Source: squid3
Version: 3.4.8-6: amd64
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Configuring a freshly installed squid3. Users shall authenticate against a
Windows domain controller.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Entered the following directives to /etc/squid/squid.conf, which are well
tested under 2.7 and should work under 3.x too:

auth_param basic program /usr/lib/squid3/basic_smb_auth -W windows_domain -U domain_controller
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 60 minutes
acl domainusers proxy_auth REQUIRED


   * What was the outcome of this action?

Users will be asked for credentials, but definitively correct credentials will
not be accepted. Credential dialog pops up again and again...

   * What outcome did you expect instead?

Users shall be authenticated.

*** End of the template - remove these template lines ***

Now for the beef: basic_smb_auth.sh delivers the credentials via environment in
the form "$USER%$PASSWORD", which is not expected by smbclient. This seems to
result from an obsolete or inferior documentation of smbclient. While it is
perfectly valid to deliver the credentials in this form via the command-line
parameter -U, for example in

smbclient //domain_controller/NETLOGON -d 0 -E -W windows_domain -c "get proxyauth -" -U herrmann%mysecurepassword 2>/dev/null

this form is not valid when the credentials are delivered via environment.

Via environment the credentials must be delivered in two separate variables
USER=$USER% PASSWD=$PASSWORD.

So after the following changes to basic_smb_auth.sh, the script works flawlessly:

-USER="$SMBUSER%$SMBPASS"
+USER="$SMBUSER"
+PASSWD="$SMBPASS"
export USER
+export PASSWD
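
Review bot: The report text above gives the environment form as USER=$USER% (with a trailing percent sign), but the added line here is USER="$SMBUSER" with no percent sign; the description and the patch should agree on which form smbclient expects. PASSWD also stays exported for the rest of the script after `+export PASSWD`, so consider an `unset PASSWD` once the smbclient lookup has finished, and the two exports can be merged into `export USER PASSWD`.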

Those lines are not my invention; I just took them from squid 2.7's
smb_auth.sh. It might be a better solution to pass the credentials via
parameters rather than via environment, i.e. to change line 66 of
basic_smb_auth.sh:

-authinfo=`smbclient "//$dcname/$AUTHSHARE" -I $dcip -d 0 -E -W "$DOMAINNAME"
-c "get $authfilebs -" 2>/dev/null`
+authinfo=`smbclient "//$dcname/$AUTHSHARE" -I $dcip -d 0 -E -W "$DOMAINNAME"
-c "get $authfilebs -" -U $SMBUSER%$SMBPASS 2>/dev/null`
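
Review bot: The added `-U $SMBUSER%$SMBPASS` puts the password on smbclient's command line, where other local users can read it from the process list for as long as the command runs; the environment variant in the first patch avoids that exposure and is the safer fix. The expansion is also unquoted, so a password containing whitespace or glob characters will be word-split or expanded by the shell; if this form is kept, it should at least be written as `-U "$SMBUSER%$SMBPASS"`.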



-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

