...@condenast.co.uk...
Hi,
Running Kerberos auth ok for a while now and I wanted to look at
possibilities of tweaking/optimising it.
Current helper conf:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s
GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate
is Kerberos protocol being attempted.
If you are seeing a lot of them it is time to upgrade your network
authentication.
Amos
I recognized, that the values in the AD-computer-object (attribute
msDS-SupportedEncryption-Type) have to match the client-kerberos-ticket
(session-key) and the settings made in /etc/krb5.conf. On all three
parts, the aes-256 value must be set.
If not, there's no authentication possible
Hello list,
I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
Kerberos AD authentication as in the config examples at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
Samba method). It successfully worked for over half a year but
suddenly the SSO
On 20/01/11 01:12, Rafal Zawierta wrote:
Hello,
I'm trying to set up squid to auth against AD.
AD is on 2008 server (but functionality level of 2003).
Kerberos works fine, from linux machine (debian) kinit and klist and
kutil are all right. I also have created krb5.keytab and for my proxy
user
On 20/01/11 03:51, Rafal Zawierta wrote:
Update.
Fortunately I was able to reinstall my proxy machine and now it works fine.
Steps on Ubuntu 10.04 are almost the same as:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
But please be sure to carry on pathnames
On Mon, 2008-06-09 at 10:02 -0700, Alex Morken wrote:
I now believe the issue has to do with squid configuration. I have
not been able to get any indication that it is even trying kerberos -
it is just using the basic auth method. I am going to strip down my
squid config to the basics
On 01/02/11 16:30, Senthilkumar wrote:
Hi Amos,
Thanks for your response.
By using kerberos instead of ntlm scheme can the pop up occurring rarely
can be fixed?
I don't know the answer to that until we find out what your problem was
exactly.
Negotiate has less complexity than NTLM so
When I run msktutil I get this line in the output.
krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
I did kinit before issuing msktutil and it ran successfully. I can see
tickets when I issue klist.
On 30 April 2011 10:43, Go Wow gow...@gmail.com wrote:
Hi,
I'm
On 05/05/11 21:09, Go Wow wrote:
I thought squid with kerberos works like SSO, isn't it?
SSO is the idea of what a browser (and the OS it runs on) does with
credentials to two services. SSO has nothing to do with Squid. It is
entirely a browser feature. Depending on the browser it can
Hi!
I have recently set up a Squid3 using also Kerberos and NTLM
authentication for integration with Active Directory Services.
My only problem is that the users cannot access the Outlook Web
Access. They get two different login windows and then an Error Access
Denied.
I have seen that a lot
On 5/11/2011 3:04 a.m., Markus Nilsson wrote:
Hi!
I'm having some trouble with kerberos (negotiate) authentication and the
Proxy-Authorization header.
Currently I am using digest, and it's working fine. I allow most request in
squid, but am using a url_rewriter to check if the user really
.
Username and password can be configured with the login= option on the
relevant cache_peer line. You get a choice of Basic authentication, with
one or other username:password detail removed/replaced. In newer Squid
you can also send Negotiate/Kerberos authentication security hashes.
Amos
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote:
Did you try my negotiate wrapper ? It is part of squid 3.2, but
right now only works with 3.1 ( I have an open bug for 3.2)
looks interesting, I'm going to grab it from last 3.2 sources and
compile it for 3.1. I'll let you know
On Fri, Dec 09, 2011 at 10:04:56PM -, Markus Moeller wrote:
BTW you can also compile 3.2 and just copy the binary. It works as
standalone helper.
I just tried and it seems to work fine and from a small test seems to
fix my main problem :)
Do you know if there can be any performance
Now the update (which does not happen as msktutil determines it is not old
enough to change):
Thanks for the testing Markus.
But what happens after you reset your squid-test-http account on your
Windows Server and run the update again. My guess is it will fail
when it gets to the
I'm having some trouble with the Kerberos part where I need to install
the following package:
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules
It returns
unable to locate package libsasl2-modules-gssapi-mit
unable to locate package libsas12-modules
Are you copying and pasting
On Tue, 2007-07-31 at 16:53 +0100, UK SquidUser (AXA-TECH-UK) wrote:
hi, i'm trying to migrate to a new platform of squid proxy servers using
active directory. I can't seem to find any pointers on configuring
squid/kerberos/samba to use multiple domains for authentication..
