On Fri, 2012-06-29 at 03:57 -0400, Zdenek Pavlas wrote:
> > Is there any way we can fix it, or could we just disable ntlm until
> > 835869 is fixed?
>
> This is not (directly) related to NTLM. Curl prefers GSSNEGOTIATE
> over NTLM and BASIC, so decides to try that first. If it can't find
> a ticket in /tmp, it fails as though the authentication has been
> attempted and has failed (or retries the request without any auth
> header added, depending on curl version).
>
> - self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY)
> + self.curl_obj.setopt(pycurl.PROXYAUTH,
> pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE)
>
> This is reported to fix the problem, and NTLM is still supported, but:

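Review bot: on the added `+` line the GSSNEGOTIATE bit is cleared with arithmetic subtraction (`pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE`), which only gives the intended mask while that bit is set in the left operand. A bitwise clear, `pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_GSSNEGOTIATE`, states the intent and stays correct if the left-hand mask is ever narrowed. The resulting mask still allows BASIC for the proxy, and the line has no comment saying why Negotiate is excluded; a short comment pointing at bug 835869 would keep the exclusion from being reverted by accident.
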
Cool.

> 1) no way to ever use kerberos

Not sure I see the problem :). I mean we never have supported it, right?

> 2) no way to enable only one auth scheme and save the 1st request
> 3) can't disable BASIC (security)
>
> I'm okay with both solutions (proxy_auth env var, or disabling
> kerberos the hard way). 3rd option is adding an urlgrabber + yum
> option to yum.conf, but that feels an overkill to me.

It feels like nobody would care if we just disable kerberos, and probably
0.001% of users will use any configuration if you add it. So I'd just go
with the easiest thing and wait for someone to complain :).

> > > Enabling >1 schemes results in small extra overhead
> >
> > I assume small here means "not really measurable"?
>
> One extra HTTP request/response, but that's on LAN, no big deal.
> It might still be desirable to be able to enable BASIC only,
> because a broken proxy might return wrong or no 407 replies.

*nods*, it's possible but I'd expect most things to get the 407 reply
correct ... we can always look at it again if some major vendor's
firewall/proxy/whatever does the wrong thing.

_______________________________________________
Yum-devel mailing list
Yum-devel@lists.baseurl.org
http://lists.baseurl.org/mailman/listinfo/yum-devel
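
The scheme selection discussed in this thread, as an added example that is not part of the original message and is not curl or urlgrabber code: a simplified model of picking a proxy auth scheme from a 407 reply under an allowed-scheme bitmask. The bit values are libcurl's `CURLAUTH_*` constants; `ANY` covering only four schemes, the preference order, the function names and the sample headers are assumptions of the example.

```python
# Simplified model (not curl's code) of proxy auth scheme selection.
# Bit values match libcurl's CURLAUTH_* constants.
BASIC, DIGEST, GSSNEGOTIATE, NTLM = 1, 2, 4, 8
ANY = BASIC | DIGEST | GSSNEGOTIATE | NTLM  # assumption: stands in for HTTPAUTH_ANY

# Assumed preference order, most preferred first.
PREFERENCE = [("negotiate", GSSNEGOTIATE), ("digest", DIGEST),
              ("ntlm", NTLM), ("basic", BASIC)]
BITS = dict(PREFERENCE)


def offered_schemes(headers):
    """Bitmask of the schemes named in Proxy-Authenticate header lines."""
    mask = 0
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.split():
            mask |= BITS.get(value.split()[0].lower(), 0)
    return mask


def pick_scheme(allowed, headers):
    """Most preferred scheme that is both allowed locally and offered."""
    usable = allowed & offered_schemes(headers)
    for label, bit in PREFERENCE:
        if usable & bit:
            return label
    return None


def needs_probe_request(allowed):
    """With more than one scheme allowed, one request is spent reading the 407."""
    return bin(allowed & ANY).count("1") > 1


# Constructed 407 reply headers (sample data, not from a real proxy).
SAMPLE_407 = [
    "Proxy-Authenticate: Negotiate",
    "Proxy-Authenticate: NTLM",
    'Proxy-Authenticate: Basic realm="proxy"',
]
BASIC_ONLY_407 = ['Proxy-Authenticate: Basic realm="proxy"']
PATCHED = ANY & ~GSSNEGOTIATE  # same value as ANY - GSSNEGOTIATE in the patch

if __name__ == "__main__":
    print("unpatched mask picks:", pick_scheme(ANY, SAMPLE_407))
    print("patched mask picks:", pick_scheme(PATCHED, SAMPLE_407))
    print("patched mask, Basic-only proxy:", pick_scheme(PATCHED, BASIC_ONLY_407))
    print("probe request needed:", needs_probe_request(PATCHED), needs_probe_request(BASIC))
```

The Basic-only case shows the point raised as item 3 in the thread: with the patched mask, a proxy that offers only Basic still gets Basic credentials.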