If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla




17 years ago
15 years ago


(Reporter: cynic, Assigned: neeti)



Firefox Tracking Flags

(Not tracked)



(7 attachments)



17 years ago
Many universities (such as the one I'm at) use an ident daemon to track bandwidth consumption on a per-user basis.  The unix daemon is called "pidentd", and is freely available (try getting it from ftp://rucus.ru.ac.za/pub/.2/FreeBSD/ports/distfiles/pidentd-2.8.5.tar.gz).

Other browsers for Linux (lynx, Konqueror, Netscape 4.xx) work perfectly with this ident daemon.  However, Mozilla does not, and attempting to access any external site using Mozilla results in an error message since my University does not allow anyone access to external sites if they haven't been cleared by ident.

Is ident support going to ever make it into Mozilla builds?

Comment 1

17 years ago
I'm unsure exactly what you're asking for. Are you saying that on the same
computer mozilla doesn't work, but netscape/lynx/etc do?

Do you normally have to give a username/password to a proxy server of some sort?
If you do, does mozilla ask you for this information?

Mozilla doesn't come with an ident daemon - thats a function of the operating
system's network utilities.

(Also, you don't have to cc yourself on bugs you file - by default the reporter
gets sent any changes)

Comment 2

17 years ago
Sorry, I wasn't very clear, I see that now.

Yes, Netscape, Lynx, Konqueror, and utilities like ftp/ncftp, wget etc, work perfectly on the same computer - but mozilla doesn't.  I do go through a proxy server, and I've placed that proxy server in Mozilla's preferences section.

Mozilla simply doesn't seem to go through the ident daemon, or it doesn't pick up Mozilla's activity.

To make matters somewhat more complex, Mozilla works fine on Win2K with an ident daemon running in the background there.

Comment 3

17 years ago
I doubt that its the ident server. Do you have to give a user name and password
to the proxy server (and the ident server is used to verify that the user of the
computer is the person they say they are)? Or is this done transparently?

I'm guessing a incompatability with the proxy server of some sort. Do you know
what type of server it is/version/etc?

Although you said it runs on W2K. Does it still work if you don't have the ident
server running on W2K? I think mozilla supports using the windows domain logins
as proxy server authenticaion. I'm not sure though.

Comment 4

17 years ago
No, it's done completely transparently.  No user name and password required.  The ident client (read up on the protocol if you wish, it's available as an RFC) returns the username of the logged-in user, as well as the Operating System name, to the ident server.  All completely transparent.  The web request goes through to a proxy server; the proxy server asks the ident server to query my computer, which it does; the ident daemon on my computer returns the appropriate information; based on this information, the proxy server decides what to do with my request.  This should work with any setup, as the browser has no direct interaction with the ident server at all .... unless it's somehow interfering with the ident daemon, which listens to port 113.

It doesn't work if the ident client is not running on Win2K.  The ident daemon *must* be active for any web or ftp request to get to any external sites.

Our proxy server is Squid 2.3.STABLE4. (wwwproxy.ru.ac.za, port 3128).  A very well-known proxy server indeed; if Mozilla was not compatible with it, I'm guessing you'd have had lots and lots of bug reports flooding in ...

Comment 5

17 years ago
I'm sure squid works :) Can you try getting some network traces of both ns4 and
mozilla, connecting to the same site, and attaching them to this bug?

What does telnetting to the proxy server manually do:

~$ telnet wwwproxy.ru.ac.za 3128
Connected to turtle.ru.ac.za.
Escape character is '^]'.
GET http://www.google.com/ HTTP/1.0
Host: www.google.com

HTTP/1.0 403 Forbidden
Server: Squid/2.3.STABLE4
... (I obviously get a permission denied error)

For mozilla, you can set the environment variables:

before running mozilla (That will only work if you have a debug build, I think)
and then attach nspr.log to the bug.

What version of mozilla are you using?

One other thing - are you trying to use autoproxy? That doesn't work yet - try
manual proxies instead. I don't think thats the problem, because then you
probably wouldn't get an error message at all.

