On 2023-11-21 23:05, Andrey K wrote:
I have posted a PR: https://github.com/squid-cache/squid/pull/1597
This is my first contribution to open source. Could you please verify if
everything is OK.
Thank you for posting that pull request! Let's continue this
conversation on GitHub since
Hello, Alex,
I have posted a PR: https://github.com/squid-cache/squid/pull/1597
This is my first contribution to open source. Could you please verify if
everything is OK.
Kind regards,
Ankor.
чт, 16 нояб. 2023 г. в 17:01, Alex Rousskov <
rouss...@measurement-factory.com>:
> On 2023-11-16
On 2023-11-16 07:48, Andrey K wrote:
I have slightly patched the negotiate_kerberos_pac.cc to
implement ResourceGropIds-block parsing.
Please consider posting tested changes as a GitHub Pull Request:
https://wiki.squid-cache.org/MergeProcedure#pull-request
Thank you,
Alex.
Maybe it will
Hello,
I found that negotiate_kerberos_auth helper does not see domain local AD
groups.
As it turned out, helper parses only GroupIds and ExtraSids pac-blocks,
while the information about domain local groups is placed in the
ResourceGropIds pac-block.
I have slightly patched the
I have one question (issue) and I hope that you can help me.
Kerberos authentication works perfectly fine when the PC is connected to
Domain and the user is authenticated.
auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k
/event_14_kerberos_key_distribution_center.html
Best regards,
rafael
-Original Message-
From: squid-users On Behalf Of
Klaus Brandl
Sent: Friday, November 18, 2022 3:23 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP
which options do you have configured
which options do you have configured for the auth helper?
Something like:
auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i
Best regards
Klaus
Am Freitag, dem 18.11.2022 um 10:54 +0800 schrieb Михаил:
> Hi David,
>
> Thanks for your advice but
Hi David, Thanks for your advice but it doesn't help me. I use AD account which haven't set these parameters. Misha. 17.11.2022, 10:07, "David Touzeau" :Hiperhaps this onehttps://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket Le 16/11/2022 à 05:11, Михаил a écrit
Hi
perhaps this one
https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
Le 16/11/2022 à 05:11, Михаил a écrit :
Hi everybody,
Could you help me to setup my new squid server? I have a problem with
keytab authorization.
2022/11/16 11:35:39| ERROR: Negotiate
Hi everybody, Could you help me to setup my new squid server? I have a problem with keytab authorization. 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more
On 10/17/21 10:57 AM, Grant Taylor wrote:
My understanding is that you can use Kerberos from clinet0 to proxy1 and
that proxy1 can use the same mechanism to get a special ticket to
communicate from proxy1 to proxy2 as the original user.
I looked at my copy of Kerberos - The Definitive Guide
On 10/17/21 10:46 AM, Markus Moeller wrote:
I see, I think this would mean using Basic Auth to proxy1 which then
gets a Kerberos ticket for the user to authenticate to proxy2. This is
possible, but I would not think it is a good secure option.
I think that we're now talking about the same
I see, I think this would mean using Basic Auth to proxy1 which then gets a
Kerberos ticket for the user to authenticate to proxy2. This is possible,
but I would not think it is a good secure option.
Regards
Markus
"Grant Taylor" wrote in message
On 10/16/21 1:31 PM, Markus Moeller wrote:
I think you talk about a kdc proxy, which is for another case.
I don't think so. I'm not talking about using a proxy to access the KDC.
I'm talking about using a component of the following scenario:
1) Client uses traditional username and password
Hi Amos,
If you let me know where exactly I can add a few lines.
One way to make this setup work would be to add proxy1 also to AD like
proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using
ktutil. The negotiate_kerberos_auth handle would require the -s
I think you talk about a kdc proxy, which is for another case.
Regards
Markus
"Grant Taylor" wrote in message
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the
On 14/10/21 8:48 am, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the
The problem lies more in the way how Kerberos proxy authentication works.
The client uses the proxy name to create a ticket and in this case it would
be the name of the first proxy e.g. proxy1.internal. The first proxy will
pass it through to the authenticating proxy for authentication
On 12/10/21 9:33 pm, 森 隆聡 wrote:
I made Single Sign On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) -> Internet
* Client is joined the domain and Squid configured Kerberos Authentication with
AD.
But after add another squid, it didn't work.
...
I made Single Sign On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) -> Internet
* Client is joined the domain and Squid configured Kerberos Authentication with
AD.
But after add another squid, it didn't work.
