Closed Bug 72387 Opened 23 years ago Closed 23 years ago

Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED INVALID

People

(Reporter: cynic, Assigned: neeti)

Details

Attachments

(7 files)

The tcpdump from using mozilla
2.94 KB, text/plain
Details
The tcpdump from using lynx
4.03 KB, text/plain
Details
tcpdump -w mozilla.tcpdump port 3128 (as requested :))
1020 bytes, application/octet-stream
Details
tcpdump -w lynx.tcpdump port 3128 (the lynx tcpdump)
1.73 KB, application/octet-stream
Details
Ethereal output (lynx, listening to port 3128)
12.82 KB, application/octet-stream
Details
Ehtereal output (mozilla, listening to port 3128)
5.42 KB, application/octet-stream
Details
"netstat -a" output shortly after an access-denied message.
16.87 KB, text/plain
Details 
Many universities (such as the one I'm at) use an ident daemon to track bandwidth consumption on a per-user basis.  The unix daemon is called "pidentd", and is freely available (try getting it from ftp://rucus.ru.ac.za/pub/.2/FreeBSD/ports/distfiles/pidentd-2.8.5.tar.gz).

Other browsers for Linux (lynx, Konqueror, Netscape 4.xx) work perfectly with this ident daemon.  However, Mozilla does not, and attempting to access any external site using Mozilla results in an error message since my University does not allow anyone access to external sites if they haven't been cleared by ident.

Is ident support going to ever make it into Mozilla builds?
I'm unsure exactly what you're asking for. Are you saying that on the same
computer mozilla doesn't work, but netscape/lynx/etc do?

Do you normally have to give a username/password to a proxy server of some sort?
If you do, does mozilla ask you for this information?

Mozilla doesn't come with an ident daemon - thats a function of the operating
system's network utilities.

(Also, you don't have to cc yourself on bugs you file - by default the reporter
gets sent any changes)
Sorry, I wasn't very clear, I see that now.

Yes, Netscape, Lynx, Konqueror, and utilities like ftp/ncftp, wget etc, work perfectly on the same computer - but mozilla doesn't.  I do go through a proxy server, and I've placed that proxy server in Mozilla's preferences section.

Mozilla simply doesn't seem to go through the ident daemon, or it doesn't pick up Mozilla's activity.

To make matters somewhat more complex, Mozilla works fine on Win2K with an ident daemon running in the background there.
I doubt that its the ident server. Do you have to give a user name and password
to the proxy server (and the ident server is used to verify that the user of the
computer is the person they say they are)? Or is this done transparently?

I'm guessing a incompatability with the proxy server of some sort. Do you know
what type of server it is/version/etc?

Although you said it runs on W2K. Does it still work if you don't have the ident
server running on W2K? I think mozilla supports using the windows domain logins
as proxy server authenticaion. I'm not sure though.
No, it's done completely transparently.  No user name and password required.  The ident client (read up on the protocol if you wish, it's available as an RFC) returns the username of the logged-in user, as well as the Operating System name, to the ident server.  All completely transparent.  The web request goes through to a proxy server; the proxy server asks the ident server to query my computer, which it does; the ident daemon on my computer returns the appropriate information; based on this information, the proxy server decides what to do with my request.  This should work with any setup, as the browser has no direct interaction with the ident server at all .... unless it's somehow interfering with the ident daemon, which listens to port 113.

It doesn't work if the ident client is not running on Win2K.  The ident daemon *must* be active for any web or ftp request to get to any external sites.

Our proxy server is Squid 2.3.STABLE4. (wwwproxy.ru.ac.za, port 3128).  A very well-known proxy server indeed; if Mozilla was not compatible with it, I'm guessing you'd have had lots and lots of bug reports flooding in ...
I'm sure squid works :) Can you try getting some network traces of both ns4 and
mozilla, connecting to the same site, and attaching them to this bug?

