On Mon, 29 Aug 2011 22:07:15 +0200, Rafal Zawierta wrote:
> Hello,
>
> I've noticed that in one setup of Squid3 (+kerb auth against AD),
> when a user changes his password (at the moment I'm not sure when he
> makes that change) he receives this message:
> Sorry, you are not currently allowed to request http://google.com/
> from this cache until you have authenticated yourself.
>
> Where should I look for a solution to that issue? In the ttl param of the
> authentication helper? I haven't tried yet, but probably restarting
> squid after user changes his password solves that problem.
>
> Regards
> Rafal

One of the effects of NTLM and Negotiate attempting stateful
authentication of low level TCP connections via a stateless HTTP upper
layer protocol (HTTP). The client is attempting to send new credentials
over a connection which already has different ones set as read-only
and pinning multiple TCP server connections together. What it needs to
be doing to avoid problems is closing any old/existing connections from
before the password change and opening new ones with the fresh
credentials.

The error message is Squid detecting that and performing the
connection flush on the client's behalf. It should be accompanied by a
"Connection: close" and a list of auth protocols the browser may open a
new connection with credentials for.

Like Marcus said, this is a client problem. If that message reaches
user visibility it is failing at both the flush and the recovery after
flush fails.

Amos
Received on Tue Aug 30 2011 - 03:40:26 MDT
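
When debugging this from a packet capture, one way to check whether a denial response carries the two signals the reply above describes ("Connection: close" and a list of auth protocols). This is an added example, not part of the original thread and not Squid code. It assumes the denial arrives as a standard HTTP 407 with `Proxy-Authenticate` headers; the function name and the sample responses are constructed for illustration.

```python
# Constructed sample response heads (not captured from a real proxy).
GOOD = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n\r\n"
)
NO_CLOSE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Connection: keep-alive\r\n\r\n"
)
NO_SCHEMES = "HTTP/1.1 407 Proxy Authentication Required\r\nConnection: close\r\n\r\n"


def check_flush_response(raw):
    """Return (ok, findings) for one raw proxy response head (hypothetical helper)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return False, ["malformed status line"]
    if int(parts[1]) != 407:
        return False, [f"status {parts[1]} is not a proxy auth challenge"]

    # Header names are case-insensitive and may repeat, so collect lists.
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())

    findings = []
    # Connection is a comma-separated list of case-insensitive tokens.
    tokens = {t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")}
    if "close" not in tokens:
        findings.append("no 'Connection: close': client is not told to drop the old connection")
    # The auth scheme is the first word of each Proxy-Authenticate value.
    schemes = [v.split()[0] for v in headers.get("proxy-authenticate", []) if v]
    if not schemes:
        findings.append("no Proxy-Authenticate: client is not told how to re-authenticate")
    if findings:
        return False, findings
    return True, ["flush signalled, schemes offered: " + ", ".join(schemes)]
```

If the proxy side passes this check and users still see the error page, the capture points at the client not reconnecting with fresh credentials.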