[Not works]
Client -> Squid(No Auth.) ->
: L.P.H. van Belle; squid-users@lists.squid-cache.org
Onderwerp: RE: [squid-users] Kerberos nad keytab problem
Hello everyone,
Just my two cents too. Note you can map the *user* to the Kerberos SPN – this
lets you have your squid proxy live outside of the AD.
Just setup the dedicated user
. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem
I also had problems with msktutil.. so i suggest you try this, see below..
Im using it for few years and it always works (for me offcourse)..
It should
On 9/25/19 11:01 AM, L.P.H. van Belle wrote:
> I also had problems with msktutil.. so i suggest you try this, see below..
> Im using it for few years and it always works (for me offcourse)..
>
> It should be pretty simple, but the site squid-cache (wiki) is in my
> opinion a bit outdated.
log
Now go configure the other parts you need of squid.
And enjoy.. :-)
Greetz,
Louis
Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens
Tevfik Ceydeliler
Verzonden: woensdag 25 september 2019 13:59
Aan: squid-users@lists.squid-cache.org
Onderwerp: [squid-u
Hi, I try to use kerberos in my squid. Nut I get an error message :
33
msktutil --auto-update --verbose --computer-name suqidpnb1 --server
dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password:
Thanks again for your support Mr. Jeffries, My proxy only contains of 1
GB of memory :-(
Here i leave my squid.conf
###
###
On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote:
> Hello Community, I just compiled my squid 4. Everything works fine
> except integration to the Kerberos authentication server.
>
> I have already managed to integrate my ubuntu with the kerberos and the
> tickets are created correctly. Here i
Hello Community, I just compiled my squid 4. Everything works fine
except integration to the Kerberos authentication server.
I have already managed to integrate my ubuntu with the kerberos and the
tickets are created correctly. Here i leave my configuration of the auth
in the squid
On 19/07/18 03:41, Victor Sudakov wrote:
>
> If there were an option to debug which "http_access" line rejects him
> I could try it.
>
Please try:
debug_options ALL,1 28,5
... and have them login. Your cache.log should then list the ACLs being
tested and what their results are.
Amos
Amos Jeffries wrote:
> >>>
> >>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having
> >>> problems
> >>> with Kerberos authentication.
> >>>
> >>> A user complained about being denied access. The strange things are that:
> >>>
> >>> 1. There was only one such user, others seemed
On 18/07/18 19:16, Victor Sudakov wrote:
> Amos Jeffries wrote:
>> On 17/07/18 14:20, Victor Sudakov wrote:
>>>
>>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
>>> with Kerberos authentication.
>>>
>>> A user complained about being denied access. The strange
Amos Jeffries wrote:
> On 17/07/18 14:20, Victor Sudakov wrote:
> >
> > After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> > with Kerberos authentication.
> >
> > A user complained about being denied access. The strange things are that:
> >
> > 1. There was only one
On 17/07/18 14:20, Victor Sudakov wrote:
> Dear Colleagues,
>
> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> with Kerberos authentication.
>
> A user complained about being denied access. The strange things are that:
>
> 1. There was only one such user, others
Dear Colleagues,
After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
with Kerberos authentication.
A user complained about being denied access. The strange things are that:
1. There was only one such user, others seemed to be authenticating
properly (or just did not
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you want also authorisation (PAC data) in you
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos
Can you capture the traffic on port 88 ? Heimdal has not helpful messages, so
seeing the real traffic may help identifying the issue.
Kinit should create an AS req/rep
the test program creates a TGS req/rep
Example attached if it gets through.
Markus
"Panagiotis Bariamis"
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you want also authorisation (PAC data) in you
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos
Hello my setup is as follows :
Freebsd 11 Heimdal Kerberos Server and DNS properly configured (testlab
enviroment for example.com domain)
Freebsd 11 squid proxy server
Windows Client
I have created a keytab from the Kerberos Server for http/squid.example.com
Proxy server machine has no problem
On Tue, May 8, 2018 at 9:03 AM, Amos Jeffries wrote:
> On 08/05/18 10:22, Panagiotis Bariamis wrote:
>
>
>
> >> A second question. If a non domain joined machine tries to use the proxy
> >> will there be a username password prompt where if correct credentials
> >> are
On 08/05/18 10:22, Panagiotis Bariamis wrote:
> Hello,
> Is it possible with a squid kerberos only authentication setup be able
> to authenticate ie android phones to squid?
I don't have an answer for that, maybe someone else has experience. If
you have the environment available you could try it
Hello,
Is it possible with a squid kerberos only authentication setup be able to
authenticate ie android phones to squid?
A second question. If a non domain joined machine tries to use the proxy
will there be a username password prompt where if correct credentials are
presented he will be able to
On 28/02/18 07:43, erdosain9 wrote:
> Thank you Amos (sorry again Yuri).
