Re: [squid-users] Squid, negotiate auth against AD and problem with changed password

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 30 Aug 2011 15:40:23 +1200

 On Mon, 29 Aug 2011 22:07:15 +0200, Rafal Zawierta wrote:
> Hello,
>
> I've noticed that in one setup of Squid3 (+kerb auth against AD),
> when a user changes his password (at that moment I'm not sure when he
> makes that change) he receives such a message:
> Sorry, you are not currently allowed to request http://google.com/
> from this cache until you have authenticated yourself.
>
> Where should I look for a solution to that issue? In the ttl param of
> the authentication helper? I haven't tried yet, but probably restarting
> squid after the user changes his password solves that problem.
>
> Regards
> Rafal

This is one of the effects of NTLM and Negotiate attempting stateful
authentication of low-level TCP connections via a stateless upper-layer
protocol (HTTP). The client is attempting to send new credentials
over a connection which already has different ones set as read-only
and pinning multiple TCP server connections together. What it needs to
be doing to avoid problems is closing any old/existing connections from
before the password change and opening new ones with the fresh
credentials.

The error message is Squid detecting that and performing the
connection flush on the client's behalf. It should be accompanied by a
"Connection: close" and a list of auth protocols the browser may open a
new connection with credentials for.

Like Marcus said, this is a client problem. If that message reaches
user visibility it is failing at both the flush and the recovery after
flush fails.

 Amos
Received on Tue Aug 30 2011 - 03:40:26 MDT
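As an added diagnostic example (not code from Squid or from anyone in this thread), the script below parses the head of a raw proxy reply and reports whether it has the two properties Amos describes for a correct flush: a "Connection: close" and a re-offered list of auth schemes, which a proxy carries in repeated Proxy-Authenticate headers (WWW-Authenticate for origin-server auth is checked too). The two sample replies are constructed for illustration; the "good" one has the expected shape and the "bad" one challenges but keeps the pinned connection open, which is the situation in which a client holding stale credentials cannot recover by reconnecting.

```python
"""Check whether a 401/407 reply performs the connection flush described
above: it must carry "Connection: close" and re-offer the auth schemes the
client may use on a fresh connection.  Added example, not Squid code; the
sample replies below are constructed, not captured from a real proxy."""

from typing import Dict, List, NamedTuple, Tuple


class AuthFlushReport(NamedTuple):
    status: int
    connection_close: bool
    schemes: List[str]      # scheme names from Proxy-Authenticate / WWW-Authenticate
    flush_ok: bool          # True when the reply lets a client recover cleanly


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response head into status code and a header map.
    Header names are lower-cased; repeated headers (one Proxy-Authenticate
    per offered scheme) are kept as a list in their original order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def _scheme_name(challenge: str) -> str:
    # 'Basic realm="proxy"' -> "Basic"; "Negotiate" -> "Negotiate"
    return challenge.split(None, 1)[0]


def check_auth_flush(raw: str) -> AuthFlushReport:
    """Report whether the reply both challenges and closes the connection."""
    status, headers = parse_response(raw)
    close = any(v.lower() == "close" for v in headers.get("connection", []))
    challenges = headers.get("proxy-authenticate", []) + headers.get("www-authenticate", [])
    schemes = [_scheme_name(c) for c in challenges]
    ok = status in (401, 407) and close and bool(schemes)
    return AuthFlushReport(status, close, schemes, ok)


# Constructed sample: the shape of a proper flush reply (challenges + close).
GOOD_REPLY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: a reply that challenges but leaves the connection open,
# so the stale credentials stay bound to it and a fresh login cannot be sent.
BAD_REPLY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        r = check_auth_flush(reply)
        print(f"{label}: status={r.status} close={r.connection_close} "
              f"schemes={r.schemes} flush_ok={r.flush_ok}")
```

To run it against a live proxy, capture the reply head with something like `curl -sv -x proxy.example:3128 http://google.com/` (hostname and port are placeholders), paste the response headers into a string with CRLF line endings and pass it to check_auth_flush(). A report with flush_ok False points at the proxy side of the problem; a report with flush_ok True and a user still seeing the error page points at the client, as the reply above argues.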