You need a trust
On Tue, 2007-08-21 at 08:59 +0200, Olsson, Mattias wrote:
Thank you for the answer!
In my Windows environment I'm using kerberos to get a valid ticket. Can that
also be done with Netware?
No idea, and it's not LDAP related.
Sorry for the lame questions, haven't been around Netware since
On Wed, 25 May 2005 04:10 am, marcantonio wrote:
Hi,
How can I troubleshoot Squid with ntlm_auth?
I have been checking everything; the pipe is ok. The program ntlm_auth
works when launched manually; all samba utilities and kerberos utilities
return success. But Squid rejects users.
Can
On Wed, 2005-07-06 at 12:35 +0200, Jakob Curdes wrote:
I could not find this scenario in docs or mailing list. I would be glad
for a hint to a working setup.
Not yet. Work is in progress to support NEGOTIATE (aka Kerberos,
MS-style) support for squid-3. Until it's ready the only chance to have
On Tue, 13 Jan 2004, Robert Gabriel wrote:
Problem is: can we get Squid to handle [EMAIL PROTECTED], user\domain or
something similar for proxy authentication from Internet Explorer?
Squid just sends whatever the user entered in the login box to the helper.
If you can get the required
I am running Squid 2.5stable5 with Fedora Core2, using PAM, Winbind,
Kerberos, and Samba 3.0.4 to authenticate with my Windows 2000 Server
active Directory.
Every time a browser proxying through squid tries to load a secure java
applet, it comes up with a red x where the java applet should
will be happy.
Kerberos is not related to the issue as far as I know.
Regards
Henrik
a W2003 Active
Directory or openldap with kerberos authentication.
Would it make sense to also add this to squid_ldap_auth?
Regards
Henrik
Mon 2006-08-14 at 09:23 +0200, Nirina Michel wrote:
What are the options to add to the cache_peer line to
let squid to negotiate NTLM auth?
None. It's all automatic. There is only options to disable the support
for connection oriented authentication in case you do not want to
support it.
Thu 2006-08-17 at 11:01 +0200, Nirina Michel wrote:
I just compiled from source 2.6.1 and applied the
patch 2.6.1-3 for Debian. Does it mean 2.6.1 STABLE 3
or 2.6 STABLE 3? Do I need to install 2.6.2?
2.6.1-3 means Squid-2.6.STABLE1 debian package version 3.
Regards
Henrik
?
- Kerberos in use?
- How did you join the squid into the domain?
Maybe I should ask the samba users list for help?
Make a try, the guys are really good in joining linux systems in windows
domains ;-)
DvS
Mon 2006-12-11 at 18:54 -0500, Brian J. Murrell wrote:
Wouldn't an existing helper, like the ntlm_auth helper in Samba be of
use? Does it not take the SPNEGO data from the browser and hand it off
to some MS Goop(tm) for an authentication response? That would at least
take care of the
On 2/8/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
Have you also added the originserver option to cache_peer?
Regards
Henrik
I do have that option set.
Here is my squid.conf:
http_port 80 accel defaultsite=
cache_peer parent 80 0 no-query login=PASS originserver
Hi everyone!
I need my squid to deal with some users in a different way. I'm
running kerberos authentication scheme, so only authenticated users can
access the cache. How could I make an ACL to group some authenticated
users in order to deny or allow some urls specific to them? But
notice
happens to the user if Squid accepts the credentials and
authenticates them. But the other proxy does not? important.
I know about the login=PASS cache_peer directive but I am
wondering how that plays with negotiated authentication schemes like
kerberos.
In HTTP proxy-auth credentials are decided
Hello,
I'm trying to configure squid 3.1.19 on CentOS 6.0 authenticating with
Active Directory, the helper is the authentication NEGOTIATE with
KERBEROS.
infrastructure
Squid: 03/01/19
Operating System: Windows Server 2008 R2 and CentOS 6.0
Other software: Winbind and Kerberos.
Problem: Every
Hi all,
I have just implemented squid with kerberos + ntlm + basic
authentication.
I have just been told accessing a sharepoint website on the internet has
stopped working.
It seems the site is running NTLM authentication.
