---------------------
PatchSet 2362
Date: 2001/05/20 22:24:48
Author: rbcollins
Branch: auth_rewrite
Tag: (none)
Log:
disable pipelining when NTLM is enabled -to prevent authentication race
Members:
src/auth/basic/helpers/multi-domain-NTLM/README.txt:1.1.2.1->1.1.2.2
src/auth/basic/helpers/multi-domain-NTLM/smb_auth.pl:1.1.2.2->1.1.2.3
src/auth/ntlm/auth_ntlm.c:1.1.2.40->1.1.2.41
Index: squid/src/auth/basic/helpers/multi-domain-NTLM/README.txt
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/multi-domain-NTLM/Attic/README.txt,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -r1.1.2.1 -r1.1.2.2
--- squid/src/auth/basic/helpers/multi-domain-NTLM/README.txt 7 Jan 2001 14:52:25 -0000 1.1.2.1
+++ squid/src/auth/basic/helpers/multi-domain-NTLM/README.txt 20 May 2001 22:24:48 -0000 1.1.2.2
@@ -1,5 +1,5 @@
-From: "Chemolli Francesco (USI)"
+From: "Francesco Chemolli"
 Subject: Multiple NT domains authenticator
 Date: Fri, 7 Jul 2000 15:37:32 +0200
Index: squid/src/auth/basic/helpers/multi-domain-NTLM/smb_auth.pl
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/basic/helpers/multi-domain-NTLM/Attic/smb_auth.pl,v
retrieving revision 1.1.2.2
retrieving revision 1.1.2.3
diff -u -r1.1.2.2 -r1.1.2.3
--- squid/src/auth/basic/helpers/multi-domain-NTLM/smb_auth.pl 9 Apr 2001 13:36:13 -0000 1.1.2.2
+++ squid/src/auth/basic/helpers/multi-domain-NTLM/smb_auth.pl 20 May 2001 22:24:48 -0000 1.1.2.3
@@ -1,7 +1,8 @@
 #!/usr/bin/perl
+# $Id$
 #if you define this, debugging output will be printed to STDERR.
-$debug=1;
+#$debug=1;
 #to force using some DC for some domains, fill in this hash.
 #the key is a regexp matched against the domain name
@@ -14,7 +15,7 @@
 #define this if you wish to use a WINS server. If undefined, broadcast
 # will be attempted.
-$wins_server="winsservername";
+#$wins_server="winsservername";
 # Some servers (at least mine) really really want to be called by address.
 # If this variable is defined, we'll ask nmblookup to do a reverse DNS on the
Index: squid/src/auth/ntlm/auth_ntlm.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v
retrieving revision 1.1.2.40
retrieving revision 1.1.2.41
diff -u -r1.1.2.40 -r1.1.2.41
--- squid/src/auth/ntlm/auth_ntlm.c 10 Mar 2001 00:40:10 -0000 1.1.2.40
+++ squid/src/auth/ntlm/auth_ntlm.c 20 May 2001 22:24:48 -0000 1.1.2.41
@@ -180,6 +180,16 @@
 } else {
 debug(28, 0) ("unrecognised ntlm auth scheme parameter '%s'\n", param_str);
 }
+ /* disable client side request pipelining. There is a race with NTLM when the client
+ * sends a second request on an NTLM connection before the authenticate challenge is
+ * sent.
+ * With this patch, the client may fail to authenticate, but squid's state will be
+ * preserved.
+ * Caveats: this should be a post-parse test, but that can wait for the modular
+ * parser to be integrated.
+ */
+ if (ntlmConfig->authenticate)
+ Config.onoff.pipeline_prefetch=0;
 }
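Review bot: The new `if (ntlmConfig->authenticate)` check at the end of the auth_ntlm.c hunk clears the global `Config.onoff.pipeline_prefetch` without logging anything, so an operator who enabled pipelining gets no hint that NTLM turned it off. Because the check runs inside the per-parameter parser rather than after parsing (the comment's own caveat), a `pipeline_prefetch` directive read later in the configuration would presumably switch it back on and reopen the authentication race; the comment should state that ordering dependency until the post-parse test exists. I would guard and brace it as `if (ntlmConfig->authenticate && Config.onoff.pipeline_prefetch) {` and add `debug(28, 1) ("NTLM authentication configured: disabling pipeline_prefetch\n");` before the assignment, so the message appears once rather than on every parsed parameter. The enclosing function begins above the hunk.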