Comment 6

17 years ago
as for pidentd, it can be configured with a limit to how many sockets it will
accept from one client. Mozilla can be rather generous at opening sockets. Can
that be the culprit?
Which build is reporter using?
There's been bugged builds opening sockets almost ad infinitum..

Comment 7

17 years ago
R.K.Aa: Possible (if the proxy server has one ident connection per proxy
connection), but you should at least get the first page.

Comment 8

17 years ago
'k, some of this might be relevant, some of it might not; up to you guys to decide, I guess.

Creating the envoronment variables you specified *does* result in a file called "nspr.log" being created .... and it's totally blank.  Nothing in it, at all.  As a point of fact, mozilla consistently displays the diagnostic "Document <address here> loaded successfully", whether that address has resulted in a blocked page or not.

I'm not using autoproxy.  I'm using today's build, Build ID 2001031611.  I'm using http://www.mozilla.org as my homepage (for testing purposes), and it fails to load at startup.

I've searched for information everywhere - man pages, documentation, web, info - read the source code, grep'ed for the word "socket" anywhere -- nothing.  There's no option I can find to increase the number of sockets pidentd accepts from a client.  Right now, I'm open to options on this front....

I'm attaching 2 files, lynx.tcpdump and mozilla.tcpdump.  They record the traffic that goes between knight.home (my computer) and turtle (the proxy) for lynx and mozilla attempting to load the same page, http://www.mozilla.org.  Lynx succeeds; Mozilla does not.  The command used was "tcpdump host wwwproxy.ru.ac.za" (I'd have done a "tcpdump host knight.home.ru.ac.za", but I suspect irrelevant info might creep into that output!).

Comment 9

17 years ago
Created attachment 28046 [details]
The tcpdump from using mozilla

Comment 10

17 years ago
Created attachment 28047 [details]
The tcpdump from using lynx

Comment 11

17 years ago
OK, so you do need a debug build to get the logs directly from mozilla.

Those tcpdumps aren't any help, unfortunately - they don't include the actual
packet data. Try:

tcpdump -w filename port 3128

then attach the files. (You did say that port 3128 was the proxy port, right)? I
don't think that pidentd sockets is the problem - you could try:

telnet localhost 113

while mozilla is open, and see if you can connect.

Comment 12

17 years ago
Created attachment 28053 [details]
tcpdump -w mozilla.tcpdump port 3128 (as requested :))

Comment 13

17 years ago
Created attachment 28054 [details]
tcpdump -w lynx.tcpdump port 3128 (the lynx tcpdump)

Comment 14

17 years ago
All those packets are truncated (within the log file - the actual files
themselves are fine) for some reason. :(  There may be an option which my
version of tcpdump sets by default and yours doesn't.

Can you try ethereal (www.ethereal.com) instead and attach those files?

Comment 15

17 years ago
Created attachment 28083 [details]
Ethereal output (lynx, listening to port 3128)

Comment 16

17 years ago
Created attachment 28084 [details]
Ehtereal output (mozilla, listening to port 3128)

Comment 17

17 years ago
Thanks for that. Can you try manually telnetting to the port, and telling me
whether you get a forbidden response, or the correct page for the following
(with an extra blank line after each sequence of headers). I can't see anything
wrong with what mozilla is sending - my guess is that the custom authentication
handler is getting something wrong, and just sending back the default refuse

GET http://www.mozilla.org/ HTTP/1.0
Host: www.mozilla.org

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
Connection: close

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
Connection: keep-alive
Keep-alive: 300

GET http://www.mozilla.org/ HTTP/1.0
Host: www.mozilla.org
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14

GET http://www.mozilla.org/ HTTP/1.1
Host: www.mozilla.org
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8.1) Gecko/20010316
Accept: */*
Accept-Language: en
Accept-Encoding: gzip,deflate,compress,identity
Keep-Alive: 300
Connection: keep-alive

If some of these keep connected after sending the document, please mention that
as well (and quit the telnet session before trying another one)

Is there a computer somewhere which can be set up to use the proxy, but does not
require identd? Does mozilla/ns6 work on those computers?
Whiteboard: proxy issue?