What does telnetting to the proxy server manually do:

~$ telnet wwwproxy.ru.ac.za 3128
Trying 146.231.128.8...
Connected to turtle.ru.ac.za.
Escape character is '^]'.
GET http://www.google.com/ HTTP/1.0
Host: www.google.com

HTTP/1.0 403 Forbidden
Server: Squid/2.3.STABLE4
... (I obviously get a permission denied error)

For mozilla, you can set the environment variables:
NSPR_LOG_MODULES=nsHTTPProtocol:5
NSPR_LOG_FILE=nspr.log

before running mozilla (That will only work if you have a debug build, I think)
and then attach nspr.log to the bug.

What version of mozilla are you using?

One other thing - are you trying to use autoproxy? That doesn't work yet - try
manual proxies instead. I don't think thats the problem, because then you
probably wouldn't get an error message at all.
as for pidentd, it can be configured with a limit to how many sockets it will
accept from one client. Mozilla can be rather generous at opening sockets. Can
that be the culprit?
Which build is reporter using?
There's been bugged builds opening sockets almost ad infinitum..
R.K.Aa: Possible (if the proxy server has one ident connection per proxy
connection), but you should at least get the first page.
'k, some of this might be relevant, some of it might not; up to you guys to decide, I guess.

Creating the envoronment variables you specified *does* result in a file called "nspr.log" being created .... and it's totally blank.  Nothing in it, at all.  As a point of fact, mozilla consistently displays the diagnostic "Document <address here> loaded successfully", whether that address has resulted in a blocked page or not.

I'm not using autoproxy.  I'm using today's build, Build ID 2001031611.  I'm using http://www.mozilla.org as my homepage (for testing purposes), and it fails to load at startup.

I've searched for information everywhere - man pages, documentation, web, info - read the source code, grep'ed for the word "socket" anywhere -- nothing.  There's no option I can find to increase the number of sockets pidentd accepts from a client.  Right now, I'm open to options on this front....

I'm attaching 2 files, lynx.tcpdump and mozilla.tcpdump.  They record the traffic that goes between knight.home (my computer) and turtle (the proxy) for lynx and mozilla attempting to load the same page, http://www.mozilla.org.  Lynx succeeds; Mozilla does not.  The command used was "tcpdump host wwwproxy.ru.ac.za" (I'd have done a "tcpdump host knight.home.ru.ac.za", but I suspect irrelevant info might creep into that output!).

    
    

    
  


  

    
    

    
  
OK, so you do need a debug build to get the logs directly from mozilla.

Those tcpdumps aren't any help, unfortunately - they don't include the actual
packet data. Try:

tcpdump -w filename port 3128

then attach the files. (You did say that port 3128 was the proxy port, right)? I
don't think that pidentd sockets is the problem - you could try:

telnet localhost 113

while mozilla is open, and see if you can connect.

    
    

    
  
All those packets are truncated (within the log file - the actual files
themselves are fine) for some reason. :(  There may be an option which my
version of tcpdump sets by default and yours doesn't.

Can you try ethereal (www.ethereal.com) instead and attach those files?

    
    

    
  


  

    
    

    
  
Thanks for that. Can you try manually telnetting to the port, and telling me
whether you get a forbidden response, or the correct page for the following
(with an extra blank line after each sequence of headers). I can't see anything
wrong with what mozilla is sending - my guess is that the custom authentication
handler is getting something wrong, and just sending back the default refuse
message.

GET http://www.mozilla.org/ HTTP/1.0
Host: www.mozilla.org

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
Connection: close

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
Connection: keep-alive
Keep-alive: 300

GET http://www.mozilla.org/ HTTP/1.0
Host: www.mozilla.org
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8.1) Gecko/20010316
Accept: */*
Accept-Language: en
Accept-Encoding: gzip,deflate,compress,identity
Keep-Alive: 300
Connection: keep-alive

If some of these keep connected after sending the document, please mention that
as well (and quit the telnet session before trying another one)

Is there a computer somewhere which can be set up to use the proxy, but does not
require identd? Does mozilla/ns6 work on those computers?
Whiteboard: proxy issue?