>
> And yes, the user are complains.
>
> The problem is this (and sorry for be recurrent with this).
>
> That value avg ms for some times goes up to 3000... and in that moment all
> stop.
>
> in the cache.log sometimes,
Thank you Amos (sorry again Yuri).
And yes, the user are complains.
The problem is this (and sorry for be recurrent with this).
That value avg ms for some times goes up to 3000... and in that moment all
stop.
in the cache.log sometimes, im getting this.
support_sasl.cc(276): pid=3729
pid=2951 :2018/02/20 17:02:27|
kerberos_ldap_group: DEBUG: ERR
-Oorspronkelijk bericht-
Van: Jeroen Ruijter
Verzonden: maandag 19 februari 2018 11:19
Aan: 'Amos Jeffries'; squid-users@lists.squid-cache.org
Onderwerp: RE: [squid-users] kerberos authentication with kerberos groups
Do you advise to us
On 24/02/18 06:29, erdosain9 wrote:
> Hi to all.
> I dont know why i have this bad values. My network is woking fine. How i can
> do to fix this. I think is a high value.
>
> HTTP/1.1 200 OK
> Server: squid/3.5.27
> Mime-Version: 1.0
> Date: Fri, 23 Feb 2018 17:16:25 GMT
> Content-Type:
Users complains?
23.02.2018 23:29, erdosain9 пишет:
> Hi to all.
> I dont know why i have this bad values. My network is woking fine. How i can
> do to fix this. I think is a high value.
>
> HTTP/1.1 200 OK
> Server: squid/3.5.27
> Mime-Version: 1.0
> Date: Fri, 23 Feb 2018 17:16:25 GMT
>
Hi to all.
I dont know why i have this bad values. My network is woking fine. How i can
do to fix this. I think is a high value.
HTTP/1.1 200 OK
Server: squid/3.5.27
Mime-Version: 1.0
Date: Fri, 23 Feb 2018 17:16:25 GMT
Content-Type: text/plain;charset=utf-8
Expires: Fri, 23 Feb 2018 17:16:25 GMT
A new problem popped up in the last couple of days in an otherwise working
environment.
Active Directory running on 2008r2
Windows 10 client
Squid 3.5.12
# squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
februari 2018 11:19
Aan: 'Amos Jeffries'; squid-users@lists.squid-cache.org
Onderwerp: RE: [squid-users] kerberos authentication with kerberos groups
Do you advise to use capitals or small characters for the domain name?
-Oorspronkelijk bericht-
Van: squid-users [mailto:squid-users
-users] kerberos authentication with kerberos groups
On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>
NP: Despite what some claim, SSO is not unique to NTLM and Kerberos
authentication. It is a behaviour of
'
-Oorspronkelijk bericht-
Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens Amos
Jeffries
Verzonden: vrijdag 16 februari 2018 18:58
Aan: squid-users@lists.squid-cache.org
Onderwerp: Re: [squid-users] kerberos authentication with kerberos groups
On 17/02/18 02:02, Jeroen
On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>
NP: Despite what some claim, SSO is not unique to NTLM and Kerberos
authentication. It is a behaviour of the tools used. As such it can be
done with *any* authentication
I'm trying to replace my basic ldap authentication by kerberos single sign on.
The user can succesfully login with single sign on, but I have restriction on
groups and that is where it goes wrong.
I would like to use -r to trim the domain name, but when I do so it seems to
work even less.
Looks like since posting the log the problem has disappeared for all 5 of my
test users; since nothing has been changed on the network, could it have
been caused by a Firefox and Chrome bug that has been recently fixed (I
don't recall ever seeing the problem on IE)? Does anyone know of the
I've just had the problem happen again (usually it happens after a long
period of inactivity, e.g. when trying to load the first web page in the
morning).
Here's the log: https://pastebin.com/fFTJNiKf
I'm looking into getting the output from squidclient but I have to try and
reproduce the
W dniu 28.07.2017 o 10:46, Grey pisze:
Shoul I wait for the error to appear and post the section relevant to the
time when it occurs?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224p4683232.html
Sent
Shoul I wait for the error to appear and post the section relevant to the
time when it occurs?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224p4683232.html
Sent from the Squid - Users mailing list archive
On 2017-07-27 10:27, Grey wrote:
Hi,
I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've
successfully setup Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is
Hi,
I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've
successfully setup Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is that sometimes (right now I'm the
On 11/11/2016 7:50 p.m., Tevfik Ceydeliler wrote:
> Here is the problem,
>
> When I set my browser proxy configuration as "squiddc1.DOMAIN.grp " and
> then start to browse, I cant see "usern...@domain.grp" log entry in
> access.log.