I have wiresharked the traffic on the proxy and can see the request come
Hi,
When applying the command, net ads keytab add HTTP -U administrator
One warning:-
Warning: kerberos method must be set to a keytab method to use keytab
functions.
Also see below:-
[root@lx hooks]# ktutil
ktutil: rkt /etc
their outbound traffic, but
can't speak NTLM, so the application is prevented from proxying any traffic.
Would a Kerberos integrated Squid be a possible solution to this problem?
Thanks,
Josh
file) we get a login box, but in spite of the right
credentials we won't be logged in.
All computers are authenticated to the AD, so squid has to pass through
the kerberos certificate.
Are there any hints on that?
Thanks!
Kind regards,
Nicole
-Original Message-
From: Amos Jeffries squ...@treenet.co.nz
You could try the negotiate_wrapper Markus wrote. That permits the NTLM
and Kerberos GSSAPI mechanisms to both be negotiated via Negotiate auth.
Well if i can not and do not handle NTLM - its useless - isn't
Dear Developers Users,
I'm using squid with negotiate (ntlm+kerberos)
I recently discovered, that a computer which is member of the corporate domain
is able to successfully authenticate against squid and use the proxy even
though the local user is not yet logged on.
We want to deny
Hi,
I have some trouble to authenticate our web browser over Kerberos.
I always get the following error message.
2012/10/30 14:27:55| squid_kerb_auth: DEBUG: Decode
I followed the guide below as a starting point for my squid proxy,
however authentication fails after a day or so (I think due to account
reset)
I am using squid 3.2.6 with msktutil
ERROR: Negotiate Authentication validating user. Error returned 'BH
NT_STATUS_ACCESS_DENIED'
I am running a
Hello, Carlos,
You wrote on 19.08.13:
What is the best strategy to use a keytab file within multiple
servers? By now i'm using a NFS share to export the keytab.
Every day msktutil runs to update the file if necessary. The job is
schedule in one server only.
Also, after the update of the
looks like multiple instances is a option.
On Wed, Oct 9, 2013 at 11:04 PM, JC Putter jcput...@gmail.com wrote:
Hi, I am using Squid 3.3.9 with Kerberos authentication on my network.
we now have a requirement where we need to give guest users access on
the same proxy, is it possible to run
On 10/14/2013 06:29 PM, Marko Cupać wrote:
2013/10/14 17:23:12 kid1|
'/usr/local/etc/squid/errors/sr-latn-rs/ERR_CACHE_ACCESS_DENIED': (2) No such
file or directory
2013/10/14 17:23:12 kid1| WARNING: Error Pages Missing Language: sr-latn-rs
This is another issue that the ERROR pages do not
Hi,
It is possible to decode those negotiate_kerberos_auth debug
messages? I tried base64 -d, but it shows a lot of garbage and
almost nothing readable.
Ex:
negotiate_kerberos_auth.cc(315): pid=32562 :2013/10/30 13:32:45|
negotiate_kerberos_auth: DEBUG: Got 'YR
YIIF0w/very/big/code/here/0z3Q=='
is seriously terrible to use these days (all of
15-bit encryption at best). Consider migrating to the samba ntlm_auth
alternative, or Kerberos, or just dropping it completely.
Amos
On 2013-11-28 07:58, Eliezer Croitoru wrote:
Can you share squid.conf relevant lines?
There are none for this problem. It is bounded by the system I/O limits
and some limits imposed by remote HTTP software (ie header length 4KB
are unreliable over Internet connections).
As mentioned
Hi.
On 23.07.2013 07:50, Brendan Kearney wrote:
your home machine, is it part of the domain that the work proxies are
authenticating against? You would never be able to retrieve a kerberos
ticket from the domain to use for authentication to the proxies if your
home machine is not part
Hi.
On 23.12.2013 22:39, Markus Moeller wrote:
Hi Eugene,
I can only guess that the memory cache is not working. Can you
change in include/autoconf.h
/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1
to
#undef HAVE_KRB5_MEMORY_CACHE
and recompile
Hi Flypast,
Are you using the RPM or from source?
(My RPM is not designed to compile external_acl and other helpers)
Thanks,
Eliezer
On 30/12/13 02:30, flypast wrote:
Hi Markus,
I built a new Centos server at version 6.5 and redo all the configuration on
the new server in the same way.
Dears Squid users and developers.
