There has been some confusion about what --helper-protocol parameters
the Samba ntlm_auth helper needs when used with the negotiate_wrapper helper.
This adds checks and warnings to ensure the protocol used matches
the --ntlm or --kerberos section.
Amos
=== modified file 'src/auth/negotiate/wrapper/negotiate_wrapper.cc'
--- src/auth/negotiate/wrapper/negotiate_wrapper.cc 2017-01-01 00:12:22 +0000
+++ src/auth/negotiate/wrapper/negotiate_wrapper.cc 2017-05-05 07:59:21 +0000
@@ -40,41 +40,41 @@
#if HAVE_NETDB_H
#include <netdb.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if !defined(HAVE_DECL_XMALLOC) || !HAVE_DECL_XMALLOC
#define xmalloc malloc
#endif
#if !defined(HAVE_DECL_XSTRDUP) || !HAVE_DECL_XSTRDUP
#define xstrdup strdup
#endif
#if !defined(HAVE_DECL_XFREE) || !HAVE_DECL_XFREE
#define xfree free
#endif
#undef PROGRAM
#define PROGRAM "negotiate_wrapper"
#undef VERSION
-#define VERSION "1.0.1"
+#define VERSION "1.0.2"
#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN 65535
#endif
static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
static const char *
LogTime()
{
struct timeval now;
static time_t last_t = 0;
static char buf[128];
gettimeofday(&now, NULL);
if (now.tv_sec != last_t) {
time_t *tmp = (time_t *) & now.tv_sec;
struct tm *tm = localtime(tmp);
strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
last_t = now.tv_sec;
@@ -274,45 +274,66 @@
int fpid;
int pkin[2];
int pkout[2];
int pnin[2];
int pnout[2];
setbuf(stdout, NULL);
setbuf(stdin, NULL);
if (argc ==1 || !strncasecmp(argv[1],"-h",2)) {
usage();
return 0;
}
int j = 1;
if (!strncasecmp(argv[1],"-d",2)) {
debug_enabled = 1;
j = 2;
}
+ bool inNtlmParams = false;
+ bool inKerberosParams = false;
+
for (int i=j; i<argc; ++i) {
- if (!strncasecmp(argv[i],"--ntlm",6))
+ if (strncasecmp(argv[i],"--ntlm",6) == 0) {
nstart = i;
- if (!strncasecmp(argv[i],"--kerberos",10))
+ inNtlmParams = true;
+ inKerberosParams = false;
+ }
+ if (strncasecmp(argv[i],"--kerberos",10) == 0) {
kstart = i;
+ inKerberosParams = true;
+ inNtlmParams = false;
+ }
+ // Samba ntlm_auth helper can use several protocols.
+ // Check that the one used matches the wraper I/O handling.
+ if (strncasecmp(argv[i],"--helper-protocol=",18) == 0) {
+ // --ntlm requires protocol squid-2.5-ntlmssp
+ if (inNtlmParams && strncasecmp(argv[i],"--helper-protocol=squid-2.5-ntlmssp",35) != 0) {
+ fprintf(stderr, "%s| %s: WARNING: Samba helper in --ntlm requires --helper-protocol=squid-2.5-ntlmssp\n", LogTime(), PROGRAM);
+ }
+ // --kerberos requires protocol gss-spnego
+ if (inKerberosParams && strncasecmp(argv[i],"--helper-protocol=gss-spnego",28) != 0) {
+ fprintf(stderr, "%s| %s: WARNING: Samba helper in --kerberos requires --helper-protocol=gss-spnego\n", LogTime(), PROGRAM);
+ }
+ }
}
if (nstart > kstart) {
kend = nstart-1;
nend = argc-1;
} else {
kend = argc-1;
nend = kstart-1;
}
if (nstart == 0 || kstart == 0 || kend-kstart <= 0 || nend-nstart <= 0 ) {
usage();
return 0;
}
if (debug_enabled)
fprintf(stderr, "%s| %s: Starting version %s\n", LogTime(), PROGRAM,
VERSION);
if ((nargs = (char **)xmalloc((nend-nstart+1)*sizeof(char *))) == NULL) {
fprintf(stderr, "%s| %s: Error allocating memory for ntlm helper\n", LogTime(), PROGRAM);
return 1;
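Review bot: The two protocol comparisons inside the new `--helper-protocol=` branch are length-limited prefix matches, so any longer value that begins with the expected name passes without a warning. Samba's ntlm_auth also offers a `gss-spnego-client` protocol, and the 28-character check in the --kerberos case accepts it silently although it is the client-side protocol. Comparing the whole value closes this, e.g. `if (inKerberosParams && strcasecmp(argv[i]+18, "gss-spnego") != 0) {`, and likewise with `"squid-2.5-ntlmssp"` in the --ntlm case. The check is advisory only and fires only when the option and its value are written as one `=`-joined argument, so a helper with a mismatched or differently spelled protocol option is still started; a comment such as `// Advisory only: the helper is still started with whatever protocol was given.` above the branch would make that explicit. The enclosing function begins and ends outside the hunk.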