[squid-users] slow response for cached objects
Hi,

Sometimes I see squid is taking time in delivering contents even if object is available in its cache. Any idea what could be the reason? I used external url rewrite program to strip the query string. Is it slowing down serving process?

First 2 lines show squid took 703 milliseconds to deliver the contents and the rest of the URLs show 0 milliseconds.

    1225272393.185 703 81.52.249.107 TCP_MEM_HIT/200 1547 GET http://s2.xyz.com/1699/563/i0.js?z=5002 - NONE/- application/x-javascript
    1225272393.185 703 168.143.241.52 TCP_MEM_HIT/200 2230 GET http://s5.xyz.com/496/111/109/i30.js?z=6718 - NONE/- application/x-javascript
    1225272393.375 0 81.52.249.100 TCP_MEM_HIT/200 1418 GET http://s2.xyz.com/371/9/i10.js?z=148 - NONE/- application/x-javascript
    1225272393.375 0 168.143.241.12 TCP_MEM_HIT/200 1361 GET http://s5.xyz.com/670/28/i6.js?z=5812 - NONE/- application/x-javascript
    1225272393.381 0 81.52.249.101 TCP_MEM_HIT/200 1288 GET http://s1.xyz.com/558/622/9/i0.js?z=4158 - NONE/- application/x-javascript

Following is rewrite url helper program I use which was sent by Henrik and I have modified it a bit to strip the query string.

    #!/usr/bin/perl -an
    # -n loops over the request lines Squid sends; -a splits each line into @F
    BEGIN { $|=1; }      # unbuffered output so Squid gets each answer at once
    $id = $F[0];         # first field of the request line is the URL
    $id =~ s/\?.*//;     # drop the query string
    print "$id\n";       # return the rewritten URL
    next;

Regards
Nitesh
Re: [squid-users] slow response for cached objects
On ons, 2008-10-29 at 15:08 +0530, nitesh naik wrote:
> Hi,
> Sometimes I see squid is taking time in delivering contents even if object is available in its cache. Any idea what could be the reason? I used external url rewrite program to strip the query string. Is it slowing down serving process?
> First 2 lines show squid took 703 milliseconds to deliver the contents and the rest of the URLs show 0 milliseconds.
> 1225272393.185 703 81.52.249.107 TCP_MEM_HIT/200 1547 GET http://s2.xyz.com/1699/563/i0.js?z=5002 - NONE/- application/x-javascript

Just discovered that there is a noticeable measurement error in the response time in Squid-2 which may add up to a second.. may be this.

Regards
Henrik
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Hi,

At 14.00 28/10/2008, Josh Haft wrote:
> Firefox can't grab NTLM creds like IE does.

This is really a VERY wrong assertion. Firefox supports all Squid authentication schema (Basic, Digest, NTLM and Negotiate) starting from version 1.5, while this is true for Internet Explorer starting from 7.0 version.

Regards
Guido

> On 10/28/08, matlor [EMAIL PROTECTED] wrote:
>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password. I have also noticed that if I click on cancel twice, then I can see the internet page.
>> Someone can help me?!?! thanks in advance

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
How can I solve my problem? What's wrong? Have I to post my squid.conf?

thanks

Guido Serassio wrote:
> Hi,
> At 14.00 28/10/2008, Josh Haft wrote:
>> Firefox can't grab NTLM creds like IE does.
> This is really a VERY wrong assertion. Firefox supports all Squid authentication schema (Basic, Digest, NTLM and Negotiate) starting from version 1.5, while this is true for Internet Explorer starting from 7.0 version.
> Regards
> Guido
>> On 10/28/08, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password. I have also noticed that if I click on cancel twice, then I can see the internet page.
>>> Someone can help me?!?! thanks in advance
> -
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: [EMAIL PROTECTED]
> WWW: http://www.acmeconsulting.it/
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.

Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.

You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:

    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 2
    auth_param basic realm somerealm
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

Regards,
Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: matlor [EMAIL PROTECTED]
> Cc: squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 8:48:39 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.
>
> Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>
> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm somerealm
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Regards,
> Chris
Re: [squid-users] slow response for cached objects
Henrik,

We use Squid 3 version and I could see these delays at client end also. Direct request to origin hands out object much faster as compared to squid. Squid is holding up the connections and I could see 3000+ connections on loadbalancer when squid is used and 500 connections when origin is requested directly bypassing squid.

Regards
Nitesh

On Wed, Oct 29, 2008 at 4:03 PM, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On ons, 2008-10-29 at 15:08 +0530, nitesh naik wrote:
>> Hi,
>> Sometimes I see squid is taking time in delivering contents even if object is available in its cache. Any idea what could be the reason? I used external url rewrite program to strip the query string. Is it slowing down serving process?
>> First 2 lines show squid took 703 milliseconds to deliver the contents and the rest of the URLs show 0 milliseconds.
>> 1225272393.185 703 81.52.249.107 TCP_MEM_HIT/200 1547 GET http://s2.xyz.com/1699/563/i0.js?z=5002 - NONE/- application/x-javascript
> Just discovered that there is a noticeable measurement error in the response time in Squid-2 which may add up to a second.. may be this.
> Regards
> Henrik

--
Regards
Nitesh
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox.

----- Original Message -----
From: Chris Nighswonger [EMAIL PROTECTED]
To: matlor [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 8:48:39 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.

Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.

You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:

    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 2
    auth_param basic realm somerealm
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

Regards,
Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 9:31 AM, Chris Nighswonger [EMAIL PROTECTED] wrote:
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

I second that and would welcome any configs you'd care to share! :)

>> ----- Original Message -----
>> From: Chris Nighswonger [EMAIL PROTECTED]
>> To: matlor [EMAIL PROTECTED]
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.
>>
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>>
>> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
[squid-users] NTLMv2 issue caused by Samba's Winbind helper
Hi,

One of my customers has had issues with authenticating Vista machines when using the Samba 2.0 winbind authenticator program in Squid. The NTLM authenticator returned:

    Login for user [EMAIL PROTECTED] failed due to [Invalid parameter]

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

The issue is that the KK string sent by the client can, if the DNS name of the AD domain is quite long, contain an NTLM response section 256 bytes, which can't be copied into the buffer space in the external program. This is only an issue if NTLMv2 authentication is the minimum negotiated with the client (i.e. Vista default).

I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as some of the fields in the packet sent by IE are optional and could be removed. (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)

This is caused by Samba - does anyone know if this will ever be fixed properly?

Kind regards
Jamie Stallwood

--
Jamie Stallwood
Security Specialist
Imerja Ltd
[EMAIL PROTECTED]
Public Key: RSA/4096 31D0 4975 29BD CAB5 ABD5 5345 E8E2 7BBD 41FA DC77
Available from http://pgp.mit.edu:11371/ (0x41FADC77)
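An added diagnostic example, not code from Squid, Samba or the poster: it decodes the `KK` line that Squid hands to the ntlm_auth helper, bounds-checks the fields of the NTLM AUTHENTICATE message, and reports how large the NT response is and how much of it the DNS domain name AV pair accounts for. The 256-byte threshold is the figure from the message above; the function names and the zero-filled sample messages are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
LIMIT = 256  # size quoted in the post above; an assumption, not a Samba constant
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}
# Header positions of the (length, max length, offset) descriptors in a type 3 message.
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
          "user": 36, "workstation": 44}


def parse_kk(line):
    """Decode 'KK <base64>' and return the bounds-checked payload fields."""
    verb, _, blob = line.strip().partition(" ")
    if verb != "KK":
        raise ValueError("not a KK line")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 64 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    fields = {}
    for name, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
        # Lengths and offsets come from the client: check them before slicing.
        if length and offset + length > len(raw):
            raise ValueError(name + " overruns the message")
        fields[name] = raw[offset:offset + length]
    return fields


def av_pairs(nt_response):
    """Yield (id, value) AV pairs from an NTLMv2 response (16-byte proof + 28-byte header)."""
    pos, end = 44, len(nt_response)
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            return
        if pos + av_len > end:
            raise ValueError("AV pair overruns the NT response")
        yield av_id, nt_response[pos:pos + av_len]
        pos += av_len


def inspect_kk(line, limit=LIMIT):
    """Summarise the sizes that decide whether a fixed helper buffer can hold the response."""
    fields = parse_kk(line)
    nt = fields["nt_response"]
    ntlmv2 = len(nt) > 24  # an NTLMv1 response is a fixed 24 bytes
    sizes, dns_domain = {}, None
    if ntlmv2:
        for av_id, value in av_pairs(nt):
            sizes[AV_NAMES.get(av_id, "av_%d" % av_id)] = len(value)
            if av_id == 4:
                dns_domain = value.decode("utf-16-le", "replace")
    return {"user": fields["user"].decode("utf-16-le", "replace"),  # assumes Unicode strings
            "ntlmv2": ntlmv2, "nt_len": len(nt), "over_limit": len(nt) > limit,
            "dns_domain": dns_domain, "av_sizes": sizes}


def build_sample_kk(dns_domain, host="WS01", user="alice"):
    """Constructed sample: zeroed proof and challenge, no real credentials."""
    def u16(text):
        return text.encode("utf-16-le")

    def av(av_id, text):
        return struct.pack("<HH", av_id, len(u16(text))) + u16(text)

    nb_domain = dns_domain.split(".")[0].upper()
    pairs = (av(2, nb_domain) + av(1, host) + av(4, dns_domain)
             + av(3, host + "." + dns_domain) + struct.pack("<HH", 0, 0))
    nt = bytes(16) + b"\x01\x01" + bytes(26) + pairs + bytes(4)
    parts = [bytes(24), nt, u16(nb_domain), u16(user), u16(host), b""]
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for part in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    header += struct.pack("<I", 0x00000001)  # NEGOTIATE_UNICODE
    return "KK " + base64.b64encode(header + payload).decode("ascii")


if __name__ == "__main__":
    for domain in ("corp.example", "research.emea.corporate-network.example"):
        print(domain, inspect_kk(build_sample_kk(domain)))
```

Because an NTLMv2 response carries the domain and computer names as UTF-16 AV pairs, every extra character in the AD DNS name adds four bytes here (once in the domain pair, once in the computer pair).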
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Are you using any type of auth with your squid setup? I don't see it mentioned in your post. I too would be interested in knowing how you got integrated NTLM auth through firefox, if indeed you have.

On Wed, Oct 29, 2008 at 9:31 AM, Chris Nighswonger [EMAIL PROTECTED] wrote:
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.
>
>> ----- Original Message -----
>> From: Chris Nighswonger [EMAIL PROTECTED]
>> To: matlor [EMAIL PROTECTED]
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.
>>
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>>
>> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
RE: [squid-users] Override the Accept-Encoding value
On Tue, 2008-10-21 at 20:19 +0200, Henrik Nordstrom wrote:

On tis, 2008-10-21 at 20:09 +0200, Christian Tzolov wrote:

Hi Henrik, Thank you for the clarification. Do you know any other approach (or tool) that can help me to replace the accept-encoding header before it is processed by Squid?

Two Squids.

or

An ICAP server (together with squid-3).

or

A modified Squid

or

An eCAP module (together with Squid-3.1)

The details and trade-offs of the above choices are documented at http://wiki.squid-cache.org/SquidFaq/ContentAdaptation

Alex.
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 15
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    #auth_param ntlm use_ntlm_negotiate off
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    acl NTLMUsers proxy_auth REQUIRED
    acl our_networks src 192.168.0.0/16
    http_access allow all NTLMUsers
    http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 15
    auth_param ntlm keep_alive on
    acl our_networks src 192.168.0.0/16
    acl NTLMUsers proxy_auth REQUIRED
    external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
    acl NOINTERNET external ntgroup no-internet
    http_access deny NOINTERNET
    http_access allow all NTLMUsers
    http_access allow our_networks
    http_access allow localhost

We have a group policy do the IE browser, but with Firefox, we have to set it manually. Once it is set, there is no prompt... I use SARG to get the results.. Been doing it for almost three years.. I would get evangelical on people using iPrism/Barracuda/Websense.. but now I figure I will just let them spend the money.. ;-)

----- Original Message -----
From: Chris Nighswonger [EMAIL PROTECTED]
To: nairb rotsak [EMAIL PROTECTED]
Cc: matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 9:31:32 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: matlor [EMAIL PROTECTED]
> Cc: squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 8:48:39 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.
>
> Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>
> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm somerealm
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Regards,
> Chris
Re: [squid-users] Authentication between Samba 3 and Squid
Alright, but is there any good source on a Samba 3 + Squid 2.7 + Firefox/IE. I have tried tons at Google, and many are just flat out outdated and others just don't seem to work right, no matter how many times I double check my steps.

On Tue, Oct 28, 2008 at 4:16 PM, Kinkie [EMAIL PROTECTED] wrote:
> On Tue, Oct 28, 2008 at 6:24 PM, Adam McCarthy [EMAIL PROTECTED] wrote:
>> Alright, but how are you to make sure the proxy was part of the domain? I mean is that why people run Samba on the same machine as the proxy to do that?
> Yes. The minimum requirement is to have winbindd running on the proxy and joined to the domain.
> Really, there should be no difference in the proxy setup between a MSAD-backed Windows domain and a Samba-backed domain.
> --
> /kinkie
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
> http_access allow all NTLMUsers

Does the 'all' trump the 'NTLMUsers' acl here?

Chris

> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: nairb rotsak [EMAIL PROTECTED]
> Cc: matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.
>
>> ----- Original Message -----
>> From: Chris Nighswonger [EMAIL PROTECTED]
>> To: matlor [EMAIL PROTECTED]
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.
>>
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>>
>> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Chris Nighswonger wrote:
> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
>> http_access allow all NTLMUsers
> Does the 'all' trump the 'NTLMUsers' acl here?
> Chris

The all is redundant. The all ACL will always match, so the test next falls to checking the NTLMUsers ACL. See http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 for more details.

Chris
Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper
Jamie Stallwood wrote:
> Hi,
> One of my customers has had issues with authenticating Vista machines when using the Samba 2.0 winbind authenticator program in Squid. The NTLM authenticator returned:
> Login for user [EMAIL PROTECTED] failed due to [Invalid parameter]
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> The issue is that the KK string sent by the client can, if the DNS name of the AD domain is quite long, contain an NTLM response section 256 bytes, which can't be copied into the buffer space in the external program. This is only an issue if NTLMv2 authentication is the minimum negotiated with the client (i.e. Vista default).
> I ended up writing a hack in Squid's auth_ntlm.cc to trim the packet back as some of the fields in the packet sent by IE are optional and could be removed. (http://linux-blog.project76.co.uk/archives/2008_10_01_archive.html)
> This is caused by Samba - does anyone know if this will ever be fixed properly?

The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and 2.7stable5. The squid bundled Kerberos helper was updated to version 1.0.3 starting with the squid 3.1. Not sure about its current status in 2.x.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.1
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Chris Robertson wrote:
> Chris Nighswonger wrote:
>> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
>>> http_access allow all NTLMUsers
>> Does the 'all' trump the 'NTLMUsers' acl here?
>> Chris
> The all is redundant. The all ACL will always match, so the test next falls to checking the NTLMUsers ACL. See http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 for more details.
> Chris

May have been trying the 'all' hack and got it backwards:

    http_access allow NTLMUsers all

Is to prevent squid requesting auth if the auth test fails.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.1
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On ons, 2008-10-29 at 14:16 -0700, nairb rotsak wrote:
> http_access allow all NTLMUsers
> http_access allow our_networks

The our_networks line can not be reached. This should probably be

    http_access allow our_networks NTLMUsers
    http_access deny all

Regards
Henrik
Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper
On ons, 2008-10-29 at 17:23 +, Jamie Stallwood wrote:
> This is caused by Samba - does anyone know if this will ever be fixed properly?

Have you verified that it isn't fixed already? Samba 2.0 is quite dated.. Current production Samba release is 3.2.4 and the legacy version is 3.0.32.

Regards
Henrik
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>> If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
> Firefox can't grab NTLM creds like IE does.

Yep, as FireFox is not a Microsoft product and as it tries to be platform-agnostic, by default it doesn't handle Windows-specific functions such as automatically fetching NTLM credentials.

But it may be possible to get FireFox to behave the way you want anyway. Type about:config in the FireFox address bar, then try changing the settings of one or both of:

    network.automatic-ntlm-auth.allow-proxies true
    network.automatic-ntlm-auth.trusted-uris http://proxy-address

-Chuck Kollars
[squid-users] Join 5 squid+ ldap server to single server
Dear All,

I have 5 groups of internet users using ldap and we have 512Kb internet bandwidth from our ISP like this:

1. Diamond = 256kb bandwidth
2. Gold = 128kb bandwidth
3. silver = 64kb bandwidth
4. Bronze = 32kb bandwidth
5. other = 32kb bandwidth

I use squid_ldap_auth like this:

    auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=tes,c=id -f (&(uid=%s)(description=p6)) -h 10.1.1.1

I add attribute description=p1 until p5 to define internet group in ldap server and I set 5 proxy servers, one for each group.

Now I want to join 5 proxy servers into a single proxy server. The problem: parameter auth_param basic program is a single line, we can't add the same parameter.

From http://markmail.org/message/kqhn2j2wohmx4hjz#query:multiple%20squid%20ldap%20auth+page:1+mid:vgaa53tcjnol7psl+state:results I imagine that I must create 5 groups in ldap, add parameter

    external_acl_type ldap_group %LOGIN /usr/local/squid/libexec/squid_ldap_group

then create

    acl proxy_groups external ldap_group diamond gold silver bronze other

then I create delay pools for bandwidth management for each group.

Any suggestion for the best solution?

Thanks
Regards