I'm facing a problem with Windows 7,8 + Mozilla Firefox workstations.
A brief explanation: these workstations (Windows 7, 8 with Mozilla
Firefox) don't auth on a squid server with kerberos, but, everything is
fine with IE and Chrome.
A half-solution is set
because DG does not support kerberos.
If i remember well, dansguardian's default log format does not have the
same format as squid (logfileformat=1 in dansguardian.conf). You need
to change it to logfileformat=3.
Hope this helps,
--
Marko Cupać
Hi
sure here you go. Kerberos version is: 1.8.3+dfsg-4squeeze7
BR,
George
On Thu, 19 Jun 2014 19:26:09 +0100, Markus Moeller hua...@moeller.plus.com
wrote:
Hi George,
It might be some new code I added for Kerberos PAC analysis to extract
groups. What Kerberos version do you use
-spnego --domain=DOMAIN
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -d -s GSS_C_NO_NAME
I always get negotiate_wrapper: Return 'AF = * username where username is
the currently logged in user. Where is this asterisk coming from. I can't map
* username to dansguardian filter-groups
documentation on Kerberos
authentication by Squid for Windows (just on *nix), can anyone point me
in the right direction? Ideally I would want to be able to
authenticate on a group level so site technicians just move accounts
into/out of a group to allow or deny access. Also, is there a way to
add
not been able to find any documentation on Kerberos
authentication by Squid for Windows (just on *nix), can anyone point me
in the right direction? Ideally I would want to be able to
authenticate on a group level so site technicians just move accounts
into/out of a group to allow or deny access. Also
Hi,
If the two domains are placed in two different AD Forests, a forest trust
is needed for Kerberos authentication.
But the two AD forests must be at least Windows 2003 AD Forests running in
forest and domain Windows 2003 native mode.
Here you can find more details:
http
...
, 20 May 2010 21:51:08 +0100,
Markus Moeller hua...@moeller.plus.com wrote:
It will work with the right setup (e.g. you have to copy the
Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name
or -s GSS_C_NO_NAME option with squid_kerb_auth).
Regards
Markus
Understood. Thanks
has been obsolete for 8 years now? Its encryption
schemes were demonstrated to be decrypted in under 15 minutes with a
standard consumer desktop as of a year or so ago.
Microsoft have declared it deprecated in favor of Kerberos back in the
early stages of Vista and all their newer software attempts
complicated. But isn't there a
basic-fallback mechanism for Kerberos/NTLM? Does this only work if there
is a technical error with either Kerberos or NTLM?
Or is it a client thing which has to pick the basic mechanism?
The workaround that comes to mind is to run a shell squid instance for
each client
Interesting. I thought Negotiate will use Kerberos first and then NTLM.
5. Pass Prompt (stays on after ack)
6. KRB5 AS-REQ/AS-REP, TGS-REQ/TGS-REP (with AD server)
7. GET google, Proxy-Authorization: Negotiate token, GSS-API (SPNEGO)
What does squid say here in the logfile ? If the token
news:c8b7b33a.f61b%nick.cairncr...@condenast.co.uk...
Hi,
Running Kerberos auth ok for a while now and I wanted to look at
possibilities of tweaking/optimising it.
Current helper conf:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s
GSS_C_NO_NAME
auth_param negotiate children 10
) which worked
perfectly.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
One thing I'd like to do is continue using LDAP Groups and/or
Organizational Units to grant permissions to certain websites. So my
question is in two parts:
Is there a way to use squid_ldap_auth
Hi,
We are using squid 3.1.8 (on RHEL5.5 64Bit) as authentication/caching
forward proxy and an ICAP server for authorization and content
filtering.
At the moment, most of the users are authenticated by NTLM (we are
planning for Kerberos) and the username is sent to our ICAP server
which will do
Hi
We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
operational mode is still 2003.
We're using kerberos-authentication against the active-directory.
Nightly runs the msktutil --auto-update on the squid-proxy. One day,
this updated the computer-account and added the new
On 09/12/10 19:43, Tom Tux wrote:
Hi
We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
operational mode is still 2003.
We're using kerberos-authentication against the active-directory.
Nightly runs the msktutil --auto-update on the squid-proxy. One day,
this updated
. I kind of figured it needed something else, but I
wasn't sure what to put there. Where can I get or generate the
Kerberos GSSAPI blob I need for the input? I have been digging
around kerberos docs and haven't found what I needed.
Not sure. It's a kerberos authentication handshake, and initially
to see what I can get but I can't find where it is
trying to pass anything to squid_kerb_auth.
It will only talk to squid_kerb_auth when there is a client trying to
perform a kerberos handshake. Before that it's complete silence on the
helper side..
When I comment out the auth_param basic part
-2.6.STABLE20 on CentOS 5 with WinXP clients that are part
of an AD domain.
I have been testing the Kerberos authentication and have noticed that
after a few days I can no longer use the proxy. My Kerberos tickets are
valid on the proxy and on the client and I can access windows network
resources
Hi,
We're working on a substitution of an ISA by a SQUID server. The problem is
that we have more than 8.000 users and the authentication is based on a
Microsoft AD, so we intend to use kerberos authentication to have a better
performance.
We're using a CentOS 5 with all patches installed
What error do you receive ? Is the authentication or authorisation the
problem ?
Markus
Alexandre augusto [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi all,
After some months looking for some help to build squid + AD authentication
using kerberos in transparent mode
by external groups? people accessing from out on
the Internet?
NP: NTLM does not work reliably across the wide Internet due to its
design as a LAN protocol. Kerberos is only slightly better over WAN.
The key authentication difference between XP and Win7 is NTLM. In Win7
it has been outright
On 3/7/2011 7:28 PM, Amos Jeffries wrote:
On Mon, 07 Mar 2011 17:14:40 -0600, Vernon A. Fort wrote:
What do you mean by external groups? people accessing from out on
the Internet?
NP: NTLM does not work reliably across the wide Internet due to its
design as a LAN protocol. Kerberos
the answer is maybe.
In modern browsers it commonly wraps Kerberos auth. Which is more
efficient on the handshakes, has stronger hash algorithms than NTLM and
backend helpers avoid the 256 concurrency limit in winbind. So is worth
trying to use either way.
Older versions of MS software is known
, Amos Jeffries squ...@treenet.co.nz wrote:
On 19/04/11 20:09, Go Wow wrote:
Hi,
I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
You mean 3.1.1? we are only up to 3.2 series so far.
have these entries at random times. I know that the client is sending
a kerberos reply
Hi Eugene,
I created another helper called negotiate_wrapper which is part of squid
3.2 (although there is a bug in squid 3.2 which means Negotiate/ntlm is not
working with squid 3.2) . Anyway the wrapper works fine with squid 3.1 and
3.0.
The config is:
#
# Negotiate/Kerberos
/en/details.aspx?displaylang=enid=23018)?
Regards
Markus
Franco, Battista battista.fra...@saint-gobain.com wrote in message
news:0b0bf3f65f960a4b8be340e64290f4cd0696d...@a00exgec23.za.if.atcsg.net...
Hello
On Centos 6 I want used squid (version 3.1.4) with Kerberos
authentication so only AD
Hi João Carlos,
Negotiate is a way to negotiate the authentication type. When the
client receives the negotiate request from squid it will try first Kerberos
authentication and if that fails because the SPN does not exist the client
will use NTLM in the Negotiate reply.
To get around
the Win2008 default is Kerberos authentication (AKA
negotiate/Kerberos) rather than NTLM the use of mswin_ntlm_auth.exe is
itself a/the security hole in a manner of speaking.
mswin_negotiate_auth.exe uses the Windows native APIs to do Kerberos,
so should work. But 2.7 is a bit old and there may
Hi James,
The issue you have might be related to:
The computer-name has Windows Netbios limitations of 15 characters (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )
3MSYDPROXY01-HTTP is 17 characters long and 3MSYDPROXY01 is 12 characters
long. Can you choose
On Thu, 12 Jul 2007 09:51:23 +0100
Markus Moeller [EMAIL PROTECTED] wrote:
The token seems alright. If you use a recent Kerberos implementation
you should compile with -DHAVE_SPNEGO which will avoid the use of the
spnego helper routines. If you don't run a recent Kerberos
implementation make
supports it currently, and then only if you're
running Windows desktops with a Samba/Windows domain server.