    
    

    
  
Results ("telnet wwwproxy.ru.ac.za 3128" with each test case, always closing the connection before connecting again):
(1) Page is returned, connection closed.
(2) Page is returned, connection stays open.
(3) Page is returned, connection closed.
(4) Page is returned, connection stays open.
(5) Page is returned, connection closed.
(6) Page is returned, connection stays open.

The correct page was returned at all times ... I never got the access-denied page.  There is no computer on the network which can be set up to use the proxy without using identd ... since March 1, either you use identd, or access is blocked; so I can't test if mozilla works on one...
Whiteboard: proxy issue?

    
    

    
  
Before identd was required, did mozilla work with the proxy? That last test was
exactly what mozilla sent. Are there any messages from identd in
/var/log/messages?

Are you sure that you have the proxy set up correctly in the preferences?
Immediately after you get the access denied message, can you run netstat -a, and
attach the output?

    
    

    
  
Yes, mozilla worked perfectly with the proxy before ident was required.  /var/log/messages contains the interesting line "Mar 19 17:27:30 knight in.identd[23936]: reply to 146.231.128.8: 2347 , 3128 : ERROR: UNKNOWN-ERROR" when mozilla tries to load a page ... the line *should* read "Mar 19 17:25:44 knight in.identd[23878]: reply to 146.231.128.8: 2346 , 3128 : USERID : UNIX :cynic".  Interesting :)

The proxy is set up perfectly.  wwwproxy.ru.ac.za, port 3128, as per spec.  Nothing wrong there, exactly the same proxy setting works on Win9x and Win2K computers with no trouble.

The netstat output will be coming your way shortly....

    
    

    
  
I think that this is a local configuration problem of some sort. I hacked up a
cgi script which simply sleeps for 30 seconds, and could connect to that using
mozilla (via localhost) and use pidentd (the same version you pointed me to)
without a problem. Are other people at your uni using linux having problems with
mozilla (but not ns4), on different computers?

    
    

    
  
Doubtful IMHO.  The problem appears on another computer, bones.graham.ru.ac.za.  We're both using Slackware, perhaps try this on a Slackware box on your side, maybe there's some misconfiguration in the distribution itself??  I'll try it tomorrow on a Red Hat system, but I think the problem will still be there ... I'll add another comment telling you of the results on that system.

It seems highly unlikely to be a misconfiguration considering that konqueror, lynx, ns4, ...heck, even the built-in StarOffice browser ... all work perfectly.  I'm tempted to assume the problem lies with Mozilla, instead of with all these other products...

    
    

    
  
Well, thats what is really strange. Mozilla is threaded though, and none of the
other apps you mentioned are. The identd source code doesn't appear to abort if
it finds more than one maching entry (it will get one for each thread), but I
only glanced at it quickly.

Whats your kernel/glibc version?

If you don't run identd with the -e option you should get a more informative
error message in your logs (identd hides it for security reasons)

    
    

    
  
Running kernel 2.4.2, using glibc 2.2.2 ... pidentd isn't running with the -e option.  The line is "in.identd -w -l -t120" (wait and listen for 2 minutes, log stuff to the system logs).  Essentially, I've got the latest version of just about everything.

Although perhaps the 2.4.0 series has a flaw in it (bones.graham is running 2.4.0).  I'll try the 2.2.x series out tomorrow, the Red Hat system is using it.

I'll post more info tomorrow, when I can get access to the Red Hat system.

    
    

    
  
You might want to try upgrading pidentd as well:

ftp://ftp.lysator.liu.se/pub/ident/servers/

    
    

    
  
Bug does not appear when using RH Linux..... must be a Slackware-specific problem, I'll look into it.  Feel free to resolve this bug as you see fit....

    
    

    
  
Either that, or pidentd isn't working with kernel 2.4 and threads.

Marking INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID

    
    

    
  
See bug 125214 - disabling ipv6 clears the problem.
Depends on: 125214

    
  
QA Contact: tever → benc

    
    

    
  
VERIFIED/invalid
Status: RESOLVED → VERIFIED

    
  
Summary: Mozilla does not work with Ident daemon → Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla

    
  
No longer depends on: 125214

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: