-551c1fe77...@spamtrap.tnetconsulting.net...
On 10/16/21 1:31 PM, Markus Moeller wrote:
I think you talk about a kdc proxy, which is for another case.
I don't think so. I'm not talking about using a proxy to access the KDC.
I'm talking about using a component of the following scenario:
1) C
GSS_C_NO_NAME option to select either key.
A second option is to add a second service principal name to the proxy2 AD
account and use -s GSS_C_NO_NAME.
Regards
Markus
"Amos Jeffries" wrote in message
news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz...
On 14/10/21 8:48 am, Mark
I think you talk about a kdc proxy, which is for another case.
Regards
Markus
"Grant Taylor" wrote in message
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication works.
The client uses the proxy name to create a ticket and in this case it would
be the name of the first proxy e.g. proxy1.internal. The first proxy will
pass it through to the authenticating proxy for authentication
"Alex Rousskov" wrote in message
news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com...
On 10/9/21 1:46 PM, Markus Moeller wrote:
i try to find a way how squid can "route" all Internet
domains to a default proxy and a subset of well defined domains to
"Alex Rousskov" wrote in message
news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com...
On 10/9/21 9:06 AM, Markus Moeller wrote:
Hi,
I have now tested with the below config and I see my first request
works, but the second fails. So I am not sure if it is still a
con
ISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
--
Thank you
Markus
"Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io...
I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...
On 10/8/21 8:02 PM, Markus Moeller wrote:
Hi,
I try to setup a proxy chain, but don't get the setup right. I have one
squid with 2 parents. One with auth for domainA.com and one w/o auth for the
non local IPs (i.e. Internet).
With the below config I see domainA.com still going to the unauthenticated
parent proxy. Any hint why ?
What does the cache log show ?
Markus
"Alex Gutiérrez" wrote in message
news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu...
Hi community, recently I installed an old UBT 18.04 with squid 3. I use
Kerberos to authenticate my users.
Everything seems great, but all my users are able to
Hi Klaus,
The negotiate_kerberos_auth helper is not intended to run on Windows.
How did you compile it ?
Markus
"Klaus Westkamp" wrote in message
news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net...
Hi,
I dug a little further (but I'm no expert in WinDBG):
Attaching to the
Hi
Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The
kerberos client will try to request a ticket based on the used hostname. e.g.
if you configure in your browser the proxy name as ha-proxy.slb.example.com
then the client will look for a serviceprincipal of
Hi Klaus,
Is the group you added a security group ? Only security groups are part
of the Kerberos ticket. Which authorisation helper do you use or is this
just based on the auth helper output ?
What do you see on the client ? e.g. in powershell run whoami /groups
Did you clear
Hi Amos,
Is there any reason that kerberos_sid_group is not included in the tar ?
Thank you
Markus
"Amos Jeffries" wrote in message
news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz...
The Squid HTTP Proxy team is very pleased to announce the
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos
Can you capture the traffic on port 88 ? Heimdal has unhelpful messages, so
seeing the real traffic may help identifying the issue.
Kinit should create an AS req/rep
the test program creates a TGS req/rep
Example attached if it gets through.
Markus
"Panagiotis Bariamis"
Hi Jeroen,
Do you use Active Directory as ldap server ? My automated test says it is
not. I use this check to determine the group attribute check.
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group:
DEBUG: Search ldap server with bind path
Hi,
When using the latest squid 4 release you can use %note{group} to get
the group information from the Negotiate Kerberos helper to transfer the PAC
group SIDs to the external ACL helper.
squid.conf
...
external_acl_type test_acl ipv4 %LOGIN %note{group}
Hi Rick,
The log indicates that your browser sent an NTLM token, not a Kerberos
token. This can be easily seen from the first characters of the token
(TlRM). Check the Kerberos communication on the client ( i.e. port 88). The
client should request a token for HTTP/ and receive it. If not
Hi
Did you try the debug option -d for ext_kerberos_ldap_group_acl to get
some debug ? Maybe it gives some indication of the problem ?
Markus
"erdosain9" wrote in message
news:1474570767416-4679652.p...@n4.nabble.com...
So, i have a little more of info
this is config
###Kerberos Auth
Hi Silamael,
Can you perform a kinit u...@example.com ? Does the squid user have
read access to krb5.conf ?
Markus
"Silamael Darkomen" wrote in message
news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...
Hello,
I'm currently working on setting up our proxy to authenticate
---
Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens
Markus Moeller
Verzonden: zaterdag 27 augustus 2016 16:52
Aan: squid-users@lists.squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_grou
have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.
My Linux distribution is CentOS 7
Regards,
Márcio
2016-08-28 15:24 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:
HI Marcio,
HI Marcio,
The helper needs a Kerberos token as input. Please have a look at
test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk
version. The squid hostname must match the entry in your keytab and you must
have done kinit to authenticate against a Kerberos server
Hi,
I would say they are bugs. The first “issue” is as you say more about
understanding the difference between UPN and SPN and how the tools use them.
The helper tries to “authenticate” squid to AD as a user with the found SPN
name, so the UPN must be the same as the SPN. There is no easy
Hi Louis,
I lately made a change in how the SSL certificate verification is done. Did
you use the latest version from trunk ? Also set the variable TLS_CACERTFILE
in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do
not read any ldap.conf file for this yet.
/hostname.domain@domain.org -d
Then you get debug output in your cache.log file.
Markus
"Markus Moeller" <hua...@moeller.plus.com> wrote in message
news:nikoqr$i2m$1...@ger.gmane.org...
What does the log say when you use the -d option with the helper
Markus
"Niles
Hi Michael,
Yes you should be able to set an environment variable KRB5RCACHEDIR in your
startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache
type.
Markus
"Michael Pelletier" wrote in message
KNOWN
Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM
Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <hua...@moeller.plus.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,
Is your client
Hi,
Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?
Can you get a wireshark capture on your client on port 88 ? You should
see some TGS-REQs in the capture and I assume also TGS-REPs with error
messages. Can you share these error messages ?
Regards
Hi Markus,
When you say authentication does not work, do you mean Kerberos
authentication or Kerberos and NTLM ? Can you add a -d for debug to the
Kerberos authentication helper and provide the log file messages ?
Can you also provide the content of the keytab ?
Regards
Markus
"Markus
Hi,
The issue appears if you use the same AD account for samba and the
kerberos keytab creation. As samba will reset the password of the AD
account and thereby invalidate the extracted keytab.
Markus
"Alex Samad" wrote in message
th winbind, I kinit with my personal admin account and
also do a net ads join -U .
the password on the doesn't / hasn't changed.
are you talking about the computer account password ?
if so, then I setup a different computer account for the squid
kerberos application !
On 9 December 2015 at 07:
What other output do you get when using -d ( i.e. enable debug output) ? It
may indicate the reason for your return message.
Markus
"Michael Pelletier" wrote in message
news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com...
Hello,
, November 03, 2015 9:22 AM
To: Markus Moeller
Subject: Re: [squid-users] Squid with NTLM and Kerberos auth => an error
that says that squid can be used with Windows AD ?
2015-11-02 22:46 GMT+01:00 Markus Moeller <hua...@moeller.plus.com>:
Hi Olivier,
If I decode a to
Hi Olivier,
Which Kerberos version do you use ? MIT or Heimdal ?
Markus
"Olivier CALVANO" wrote in message
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi
I am testing AD authentication with Kerberos/NTLM
### negotiate kerberos and ntlm
Hi Olivier,
If I decode a token I see
/base64> hexdump -c base64_dec.out
000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201
010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002
020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004
What happens if you adjust the system time to be in sync with the AD server ?
Markus
"Михаил" wrote in message
news:1462781444845...@web15m.yandex.ru...
Hi All!
Sometimes I get an error message and squid stops:
2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator
Hi Paul,
negotiate_kerberos_auth is for Unix only.
Regards
Markus
"MORRIS Paul [Tuart College]" wrote in message
news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal...
Hi,
I am trying without success to use the "negotiate_kerberos_auth.exe" helper
and
Hi Enrico,
The Kerberos helper will only authenticate for now ( There is now code to
get the group information, but it is not further processed). It does not do
anything for group membership like the winbind cache. Also keep in mind that
Kerberos caches the ticket for about 10 hours on the
Hi Louis,
When you have an offline PC do you use DHCP to give an IP ? If so can you
also provide the PC with a WINS server via DHCP ? If that is possible and you
run WINS you can authenticate the user with u...@domain.com when you get the
authentication popup. The WINS server will point
.x86_64
krb5-libs-1.12.2-14.el7.x86_64
regards
olivier
2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:
Which OS and Kerberos version do you have ? There might be some issue with
the cache used KEYRING:persistent:0:0
Markus
Olivier CALVANO o.calv...@gmail.com wrote
is 130751472429170776
Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication
error
Error: set_password failed
-- ~KRB5Context: Destroying Kerberos Context
2015-05-03 13:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:
Did you compile msktutil or is it a package
Which OS and Kerberos version do you have ? There might be some issue with the
cache used KEYRING:persistent:0:0
Markus
Olivier CALVANO o.calv...@gmail.com wrote in message
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
Hi
I request your help because i want use
Hi Joao,
OK now you use the authentication rule.
How did you create the keytab ? Does the hostname match the keytab entry ?
Can you run the helper with -d to get more debug ?
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller
How does the config file look like ?
Markus
Joao Paulo Monticelli Gaspar jaumsh...@gmail.com wrote in message
news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...
Hey people
I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID
integrate to a W2K8
Oh pretty old bug.
Thank you
Markus
Amos Jeffries wrote in message news:54f26815.4020...@treenet.co.nz...
On 1/03/2015 4:55 a.m., Markus Moeller wrote:
Hi,
I wonder about the total size variables st and st for squid logs
# st Sent reply size including HTTP headers
# st Received
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to Kerberos
domain name” mappings provided by the -N option. As far as I can
tell,
=5manpath=FreeBSD+Ports+10.1-RELEASEarch=defaultformat=html
default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
Markus
Ludovit Koren wrote in message news:86h9usfpsk@gmail.com...
Markus Moeller hua...@moeller.plus.com writes:
Hi Ludovit,
Which Kerberos library
Type Principal Aliases
8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local@MDPT.LOCAL
Markus
Ludovit Koren wrote in message news:86d25i9plr@gmail.com...
Markus Moeller hua...@moeller.plus.com writes:
Hi Ludovit,
I haven't seen that error
Hi Ludovit,
I haven't seen that error before either, but when you test you should have
your own user credentials in the cache. You should use kinit
user@MDPT.LOCAL and then try again the test. is the hostname correctly set
to squid1.mdpt.local ? If not try
Amos Jeffries wrote in message news:54BE3B5C.8040800 at
treenet.co.nz...
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to
Amos Jeffries wrote in message news:54be3b5c.8040...@treenet.co.nz...
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to
between the two
helpers are and which one does fit my needs better. Any others?
Nothing I can pick out easily.
Do you know anything about the feature in
ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
earlier post?
I have a new method in my squid 3.4 patch which uses the Group
I thought it wasn't trivial, otherwise it would have been already done. ;-)
Thank you
Markus
Amos Jeffries wrote in message news:54a3416f.9060...@treenet.co.nz...
On 31/12/2014 7:59 a.m., Markus Moeller wrote:
Hi Amos,
On 30/12/2014 3:31
and XP/2003 machines are working just fine.
I've also checked the permissions on the keytab file and they haven't changed
since Saturday, so it's not that... ARGH
Craving ideas and solutions right now... Pilot users are less than satisfied ;)
Cheers,
Pedro
On 25 Oct 2014, at 14:13, Markus
in message
news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too.
On 27 Oct 2014 19:47, Markus Moeller wrote:
Hi Pedro,
Did you try the -s GSS_C_NO_NAME option ?
Markus
Pedro
Hi Pedro,
How did you create your keytab ? What does klist -ekt squid.keytab show ( I
assume you use MIT Kerberos) ?
Markus
Pedro Lobo pal...@gmail.com wrote in message
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,
I'm at my wit's end and in dire need of some squid
Hi Victor,
That sounds a bit strange. Can you capture with wireshark the traffic on
port 88 on the system which has squiduser in the cache ( best after a clear
the cache with kerbtray first) when accessing squid and send it to me as cap
file ?
Markus
Victor Sudakov wrote in message
Can you capture the traffic on port 88 from the PC to AD after a clean boot
and when you access squid ?
Markus
masterx81 wrote in message
news:1412360733691-4667648.p...@n4.nabble.com...
All solved!
It seems that kerberos is ALWAYS not working only on a specific workstation.
If i use kerberos
:44 a.m., Markus Moeller wrote:
Hi Pavel,
Can you remove line 263 from support_krb5.cc and recompile ? It is
fixed in the trunk for 3.5.
The line is safe_free(principal_name);
Regards Markus
For the record, this fix is now in 3.4.7.
Amos
Markus!
I can't because all problems that I described and all of that pieces
of logs I provided are from squid 3.4.
Squid 3.3 works good, squid 3.4 doesn't. That's the problem.
2014-08-24 18:14 GMT+04:00 Markus Moeller hua...@moeller.plus.com:
Hi Pavel,
Can you use 3.4 then instead of 3.3
Hi Pavel,
Can you use 3.4 then instead of 3.3 as it seems to have the problem fixed
?
Markus
Pavel Timofeev wrote in message
news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...
That's how squid's 3.4.6 helper works with usern...@example.org
...@scranton.edu
phone : 570-941-6168
---
On 8/21/14, 3:20 PM, Markus Moeller hua...@moeller.plus.com wrote:
Hi Scott,
So from what I see in your first log you have a user MYSUER with a
domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
keytab but does not find any entry for MYDOMAIN in the keytab. Then
Hi Daniel,
You need to check your client when you get an NTLM token instead of a
Kerberos token. It means the client can not get the HTTP/fqdn token for
the squid proxy. You can check this with tools like wireshark ( Check
communication on port 88).
Regards
Markus
Daniel Reif wrote
but skype doesn't, only works by specifying user/pass in
configuration and as I think it uses basic ldap auth.
When there was NTLM auth, it worked, but now I removed all NTLM from
squid, only kerberos negotiate and basic is left.
George
On 26/07/14 15:55, Markus Moeller wrote:
Hi Giorgi,
It would
server name should I put in
-s, -h, --upn and --computer-name?
Many Thanks
George
On 07/02/14 01:26, Markus Moeller wrote:
Hi Joseph,
it is all possible :-)
Firstly I suggest not to use samba tools to create the squid keytab,
but use msktutil (see
http://wiki.squid-cache.org/ConfigExamples
Hi George,
There might be another reason for the crash. Could you first try to
replace on line 358 of negotiate_kerberos_pac.cc
ad_data = (krb5_data *)xmalloc(sizeof(krb5_data));
with
ad_data = (krb5_data *)xcalloc(1,sizeof(krb5_data));
Regards
Markus
Markus Moeller wrote in message
?
Original Message
Subject: [squid-users] Re: upgrading from 3.3.8 to 3.4.5 crashes
negotiate_kerberos_auth
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Date: 22/06/14 13:35
Hi George,
There might be another reason for the crash. Could you first try
=0x7fffaff0 ,
context=0x60f9e0, pac=0x0) at negotiate_kerberos_pac.cc:464
#7 0x00403265 in main (argc=5, argv=0x7fffe0e8) at
negotiate_kerberos_auth.cc:419
BR,
George
On Fri, 20 Jun 2014 19:11:27 +0100, Markus Moeller
hua...@moeller.plus.com wrote:
Can you type where at the gdb
/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
Current language: auto
The current source language is auto; currently c.
(gdb)
BR,
George
On Thu, 19 Jun 2014 22:50:07 +0100, Markus Moeller
hua
Hi George,
It might be some new code I added for Kerberos PAC analysis to extract
groups. What Kerberos version do you use ? Can you send me your config.log ?
Thank you
Markus
George Billios wrote in message
news:e1wxb2r-0002u0...@rmm6prod02.runbox.com...
On Thu, 19 Jun 2014 23:21:45
Hi George,
Could you do the following please ?
1) Compile negotiate_kerberos_auth with debug (i.e. with -g )
2) kinit user@DOMAIN
3) export KRB5_KTNAME=squid.keytab
4) run negotiate_kerberos_auth_test squid-fqdn
5) run gdb negotiate_kerberos_auth
6) on prompt type run -d
7)
Hi Valentin,
I think the problem is here:
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path
CN=Schema,CN=Configuration,DC=dominion,DC=local and filter:
(ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59|
Hi Joseph,
it is all possible :-)
Firstly I suggest not to use samba tools to create the squid keytab, but
use msktutil (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). Then
create a keytab for the loadbalancer name ( that is the one configured in IE
or Firefox).
Jeffries wrote in message
news:611078a64927db3a27e7bee192469...@treenet.co.nz...
On 2014-02-03 12:06, Markus Moeller wrote:
Hi,
I am testing authenticating a XP machine with Kerberos, but the
client tries Negotiate/NTLM first after which squid does not accept
the change to Negotiate/Kerberos
Hi Amos,
Amos Jeffries wrote in message
news:b596a7df3abbf894689873c1a4bda...@treenet.coz...
On 2014-02-05 10:06, Markus Moeller wrote:
Hi Amos,
I tried 3.4.3 and it didn't change. I attach a access.log cache.log
and a wireshark capture file. You will see the first Negotiate/NTLM
Hi,
I am testing authenticating a XP machine with Kerberos, but the client
tries Negotiate/NTLM first after which squid does not accept the change to
Negotiate/Kerberos anymore.
If you look at the wireshark log you see authentication attempts at 20:44:20 for
Negotiate/NTLM and at 22:44:30 the
Hi Sarfraz,
Which helpers do you run ? The message you see is most probably from the
kerberos_ldap_group helper and means that when the helper tries to
authenticate to AD the AD entry with an attribute
userprincipalname=HTTP/squid-fqdn can not be found.
squid-fqdn being the name you have
: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 5:35 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database
Hi Sarfraz,
Which helpers do you run ? The message you see is most probably from the
kerberos_ldap_group helper
with
HMAC/md5)
Regards,
Sarfraz Aslam
- Original Message -
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Cc:
Sent: Friday, January 3, 2014 6:31 PM
Subject: [squid-users] Re: Keytab client not found in kerberos database
Hi Sarfraz,
You didn't say
news:52c0f9e8.7050...@norma.perm.ru...
Hi.
On 29.12.2013 18:59, Markus Moeller wrote:
I setup a virtual machine with freebsd 10-RC3
$ uname -a
FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23
23:27:58 UTC 2013
r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
the attached
, Markus Moeller wrote:
Could you tell me which OS , kerberos, ldap and sasl version you use ?
It's
FreeBSD 10.0-BETA2 amd64
Heimdal Kerberos 1.5.2
cyrus-sasl 2.1.26
openldap-sasl-client-2.4.38
last two are from FreeBSD ports, -sasl- means it's compiled with
--with-cyrus-sasl.
Thanks.
Eugene
I assume the *s are not in the real file. Can you run a strace against the
auth helper to verify the right keytab is used ?
Markus
flypast wrote in message news:1387953737367-4664034.p...@n4.nabble.com...
Hi Marcus,
Please see my current /etc/init.d/squid file. I had added your suggested
Hi Eugene,
I am not sure of the cause, but it must be somewhere deep in the ldap
or kerberos library. I have seen this behaviour before on Solaris only.
Markus
Eugene M. Zheganin wrote in message
news:52b91c8a.4080...@norma.perm.ru...
Hi.
On 23.12.2013 22:39, Markus Moeller wrote
Hi Amos,
So in this case the Samba ntlm_auth helper would need to escape the
output. Does the Samba team know ? I use
ntlm_auth -V
Version 3.6.12-59.13.1-3108-SUSE-SL12.3-x86_64
Markus
Amos Jeffries wrote in message news:52b8f0f8@treenet.co.nz...
On 24/12/2013 6:59 a.m., Markus
How do you start the service ? Do you use systemctl ? If so you may need
to add KRB5_KTNAME=/etc/squid/squid.keytab to
/etc/sysconfig/squid
Markus
flypast wrote in message news:1387845981524-4664010.p...@n4.nabble.com...
hi Markus,
Please see the below. I just temporally change access
Hi Brian,
Based on my knowledge it is not possible to use negotiate ( Kerberos or
NTLM ) without AD/Samba.
Regards
Markus
Brian J. Murrell wrote in message
news:1387692922.21328.2.ca...@pc.interlinx.bc.ca...
Hi Eugene,
Could you tell me which OS , kerberos, ldap and sasl version you use ?
Markus
Eugene M. Zheganin wrote in message
news:52b91c8a.4080...@norma.perm.ru...
Hi.
On 23.12.2013 22:39, Markus Moeller wrote:
Hi Eugene,
I can only guess that the memory cache is not working. Can you
Hi Amos,
That looks better.
Thank you
Markus
Amos Jeffries wrote in message news:52b8f376.7070...@treenet.co.nz...
On 24/12/2013 3:27 p.m., Amos Jeffries wrote:
On 24/12/2013 6:59 a.m., Markus Moeller wrote:
snip
kerberos_ldap_group.cc(329): pid=16122 :2013/12/23 17:45:58
news:1387908649.6356.40.ca...@pc.interlinx.bc.ca...
On Tue, 2013-12-24 at 13:42 +, Markus Moeller wrote:
Hi Brian,
Hi Markus,
Based on my knowledge it is not possible to use negotiate ( Kerberos or
NTLM ) without AD/Samba.
Yeah, I guess I mis-represented my limitations. I don't mind
Hi Brian,
I forgot to say that I have not tested the case where there is a trust
between the AD/Samba server and the Linux kdc. I have tested the other case
though.
Markus
Markus Moeller wrote in message news:l9co5k$672$1...@ger.gmane.org...
Hi Brian,
The users Windows machine does
Hi ,
Are you sure your squid user has read access to the keytab ? If the KVNO
and HTTP/... name in the ticket match what is in the keytab it should
work.
If your AD entry has also the userprincipalname set to HTTP/proxy
you can test with kinit -kt keytab HTTP/proxy02... It
Hi Eugene,
I can only guess that the memory cache is not working. Can you change in
include/autoconf.h
/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1
to
#undef HAVE_KRB5_MEMORY_CACHE
and recompile ?
Markus
Eugene M. Zheganin wrote in message
Hi Amos,
Which helper has to do which rfc1738_(un)escape ? I am running the
negotiate wrapper with NTLM and Kerberos. When I authenticate with NTLM I
see the following in the log
2013/12/23 17:45:48| negotiate_wrapper: received type 3 NTLM token
2013/12/23 17:45:48| negotiate_wrapper:
Hi
Can you try
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s
GSS_C_NO_NAME
instead of
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s
HTTP/proxy02.deeplayer@deeplayer.com
I wonder if the kerberos library gets confused having hostname proxy01
What is the KVNO and encryption type you see in the capture ? You may need
to clear the cache on the XP machine by either lock/unlock the PC or
logging off/on or using kerbtray. It could be that XP had an old key cached.
Markus
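The checks that come up again and again in these replies (does klist -ekt show an HTTP/<fqdn>@REALM entry, does the KVNO in the client's ticket match the keytab, are there stale keys left from a password reset, are weak enctypes still in the keytab) can be scripted against the klist output. The script below is an added example, not code from Squid or its helpers. It assumes MIT Kerberos klist -ekt output (Heimdal's ktutil prints a different layout and is not parsed); the listing embedded in it is constructed for the demo, not taken from a real keytab.

```python
import re

# Added example for this thread; not code from Squid or its Kerberos helpers.
# Assumes MIT Kerberos `klist -ekt <keytab>` output. Heimdal's ktutil prints a
# different layout and is not handled here.

# Enctypes a Kerberos-for-HTTP deployment should not still depend on
# (labels as MIT klist prints them).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}

# Matches e.g.
# "   5 09/23/2014 10:15:22 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) for every entry line of `klist -ekt` output."""
    out = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def expected_spn(fqdn, realm):
    """SPN the browser asks the KDC for: the configured proxy host name, lower-cased."""
    return "HTTP/%s@%s" % (fqdn.rstrip(".").lower(), realm.upper())


def check_keytab(klist_text, fqdn, realm, ticket_kvno=None):
    """Compare a keytab listing with the SPN (and KVNO) the client ticket will carry."""
    spn = expected_spn(fqdn, realm)
    entries = parse_klist(klist_text)
    hits = [e for e in entries if e[1] == spn]
    warnings = []
    if not hits:
        warnings.append("no entry for %s" % spn)
        near = [e[1] for e in entries if e[1].lower() == spn.lower()]
        if near:  # principals are case-sensitive; the browser never asks for mixed case
            warnings.append("entry differs only in case: %s" % near[0])
    kvnos = sorted({e[0] for e in hits})
    if len(kvnos) > 1:
        warnings.append("several KVNOs for %s: %s (stale keys after a password reset?)"
                        % (spn, kvnos))
    weak = sorted({e[2] for e in hits if e[2] in WEAK_ENCTYPES})
    if weak:
        warnings.append("weak enctypes in keytab: %s" % ", ".join(weak))
    kvno_match = ticket_kvno is None or ticket_kvno in kvnos
    if not kvno_match:
        warnings.append("ticket KVNO %d not in keytab (have %s): client cached an old "
                        "key or the keytab is stale" % (ticket_kvno, kvnos))
    return {"spn": spn, "found": bool(hits), "kvnos": kvnos,
            "enctypes": sorted({e[2] for e in hits}),
            "kvno_match": kvno_match, "warnings": warnings}


# Constructed listing for the demo, not output from a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 03/01/2014 09:12:40 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 09/23/2014 10:15:22 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 09/23/2014 10:15:22 HTTP/proxy.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 09/23/2014 10:15:22 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   5 09/23/2014 10:15:22 host/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    import sys
    # Usage: klist -ekt /etc/squid/squid.keytab > listing.txt; python3 this.py listing.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KLIST
    result = check_keytab(text, "proxy.example.com", "EXAMPLE.COM", ticket_kvno=5)
    print(result["spn"], "found" if result["found"] else "MISSING", "kvnos", result["kvnos"])
    for w in result["warnings"]:
        print("warning:", w)
```

Run klist as the squid user (or with the KRB5_KTNAME the service uses) so that a keytab the helper cannot read fails here too, and take the KVNO to compare against from the TGS-REP in the port 88 capture. The script only checks names and key versions; kinit -kt <keytab> HTTP/<fqdn> is still the test that the key material itself is right.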
flypast wrote in message
Hi,
If you get an NTLM token from the client it usually means that the client
can not get the service principal for HTTP/proxy where proxy is the
string (yes string if it is an IP it is used as a string) of the configured
Browser proxy. If you take a wireshark capture on the client you