>
> I think, It means that kerberos not work.
>
> Have you
Hi,
I try to configure squid by using AD authentication via Kerberos.
And I have a keytab by using msktutil (PROXY.keytab)
I can run kinit, klist, wbinfo (-g, -u, -t) commands without any error.
here is my authparam configuration:
so... any advice about this??
Thanks!
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-appropriate-log-file-tp4679740p4679901.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
On 29/09/2016 3:02 a.m., erdosain9 wrote:
> Hi.
> Sorry for my ignorance, but, i have squid authentication with kerberos...
>
> all is working fine...
>
> but i have some behavior in cache.log that... i dont know if this is the
> expected, or there is some problem
>
> because the file is
On Wednesday 28 September 2016 at 16:02:42, erdosain9 wrote:
> Hi.
> Sorry for my ignorance, but, i have squid authentication with kerberos...
>
> all is working fine...
>
> but i have some behavior in cache.log that... i dont know if this is the
> expected, or there is some problem
>
>
Hi.
Sorry for my ignorance, but, i have squid authentication with kerberos...
all is working fine...
but i have some behavior in cache.log that... i dont know if this is the
expected, or there is some problem
because the file is going to be huge as put the squid in production ... this
is
Hi.
Im trying to configure SSO (single sing on) with Kerberos.
I have this error
[root@squid squid]# kinit administrator
Password for administra...@xxx.lan:
Warning: Your password will expire in 28 days on mié 21 sep 2016 12:20:39
ART
[root@squid squid]# msktutil -c -b "CN=COMPUTERS" -s
Verzonden: donderdag 18 augustus 2016 16:09
Aan: Squid Users
Onderwerp: [squid-users] Kerberos Autenthication doesn't work
I have problems with Kerberos Autenthication in Squid3 on Debian 8 and Samba4 DC
My Squid version is: 3.4.8
My Kerberos Autenthication doesn't work
Heya Amos,
The problem was the keytab that didn't work correctly. I deleted the
objects from AD db and recreated keytab from linux side. The output now
says that using HTTP/mq-sqproxy.domain.co.za is "Authenticated to
kerberos", whilst the others now fail. I guess the HTTP is the only one
On 6/04/2016 3:27 a.m., Drikus Brits wrote:
>
>
> i believe i might have fixed it
>
> will advise soonest.
>
Any update?
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
i believe i might have fixed it
will advise soonest.
On 2016-04-05 16:01, Drikus Brits wrote:
> Extra info :
>
> root@mw-sqproxy-test:/home/geosupport# uname -a
> Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24
> 21:16:20 UTC 2015 x86_64 x86_64 x86_64
Extra info :
root@mw-sqproxy-test:/home/geosupport# uname -a
Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul
24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@mw-sqproxy-test:/home/geosupport# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options:
Hi Experts,
After much struggling it seems i've reached some point of success but
yet still not. I've checked a multitude of websites for help before
coming here, but didn't get anything valuable yet. My problem as follows
:
I have 1x win2008R2 server that works with kerberos
In case anyone reads Russian, I have covered 2 new topics (possible
problems) in the Russian Squid+Kerberos Howto:
http://tinyurl.com/h68emax
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
squid-users mailing list
apologize for my mail...
Fabio
2016-01-14 6:09 GMT+01:00 LYMN :
> On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
>> Hi All,
>> i want to terminate a previous job did by ex colleague is changed
>> company. Now there is a cluster of 2 nodes of squid with
Hi All,
i want to terminate a previous job did by ex colleague is changed
company. Now there is a cluster of 2 nodes of squid with NTLM
transparent authentication and one spare node i'm using as test and
configured with kerberos instead. Reading a lot of info i understood
kerberos is more stable
On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
> Hi All,
> i want to terminate a previous job did by ex colleague is changed
> company. Now there is a cluster of 2 nodes of squid with NTLM
> transparent authentication and one spare node i'm using as test and
> configured with
On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
> On 11/01/2016 2:48 p.m., LYMN wrote:
> >
> > I did manage to get this working, you did mention the correct solution
> > right down the end of your message.
> >
>
> Correct for you yes. That can happen when making half-blind guesses
On 11/01/2016 2:48 p.m., LYMN wrote:
>
> I did manage to get this working, you did mention the correct solution
> right down the end of your message.
>
Correct for you yes. That can happen when making half-blind guesses at
what the problem actually is based on partial information. It might have
Firstly, let me say that whatever you are using for a mail client makes
reading/replying to your message difficult (see below for a small
sample, I will clean up the rest as best I can)...
I did manage to get this working, you did mention the correct solution
right down the end of your message.
Hi,
We have been using kerberos authentication against Active Directory here
for a long time by using a SPN attached to a user account and exporting
the keytab. The issue we have is that security policy mandates that
the password on the user account be changed which means we have to go
and
Hi,
I'm trying to build a Squid-Proxy that integrates with an Active
Directory - and I think I'm only one step from succeeding, but I still
get one error from negotiate_kerberos_auth.
Here is my config: (everything is hosted inside my VMware Workstation)
- Passwords here are only experimental.
Markus Moeller hua...@moeller.plus.com writes:
It could be the new AD server is setup to be backward compatible
meaning it use RC4 despite being able to use AES. I suggest you crate
an additional keytab entry for RC4. How did you create the keytab ?
Now it seems to work:
#
Markus Moeller hua...@moeller.plus.com writes:
It could be the new AD server is setup to be backward compatible
meaning it use RC4 despite being able to use AES. I suggest you crate
an additional keytab entry for RC4. How did you create the keytab ?
It was created with ktpass
Markus Moeller hua...@moeller.plus.com writes:
Hi Ludovit,
Which Kerberos library version do you use ?Is it possible that
the encryption types don't match ? I saw in your first email the
following:
It is standard Heimdal library on FreeBSD:
# kinit --version
kinit
Hi Ludovit,
How did you create the keytab ? Usually there is an option allowing you
to select the encryption type. The other place to check would be
/etc/krb5.conf. It can contain a list of supported encryption types. See
Hi Ludovit,
Which Kerberos library version do you use ?Is it possible that the
encryption types don't match ? I saw in your first email the following:
Your klist shows a HTTP ticket for arcfour
Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket
Hi Ludovit,
I haven't seen that error before either, but when you test you sould have
your own user credentials in the cache. You should use kinit
user@MDPT.LOCAL and then try again the test. is the hostname correctly set
to squid1.mdpt.local ? If not try
Hi,
I have setup kerberos according to:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
IssuedExpires Principal
Feb 9 14:55:18
Moeller
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with
BH gss_accept_sec_context() failed
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too.
On 27 Oct 2014 19:47, Markus Moeller
Victor Sudakov wrote:
However, I am eager to know what could be causing such weird tickets
to be issued, but I think only a Windows expert can tell. After all,
the key in the tickets is correct, only the principal name is changed.
I only suspect that the name is changed when the client sets
Hi Markus,
Thanks for all your help. I'll do some more testing on monday and I'll let you
know how it goes. Hopefully it'll be working as expected once having removed
the unused AD servers and sorting out and sync issues.
Cheers and have a great weekend!
Pedro
On 1 Nov 2014, at 13:11, Markus
Hi Pedro,
Did you try the –s GSS_C_NO_NAME option ?
Markus
Pedro Lobo pal...@gmail.com wrote in message
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
Hey Everybody,
Seems as though I celebrated too soon on Saturday. Today things are back to not
working for Windows 7+ machines and
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too. ___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Hi Pedro,
Can you capture the traffic from one Windows 7 on XP client on port 88 (
just after the login before access a website via squid until successful or
unsuccessful accessing the website) using wireshark ? Send me the .cap files
to check.
Markus
Pedro Lobo pal...@gmail.com wrote
Hi Markus,
When I get in to the office tomorrow, I'll do that and send you the .cap file.
Thanks for all the help so far.
Pedro Lobo
On 27 Oct 2014, at 20:53, Markus Moeller hua...@moeller.plus.com wrote:
Hi Pedro,
Can you capture the traffic from one Windows 7 on XP client on
October 2014 7:26 AM
To: Markus Moeller
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+
with BH gss_accept_sec_context() failed
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too
: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Pedro Lobo
Sent: Tuesday, 28 October 2014 7:26 AM
To: Markus Moeller
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+
with BH gss_accept_sec_context() failed
Hi Carlos,
Yeah, the Windows 7 machine is part of the domain. As for basic auth, I'll look
into setting that up too, although we were hoping to forgo it entirely.
On 25 Oct 2014, at 3:00, Carlos Defoe wrote:
Windows 7 inside the domain?
Anyway, you should configure a basic auth scheme as a
I was recently receiving this (incredibly vague) error. Turns out my squid user
didn’t have permission to read the keytab.
On Sat, Oct 25, 2014 at 8:37 PM, Pedro Lobo pal...@gmail.com wrote:
Hi Markus,
I used msktutil to create the keytab.
msktutil -c -s HTTP/proxy01tst.fake.net -h
1 - 100 of 104 matches
Mail list logo