On 13/02/2013 11:33 a.m., Henrik Nordström wrote:
Tue 2013-02-12 at 14:41 -0700, Alex Rousskov wrote:
Hello,
Could somebody with better authentication and helper knowledge clarify
whether the token field is indeed required for Negotiate ERR and NA
responses? If not, can we just remove the above quoted fatalf() blob and
make the following line conditional on the token presence?
Squid-2 negotiate expects

NA<SPACE>blob<SPACE>message<NEWLINE>

but does not require any of them to be present. It accepts

NA<SPACE><NEWLINE>

as a valid response.

NTLM is slightly different and does not expect a blob. Simply

NA<SPACE>message<NEWLINE>

where message may be blank.

Regards
Henrik


Squid-3 should be identical. The token is required for Authenticate-Info to supply the client with keytab identification in the response headers. A missing token= on the Negotiate response normally indicates that an NTLM helper has been wrongly configured on the Negotiate auth interface. Markus' negotiate_wrapper helper presents a dummy token when mapping NTLM responses to Squid.

Yes you can remove these fatal() if you want, but it needs to result in authentication failure and squid.conf ERROR messages if you do so. The code for triggering all that side-effect is in the BrokenHelper use case which might need to become a separate error handling method. This also goes for the other identical fatal("Unsupported helper response") in Negotiate auth which would be worth removing in the same way.

Amos
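
The positional NA reply formats discussed in this thread, as an added example that is not part of the original messages and is not Squid's code. The names `Scheme`, `NaReply` and `parseNa` are hypothetical; it assumes the first word of a Negotiate reply is the blob and that a bare `NA` without the trailing space is also tolerated. A missing Negotiate token is reported to the caller instead of aborting.

```cpp
#include <iostream>
#include <string>

// Hypothetical names for illustration; these are not Squid's own classes.
enum class Scheme { Negotiate, Ntlm };

struct NaReply {
    bool valid = false;        // line is a well-formed NA response
    bool tokenMissing = false; // Negotiate only: helper sent no blob
    std::string token;         // blob (Negotiate only)
    std::string message;       // free text, may be blank
};

// Parse one positional "NA" helper line. Never aborts: the caller is
// expected to fail the authentication and log an ERROR when the line is
// invalid or, for Negotiate, when tokenMissing is set.
NaReply parseNa(Scheme scheme, std::string line)
{
    NaReply r;
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r'))
        line.pop_back();
    if (line.compare(0, 2, "NA") != 0)
        return r;                       // not an NA response
    if (line.size() > 2 && line[2] != ' ')
        return r;                       // e.g. "NAK"
    r.valid = true;
    const std::string rest = line.size() > 3 ? line.substr(3) : "";
    if (scheme == Scheme::Ntlm) {       // NA<SPACE>message
        r.message = rest;
        return r;
    }
    const auto sp = rest.find(' ');     // NA<SPACE>blob<SPACE>message
    r.token = rest.substr(0, sp);       // assumption: first word is the blob
    if (sp != std::string::npos)
        r.message = rest.substr(sp + 1);
    r.tokenMissing = r.token.empty();
    return r;
}

int main()
{
    // Constructed sample: the minimal reply Squid-2 accepts.
    const NaReply r = parseNa(Scheme::Negotiate, "NA \n");
    std::cout << (r.valid && r.tokenMissing ? "ERROR: NA without token, failing auth\n" : "ok\n");
    return 0;
}
```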
