Closed
Bug 72387
Opened 24 years ago
Closed 23 years ago
Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla
Categories
(Core :: Networking, defect)
VERIFIED
INVALID
People
(Reporter: cynic, Assigned: neeti)
Details
Attachments
(7 files)
Many universities (such as the one I'm at) use an ident daemon to track bandwidth consumption on a per-user basis. The unix daemon is called "pidentd", and is freely available (try getting it from ftp://rucus.ru.ac.za/pub/.2/FreeBSD/ports/distfiles/pidentd-2.8.5.tar.gz). Other browsers for Linux (lynx, Konqueror, Netscape 4.xx) work perfectly with this ident daemon. However, Mozilla does not, and attempting to access any external site using Mozilla results in an error message since my University does not allow anyone access to external sites if they haven't been cleared by ident. Is ident support going to ever make it into Mozilla builds?
Comment 1•24 years ago
I'm unsure exactly what you're asking for. Are you saying that on the same computer mozilla doesn't work, but netscape/lynx/etc do? Do you normally have to give a username/password to a proxy server of some sort? If you do, does mozilla ask you for this information? Mozilla doesn't come with an ident daemon - that's a function of the operating system's network utilities. (Also, you don't have to cc yourself on bugs you file - by default the reporter gets sent any changes)
Sorry, I wasn't very clear, I see that now. Yes, Netscape, Lynx, Konqueror, and utilities like ftp/ncftp, wget etc, work perfectly on the same computer - but mozilla doesn't. I do go through a proxy server, and I've placed that proxy server in Mozilla's preferences section. Mozilla simply doesn't seem to go through the ident daemon, or it doesn't pick up Mozilla's activity. To make matters somewhat more complex, Mozilla works fine on Win2K with an ident daemon running in the background there.
Comment 3•24 years ago
I doubt that it's the ident server. Do you have to give a user name and password to the proxy server (and the ident server is used to verify that the user of the computer is the person they say they are)? Or is this done transparently? I'm guessing an incompatibility with the proxy server of some sort. Do you know what type of server it is/version/etc? Although you said it runs on W2K. Does it still work if you don't have the ident server running on W2K? I think mozilla supports using the windows domain logins as proxy server authentication. I'm not sure though.
No, it's done completely transparently. No user name and password required. The ident client (read up on the protocol if you wish, it's available as an RFC) returns the username of the logged-in user, as well as the Operating System name, to the ident server. All completely transparent. The web request goes through to a proxy server; the proxy server asks the ident server to query my computer, which it does; the ident daemon on my computer returns the appropriate information; based on this information, the proxy server decides what to do with my request. This should work with any setup, as the browser has no direct interaction with the ident server at all .... unless it's somehow interfering with the ident daemon, which listens to port 113. It doesn't work if the ident client is not running on Win2K. The ident daemon *must* be active for any web or ftp request to get to any external sites. Our proxy server is Squid 2.3.STABLE4. (wwwproxy.ru.ac.za, port 3128). A very well-known proxy server indeed; if Mozilla was not compatible with it, I'm guessing you'd have had lots and lots of bug reports flooding in ...
Comment 5•24 years ago
I'm sure squid works :) Can you try getting some network traces of both ns4 and mozilla, connecting to the same site, and attaching them to this bug?

What does telnetting to the proxy server manually do:

    ~$ telnet wwwproxy.ru.ac.za 3128
    Trying 146.231.128.8...
    Connected to turtle.ru.ac.za.
    Escape character is '^]'.
    GET http://www.google.com/ HTTP/1.0
    Host: www.google.com

    HTTP/1.0 403 Forbidden
    Server: Squid/2.3.STABLE4
    ...

(I obviously get a permission denied error)

For mozilla, you can set the environment variables:

    NSPR_LOG_MODULES=nsHTTPProtocol:5
    NSPR_LOG_FILE=nspr.log

before running mozilla (That will only work if you have a debug build, I think) and then attach nspr.log to the bug.

What version of mozilla are you using? One other thing - are you trying to use autoproxy? That doesn't work yet - try manual proxies instead. I don't think that's the problem, because then you probably wouldn't get an error message at all.
as for pidentd, it can be configured with a limit to how many sockets it will accept from one client. Mozilla can be rather generous at opening sockets. Can that be the culprit? Which build is reporter using? There's been bugged builds opening sockets almost ad infinitum..
Comment 7•24 years ago
R.K.Aa: Possible (if the proxy server has one ident connection per proxy connection), but you should at least get the first page.
'k, some of this might be relevant, some of it might not; up to you guys to decide, I guess. Creating the environment variables you specified *does* result in a file called "nspr.log" being created .... and it's totally blank. Nothing in it, at all. As a point of fact, mozilla consistently displays the diagnostic "Document <address here> loaded successfully", whether that address has resulted in a blocked page or not. I'm not using autoproxy. I'm using today's build, Build ID 2001031611. I'm using http://www.mozilla.org as my homepage (for testing purposes), and it fails to load at startup. I've searched for information everywhere - man pages, documentation, web, info - read the source code, grep'ed for the word "socket" anywhere -- nothing. There's no option I can find to increase the number of sockets pidentd accepts from a client. Right now, I'm open to options on this front.... I'm attaching 2 files, lynx.tcpdump and mozilla.tcpdump. They record the traffic that goes between knight.home (my computer) and turtle (the proxy) for lynx and mozilla attempting to load the same page, http://www.mozilla.org. Lynx succeeds; Mozilla does not. The command used was "tcpdump host wwwproxy.ru.ac.za" (I'd have done a "tcpdump host knight.home.ru.ac.za", but I suspect irrelevant info might creep into that output!).
Reporter
Comment 10•24 years ago
Comment 11•24 years ago
OK, so you do need a debug build to get the logs directly from mozilla. Those tcpdumps aren't any help, unfortunately - they don't include the actual packet data. Try:

    tcpdump -w filename port 3128

then attach the files. (You did say that port 3128 was the proxy port, right)? I don't think that pidentd sockets is the problem - you could try:

    telnet localhost 113

while mozilla is open, and see if you can connect.
Reporter
Comment 12•24 years ago
Reporter
Comment 13•24 years ago
Comment 14•24 years ago
All those packets are truncated (within the log file - the actual files themselves are fine) for some reason. :( There may be an option which my version of tcpdump sets by default and yours doesn't. Can you try ethereal (www.ethereal.com) instead and attach those files?
Reporter
Comment 15•24 years ago
Reporter
Comment 16•24 years ago
Comment 17•24 years ago
Thanks for that. Can you try manually telnetting to the port, and telling me whether you get a forbidden response, or the correct page for the following (with an extra blank line after each sequence of headers). I can't see anything wrong with what mozilla is sending - my guess is that the custom authentication handler is getting something wrong, and just sending back the default refuse message.

    GET http://www.mozilla.org/ HTTP/1.0
    Host: www.mozilla.org

    GET http://www.mozilla.org/ HTTP/1.1
    Host: www.mozilla.org

    GET http://www.mozilla.org/ HTTP/1.1
    Host: www.mozilla.org
    Connection: close

    GET http://www.mozilla.org/ HTTP/1.1
    Host: www.mozilla.org
    Connection: keep-alive
    Keep-alive: 300

    GET http://www.mozilla.org/ HTTP/1.0
    Host: www.mozilla.org
    Accept: text/html, text/plain, text/sgml, */*;q=0.01
    Accept-Encoding: gzip, compress
    Accept-Language: en
    User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14

    GET http://www.mozilla.org/ HTTP/1.1
    Host: www.mozilla.org
    User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8.1) Gecko/20010316
    Accept: */*
    Accept-Language: en
    Accept-Encoding: gzip,deflate,compress,identity
    Keep-Alive: 300
    Connection: keep-alive

If some of these keep connected after sending the document, please mention that as well (and quit the telnet session before trying another one)

Is there a computer somewhere which can be set up to use the proxy, but does not require identd? Does mozilla/ns6 work on those computers?
Whiteboard: proxy issue?
Reporter
Comment 18•24 years ago
Results ("telnet wwwproxy.ru.ac.za 3128" with each test case, always closing the connection before connecting again):

(1) Page is returned, connection closed.
(2) Page is returned, connection stays open.
(3) Page is returned, connection closed.
(4) Page is returned, connection stays open.
(5) Page is returned, connection closed.
(6) Page is returned, connection stays open.

The correct page was returned at all times ... I never got the access-denied page. There is no computer on the network which can be set up to use the proxy without using identd ... since March 1, either you use identd, or access is blocked; so I can't test if mozilla works on one...
Whiteboard: proxy issue?
Comment 19•24 years ago
Before identd was required, did mozilla work with the proxy? That last test was exactly what mozilla sent. Are there any messages from identd in /var/log/messages? Are you sure that you have the proxy set up correctly in the preferences? Immediately after you get the access denied message, can you run netstat -a, and attach the output?
Reporter
Comment 20•24 years ago
Yes, mozilla worked perfectly with the proxy before ident was required. /var/log/messages contains the interesting line "Mar 19 17:27:30 knight in.identd[23936]: reply to 146.231.128.8: 2347 , 3128 : ERROR: UNKNOWN-ERROR" when mozilla tries to load a page ... the line *should* read "Mar 19 17:25:44 knight in.identd[23878]: reply to 146.231.128.8: 2346 , 3128 : USERID : UNIX :cynic". Interesting :) The proxy is set up perfectly. wwwproxy.ru.ac.za, port 3128, as per spec. Nothing wrong there, exactly the same proxy setting works on Win9x and Win2K computers with no trouble. The netstat output will be coming your way shortly....
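Added example, not part of the bug thread and not pidentd's or Mozilla's code: a parser for the RFC 1413 reply lines that in.identd logs, run over the two syslog lines quoted in the comment above plus one constructed line. The names parse_reply, failed_lookups and SAMPLE are assumptions of this example.

```python
import re
# Error tokens defined by RFC 1413; any other token must start with "X".
STANDARD_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# Syslog form quoted in the comment above: "in.identd[pid]: reply to <ip>: <reply>"
SYSLOG_RE = re.compile(r"in\.identd\[\d+\]: reply to (?P<peer>[\d.]+): (?P<reply>.*)$")
# The first two lines are quoted in the thread; the third is constructed for this example.
SAMPLE = [
    "Mar 19 17:27:30 knight in.identd[23936]: reply to 146.231.128.8: 2347 , 3128 : ERROR: UNKNOWN-ERROR",
    "Mar 19 17:25:44 knight in.identd[23878]: reply to 146.231.128.8: 2346 , 3128 : USERID : UNIX :cynic",
    "Mar 19 17:30:02 knight in.identd[24001]: reply to 192.0.2.10: 40112 , 3128 : ERROR : NO-USER",
]

def parse_reply(reply):
    """Parse '<local-port> , <remote-port> : USERID|ERROR : ...' into a dict.

    Simplification: RFC 1413 keeps whitespace in the user-id; it is trimmed here.
    """
    fields = [f.strip() for f in reply.split(":", 3)]  # a user-id may contain ':'
    if len(fields) < 3:
        raise ValueError("not an ident reply: %r" % reply)
    ports = fields[0].split(",")
    if len(ports) != 2 or not all(p.strip().isdigit() for p in ports):
        raise ValueError("bad port pair: %r" % fields[0])
    local_port, remote_port = (int(p) for p in ports)
    out = {"local_port": local_port, "remote_port": remote_port, "kind": fields[1].upper()}
    if out["kind"] == "USERID" and len(fields) == 4 and fields[3]:
        out["opsys"] = fields[2].split(",")[0].strip()  # drop the optional charset
        out["user"] = fields[3]
    elif out["kind"] == "ERROR" and len(fields) == 3:
        token = fields[2].upper()
        if token not in STANDARD_ERRORS and not token.startswith("X"):
            raise ValueError("unknown error token: %r" % token)
        out["error"] = token
    else:
        raise ValueError("malformed reply: %r" % reply)
    return out

def failed_lookups(log_lines):
    """Return (peer, local_port, reason) for every logged reply that named no user."""
    failures = []
    for m in filter(None, map(SYSLOG_RE.search, log_lines)):
        try:
            r = parse_reply(m.group("reply"))
        except ValueError:
            failures.append((m.group("peer"), None, "MALFORMED"))
            continue
        if r["kind"] == "ERROR":
            failures.append((m.group("peer"), r["local_port"], r["error"]))
    return failures
```

Only a USERID reply carries a user name; an ERROR reply such as the UNKNOWN-ERROR line above gives the querying side no user to match.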
Reporter
Comment 21•24 years ago
Comment 22•24 years ago
I think that this is a local configuration problem of some sort. I hacked up a cgi script which simply sleeps for 30 seconds, and could connect to that using mozilla (via localhost) and use pidentd (the same version you pointed me to) without a problem. Are other people at your uni using linux having problems with mozilla (but not ns4), on different computers?
Reporter
Comment 23•24 years ago
Doubtful IMHO. The problem appears on another computer, bones.graham.ru.ac.za. We're both using Slackware, perhaps try this on a Slackware box on your side, maybe there's some misconfiguration in the distribution itself?? I'll try it tomorrow on a Red Hat system, but I think the problem will still be there ... I'll add another comment telling you of the results on that system. It seems highly unlikely to be a misconfiguration considering that konqueror, lynx, ns4, ...heck, even the built-in StarOffice browser ... all work perfectly. I'm tempted to assume the problem lies with Mozilla, instead of with all these other products...
Comment 24•24 years ago
Well, that's what is really strange. Mozilla is threaded though, and none of the other apps you mentioned are. The identd source code doesn't appear to abort if it finds more than one matching entry (it will get one for each thread), but I only glanced at it quickly. What's your kernel/glibc version? If you don't run identd with the -e option you should get a more informative error message in your logs (identd hides it for security reasons)
Reporter
Comment 25•24 years ago
Running kernel 2.4.2, using glibc 2.2.2 ... pidentd isn't running with the -e option. The line is "in.identd -w -l -t120" (wait and listen for 2 minutes, log stuff to the system logs). Essentially, I've got the latest version of just about everything. Although perhaps the 2.4.0 series has a flaw in it (bones.graham is running 2.4.0). I'll try the 2.2.x series out tomorrow, the Red Hat system is using it. I'll post more info tomorrow, when I can get access to the Red Hat system.
Comment 26•24 years ago
You might want to try upgrading pidentd as well: ftp://ftp.lysator.liu.se/pub/ident/servers/
Reporter
Comment 27•23 years ago
Bug does not appear when using RH Linux..... must be a Slackware-specific problem, I'll look into it. Feel free to resolve this bug as you see fit....
Comment 28•23 years ago
Either that, or pidentd isn't working with kernel 2.4 and threads. Marking INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Summary: Mozilla does not work with Ident daemon → Proxy: slackware ident returns "UNKNOWN-ERROR" for Mozilla