Bug 516245

Summary: negotiate support not enabled in squid (for kerberized sso)
Product: Red Hat Enterprise Linux 5
Reporter: Buchan Milne <bgmilne>
Component: squid
Assignee: Jiri Skala <jskala>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.3
CC: aglotov, cward, ebenes, ovasik, zmraz
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 445337
Last Closed: 2010-03-30 08:18:32 UTC
Attachments: Proposed patch against squid.spec

Description Buchan Milne 2009-08-07 16:24:55 UTC
Description of problem:
squid in RHEL5.3 can't provide single-sign-on authentication via Kerberos, as negotiate authentication is not enabled.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE21-3.el5

How reproducible:
Always

Steps to Reproduce:
1. Install squid
2. Compile squid_auth_kerb
3. Add the following to squid.conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
  
Actual results:
# /etc/init.d/squid restart
Stopping squid: 2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.
2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.
2009/08/07 17:22:46| Parsing Config File: Unknown authentication scheme 'negotiate'.


Expected results:
Squid should start, and assuming all other conditions are satisfied, transparently authenticated access control should be possible.

Additional info:
This was enabled for Fedora 8 and 10 in bug #445337, but should be available in RHEL5.

Comment 1 Zoltan Mezei 2009-09-24 15:33:20 UTC
Created attachment 362517
Proposed patch against squid.spec

Proposed naive patch against squid.spec that enables negotiate support.

Comment 5 Zbysek MRAZ 2010-02-10 08:55:51 UTC
The option within the squid configuration was enabled and thus is supported now. Nevertheless, we are not able to verify it. We are still getting authentication failures.
The environment was set up on a Kerberos-enabled system with the keytab (with HTTP/$HOSTNAME principals) properly exported and with ownership and permissions set.

These settings were used:
auth_param negotiate program /usr/<lib_pth>/squid/squid_kerb_auth -d 
auth_param negotiate children 5 
auth_param negotiate keep_alive on 

This defines the helper for authentication. Then squid.conf should contain the necessary ACL:
... 
acl auth proxy_auth REQUIRED 
... 
http_access deny !auth 
http_access allow auth 

Can you please test it in your environment and, if you are using a different setup, post your configuration files?
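
Added example (not part of the original bug report or of the squid package): a pre-flight check that compares the auth schemes used in squid.conf with the schemes listed in the build's `--enable-auth` configure option, which catches the "Unknown authentication scheme 'negotiate'" failure from the description before a restart. The `squid -v` text and the `basic` helper line are constructed sample input, and the function names are hypothetical.

```sh
#!/bin/sh
# Schemes compiled into squid, one per line, taken from `squid -v` text ($1).
built_schemes() {
    printf '%s\n' "$1" |
        sed -n "s/.*--enable-auth=\([^' ]*\).*/\1/p" |
        head -n 1 | tr -d '"' | tr ',' '\n' | sort -u
}

# Schemes named by active auth_param lines in squid.conf text ($1).
# Commented-out lines are skipped because their first field is not "auth_param".
configured_schemes() {
    printf '%s\n' "$1" |
        awk '$1 == "auth_param" && NF >= 2 { print tolower($2) }' | sort -u
}

# Configured schemes the build lacks ($1 = `squid -v` text, $2 = squid.conf text).
# Empty output means every auth_param scheme will be accepted by the parser.
missing_schemes() {
    built=$(built_schemes "$1")
    for s in $(configured_schemes "$2"); do
        printf '%s\n' "$built" | grep -qxF -- "$s" || printf '%s\n' "$s"
    done
}

# Constructed `squid -v` output: a build without and with negotiate support.
OLD_BUILD="Squid Cache: Version 2.6.STABLE21
configure options:  '--prefix=/usr' '--enable-auth=basic,digest,ntlm'"
NEW_BUILD="Squid Cache: Version 2.6.STABLE21
configure options:  '--prefix=/usr' '--enable-auth=basic,digest,ntlm,negotiate'"

# squid.conf fragment: the negotiate lines from the report plus a constructed
# basic line and a commented-out digest line.
CONF="auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param digest children 5"

echo "old build is missing: $(missing_schemes "$OLD_BUILD" "$CONF" | paste -sd, -)"
echo "new build is missing: $(missing_schemes "$NEW_BUILD" "$CONF" | paste -sd, -)"

# On a live host (assumed default config path):
#   missing_schemes "$(squid -v)" "$(cat /etc/squid/squid.conf)"
```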

Comment 8 Chris Ward 2010-02-10 09:35:39 UTC
@Buchan Milne

Please grab the latest 5.5 Beta bits from RHN, test for the resolution of this request and report your results back here.

Also, in the future, when reporting feature requests or defect reports it is critical that you escalate your issues through Red Hat Support.

Comment 10 Chris Ward 2010-02-11 10:30:15 UTC
~~ Attention Customers and Partners - RHEL 5.5 Beta is now available on RHN ~~

RHEL 5.5 Beta has been released! There should be a fix present in this 
release that addresses your request. Please test and report back results 
here, by March 3rd 2010 (2010-03-03) or sooner.

Upon successful verification of this request, post your results and update 
the Verified field in Bugzilla with the appropriate value.

If you encounter any issues while testing, please describe them and set 
this bug into NEED_INFO. If you encounter new defects or have additional 
patch(es) to request for inclusion, please clone this bug per each request
and escalate through your support representative.

Comment 12 errata-xmlrpc 2010-03-30 08:18:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0221.html