Do not FATAL and quit when handling an NA or ERR negotiate helper response without a challenge token.
=== modified file 'src/auth/negotiate/UserRequest.cc'
--- src/auth/negotiate/UserRequest.cc 2013-01-28 16:56:05 +0000
+++ src/auth/negotiate/UserRequest.cc 2013-02-13 00:30:07 +0000
@@ -310,53 +310,51 @@ * challenge-response nature of the protocol. * Just free the temporary auth_user after merging as * much of it new state into the existing one as possible */ usernamehash->user()->absorb(local_auth_user); /* from here on we are working with the original cached credentials. */ local_auth_user = usernamehash->user(); auth_user_request->user(local_auth_user); } else { /* store user in hash's */ local_auth_user->addToNameCache(); } /* set these to now because this is either a new login from an * existing user or a new user */ local_auth_user->expiretime = current_time.tv_sec; auth_user_request->user()->credentials(Auth::Ok); debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << auth_user_request->user()->username() << "'"); } break; case HelperReply::Error: { - Note::Pointer messageNote = reply.notes.find("message"); - Note::Pointer tokenNote = reply.notes.find("token"); - if (tokenNote == NULL) { - /* protocol error */ - fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content()); - break; - } - /* authentication failure (wrong password, etc.) */ + + Note::Pointer messageNote = reply.notes.find("message"); auth_user_request->denyMessage(messageNote->firstValue()); auth_user_request->user()->credentials(Auth::Failed); + safe_free(lm_request->server_blob); - lm_request->server_blob = xstrdup(tokenNote->firstValue()); + Note::Pointer tokenNote = reply.notes.find("token"); + if (tokenNote != NULL) + lm_request->server_blob = xstrdup(tokenNote->firstValue()); + lm_request->releaseAuthServer(); debugs(29, 4, HERE << "Failed validating user via Negotiate. Error returned '" << reply << "'"); } break; case HelperReply::Unknown: debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!."); /* continue to the next case */ case HelperReply::BrokenHelper: { /* TODO kick off a refresh process. This can occur after a YR or after * a KK. 
If after a YR release the helper and resubmit the request via * Authenticate Negotiate start. * If after a KK deny the user's request w/ 407 and mark the helper as * Needing YR. */ Note::Pointer errNote = reply.notes.find("message"); if (reply.result == HelperReply::Unknown) auth_user_request->denyMessage("Internal Error"); else if (errNote != NULL) auth_user_request->denyMessage(errNote->firstValue());
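Review bot: In the `HelperReply::Error` case, `messageNote->firstValue()` is still called without checking that `reply.notes.find("message")` returned a note, so an NA or ERR reply that carries no message would dereference a null `Note::Pointer`; the commit guards `tokenNote` but leaves this one unguarded. Because the helper's output alone decides whether this path is reached, the result is presumably an assertion or crash comparable to the `fatalf` being removed. The `HelperReply::BrokenHelper` case further down already tests `errNote != NULL` before use, and the same pattern fits here: `if (messageNote != NULL) auth_user_request->denyMessage(messageNote->firstValue());`, with a fixed fallback deny message in the else branch. The enclosing function starts before this hunk and the BrokenHelper block continues past its last line, so the surrounding handling is not fully visible.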