Comment 18

17 years ago
Results ("telnet wwwproxy.ru.ac.za 3128" with each test case, always closing the connection before connecting again):
(1) Page is returned, connection closed.
(2) Page is returned, connection stays open.
(3) Page is returned, connection closed.
(4) Page is returned, connection stays open.
(5) Page is returned, connection closed.
(6) Page is returned, connection stays open.

The correct page was returned at all times ... I never got the access-denied page.  There is no computer on the network which can be set up to use the proxy without using identd ... since March 1, either you use identd, or access is blocked; so I can't test if mozilla works on one...
Whiteboard: proxy issue?

Comment 19

17 years ago
Before identd was required, did mozilla work with the proxy? That last test was
exactly what mozilla sent. Are there any messages from identd in

Are you sure that you have the proxy set up correctly in the preferences?
Immediately after you get the access denied message, can you run netstat -a, and
attach the output?

Comment 20

17 years ago
Yes, mozilla worked perfectly with the proxy before ident was required.  /var/log/messages contains the interesting line "Mar 19 17:27:30 knight in.identd[23936]: reply to 2347 , 3128 : ERROR: UNKNOWN-ERROR" when mozilla tries to load a page ... the line *should* read "Mar 19 17:25:44 knight in.identd[23878]: reply to 2346 , 3128 : USERID : UNIX :cynic".  Interesting :)

The proxy is set up perfectly.  wwwproxy.ru.ac.za, port 3128, as per spec.  Nothing wrong there, exactly the same proxy setting works on Win9x and Win2K computers with no trouble.

The netstat output will be coming your way shortly....

Comment 21

17 years ago
Created attachment 28105 [details]
"netstat -a" output shortly after an access-denied message.

Comment 22

17 years ago
I think that this is a local configuration problem of some sort. I hacked up a
cgi script which simply sleeps for 30 seconds, and could connect to that using
mozilla (via localhost) and use pidentd (the same version you pointed me to)
without a problem. Are other people at your uni using linux having problems with
mozilla (but not ns4), on different computers?

Comment 23

17 years ago
Doubtful IMHO.  The problem appears on another computer, bones.graham.ru.ac.za.  We're both using Slackware, perhaps try this on a Slackware box on your side, maybe there's some misconfiguration in the distribution itself??  I'll try it tomorrow on a Red Hat system, but I think the problem will still be there ... I'll add another comment telling you of the results on that system.

It seems highly unlikely to be a misconfiguration considering that konqueror, lynx, ns4, ...heck, even the built-in StarOffice browser ... all work perfectly.  I'm tempted to assume the problem lies with Mozilla, instead of with all these other products...

Comment 24

17 years ago
Well, thats what is really strange. Mozilla is threaded though, and none of the
other apps you mentioned are. The identd source code doesn't appear to abort if
it finds more than one maching entry (it will get one for each thread), but I
only glanced at it quickly.

Whats your kernel/glibc version?

If you don't run identd with the -e option you should get a more informative
error message in your logs (identd hides it for security reasons)

Comment 25

17 years ago
Running kernel 2.4.2, using glibc 2.2.2 ... pidentd isn't running with the -e option.  The line is "in.identd -w -l -t120" (wait and listen for 2 minutes, log stuff to the system logs).  Essentially, I've got the latest version of just about everything.

Although perhaps the 2.4.0 series has a flaw in it (bones.graham is running 2.4.0).  I'll try the 2.2.x series out tomorrow, the Red Hat system is using it.

I'll post more info tomorrow, when I can get access to the Red Hat system.

Comment 26

17 years ago
You might want to try upgrading pidentd as well:


Comment 27

17 years ago
Bug does not appear when using RH Linux..... must be a Slackware-specific problem, I'll look into it.  Feel free to resolve this bug as you see fit....

Comment 28

17 years ago
Either that, or pidentd isn't working with kernel 2.4 and threads.

Marking INVALID.
Last Resolved: 17 years ago
Resolution: --- → INVALID

Comment 29

16 years ago
See bug 125214 - disabling ipv6 clears the problem.
Depends on: 125214


15 years ago
QA Contact: tever → benc

Comment 30

15 years ago


15 years ago
Summary: Mozilla does not work with Ident daemon → Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla


15 years ago
No longer depends on: 125214
You need to log in before you can comment on or make changes to this bug.