cache credentials but re-authenticate user for every HTTP request. Creates high amount of Kerberos traffic to kdc or Active Directory and not recommended
4) kerberos_proxy_spn = "HTTP/" ( and kerberos_server_spn = "HTTP/ for testing web server performance)
   Setting the spn avoids DNS resolution of the proxy or web server hostname to IP address and vice versa.

Simple Polygraph configuration

    /*
     * A very simple "Hello, World!" workload
     */

    // this is just one of the simplest workloads that can produce hits
    // never use this workload for benchmarking

    // SimpleContent defines properties of content that the server generates;
    // if you get no hits, set SimpleContent.obj_life_cycle to cntStatic, which
    // is defined in workloads/include/contents.pg
    Content SimpleContent = {
        size = exp(13KB);   // response sizes distributed exponentially
        cachable = 80%;     // 20% of content is uncachable
    };

    // a primitive server cleverly labeled "S101"
    // normally, you would specify more properties,
    // but we will mostly rely on defaults for now
    Server S = {
        kind = "S101";
        contents = [ SimpleContent ];
        direct_access = contents;
        addresses = [ '192.168.1.12:9090' ]; // where to create these server agents
    };

    DnsResolver dr = {
        servers = [ '127.0.0.1:53' ];
        timeout = 5sec;
    };

    AddrMap M = {
        addresses = [ '192.168.1.10' ,'192.168.1.11', '192.168.1.12' ];
        names = [ 'client.suse.home' , 'proxy.suse.home', 'server.suse.home' ];
    };

    // a primitive robot
    Robot R1 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
        origins = S.addresses;          // where the origin servers are
        addresses = [ '192.168.1.10' ]; // where these robot agents will be created
        //kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_SUSE.conf";
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
    };

    // a primitive robot
    Robot R2 = {
        kind = "R101";
        pop_model = { pop_distr = popUnif(); };
        recurrence = 55% / SimpleContent.cachable; // adjusted to get 55% DHR
        origins = S.addresses;          // where the origin servers are
        addresses = [ '192.168.1.10' ]; // where these robot agents will be created
        //kerberos_clear_cache = true;
        kerberos_auth = true;
        kerberos_config_path = "krb5_WINDOWS.conf";
        // user can be the same as in Robot R1 as the default domain in krb5 will differentiate them as user1@ and user1@
        kerberos_proxy_spn = "HTTP/proxy.suse.home";
        credentials = [ "user1:user1" ];
        dns_resolver = dr;
    };

    // commit to using these servers and robots
    use(M);
    use(S, R1, R2);

Run the client with:

    /opt/polygraph-4.0.11/bin/polygraph-client --proxy 192.168.1.11:3128 --config /home/markus/mysources/polygraph/simple_proxy.pg --verb_lvl 10 --log client.log

Simple Kerberos configuration file

    [libdefaults]
        default_realm = WIN2003R2.HOME
        default_keytab_name = /etc/krb5.keytab
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        #Heimdal settings
        default_etypes = arcfour-hmac-md5 des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        # DNS settings to reduce DNS traffic and rely on below settings
        dns_lookup_kdc = no
        dns_lookup_realm = no

    [realms]
        WIN2003R2.HOME = {
            kdc = 192.168.1.10
            admin_server = 192.168.1.10
        }

    [domain_realm]
        .win2003r2.home = WIN2003R2.HOME
        win2003r2.home = WIN2003R2.HOME

    [logging]

Using IP-addresses reduces the load on DNS !!

In the case of a high number of connections you may see errors 1765328228 from krb5_get_init_creds_password. This can happen when more than FD_SETSIZE file descriptors are open. The only way to avoid this is to recompile the Kerberos library after setting with sysctl ( on Linux) a file max file descriptor number and changing the header file define for FD_SETSIZE in typesizes.h (depending on OS it is defined in other header files).

Any feedback is appreciated.

Regards
Markus

polygraph-4.0.11-kerberos-v7.patch Description: Binary data
Re: Two patches for better heimdal support
Sorry I have another addition for config.test === modified file 'helpers/external_acl/kerberos_ldap_group/config.test' --- helpers/external_acl/kerberos_ldap_group/config.test2010-12-05 00:25:25 + +++ helpers/external_acl/kerberos_ldap_group/config.test2010-12-06 21:09:15 + @@ -9,6 +9,9 @@ if [ -f /usr/lib/libsasl.la -o -f /usr/lib/libsasl2.la ]; then exit 0 fi + if [ -f /usr/lib/libsasl.so -o -f /usr/lib/libsasl2.so ]; then + exit 0 + fi if [ -f /usr/local/lib/libsasl.so -o -f /usr/local/lib/libsasl2.so ]; then exit 0 fi Markus "Markus Moeller" wrote in message news:idde7p$8a...@dough.gmane.org... Hi Amos, Please find attached more patches for better Heimdal support as new Heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly, to use kerberos_ldap_group on FreeBSD, config.test has to be changed as FreeBSD installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly, on FreeBSD 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus "Markus Moeller" wrote in message news:ibpome$ps...@dough.gmane.org... Here is an update using only #if / #elif and changed the order a bit. Markus "Amos Jeffries" wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -, "Markus Moeller" wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos
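Review bot: the added test `+ if [ -f /usr/lib/libsasl.so -o -f /usr/lib/libsasl2.so ]` only matches a development symlink sitting exactly in /usr/lib; a host that keeps SASL in a multilib directory, or that has only the versioned runtime object (libsasl2.so.2) installed, still falls through to the remaining checks. A glob such as `ls /usr/lib*/libsasl2.so* 2>/dev/null` or, better, a compile-and-link probe would cover those layouts instead of adding one more hard-coded path beside the existing .la and /usr/local/lib tests.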
Re: Two patches for better heimdal support
Hi Henrik, That seems to be from another patch: bzr log -p -r11090 helpers/external_acl/kerberos_ldap_group/support_log.cc revno: 11090 committer: Amos Jeffries branch nick: trunk timestamp: Sat 2010-12-04 23:14:11 -0700 message: Fix invalid conversion 'long int' to 'time_t' diff: === modified file 'helpers/external_acl/kerberos_ldap_group/support_log.cc' --- helpers/external_acl/kerberos_ldap_group/support_log.cc 2010-08-14 00:12:49 + +++ helpers/external_acl/kerberos_ldap_group/support_log.cc 2010-12-05 06:14:11 + @@ -41,7 +41,8 @@ gettimeofday(&now, NULL); if (now.tv_sec != last_t) { -tm = localtime(&now.tv_sec); +time_t tmp = now.tv_sec; +tm = localtime(&tmp); strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); last_t = now.tv_sec; } "Henrik Nordström" wrote in message news:1291657930.10525.625.ca...@henriknordstrom.net... The build farm now on kerberos_ldap_group due to int/time_t type mismatches ../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc: In function `const char* LogTime()': ../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc:44: error: invalid conversion from `long int*' to `const time_t*' ../../../../helpers/external_acl/kerberos_ldap_group/support_log.cc:44: error: initializing argument 1 of `tm* localtime(const time_t*)' I assume this is related to the heimdal support patches. Regards Henrik
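Review bot: localtime() in the new `+tm = localtime(&tmp);` line can return NULL (for a time_t the C library cannot convert), and the unchanged `strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);` that follows would then dereference it; check the result before formatting, and consider localtime_r() into a local struct tm so the helper does not rely on the static buffer localtime() hands back. Copying tv_sec into a time_t is the right fix for the `long int*` to `const time_t*` mismatch the build farm reported.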
Re: Two patches for better heimdal support
Hi Amos, I added a comment to the bug note. Markus "Amos Jeffries" wrote in message news:4cfaea4c.8020...@treenet.co.nz... Re-applied. In other details, are you able to respond to this? http://bugs.squid-cache.org/show_bug.cgi?id=3075 Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
I use bazaar Updated to revision 11093 of branch http://bzr.squid-cache.org/bzr/squid3/trunk I don't see the squidclient patch nor negotiate_kerberos_auth. I attach them again Markus "Amos Jeffries" wrote in message news:4cfb92c9.7030...@treenet.co.nz... On 06/12/10 01:22, Markus Moeller wrote: Hi Amos, I don't see that these two have been applied. Heimdal introduced a header file gssapi_krb5.h which was previously only available in some older MIT releases. To avoid issues on for example FreeBSD 8.1 I had to change the include checks. Markus revno 11082 in 3.HEAD http://master.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11086.patch There is some hour or so delay in www.* updating these days. I've committed an update to configure.ac to set those /usr/local paths. It looks like it may also fix several other library problems that were bugging us earlier today :) Thank you. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3 squid_negotiate.diff Description: Binary data squidclient.diff Description: Binary data
Re: Two patches for better heimdal support
Hi Amos, I don't see that these two have been applied. Heimdal introduced a header file gssapi_krb5.h which was previously only available in some older MIT releases. To avoid issues on for example FreeBSD 8.1 I had to change the include checks. Markus "Markus Moeller" wrote in message news:ibpome$ps...@dough.gmane.org... Here is an update using only #if / #elif and changed the order a bit. Markus "Amos Jeffries" wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -, "Markus Moeller" wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos
Re: Two patches for better heimdal support
I can have a look into it. The setup described is definitely not the norm. Most people want automated setups and not to use config files. Regards Markus "Amos Jeffries" wrote in message news:4cfaea4c.8020...@treenet.co.nz... Re-applied. In other details, are you able to respond to this? http://bugs.squid-cache.org/show_bug.cgi?id=3075 Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
Apologies Markus "Amos Jeffries" wrote in message news:4cfa67a6.5030...@treenet.co.nz... On 05/12/10 01:53, Markus Moeller wrote: Hi Amos, Please find attached more patches for better Heimdal support as new Heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly, to use kerberos_ldap_group on FreeBSD, config.test has to be changed as FreeBSD installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly, on FreeBSD 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus Oops, the acinclude/krb5.m4 changes defining SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H were not in there. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3 kerberos_ldap_group_freebsd.diff Description: Binary data
Re: Two patches for better heimdal support
I get $ uname -a FreeBSD freebsd-81-64.freebsd.home 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 $ krb5-config --cflags gssapi -I/usr/include $ krb5-config --libs gssapi -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt and my ldap and sasl files are in /usr/local $ pkg_info -v openldap-sasl-client-2.4.23 | less Information for openldap-sasl-client-2.4.23: Comment: Open source LDAP client implementation with SASL2 support Description: OpenLDAP is a suite of Lightweight Directory Access Protocol (v3) servers, clients, utilities and development tools. This package includes the following major components: * -lldap - a LDAP client library * -llber - a lightweight BER/DER encoding/decoding library * LDAP tools - A collection of command line LDAP utilities * documentation - man pages for all components WWW: http://www.OpenLDAP.org/ Install notice: The OpenLDAP client package has been successfully installed. Edit /usr/local/etc/openldap/ldap.conf to change the system-wide client defaults. Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at http://www.OpenLDAP.org/faq/index.cgi?file=3 for more information. Packing list: Comment: PKG_FORMAT_REVISION:1.1 Package name: openldap-sasl-client-2.4.23 Package origin: net/openldap24-sasl-client CWD to /usr/local Dependency: cyrus-sasl-2.1.23 dependency origin: security/cyrus-sasl2 "Amos Jeffries" wrote in message news:4cfa4d64.8030...@treenet.co.nz... On 05/12/10 02:49, Markus Moeller wrote: BTW to use kerberos_ldap_group on freebsd configure has to be run with CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-R/usr/local/lib" Is that info not provided by krb5-config? On our test machine it seems to be. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
Re: Two patches for better heimdal support
BTW to use kerberos_ldap_group on FreeBSD configure has to be run with CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-R/usr/local/lib" "Markus Moeller" wrote in message news:idde7p$8a...@dough.gmane.org... Hi Amos, Please find attached more patches for better Heimdal support as new Heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly, to use kerberos_ldap_group on FreeBSD, config.test has to be changed as FreeBSD installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly, on FreeBSD 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus "Markus Moeller" wrote in message news:ibpome$ps...@dough.gmane.org... Here is an update using only #if / #elif and changed the order a bit. Markus "Amos Jeffries" wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -, "Markus Moeller" wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos
Re: Two patches for better heimdal support
Hi Amos, Please find attached more patches for better Heimdal support as new Heimdal versions have gssapi_krb5 header files which were in the past only available in older MIT releases. 1) kerberos_ldap_group_header.diff fixes the gssapi_krb5 header issue Secondly, to use kerberos_ldap_group on FreeBSD, config.test has to be changed as FreeBSD installs additional packages in /usr/local. The following patch addresses this 2) kerberos_ldap_group_config.diff Thirdly, on FreeBSD 7 the krb5.h file does not work with C++. This patch checks for it 3) kerberos_ldap_group_freebsd.diff (it includes the kerberos_ldap_group_header.diff patch) Regards Markus "Markus Moeller" wrote in message news:ibpome$ps...@dough.gmane.org... Here is an update using only #if / #elif and changed the order a bit. Markus "Amos Jeffries" wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -0000, "Markus Moeller" wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos kerberos_ldap_group_config.diff Description: Binary data kerberos_ldap_group_freebsd.diff Description: Binary data kerberos_ldap_group_header.diff Description: Binary data
Re: [squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous
How about now ? Markus "Amos Jeffries" wrote in message news:10b005d2be46c33a22e6cc813b95e...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:34:48 -0000, "Markus Moeller" wrote: Here is a patch for the squid trunk. Markus The patch seems not to have come through. Amos "Amos Jeffries" wrote in message news:4cdf2628.2050...@treenet.co.nz... On 13/11/10 22:30, Eugene M. Zheganin wrote: Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 $ ldd squid_kerb_ldap squid_kerb_ldap: libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000) libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x80075b000) libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x80086) libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8009cd000) libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c0e000) libasn1.so.10 => /usr/lib/libasn1.so.10 (0x800ea6000) libroken.so.10 => /usr/lib/libroken.so.10 (0x801025000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x801136000) libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000) liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x80139) libc.so.7 => /lib/libc.so.7 (0x80149d000) libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8016d7000) libssl.so.6 => /usr/lib/libssl.so.6 (0x8017ef000) Is it possible that you have another kerberos package installed ? How does your ldd look ? I installed a standard freebsd 8.0 84 bit plus ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz for ldap with sasl support. First of all, sorry for a delayed answer, I'm not the kind of person that asks for help and never reads answers. I had a couple of harsh weeks with crashes and late working. :) Yes, I have multiple krb5 installations on machines where the build didn't succeed due to incompatible types, you were right. Also I have updated the production proxy that was on FreeBSD 7.2 to 8.1 (and had a harsh week due to wonderful em(4) issue, fixed in -STABLE), but now the building on this machine is fine, except one warning that can be easily fixed by removing -Werror (once again, why -Werror ?). If you're interested the warning is about: [...] gcc -DHAVE_CONFIG_H -I. -I/usr/include -I/usr/local/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o support_group.o support_group.c support_group.c: In function 'utf8dup': support_group.c:43: warning: declaration of 'dup' shadows a global declaration /usr/include/unistd.h:330: warning: shadowed declaration is here [...] Because warnings indicate problems as much as errors. Ignoring them leads to major problems later. We depend on people like yourself reporting them at the warning stage before that happens. In this case it's warning about some confusion between a system dup() and a second local one which may differ in some critical way on some systems. Thanks for the report. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3 support_group_dup_fix.diff Description: Binary data
Re: Two patches for better heimdal support
Here is an update using only #if / #elif and changed the order a bit. Markus "Amos Jeffries" wrote in message news:104be24899d2c3a232288ea0fa5a7...@mail.treenet.co.nz... On Sun, 14 Nov 2010 18:37:39 -0000, "Markus Moeller" wrote: Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus These appear to be reversions of the file-based inclusions. Would it not be better just to add: +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#endif to the end of the include lists? Also, it is adding quite a messy mix of ifdef and if defined(). Please just use #if / #elif either way. Amos squid_negotiate.diff Description: Binary data squidclient.diff Description: Binary data
Two patches for better heimdal support
Hi I noticed that the trunk does not compile on FreeBSD with Heimdal. Here are two patches against the trunk. Markus squid_negotiate.diff Description: Binary data squidclient.diff Description: Binary data
Re: Squidclient doesn't build in head
"Kinkie" wrote in message news:aanlktikt2zra7o+s8zrjj2abs==jbiw3dl8xtxnrb...@mail.gmail.com... Hi all, Kerberos integration in squidclient has caused some problems with squidclient; Ubuntu 10.4 fails with /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:857: undefined reference to `gss_release_buffer' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:850: undefined reference to `gss_display_status' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:854: undefined reference to `gss_release_buffer' Opensolaris instead complains that ../../tools/squidclient.cc: In function `char* GSSAPI_token(const char*)': ../../tools/squidclient.cc:912: error: `gss_nt_service_name' undeclared (first use this function) I couldn't find a simple way to fix this.. any hints? Does this fix it ? # bzr diff -r submit: Using parent branch http://bzr.squid-cache.org/bzr/squid3/trunk/ === modified file 'tools/squidclient.cc' --- tools/squidclient.cc2010-08-25 03:10:45 + +++ tools/squidclient.cc2010-08-28 12:42:07 + 
@@ -80,43 +80,23 @@ #endif #if HAVE_GSSAPI -#ifdef HAVE_HEIMDAL_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#else -#error "GSSAPI header required" -#endif -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#else -#ifdef HAVE_SEAM_KERBEROS -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#else -#error "GSSAPI header required" -#endif -#ifdef HAVE_GSSAPI_GSSAPI_EXT_H +#if HAVE_GSSAPI_GSSAPI_H +#include +#elif HAVE_GSSAPI_H +#include +#endif /* HAVE_GSSAPI_H */ +#if HAVE_GSSAPI_GSSAPI_EXT_H #include -#endif -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#else /*MIT */ -#ifdef HAVE_GSSAPI_GSSAPI_H -#include -#elif defined(HAVE_GSSAPI_H) -#include -#else -#error "GSSAPI header required" -#endif -#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H +#endif /* HAVE_GSSAPI_GSSAPI_EXT_H */ +#if HAVE_GSSAPI_GSSAPI_KRB5_H #include -#endif -#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H +#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */ +#if HAVE_GSSAPI_GSSAPI_GENERIC_H #include -#endif -#endif +#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */ + +#ifndef gss_nt_service_name +#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE #endif #ifndef gss_mech_spnego Thanks -- /kinkie Markus
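Review bot: the rewritten block drops the `#error "GSSAPI header required"` fallback that all three removed branches carried: when neither HAVE_GSSAPI_GSSAPI_H nor HAVE_GSSAPI_H is set, the new `#if HAVE_GSSAPI_GSSAPI_H / #elif HAVE_GSSAPI_H / #endif` includes nothing and the build only fails later on unknown gss_* types. Add an `#else` with the `#error` after the `#elif HAVE_GSSAPI_H` include. Collapsing the Heimdal/SEAM/MIT branches into plain HAVE_* tests and guarding the `gss_nt_service_name` define with `#ifndef` otherwise reads well.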
Re: Squidclient doesn't build in head
"Kinkie" wrote in message news:aanlktikt2zra7o+s8zrjj2abs==jbiw3dl8xtxnrb...@mail.gmail.com... Hi all, Kerberos integration in squidclient has caused some problems with squidclient; Ubuntu 10.4 fails with /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:857: undefined reference to `gss_release_buffer' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:850: undefined reference to `gss_display_status' /home/kinkie/squid/workspace/stringng/tools/squidclient.cc:854: undefined reference to `gss_release_buffer' What does configure say about HAVE_GSSAPI ? Can I see the config.log ? Opensolaris instead complains that ../../tools/squidclient.cc: In function `char* GSSAPI_token(const char*)': ../../tools/squidclient.cc:912: error: `gss_nt_service_name' undeclared (first use this function) I will check this. I couldn't find a simple way to fix this.. any hints? Thanks -- /kinkie Markus
Re: Patch for squidclient
"Amos Jeffries" wrote in message news:4c68dbc6.30...@treenet.co.nz... Markus Moeller wrote: "Alex Rousskov" wrote in message news:4c67f515.6080...@measurement-factory.com... On 08/14/2010 02:10 PM, Markus Moeller wrote: Please find attached a patch to add Proxy- and WWW-Authenticate. * GSSAPI_token not documented. * check_gss_err not documented. I did not see any function with documentation. I have added some lines now. What should be the format ? Doxygen please: /** * description... * * \retval 1 gssapi error * \retval 0 successful, no gssapi error. */ * It would be nice to remove gotos from the new code. Done * porxy misspelled; did not check for other typos Fixed * Please try to remove whitespace modifications that are unrelated to your patch. I used formater.pl, which must have introduced them. * Is tools/Makefile.in under revision control? If not, it should not be in the patch. Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch The -h help text is mean to list the options in alphabetical order. Also on the Usage: line. You can split at -m and -p like so: "[-k] [-l local-host] [-m method] " +#if HAVE_GSSAPI + "[-n] [-N] " +#endif "[-p port] [-P file] [-t count] [-T timeout] [-u proxy-user] [-U www-user] " Ok. Done Please update the src/tools/squidclient.1 manual page with the new options. Done The "if (www_neg || proxy_neg)" around separate if for each case is redundant. True. Sorry In check_gss_err please use snprintf instead of sprintf. Use of a #define'd buffer size comes in handy here to replace sizeof(buf) and calculate with when needing ie snprintf(buf+len, BUFFER_SIZE-len, "%s" Thank you Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.6 Beta testers wanted for 3.2.0.1 Markus squid-3-head-tools-20100816.diff Description: Binary data
Re: Patch for squidclient
"Henrik Nordström" wrote in message news:1281901198.9220.102.ca...@henriknordstrom.net... sön 2010-08-15 klockan 19:01 +0100 skrev Markus Moeller: Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch If you can then it's better to access the sources using bzr. http://wiki.squid-cache.org/Squid3VCS I can't. At least I have no idea why, but the command listed don't work. (It is also getting quite confusing to deal with cvs, svn. hg(mercury), bazaar, git, ) I run OpenSuse 11.1 and I get: mar...@opensuse11:~/sources/squid-3> bzr branch --bind http://bzr.squid-cache.org/bzr/squid3/trunk bzr: ERROR: no such option: --bind mar...@opensuse11:~/sources/squid-3> bzr --version Bazaar (bzr) 2.0.5 Python interpreter: /usr/bin/python 2.6.0 Python standard library: /usr/lib/python2.6 Platform: Linux-2.6.27.45-0.1-pae-i686-with-SuSE-11.1-i586 bzrlib: /usr/lib/python2.6/site-packages/bzrlib Bazaar configuration: /home/markus/.bazaar Bazaar log file: /home/markus/.bzr.log Copyright 2005-2010 Canonical Ltd. http://bazaar-vcs.org/ bzr comes with ABSOLUTELY NO WARRANTY. bzr is free software, and you may use, modify and redistribute it under the terms of the GNU General Public License version 2 or later. Regards Henrik
Re: Patch for squidclient
"Alex Rousskov" wrote in message news:4c67f515.6080...@measurement-factory.com... On 08/14/2010 02:10 PM, Markus Moeller wrote: Please find attached a patch to add Proxy- and WWW-Authenticate. * GSSAPI_token not documented. * check_gss_err not documented. I did not see any function with documentation. I have added some lines now. What should be the format ? * It would be nice to remove gotos from the new code. Done * porxy misspelled; did not check for other typos Fixed * Please try to remove whitespace modifications that are unrelated to your patch. I used formater.pl, which must have introduced them. * Is tools/Makefile.in under revision control? If not, it should not be in the patch. Not sure if it is under revision control, but I get it with rsync. I have removed it from the patch Thank you, Alex. Thank you Markus squid-3-head-tools-20100815-2.diff Description: Binary data
Re: Patch for squidclient
"Henrik Nordström" wrote in message news:1281821946.9220.16.ca...@henriknordstrom.net... lör 2010-08-14 klockan 21:10 +0100 skrev Markus Moeller: Hi, Please find attached a patch to add Proxy- and WWW-Authenticate. Regards Markus Looks fine, but need to be wrapped up in kerberos ifdefs, same as used for the main code kerberos client. Oh yes. Here it is. I have also a WIN32 version, but I can't get squid-3-head compiled under cygwin to test. $ make Making all in compat make[1]: Entering directory `/home/markus/squid-3/compat' /bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include -I../src -I../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Werror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c -o assert.lo assert.cc libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include -I../src -I../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wer ror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -DDLL_EXPORT -DPIC -o .libs/assert.o In file included from /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/ws2tcpip.h:19, from ../compat/os/mswin.h:221, from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/winsock2.h:103:2: error: #warning "fd_set and associated macros have be en defined in sys/types. 
This may cause runtime problems with W32 sockets" In file included from /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/ws2tcpip.h:19, from ../compat/os/mswin.h:221, from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: /usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/winsock2.h:632: error: declaration of C function 'int select(int, _type s_fd_set*, _types_fd_set*, _types_fd_set*, const timeval*)' conflicts with /usr/include/sys/select.h:31: error: previous declaration 'int select(int, _types_fd_set*, _types_fd_set*, _types_fd_set*, timeval*) ' here In file included from ../compat/compat.h:69, from ../include/config.h:68, from assert.cc:34: ../compat/os/mswin.h: In function 'int close(int)': ../compat/os/mswin.h:358: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:366: error: '_free_osfhnd' was not declared in this scope ../compat/os/mswin.h:367: error: '__pioinfo' was not declared in this scope ../compat/os/mswin.h:370: error: '_close' was not declared in this scope ../compat/os/mswin.h: In function 'int read(int, void*, size_t)': ../compat/os/mswin.h:395: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:400: error: '_read' was not declared in this scope ../compat/os/mswin.h: In function 'int write(int, const void*, size_t)': ../compat/os/mswin.h:408: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:413: error: '_write' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::accept(int, sockaddr*, size_t*)': ../compat/os/mswin.h:431: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h:436: error: '_open_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::bind(int, sockaddr*, int)': ../compat/os/mswin.h:442: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::connect(int, const sockaddr*, int)': 
../compat/os/mswin.h:452: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::getsockname(int, sockaddr*, size_t*)': ../compat/os/mswin.h:492: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::getsockopt(int, int, int, void*, int*)': ../compat/os/mswin.h:514: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::ioctl(int, int, void*)': ../compat/os/mswin.h:525: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::ioctlsocket(int, long int, u_long*)': ../compat/os/mswin.h:535: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::listen(int, int)': ../compat/os/mswin.h:545: error: '_get_osfhandle' was not declared in this scope ../compat/os/mswin.h: In function 'int Squid::recv(int, void*, size_t, int)': ../compat/os/mswin.h:558: error: '_get_osfhandle' was not declared in t
Patch for squidclient
Hi, Please find attached a patch to add Proxy- and WWW-Authenticate. Regards Markus squid-3-head-tools-20100814.diff
Re: New external_acl helper squid_kerb_ldap
Hi Amos, Thank you for the review. I will try to address your points over the next weeks. Markus "Amos Jeffries" wrote in message news:4c5187d2.5010...@treenet.co.nz... Markus Moeller wrote: Hi Amos, How does your time look now ? Regards Markus Looks passable. I have not had time for a detailed view of the logics. I'll commit this tomorrow with a name tweak, the naming scheme has been through the external acl helpers too now. I'll just tack ext_ on the front and _acl on the back of the existing binary name and update the docs to match. One thing that worries me still is the RUN_IFELSE autoconf macros still being added to configure.in. I'm sure there is a macro that checked for defined values of things inside headers without running stuff. If you can try and find that it would be great not to have to run anything on build. The following is optional... As always the 3.HEAD code has advanced a bit. Fallout from the helper upgrades has been the beginning of a common code API. These are the ones to consider updating the helper with in the current 3.HEAD: * helpers/defines.h provides a few macros that may be useful: SEND_ERR(msg) - takes a string or buffer containing the error message to be available to user and admin. May be used in cache.log and/or user displayed error pages. SEND_OK(params) - takes a string of whitespace delimited key=value pairs. Whatever the helper hook accepts, which varies with squid release. * A global variable "debug_enabled" is available to be set to 1 on receiving -d (debug) parameters. It controls whether the function debug("fmt",x,y,...) produces any output. debug(...) is equivalent to: if(debug_enabled) fprintf(stderr,...) Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.5
Re: New external_acl helper squid_kerb_ldap
Hi Amos, did you have time to review the updated patch ? Thank you Markus "Markus Moeller" wrote in message news:hudjud$3i...@dough.gmane.org... Hi Amos, I updated the patch. Regards Markus "Amos Jeffries" wrote in message news:9b92235f13abdaf1c87f73c73c732...@mail.treenet.co.nz... On Mon, 31 May 2010 23:47:40 +0100, "Markus Moeller" wrote: "Amos Jeffries" wrote in message news:90351e19016110c5e9fd1699187b5...@mail.treenet.co.nz... On Sun, 30 May 2010 16:15:14 +0100, "Markus Moeller" wrote: Hi, I have converted my helper to kerberos_ldap_group ( not sure if that is the best name) and created a patch for inclusion into the head revision. Please review and let me know any feedback. Thank you Markus Hi Markus, Okay, some more checks. configure.in: * According to the GNU docs pre-processor only directives are to be avoided when possible since they do not guarantee a working binary. Could you use AC_COMPILE_IFELSE instead of the AC_EGREP_CPP and AC_EGREP_HEADER ? kerberos_ldap_group/README: * Would you mind converting the README file to a man.8 page? There is a template at the bottom of http://wiki.squid-cache.org/ProgrammingGuide/ManualDocumentation Amos
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
Also the existing configure. has AC_CHECK_LIB(lber, main, [LBERLIB="-llber"]) which will fail on Solaris with CC. Do you know which function to check in liblber ? Regards Markus "Markus Moeller" wrote in message news:huba99$tl...@dough.gmane.org... "Henrik Nordström" wrote in message news:1275667169.12858.2.ca...@henriknordstrom.net... Fri 2010-06-04 at 00:19 +0100 Markus Moeller wrote: What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? A function you know is implemented by the named library. That is a bit my problem. For example if I use heimdal kerberos libraries version 1.3.1 I need -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lroken -lcrypt -ldl -lresolv -pthread for older 0.7.2 I need -lgssapi -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -pthread but I have no idea for which function I have to test each library for. Luckily most platforms use krb5-config to tell me which libraries I need, but for example OpenBSD doesn't. Note: watch out for macros. Need to be an actual function. Regards Henrik Regards Markus
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
"Henrik Nordström" wrote in message news:1275667169.12858.2.ca...@henriknordstrom.net... Fri 2010-06-04 at 00:19 +0100 Markus Moeller wrote: What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? A function you know is implemented by the named library. That is a bit my problem. For example if I use heimdal kerberos libraries version 1.3.1 I need -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lroken -lcrypt -ldl -lresolv -pthread for older 0.7.2 I need -lgssapi -lkrb5 -lasn1 -lcom_err -lcrypto -lroken -lcrypt -ldl -lresolv -pthread but I have no idea for which function I have to test each library for. Luckily most platforms use krb5-config to tell me which libraries I need, but for example OpenBSD doesn't. Note: watch out for macros. Need to be an actual function. Regards Henrik Regards Markus
Re: CC configure (AC_CHECK_LIB macro) problem on Solaris
What is the recommended way of doing it as I am adding a module which requires library checks and I don't know always what function is best to check on ? Thank you Markus "Kinkie" wrote in message news:aanlktikfyn1ibt7hjof1j0znzyofhywmgcigfqcaf...@mail.gmail.com... On Thu, Jun 3, 2010 at 8:36 PM, Markus Moeller wrote: Hi, I have a problem with CC=cc CXX=CC ./configure; because any check like AC_CHECK_LIB(malloc, main) fails. Is there a known workaround ? Interesting.. Those kinds of checks are being phased out of the configure.in script, unless they are hidden by other macros. In general using main to test for lib existence is IIRC not recommended by autoconf docs.. I find it fascinating that those bugs are not caught on OpenSolaris (we have build-hosts running SunStudio cc) -- /kinkie
CC configure (AC_CHECK_LIB macro) problem on Solaris
Hi, I have a problem with CC=cc CXX=CC ./configure; because any check like AC_CHECK_LIB(malloc, main) fails. Is there a known workaround ? Thank you Markus from 3-HEAD I get: ... configure:48735: checking for main in -lmalloc configure:48764: CC -o conftest -g -I/usr/include/gssapi -I/usr/include/kerberosv5 -g conftest.cpp -lmalloc -lsocket -lresolv -lnsl >&5 "conftest.cpp", line 224: Error: Cannot have a recursive call of main(). 1 Error(s) detected. configure:48770: $? = 1 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "Squid Web Proxy" | #define PACKAGE_TARNAME "squid" | #define PACKAGE_VERSION "3.HEAD-20100601" | #define PACKAGE_STRING "Squid Web Proxy 3.HEAD-20100601" | #define PACKAGE_BUGREPORT "http://www.squid-cache.org/bugs/" | #define PACKAGE "squid" | #define VERSION "3.HEAD-20100601" | #define USE_LOADABLE_MODULES 1 | int | main () | { | return main (); | ; | return 0; | }
New Auth configuration options
Hi, Would it make sense to define in squid two new configuration options to control Negotiate authentication ? I am thinking of adding Negotiate-NTLM and Negotiate-Kerberos with the same options as Negotiate. Once squid receives a Negotiate response squid has to base64 decode the token and check for the NTLM string before invoking the Negotiate-NTLM or Negotiate-Kerberos helper. Does that break a concept in squid to analyse a token before selecting the helper ? Thank you Markus
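The pre-check proposed in the message above (base64-decode the Negotiate token, look for the NTLM signature, then choose a helper), as an added Python prototype; it is not Squid code, the helper names in HELPER_FOR stand in for the proposed Negotiate-NTLM and Negotiate-Kerberos options, and the sample tokens are constructed rather than captured from a client. It also covers the SPNEGO-wrapped forms a Windows client normally sends, which the message does not spell out.

```python
import base64
import binascii

# Byte patterns the pre-check looks for.  The 8-byte NTLMSSP signature opens
# every NTLM message; the DER-encoded OIDs identify a GSS-API mechanism.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")          # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")       # 1.2.840.48018.1.2.2
NTLM_MECH_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

# Hypothetical helper names standing in for the proposed Negotiate-NTLM and
# Negotiate-Kerberos options; Squid defines neither name.
HELPER_FOR = {"ntlm": "negotiate_ntlm_helper", "kerberos": "negotiate_kerberos_helper"}


def classify_negotiate_token(header_value):
    """Classify the token carried in a 'Negotiate <base64>' credentials value.

    Returns 'ntlm', 'kerberos' or 'unknown'.  Raises ValueError when the scheme
    is not Negotiate or the token is not valid base64, so the caller can reject
    the request outright instead of guessing a helper."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate credentials value")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("Negotiate token is not valid base64") from exc

    # Case 1: a bare NTLMSSP message sent under the Negotiate scheme.
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # Case 2: a GSS-API InitialContextToken ([APPLICATION 0], tag 0x60).  The
    # mechanism OID follows the length octets; 16 bytes covers a long-form
    # length plus the 11-byte Kerberos OID.
    if token[:1] != b"\x60":
        return "unknown"
    head = token[:16]
    if KRB5_OID in head or MS_KRB5_OID in head:
        return "kerberos"
    if SPNEGO_OID in head:
        # SPNEGO wrapper.  The inner mechToken is raw NTLMSSP when the client
        # picked NTLM, otherwise a Kerberos AP-REQ.  Check the signature before
        # the OIDs: a client without a ticket lists NTLM first and sends NTLMSSP,
        # while a Kerberos token usually still lists the NTLM OID as a fallback
        # mechType.  This is a pattern scan, not a full DER parse.
        if NTLMSSP_SIGNATURE in token:
            return "ntlm"
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "kerberos"
        if NTLM_MECH_OID in token:
            return "ntlm"
    return "unknown"


def pick_helper(header_value):
    """Return the helper that should receive the token, or None if undecidable."""
    return HELPER_FOR.get(classify_negotiate_token(header_value))


# --- Constructed sample tokens (not captured from real clients) ---------------
def _der(tag, body):
    """Minimal DER TLV for bodies shorter than 128 bytes; every sample fits."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# NTLM Type 1: signature, message type, flags, empty domain/workstation fields.
_NTLM_TYPE1 = (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
               + bytes.fromhex("078208a2") + bytes(16))
# Stand-in for a Kerberos AP-REQ; a real one is encrypted and far longer.
_FAKE_AP_REQ = _der(0x6E, bytes(range(8)))


def _spnego(mech_oids, mech_token):
    """negTokenInit with the given mechTypes and mechToken inside the GSS wrapper."""
    neg_token_init = _der(0x30, _der(0xA0, _der(0x30, b"".join(mech_oids)))
                          + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))


SAMPLES = {
    "raw_ntlm": _header(_NTLM_TYPE1),
    "spnego_ntlm": _header(_spnego([NTLM_MECH_OID], _NTLM_TYPE1)),
    "raw_krb5": _header(_der(0x60, KRB5_OID + b"\x01\x00" + _FAKE_AP_REQ)),
    "spnego_krb5": _header(_spnego([MS_KRB5_OID, KRB5_OID, NTLM_MECH_OID], _FAKE_AP_REQ)),
    "opaque": "Negotiate AAAA",           # decodes to three zero bytes
    "not_negotiate": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        try:
            print(f"{name:14} -> {classify_negotiate_token(value)} via {pick_helper(value)}")
        except ValueError as err:
            print(f"{name:14} -> rejected: {err}")
```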
Re: "negotiate" auth with fallback to other schemes
- Original Message - From: "Henrik Nordstrom" To: "Markus Moeller" Cc: Sent: Saturday, March 06, 2010 10:26 AM Subject: Re: "negotiate" auth with fallback to other schemes Fri 2010-03-05 at 20:44 + Markus Moeller wrote: I don't understand this part. Usually the kdc is on AD so how can NTLM work and Kerberos not ? The NTLM client just needs the local computer configuration + credentials entered interactively by the user. All communication with the AD is indirect via the proxy. The client does not need any form of ticket before trying to authenticate via NTLM, just the username + domain + password. For similar reasons NTLM also does not have any protection from mitm session theft. Meaning that the auth exchange done to the proxy may just as well be used by a mitm attacker to authenticate as that client to any server in the network for any purpose. So it makes the statement "Kerberos may fail just because the client has no connectivity with the KDC, and in this case NTLM could be a useful second choice" false. Since in that case NTLM will fail too as the kdc (AD) is unavailable Regards Henrik Regards Markus
Re: "negotiate" auth with fallback to other schemes
"Livio B" wrote in message news:31f0d2c51003050619o6d3a78b9uaf319d8e63aa7...@mail.gmail.com... Hi, In particular, if I want only transparent auth, it wouldn't make sense to retry the authentication because either the helper would get the same SSO (denied) credentials or the user would get prompted (which I don't want). On a different scenario, where it is ok to prompt the user for alternative credentials, it would make sense to retry the negotiate. Yes, and how would the helper know when this is? That knowledge is better in Squid.. Well that would have to be a parameter to the helper command. So, to summarize, adding this fall-back option would either require 1) a backward compatible protocol update, or 2) a backward compatible auth_param syntax extension. Option 1) would have the advantage that the helper could behave differently based on client responses; option 2) would have the advantage that it doesn't require changes to helpers. You are clearly advocating option 2. This seems a little inflexible. For example, currently there is no helper that can handle both negotiate/kerberos and negotiate/ntlm so if I need to support both I need a negotiate helper and a NTLM helper and might want to disable just one. And of course new protocols can eventually surface. Is the flexibility really needed in this case? Negotiate and NTLM are very closely related, and will always connect to the same backend (windows ADS / domain controller) at least in sane setups. If one fails then there is very limited use of trying the other. This is not completely fair. Kerberos may fail just because the client has no connectivity with the KDC, and in this case NTLM could be a useful second choice. I don't understand this part. Usually the kdc is on AD so how can NTLM work and Kerberos not ? Additionally I as a user and network admin would not be comfortable with digest auth automatically falling back on basic on authentication failure, due to the non-existing security of basic auth. 
If the client supports digest then it should stick to that until the user says otherwise. Agree. So I'll work on a patch to support a new auth_param option (any suggested syntax?) and tracking the list of "disabled" protocols in the "request" or "connection" object, keeping the connection open even when authentication fails. Regards, Livio
squid_kerb_auth logging patch
Hi Amos, Here are patches for squid 3.1 and squid 3-head to add ERROR, WARNING, etc to the logging messages. Regards Markus squid_kerb_auth-logging.patch negotiate_kerberos_auth-logging.patch
Re: [2.HEAD patch] Fix compilation on opensolaris
That should be OK. Markus "Kinkie" wrote in message news:f4ad058f0910090839m3164a807qdf3dc2b4f7820...@mail.gmail.com... Hi all, 2.HEAD currently doesn't build on opensolaris, in at least some cases due to it not properly detecting kerberosv5 variants. The attached patch is a backport of some 3.HEAD changes which allow 2.HEAD to build on opensolaris Please review and, if it seems OK to you, apply. -- /kinkie
Re: Squid 3.1 kerb auth helper
rings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -L/usr/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -L../../../lib -o squid_kerb_auth_test squid_kerb_auth_test.o base64.o -lmiscutil -lm cp squid_kerb_auth negotiate_kerb_auth cp squid_kerb_auth_test negotiate_kerb_auth_test make[5]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth' make[4]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth' make[3]: Leaving directory `/home/markus/squid-3.1.0.13-20090926/helpers/negotiate_auth/squid_kerb_auth' - Original Message - From: "Amos Jeffries" To: "Markus Moeller" ; "Squid Developers" ; "Luigi Gangitano" Sent: Saturday, September 26, 2009 2:11 AM Subject: Squid 3.1 kerb auth helper Hi Markus, We've hit another issue with the new 3.1 helper. This time on Debian... Luigi Gangitano wrote: > > At last, I've a small issue with negotiate_auth/squid_kerb_auth, which > set RPATH in binaries. configure script adds '-Wl,-R' to the linker > under squid. This is an issue for debian (see > http://wiki.debian.org/RpathIssue). Do you think this can be fixed? I > can make a debian patch if needed. Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: Squid 3.1 kerb auth helper
Is this a real issue or "just" to be compliant with debian rules ? Can you give me more details ? Thank you Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" ; "Squid Developers" ; "Luigi Gangitano" Sent: Saturday, September 26, 2009 2:11 AM Subject: Squid 3.1 kerb auth helper Hi Markus, We've hit another issue with the new 3.1 helper. This time on Debian... Luigi Gangitano wrote: > > At last, I've a small issue with negotiate_auth/squid_kerb_auth, which > set RPATH in binaries. configure script adds '-Wl,-R' to the linker > under squid. This is an issue for debian (see > http://wiki.debian.org/RpathIssue). Do you think this can be fixed? I > can make a debian patch if needed. Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
The test for HAVE_COM_ERR_H is based on the krb5 include path and compat_shared.h is included everywhere. So I guess the best would be to add it to src/Common.am. Markus "Amos Jeffries" wrote in message news:4ab61e03.6070...@treenet.co.nz... Markus Moeller wrote: Amos, I think you have to add also ## Kerberos headers require their include path... INCLUDES += @KRB5INCS@ to all Makefile.am s as configure uses krb5-config --cflags krb5 before testing for com_err.h. Really? *all* Makefiles? or just the ones that build binaries using krb5? Amos Markus "Amos Jeffries" wrote in message news:4aae2c01.5090...@treenet.co.nz... Alex Rousskov wrote: On Sun, 13 Sep 2009, Henrik Nordstrom wrote: Sun 2009-09-13 at 21:30 +0200 Henrik Nordstrom wrote: seems to build fine for me on CentOS 5.2.. but maybe something in the test builds are triggering it.. A full test is running.. Found.. it fails when used in combination with --enable-ssl. This is due to OpenSSL (or actually krb5.h I think, included by openssl) ending up including com_err.h without the extern "C" wrapper, or if you prefer due to the com_err.h include not shielding itself from C++ parsing... Proposed fix: Have src/ssl_support.h include et/com_err.h in an extern "C" wrapping before OpenSSL includes... Have been bitten by this as well. The proposed fix sounds good to me. Thank you, Alex. Okay, and in light that it's a nasty hack around some brokenness. I suggest the include should go in the compat library. compat/compat_shared.h is the file for non-OS-specific bits. Simply wrapping an include of com_err.h inside there with a documentation note quoting Henrik's analysis above. Should fix it for all the main Squid code and some helpers. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19 Current Beta Squid 3.1.0.13 -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
Amos, I think you have to add also ## Kerberos headers require their include path... INCLUDES += @KRB5INCS@ to all Makefile.am s as configure uses krb5-config --cflags krb5 before testing for com_err.h. Markus "Amos Jeffries" wrote in message news:4aae2c01.5090...@treenet.co.nz... Alex Rousskov wrote: On Sun, 13 Sep 2009, Henrik Nordstrom wrote: Sun 2009-09-13 at 21:30 +0200 Henrik Nordstrom wrote: seems to build fine for me on CentOS 5.2.. but maybe something in the test builds are triggering it.. A full test is running.. Found.. it fails when used in combination with --enable-ssl. This is due to OpenSSL (or actually krb5.h I think, included by openssl) ending up including com_err.h without the extern "C" wrapper, or if you prefer due to the com_err.h include not shielding itself from C++ parsing... Proposed fix: Have src/ssl_support.h include et/com_err.h in an extern "C" wrapping before OpenSSL includes... Have been bitten by this as well. The proposed fix sounds good to me. Thank you, Alex. Okay, and in light that it's a nasty hack around some brokenness. I suggest the include should go in the compat library. compat/compat_shared.h is the file for non-OS-specific bits. Simply wrapping an include of com_err.h inside there with a documentation note quoting Henrik's analysis above. Should fix it for all the main Squid code and some helpers. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: Kerberos build failures in HEAD
Could this be a g++ problem ? error_message is defined as external in et/com_err.h and I see that -lcom-err is included in the link step. So I really don't know why g++ doesn't find the symbol. I used the following on my OpenSuse box. # g++ -v Using built-in specs. Target: i586-suse-linux Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.3 --enable-ssp --disable-libssp --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.3 --enable-linux-futex --without-system-libunwind --with-cpu=generic --build=i586-suse-linux Thread model: posix gcc version 4.3.2 [gcc-4_3-branch revision 141291] (SUSE Linux) Regards Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Thursday, September 10, 2009 3:53 AM Subject: Re: Kerberos build failures in HEAD On Thu, 10 Sep 2009 01:03:48 +0100, "Markus Moeller" wrote: How about this then ? Please replace the squid_kerb_auth directory with the No luck with the error_message function changes yet. http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/ Amos attached. Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Wednesday, September 09, 2009 2:13 AM Subject: Re: Kerberos build failures in HEAD Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes. How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me. 
The helper update change is also causing some grief. Failing basic "make distcheck" run on the spnegohelp/ files. Amos On Tue, 8 Sep 2009 21:59:15 +0100, "Markus Moeller" wrote: Hi Amos, I did some changes in configure.in and peer_proxy_negotiate_auth.cc. Regards Markus - Original Message - From: "Amos Jeffries" To: ; Sent: Tuesday, September 08, 2009 3:13 AM Subject: Kerberos build failures in HEAD Hi Markus, can you look into this please? http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console
Re: Kerberos build failures in HEAD
I did anyway some changes to the configure.in to detect cases where someone selects Heimdal (which does not use com_err) from another directory instead of the default MIT Libraries. Regards Markus - Original Message - From: "Amos Jeffries" To: "Henrik Nordstrom" Cc: "Markus Moeller" ; Sent: Thursday, September 10, 2009 11:02 AM Subject: Re: Kerberos build failures in HEAD Henrik Nordstrom wrote: Thu 2009-09-10 at 14:53 +1200 Amos Jeffries wrote: On Thu, 10 Sep 2009 01:03:48 +0100, "Markus Moeller" wrote: How about this then ? Please replace the squid_kerb_auth directory with the No luck with the error_message function changes yet. http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/ The failure is in src/peer_proxy_negotiate_auth.cc, not squid_kerb_auth. Centos does have /usr/include/et/com_err.h but for some reason configure is not picking this up. Regards Henrik Oh doh. I had to cut-n-paste the patch earlier. Typo'd et/comm_err.h! Sorry Markus. Amos -- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18 Current Beta Squid 3.1.0.13 squid-3-head-n.diff
Re: Kerberos build failures in HEAD
Then I have to setup a Centos box. It seems com_err.so has error_message, but has no com_err.h file Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Thursday, September 10, 2009 3:53 AM Subject: Re: Kerberos build failures in HEAD On Thu, 10 Sep 2009 01:03:48 +0100, "Markus Moeller" wrote: How about this then ? Please replace the squid_kerb_auth directory with the No luck with the error_message function changes yet. http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/86/ Amos attached. Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Wednesday, September 09, 2009 2:13 AM Subject: Re: Kerberos build failures in HEAD Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes. How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me. The helper update change is also causing some grief. Failing basic "make distcheck" run on the spnegohelp/ files. Amos On Tue, 8 Sep 2009 21:59:15 +0100, "Markus Moeller" wrote: Hi Amos, I did some changes in configure.in and peer_proxy_negotiate_auth.cc. Regards Markus - Original Message - From: "Amos Jeffries" To: ; Sent: Tuesday, September 08, 2009 3:13 AM Subject: Kerberos build failures in HEAD Hi Markus, can you look into this please? http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console
Re: Kerberos build failures in HEAD
How about this then ? Please replace the squid_kerb_auth directory with the attached. Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Wednesday, September 09, 2009 2:13 AM Subject: Re: Kerberos build failures in HEAD Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes. How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me. The helper update change is also causing some grief. Failing basic "make distcheck" run on the spnegohelp/ files. Amos On Tue, 8 Sep 2009 21:59:15 +0100, "Markus Moeller" wrote: Hi Amos, I did some changes in configure.in and peer_proxy_negotiate_auth.cc. Regards Markus - Original Message - From: "Amos Jeffries" To: ; Sent: Tuesday, September 08, 2009 3:13 AM Subject: Kerberos build failures in HEAD Hi Markus, can you look into this please? http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console squid-3-head.diff squid-3-head-kerb_auth.tgz
Re: Kerberos build failures in HEAD
I still see 5 Nov 2008. Regards Markus #date Wed Sep 9 19:49:46 BST 2009 # rsync -v -r rsync://squid-cache.org/source/squid-3 receiving incremental file list drwxr-xr-x1024 2008/11/08 02:00:03 squid-3 -rw-r--r--6322 2008/11/05 01:10:41 squid-3/CONTRIBUTORS -rw-r--r-- 17989 2008/11/05 01:10:41 squid-3/COPYING -rw-r--r--1015 2008/11/05 01:10:41 squid-3/COPYRIGHT -rwxr-xr-x 17069 2008/11/05 01:10:41 squid-3/CREDITS -rw-r--r-- 176980 2008/11/05 01:10:41 squid-3/ChangeLog -rw-r--r-- 523 2008/11/05 01:10:41 squid-3/INSTALL -rw-r--r--1241 2008/11/05 01:10:41 squid-3/Makefile.am -rw-r--r-- 25000 2008/11/05 01:11:36 squid-3/Makefile.in -rw-r--r--3484 2008/11/05 01:10:41 squid-3/QUICKSTART -rw-r--r--1234 2008/11/05 01:10:41 squid-3/README -rw-r--r-- 37895 2008/11/05 01:22:12 squid-3/RELEASENOTES.html -rw-r--r--2461 2008/11/05 01:10:41 squid-3/SPONSORS -rw-r--r--4674 2008/11/05 01:10:41 squid-3/acinclude.m4 -rw-r--r-- 284697 2008/11/05 01:11:04 squid-3/aclocal.m4 -rwxr-xr-x3971 2008/11/05 01:10:41 squid-3/bootstrap.sh -rwxr-xr-x 1381061 2008/11/05 01:11:56 squid-3/configure -rwxr-xr-x 112513 2008/11/05 01:11:55 squid-3/configure.in drwxr-xr-x 512 2008/11/05 01:20:03 squid-3/cfgaux Markus - Original Message - From: "Henrik Nordstrom" To: "Markus Moeller" Cc: "Amos Jeffries" ; Sent: Wednesday, September 09, 2009 8:53 AM Subject: Re: Kerberos build failures in HEAD Wed 2009-09-09 at 06:27 +0100 Markus Moeller wrote: Sorry about that. I use rsync://squid-cache.org/source/squid-3 as noted here http://www.squid-cache.org/Versions/v3/HEAD/ . Maybe I forgot to update. Hmm.. seems that got stuck at 5 nov 2008 should be fixed now. Regards Henrik
Re: Kerberos build failures in HEAD
Sorry about that. I use rsync://squid-cache.org/source/squid-3 as noted here http://www.squid-cache.org/Versions/v3/HEAD/ . Maybe I forgot to update. Markus - Original Message - From: "Amos Jeffries" To: "Markus Moeller" Cc: Sent: Wednesday, September 09, 2009 2:13 AM Subject: Re: Kerberos build failures in HEAD Okay, I see one of the changes. But the patch won't apply to HEAD any more since the old version of the patch was already applied. Please send an incremental one for just those changes. How exactly are you accessing the HEAD code to generate these patches? None of them has applied cleanly by the time they got to me. The helper update change is also causing some grief. Failing basic "make distcheck" run on the spnegohelp/ files. Amos On Tue, 8 Sep 2009 21:59:15 +0100, "Markus Moeller" wrote: Hi Amos, I did some changes in configure.in and peer_proxy_negotiate_auth.cc. Regards Markus - Original Message - From: "Amos Jeffries" To: ; Sent: Tuesday, September 08, 2009 3:13 AM Subject: Kerberos build failures in HEAD Hi Markus, can you look into this please? http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console
Re: Kerberos build failures in HEAD
Hi Amos, I did some changes in configure.in and peer_proxy_negotiate_auth.cc. Regards Markus - Original Message - From: "Amos Jeffries" To: ; Sent: Tuesday, September 08, 2009 3:13 AM Subject: Kerberos build failures in HEAD Hi Markus, can you look into this please? http://build.squid-cache.org/job/3.HEAD-amd64-CentOS-5.3/lastFailedBuild/console squid-3-head-3.diff
Re: Patch to authenticate securely to upstream ISA server(or others)
I don't remember exactly why I added it. I think it was because I originally had it as a standalone configure with the option to have libs and includes in exec_prefix/lib and exec_prefix/include where exec_prefix is the squid install path. So I think for the squid inclusion the patch is fine. Regards Markus - Original Message - From: "Henrik Nordstrom" To: "Markus Moeller" Cc: "Squid Developers" Sent: Tuesday, September 08, 2009 4:56 PM Subject: Re: Patch to authenticate securely to upstream ISA server(or others) The mentioned exec_prefix dependent thing was the culprit now.. I ended up removing that, resulting in the attached patch, but that CPPFLAGS and LDFLAGS segment looks to me like it belongs in Makefile.am rather than configure.. Regards Henrik Tue 2009-09-08 at 16:32 +0200 Henrik Nordstrom wrote: Looks promising. but I still don't understand why you are testing for $exec_path.. what does $exec_path (where binaries is to be installed, --exec-path configure argument) have to do with the path to Kerberos libraries? Build finished, and it's indeed getting a lot closer. But still some issues.. 
ERROR 0001: file '/usr/lib64/squid/negotiate_kerb_auth' contains a standard rpath '/usr/lib64' in [/usr/lib64] ERROR 0001: file '/usr/lib64/squid/squid_kerb_auth_test' contains a standard rpath '/usr/lib64' in [/usr/lib64] ERROR 0001: file '/usr/lib64/squid/squid_kerb_auth' contains a standard rpath '/usr/lib64' in [/usr/lib64] ERROR 0001: file '/usr/lib64/squid/negotiate_kerb_auth_test' contains a standard rpath '/usr/lib64' in [/usr/lib64] squid_kerb_auth configure options: '--disable-option-checking' '--prefix=/usr' '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--with-aio' 
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie' 'CXXFLAGS=-fPIE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -I/usr/lib64/gfortran/modules' '--with-squid=/home/henrik/build/fedora/squid/devel/squid-3.1.0.13' '--enable-ltdl-convenience' '--cache-file=/dev/null' '--srcdir=.'" (called from Squid configure) And it set LDFLAGS & CPPFLAGS to LDFLAGS='-pie -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -L../../../lib -L/usr/lib64 -Wl,-R/usr/lib64' CPPFLAGS=
Re: Patch to authenticate securely to upstream ISA server(or others)
How about the attached ?

Markus

"Henrik Nordstrom" wrote in message news:1252272029.23776.54.ca...@henriknordstrom.net...

The patch had been somewhat corrupted in flight so had to apply it by hand, but running a test now.

It's "no/lib" it is complaining on. Seems it comes from the "system default" test where check_mit / check_heimdal is called with a "random" $enableval from being called outside any AC_ARG_ENABLE macro.. (value in previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)

Hmm.. looking at the patch I don't think it's correct. The issue is that -L, -R and -I should only be set if there actually are any paths to set it to, not if the user uses ./configure --exec-prefix=... But it does hide the problem in my case with system integrated kerberos libs, but I guess it also breaks installs needing a non-system path to the kerberos installation.

Regards
Henrik

Sun 2009-09-06 at 14:37 +0100, Markus Moeller wrote:

Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there is the case of no then I need to check for no in the two ifs.

Markus

"Markus Moeller" wrote in message news:h7scl8$r2...@ger.gmane.org...
> This should fix it:
>
> --- configure.in2009-09-04 02:06:24.0 +0100 > +++ configure.in.new2009-09-05 01:47:34.875859258 +0100 > @@ -424,8 +424,12 @@ > [ squid_dir=$withval ] > ) > > +if test "x$exec_prefix" != xNONE; then > eval ac_p_include=$includedir > CPPFLAGS="$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include > -I$squid_dir/src -I$squid_dir" > +else > +CPPFLAGS="$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include > -I$squid_dir/src -I$squid_dir" > +fi > AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[ > AC_TRY_RUN([ > #include 
> @@ -439,8 +443,12 @@ > ac_cv_have_squid=yes, > ac_cv_have_squid=no) > ]) > +if test "x$exec_prefix" != xNONE; then > eval ac_p_lib=$libdir > LDFLAGS="$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2" > +else > +LDFLAGS="$LDFLAGS -L../../../lib" > +fi > if test "x$ac_cv_have_squid" = "xyes"; then > AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID]) > AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)
>
> Markus
>
> "Henrik Nordstrom" wrote in message news:1252072098.571.16.ca...@henriknordstrom.net...
>> Sat 2009-09-05 at 01:33 +1200, Amos Jeffries wrote:
>>> Markus,
>>> these changes won't help the Fedora build with Squid-3.1 frozen. That will require a minimal change of probably just the configure.in.
>>
>> Squid-3.1 has now been packaged for Fedora 12, but so far without squid_kerb_auth due to the configure mess adding invalid linker library path flags which the Fedora automatic package QA checks detect and barf loudly.
>>
>> The helper can be enabled if the configure bits are fixed. It builds and runs, it's just that the resulting binary is rejected by Fedora QA checks (bad -R option no/lib).
>>
>> Regards
>> Henrik

Attachment: configure.in.patch (binary data)
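Henrik's point above, that -I/-L/-R should depend on whether there is a real, non-standard path rather than on $exec_prefix, as an added example (not code from the thread or from squid_kerb_auth's configure.in). The function names and the list of standard directories are my own choices; ac_dir_value mimics the `eval ac_p_lib=$libdir` step of the patched configure.in.

```sh
#!/bin/sh
# Added example, not from the squid_kerb_auth configure.in: emit -I/-L/-R only
# for real, non-standard directories, instead of keying on $exec_prefix.

# ac_dir_value TEMPLATE: expand an autoconf directory template such as
# '${exec_prefix}/lib' the way "eval ac_p_lib=$libdir" does in configure.in.
# Before AC_OUTPUT, prefix/exec_prefix are still "NONE" unless given on the
# command line, which is where -RNONE/lib came from.
ac_dir_value() {
    eval "printf '%s' \"$1\""
}

# is_usable_dir DIR: reject empty values, unexpanded autoconf placeholders
# ("NONE/lib", or "no/lib" from a stale $enableval) and paths that do not exist.
is_usable_dir() {
    case "$1" in
        ""|NONE|no|yes|NONE/*|no/*|yes/*) return 1 ;;
    esac
    test -d "$1"
}

# is_standard_dir DIR: the compiler and linker already search these, and the
# Fedora rpath QA check rejects a "standard rpath" such as /usr/lib64.
is_standard_dir() {
    case "$1" in
        /lib|/lib64|/usr/lib|/usr/lib64|/usr/include|/usr/local/lib|/usr/local/lib64|/usr/local/include)
            return 0 ;;
    esac
    return 1
}

# krb_path_flags KIND DIR [W_FLAG]: print the flags to append to CPPFLAGS
# (KIND=inc, gives -I) or LDFLAGS (KIND=lib, gives -L plus an rpath flag),
# or nothing when DIR must not be added. W_FLAG is the rpath prefix the
# thread's configure.in computes as $w_flag ("-Wl,-R" or "-R").
krb_path_flags() {
    kind=$1
    dir=$2
    w_flag=${3:--Wl,-R}
    is_usable_dir "$dir" || return 0
    is_standard_dir "$dir" && return 0
    case "$kind" in
        inc) printf '%s' "-I$dir" ;;
        lib) printf '%s %s' "-L$dir" "$w_flag$dir" ;;
    esac
}

# Usage mirroring the patched lines, with the guard moved into the helper:
#   eval ac_p_lib=$libdir
#   LDFLAGS="$LDFLAGS -L../../../lib $(krb_path_flags lib "$ac_p_lib" "$w_flag")"
```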
Re: Patch to authenticate securely to upstream ISA server(or others)
Thank you for the info. I tested on FreeBSD 7/Fedora 11/OpenSuse 11.1 and I didn't see it, but I'll check.

Markus

- Original Message -
From: "Henrik Nordstrom"
To: "Markus Moeller"
Cc:
Sent: Sunday, September 06, 2009 10:20 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or others)

The patch had been somewhat corrupted in flight so had to apply it by hand, but running a test now.

It's "no/lib" it is complaining on. Seems it comes from the "system default" test where check_mit / check_heimdal is called with a "random" $enableval from being called outside any AC_ARG_ENABLE macro.. (value in previous AC_ARG_ENABLE macro, i.e. the seam-64 one..)

Hmm.. looking at the patch I don't think it's correct. The issue is that -L, -R and -I should only be set if there actually are any paths to set it to, not if the user uses ./configure --exec-prefix=... But it does hide the problem in my case with system integrated kerberos libs, but I guess it also breaks installs needing a non-system path to the kerberos installation.

Regards
Henrik

Sun 2009-09-06 at 14:37 +0100, Markus Moeller wrote:

Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there is the case of no then I need to check for no in the two ifs.

Markus

"Markus Moeller" wrote in message news:h7scl8$r2...@ger.gmane.org...
> This should fix it:
>
> --- configure.in2009-09-04 02:06:24.0 +0100 > +++ configure.in.new2009-09-05 01:47:34.875859258 +0100 > @@ -424,8 +424,12 @@ > [ squid_dir=$withval ] > ) > > +if test "x$exec_prefix" != xNONE; then > eval ac_p_include=$includedir > CPPFLAGS="$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include > -I$squid_dir/src -I$squid_dir" > +else > +CPPFLAGS="$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include > -I$squid_dir/src -I$squid_dir" > +fi > AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[ > AC_TRY_RUN([ > #include 
> @@ -439,8 +443,12 @@ > ac_cv_have_squid=yes, > ac_cv_have_squid=no) > ]) > +if test "x$exec_prefix" != xNONE; then > eval ac_p_lib=$libdir > LDFLAGS="$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2" > +else > +LDFLAGS="$LDFLAGS -L../../../lib" > +fi > if test "x$ac_cv_have_squid" = "xyes"; then > AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID]) > AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)
>
> Markus
>
> "Henrik Nordstrom" wrote in message news:1252072098.571.16.ca...@henriknordstrom.net...
>> Sat 2009-09-05 at 01:33 +1200, Amos Jeffries wrote:
>>> Markus,
>>> these changes won't help the Fedora build with Squid-3.1 frozen. That will require a minimal change of probably just the configure.in.
>>
>> Squid-3.1 has now been packaged for Fedora 12, but so far without squid_kerb_auth due to the configure mess adding invalid linker library path flags which the Fedora automatic package QA checks detect and barf loudly.
>>
>> The helper can be enabled if the configure bits are fixed. It builds and runs, it's just that the resulting binary is rejected by Fedora QA checks (bad -R option no/lib).
>>
>> Regards
>> Henrik
Re: Patch to authenticate securely to upstream ISA server(or others)
Did this fix it ? You talk about -Rno/lib. I only saw -RNONE/lib. If there is the case of no then I need to check for no in the two ifs.

Markus

"Markus Moeller" wrote in message news:h7scl8$r2...@ger.gmane.org...

This should fix it:

--- configure.in2009-09-04 02:06:24.0 +0100 +++ configure.in.new2009-09-05 01:47:34.875859258 +0100 @@ -424,8 +424,12 @@ [ squid_dir=$withval ] ) +if test "x$exec_prefix" != xNONE; then eval ac_p_include=$includedir CPPFLAGS="$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include -I$squid_dir/src -I$squid_dir" +else +CPPFLAGS="$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include -I$squid_dir/src -I$squid_dir" +fi AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[ AC_TRY_RUN([ #include @@ -439,8 +443,12 @@ ac_cv_have_squid=yes, ac_cv_have_squid=no) ]) +if test "x$exec_prefix" != xNONE; then eval ac_p_lib=$libdir LDFLAGS="$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2" +else +LDFLAGS="$LDFLAGS -L../../../lib" +fi if test "x$ac_cv_have_squid" = "xyes"; then AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID]) AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)

Markus

"Henrik Nordstrom" wrote in message news:1252072098.571.16.ca...@henriknordstrom.net...

Sat 2009-09-05 at 01:33 +1200, Amos Jeffries wrote:

Markus,
these changes won't help the Fedora build with Squid-3.1 frozen. That will require a minimal change of probably just the configure.in.

Squid-3.1 has now been packaged for Fedora 12, but so far without squid_kerb_auth due to the configure mess adding invalid linker library path flags which the Fedora automatic package QA checks detect and barf loudly.

The helper can be enabled if the configure bits are fixed. It builds and runs, it's just that the resulting binary is rejected by Fedora QA checks (bad -R option no/lib).

Regards
Henrik
Re: Patch to authenticate securely to upstream ISA server(or others)
This should fix it:

--- configure.in2009-09-04 02:06:24.0 +0100 +++ configure.in.new2009-09-05 01:47:34.875859258 +0100 @@ -424,8 +424,12 @@ [ squid_dir=$withval ] ) +if test "x$exec_prefix" != xNONE; then eval ac_p_include=$includedir CPPFLAGS="$CPPFLAGS -I$ac_p_include -I../../../ -I../../../include/ -I$squid_dir/include -I$squid_dir/src -I$squid_dir" +else +CPPFLAGS="$CPPFLAGS -I../../../ -I../../../include/ -I$squid_dir/include -I$squid_dir/src -I$squid_dir" +fi AC_CACHE_CHECK([for SQUID at '$squid_dir' ],ac_cv_have_squid,[ AC_TRY_RUN([ #include @@ -439,8 +443,12 @@ ac_cv_have_squid=yes, ac_cv_have_squid=no) ]) +if test "x$exec_prefix" != xNONE; then eval ac_p_lib=$libdir LDFLAGS="$LDFLAGS -L../../../lib -L$ac_p_lib $w_flag$ac_p_lib$w_flag_2" +else +LDFLAGS="$LDFLAGS -L../../../lib" +fi if test "x$ac_cv_have_squid" = "xyes"; then AC_DEFINE(HAVE_SQUID,1, [Define to 1 if you have SQUID]) AC_CHECK_HEADERS(getaddrinfo.h getnameinfo.h util.h)

Markus

"Henrik Nordstrom" wrote in message news:1252072098.571.16.ca...@henriknordstrom.net...

Sat 2009-09-05 at 01:33 +1200, Amos Jeffries wrote:

Markus,
these changes won't help the Fedora build with Squid-3.1 frozen. That will require a minimal change of probably just the configure.in.

Squid-3.1 has now been packaged for Fedora 12, but so far without squid_kerb_auth due to the configure mess adding invalid linker library path flags which the Fedora automatic package QA checks detect and barf loudly.

The helper can be enabled if the configure bits are fixed. It builds and runs, it's just that the resulting binary is rejected by Fedora QA checks (bad -R option no/lib).

Regards
Henrik
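Review bot: the `test "x$exec_prefix" != xNONE` guard in the @@ -424 hunk tests the wrong variable for the include path and still emits -I for system directories. `$includedir` defaults to `${prefix}/include`, so `eval ac_p_include=$includedir` yields `NONE/include` whenever --prefix was not given, whatever `$exec_prefix` is; and with `--includedir=/usr/include` (the Fedora options quoted at the top of this thread) the hunk adds a redundant `-I/usr/include`. As Henrik says, the flag should be added only when there is a real, non-standard path to add: test the expanded `$ac_p_include` itself (non-empty, not `NONE/...` or `no/...`, an existing directory, not a default search path) rather than `$exec_prefix`, and keep a single CPPFLAGS assignment instead of two near-identical lines that differ only in `-I$ac_p_include`.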
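Review bot: the @@ -439 hunk still produces the rpath the Fedora QA check rejects. With `--exec-prefix=/usr --libdir=/usr/lib64` the new test passes and LDFLAGS gets `-L/usr/lib64 -Wl,-R/usr/lib64`, which is exactly the "standard rpath '/usr/lib64'" error and the LDFLAGS quoted at the top of this thread; and the `no/lib` value Henrik reports comes from check_mit / check_heimdal being called with a stale `$enableval`, which this hunk does not touch either. Suggest appending `-L$ac_p_lib` only when the expanded path is an existing, non-standard directory, emitting `$w_flag$ac_p_lib$w_flag_2` (the -R/rpath) only in that same case and never for a default linker search path; the `else` branch then collapses into the unconditional `LDFLAGS="$LDFLAGS -L../../../lib"`.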
Re: Patch to authenticate securely to upstream ISA server(or others)
"Henrik Nordstrom" wrote in message news:1252072098.571.16.ca...@henriknordstrom.net...

Sat 2009-09-05 at 01:33 +1200, Amos Jeffries wrote:

Markus,
these changes won't help the Fedora build with Squid-3.1 frozen. That will require a minimal change of probably just the configure.in.

Squid-3.1 has now been packaged for Fedora 12, but so far without squid_kerb_auth due to the configure mess adding invalid linker library path flags which the Fedora automatic package QA checks detect and barf loudly.

The helper can be enabled if the configure bits are fixed. It builds and runs, it's just that the resulting binary is rejected by Fedora QA checks (bad -R option no/lib).

OK I will fix it this weekend.

Regards
Henrik
Re: [squid-users] Re: squid 2.7 - problems with kerberos authentication
This means your client does not use Kerberos but NTLM. Check that IE is configured with the fqdn.

Regards
Markus

- Original Message -
From: "Дмитрий Нестеркин"
To: "Henrik Nordstrom"
Cc: "Markus Moeller"
Sent: Wednesday, September 02, 2009 12:36 PM
Subject: Re: [squid-users] Re: squid 2.7 - problems with kerberos authentication

On 2 September 2009 at 14:32, Дмитрий Нестеркин (undelb...@gmail.com) wrote:

external_acl_type ldap_check ttl=1200 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=mydomain,dc=local" -f "(&(objectclass=user)(sAMAccountName=%v (memberof=cn=%a,ou=internet,dc=mydomain,dc=local))" -D "proxyu...@mydomain.local" -w "password" -K -d 192.168.100.42

Does this work from the command line? If it's an AD server then basic bind without TLS is generally not allowed (deemed insecure). The helper expects login group as input, and will respond with OK/ERR. But since there is no debug output from squid_ldap_group I suspect squid_kerb_auth isn't happy with something.. But it's odd there is no debug output from squid_kerb_auth either...

Yes, it works from the command line! And I can't understand why not with squid.

$ /usr/lib/squid/squid_ldap_group -R -b "dc=teliset,dc=local" -f "(&(objectclass=user)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=teliset,dc=local))" -D "proxyu...@teliset.local" -w "password" -K -d 192.168.100.42
my_username inet_allow
OK

I've updated the krb5-user package to the latest testing version. Now the cache log contains squid_kerb_auth info:

2009/09/02 15:27:46| Ready to serve requests.
2009/09/02 15:27:46| Done reading /var/spool/squid swaplog (405 entries)
2009/09/02 15:27:46| Finished rebuilding storage from disk.
2009/09/02 15:27:46| 405 Entries scanned
2009/09/02 15:27:46| 0 Invalid entries.
2009/09/02 15:27:46| 0 With invalid flags.
2009/09/02 15:27:46| 405 Objects loaded.
2009/09/02 15:27:46| 0 Objects expired.
2009/09/02 15:27:46| 0 Objects cancelled.
2009/09/02 15:27:46| 0 Duplicate URLs purged.
2009/09/02 15:27:46| 0 Swapfile clashes avoided.
2009/09/02 15:27:46| Took 0.3 seconds (1453.0 objects/sec).
2009/09/02 15:27:46| Beginning Validation Procedure
2009/09/02 15:27:46| Completed Validation Procedure
2009/09/02 15:27:46| Validated 405 Entries
2009/09/02 15:27:46| store_swap_size = 4052k
2009/09/02 15:27:46| storeLateRelease: released 0 objects
2009/09/02 15:32:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2009/09/02 15:32:48| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:50| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2009/09/02 15:32:50| squid_kerb_auth: received type 1 NTLM token
2009/09/02 15:32:51| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2009/09/02 15:32:51| squid_kerb_auth: received type 1 NTLM token
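Markus's diagnosis above rests on the helper's "received type 1 NTLM token" line; this added example (not squid code) makes the same call directly from the base64 token in a cache.log "Got 'YR ...'" line, so an NTLM-only client can be spotted without helper debug output. The NTLM sample is a constructed type 1 message of the shape the log reports (the token as reproduced on this page is shorter than its logged 59 bytes), the GSS-API sample is a constructed minimal SPNEGO header, and base64(1) and od(1) are assumed to be available.

```sh
#!/bin/sh
# Added example, not part of squid: decide from a squid_kerb_auth log line
# whether the client sent NTLM or a GSS-API/SPNEGO (Kerberos) token.

# classify_token BASE64: print NTLM-type-N, GSSAPI or UNKNOWN for one token.
classify_token() {
    # hex dump of the decoded token, with spaces and newlines removed
    raw=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ -n "$raw" ] || { echo UNKNOWN; return 0; }
    case "$raw" in
        4e544c4d53535000*)
            # "NTLMSSP\0" signature; the message type is a little-endian
            # uint32 at byte 8, so its low byte is the type (1, 2 or 3).
            t=${raw#????????????????}           # drop the 8 signature bytes
            [ ${#t} -ge 2 ] || { echo UNKNOWN; return 0; }
            ty=${t%"${t#??}"}                    # first two hex chars
            echo "NTLM-type-$(( 0x$ty ))" ;;
        60*)
            # ASN.1 [APPLICATION 0] tag: a GSS-API InitialContextToken, which
            # is what a Kerberos/SPNEGO Negotiate client sends.
            echo GSSAPI ;;
        *)
            echo UNKNOWN ;;
    esac
}

# classify_log: read cache.log lines on stdin and print "<timestamp> <class>"
# for every "squid_kerb_auth: Got 'YR <token>'" line, skipping the rest.
classify_log() {
    while IFS= read -r line; do
        case "$line" in
            *"squid_kerb_auth: Got 'YR "*) ;;
            *) continue ;;
        esac
        tok=${line#*"Got 'YR "}
        tok=${tok%%\'*}
        printf '%s %s\n' "${line%%|*}" "$(classify_token "$tok")"
    done
}

# Constructed samples (not copied from the page): a 40-byte NTLM type 1
# message, and a minimal SPNEGO header (0x60 tag, OID 1.3.6.1.5.5.2).
NTLM_TYPE1='TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
SPNEGO_HDR='YAgGBisGAQUFAg=='

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
        "2009/09/02 15:32:48| squid_kerb_auth: Got 'YR $NTLM_TYPE1' from squid (length: 59)." \
        "2009/09/02 15:32:49| squid_kerb_auth: Got 'YR $SPNEGO_HDR' from squid (length: 19)." \
        "2009/09/02 15:32:50| Ready to serve requests." | classify_log
fi
```

Run with `--demo` to see the two constructed log lines classified; in practice pipe `grep squid_kerb_auth cache.log` into classify_log.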
Re: Patch to authenticate securely to upstream ISA server(or others)
BTW There are files missing in the head snapshot tar file. The tar file has only

../squid-3/helpers/negotiate_auth/squid_kerb_auth
../squid-3/helpers/negotiate_auth/squid_kerb_auth/Makefile.am
../squid-3/helpers/negotiate_auth/squid_kerb_auth/depcomp
../squid-3/helpers/negotiate_auth/squid_kerb_auth/AUTHORS
../squid-3/helpers/negotiate_auth/squid_kerb_auth/install-sh
../squid-3/helpers/negotiate_auth/squid_kerb_auth/COPYING
../squid-3/helpers/negotiate_auth/squid_kerb_auth/config.guess
../squid-3/helpers/negotiate_auth/squid_kerb_auth/ltmain.sh
../squid-3/helpers/negotiate_auth/squid_kerb_auth/README
../squid-3/helpers/negotiate_auth/squid_kerb_auth/ChangeLog
../squid-3/helpers/negotiate_auth/squid_kerb_auth/config.h.in
../squid-3/helpers/negotiate_auth/squid_kerb_auth/config.sub
../squid-3/helpers/negotiate_auth/squid_kerb_auth/configure
../squid-3/helpers/negotiate_auth/squid_kerb_auth/INSTALL
../squid-3/helpers/negotiate_auth/squid_kerb_auth/configure.in
../squid-3/helpers/negotiate_auth/squid_kerb_auth/aclocal.m4
../squid-3/helpers/negotiate_auth/squid_kerb_auth/Makefile.in
../squid-3/helpers/negotiate_auth/squid_kerb_auth/base64.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/missing
../squid-3/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/NEWS
../squid-3/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth_test.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/spnegohelp
../squid-3/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.c
../squid-3/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.c

but it should have these too

squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/base64.h
squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp
squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnego.h
squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h
squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/derparse.h
squid-3.0.STABLE18/helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegoparse.h

Markus
Re: Patch to authenticate securely to upstream ISA server(or others)
"Amos Jeffries" wrote in message news:3f72f4fcc973e75a663a72a587547...@mail.treenet.co.nz...

On Tue, 1 Sep 2009 19:55:47 +0100, "Markus Moeller" wrote:

Henrik,

I updated the patch. I also said that I removed the configure from squid_kerb_auth by replacing the whole squid_kerb_auth directory with the attached tar file (to the previous post) which hopefully fixes the fedora build.

Does the directory replacement have to be done at the same time or would it cope with being split in two and done after the main change?

It could be done in two stages. The patch would need to be modified as it removes the execution of the squid_kerb_auth configure.

Amos

Markus
Re: Patch to authenticate securely to upstream ISA server(or others)
Henrik,

I updated the patch. I also said that I removed the configure from squid_kerb_auth by replacing the whole squid_kerb_auth directory with the attached tar file (to the previous post) which hopefully fixes the fedora build.

Thank you
Markus

"Henrik Nordstrom" wrote in message news:1251770416.16800.65.ca...@henriknordstrom.net...

Needs quoting:

+KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null`
+KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null`

(seen twice, Solaris & generic)

Would also be nice if you could update squid_kerb_auth/configure with this simplified kerberos configure dance. The squid_kerb_auth/configure in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib for me and currently prevents it from being packaged for Fedora (build QA check failure, incorrect run-path)

Regards
Henrik

Mon 2009-08-31 at 14:03 +0100, Markus Moeller wrote:

Hi Amos,

find attached a patch against the head release. Since I now need Kerberos and GSSAPI for the main source I removed the squid_kerb_auth configure and replaced the squid_kerb_auth directory with the attached. I tested on OpenSuse 11 with MIT Kerberos 1.6.3 (the default) and Freebsd 7.0 with Heimdal 1.2.1 (added as the older freebsd base Heimdal package creates problems as squid's asn1.h and krb5_asn1.h have conflicts with oid definitions)

Regards
Markus

- Original Message -
From: "Amos Jeffries"
To: "Markus Moeller"
Cc:
Sent: Tuesday, August 25, 2009 12:38 PM
Subject: Re: Patch to authenticate securely to upstream ISA server(or others)

> Markus Moeller wrote:
>> In some setups the upstream proxy requires a secure authentication method (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with Negotiate.
>>
>> Regards
>> Markus
>
> Hi Markus,
> Good to see this feature appearing.
>
> Just a few things to fix up before this can go in:
>
> * Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be indented with spaces instead of the automake required tabs.
>
> * Unfortunately 3.0 is closed for new features. Can we get a diff against 3.HEAD code please?
>
> * there is zero documentation for the new option settings. Please add to the cache_peer entry of src/cf.data.pre with the new details for login=NEGOTIATE.
>
> * there is also no documentation for any of the code. Please prefix each new function and global in your new code with at least an overview description of what it does.
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> Current Beta Squid 3.1.0.13

Attachment: squid-3-head-2.diff (binary data)
Re: Patch to authenticate securely to upstream ISA server(or others)
"Amos Jeffries" wrote in message news:4a93cd1b.9030...@treenet.co.nz...

Markus Moeller wrote:

In some setups the upstream proxy requires a secure authentication method (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with Negotiate.

Regards
Markus

Hi Markus,
Good to see this feature appearing.

Just a few things to fix up before this can go in:

* Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem to be indented with spaces instead of the automake required tabs.

* Unfortunately 3.0 is closed for new features. Can we get a diff against 3.HEAD code please?

* there is zero documentation for the new option settings. Please add to the cache_peer entry of src/cf.data.pre with the new details for login=NEGOTIATE.

* there is also no documentation for any of the code. Please prefix each new function and global in your new code with at least an overview description of what it does.

Thank you for the feedback. I will work on your suggestions.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13

Regards
Markus
Re: Patch to authenticate securely to upstream ISA server(or others)
Sorry, but I forgot to change putenv to setenv. Patches are attached.

Markus

"Henrik Nordstrom" wrote in message news:1249178627.13368.4.ca...@henriknordstrom.net...

Sat 2009-08-01 at 16:41 +0100, Markus Moeller wrote:

In some setups the upstream proxy requires a secure authentication method (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with Negotiate.

Imported to Squid-2 with the following cosmetic modifications

* Your instructions added as doc/README.proxy_negotiate
* extern "C" removed from source as this confused the old gindent we are using to format the code.
* Code reformatted per Squid code style rules.

Regards
Henrik

Attachments: peer_proxy_negotiate_auth-setenv-2.patch, peer_proxy_negotiate_auth-setenv-3.patch (binary data)