The realm is specific to the proxy configuration - but within an
enterprise it can be set yes. In fact Kerberos realms might be a good
one to choose, if an organisation already has kerberos
can authenticate an Active Directory user by using
Integrated Windows Authentication, so no user/password/domain is
requested and windows logon credentials are used, and to do that it can
use as authentication protocols NTLM or Kerberos. These protocols are
used between the browser and the proxy
the following truths:
- A proxy can authenticate an Active Directory user by using
Integrated Windows Authentication, so no user/password/domain is
requested and windows logon credentials are used, and to do that it can
use as authentication protocols NTLM or Kerberos. These protocols are
used
is able to handle KERBEROS/NTLM authentication?
Yes, 2.6 can forward NTLM, Negotiate and Kerberos Microsoft
authentication schemes, both to origin servers and peer proxies.
I still use 2.5.9-10 shipped with debian stable.
quite ancient..
Regards
Henrik
p5
explain if you can get
very grateful!
On Wed, Jan 25, 2012 at 12:18 AM, Amos Jeffries squ...@treenet.co.nz wrote:
On 25.01.2012 13:24, João Paulo Ferreira wrote:
Hello
Sorry my English is not the same as good.
I have installed in my company with Squid 3.1.4 (Winbind, Samba, Kerberos),
but I
-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
-d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
--kerberos
/usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
-s HTTP/grazina2.redecamara.camara.gov.br
auth_param negotiate
.
I have fresh installed the machine back to how it was when the first
email went out.
Is the keytab readable by the user running squid? The kerberos messages
are not always the most helpful of things. You could also try writing a
script wrapper around the authenticator
/websec/HTTPs_Profiles-Proxy_Profiles.html
Isn't there a way to build something like that with squid?
What can you recommend?
What is the backend you are using LDAP protocol to access capable of?
We are using OpenLDAP directly, there is no other backend.
Kerberos is best you can get
...@z390101.bk.fin.local...
I am planning to setup kerberos auth in squid. At the moment we are using
ntlm auth but want also to provide Kerberos/negotiate auth.
A few questions:
1) Do we need a keytab file?
2) We have multiple squid-servers, do I need an individual keytab-file for
each server
2012 21:22
To: squid-users@squid-cache.org
Subject: [squid-users] Re: No Kerberos Auth
Hi Ralph,
If you use NTLM and Kerberos make sure you do NOT use the same AD account for
both. The samba daemon will change the password on a regular basis which will
bring the keytab out of sync with the AD
process from NTLM/Samba to Kerberos,
what is the process for add a group check ?
Actually i use wbinfo_group.pl, but in kerberos, i can't start winbind
process.
what is the solution ?
Hi,
You should be able to use the LDAP-based group authorization helper
against Active Directory.
Thanks
, Dec 26, 2012 at 2:43 PM, Noc Phibee Telecom
n...@phibee-telecom.net wrote:
On 26/12/2012 13:03, Kinkie wrote:
On Dec 24, 2012 4:15 PM, Noc Phibee Telecom
n...@phibee-telecom.net
wrote:
Hi
If i want change my authentication process from NTLM/Samba to
Kerberos,
what is the process
On 21/02/2013 7:20 p.m., Brett Lymn wrote:
Folks,
I am running 4 proxy servers with squid 3.1.19 (yes, I know it is old,
will update soon) with kerberos authentication behind a F5 load balancer
for a user community of about 2000 people using Windows/I.E.. Normally,
this all works fine, people
On Thu, Feb 21, 2013 at 11:23:32PM +, Markus Moeller wrote:
I don't think this has to do with squid and Kerberos.
Reasonably sure it does - for a start the machine that AD says is
causing the errors is one of the proxy servers and if we restart squid
on that particular machine the problem
On Fri, Feb 22, 2013 at 02:48:56PM +, Markus Moeller wrote:
A pure squid Kerberos authentication setup does not create any connection
between squid and AD. I am 100% sure of that.
OK, in that case I am now confused.
If you use additionally squid_kerb_ldap then yes
You can see an example of authentication using Kerberos here
http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter
or here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Em 21/03/2013 19:18, Leonardo
: /tmp/krb5cc_0
Using principal: proxyprueba.xxx@xxx.xxx
Using keytab: /etc/squid/.keytab
kinit: Client not found in Kerberos database while getting initial
credentials
I use ktpass for generate the ticket
C:\ktpass -princ HTTP/srvproxy.sertecin.local@SERTECIN.LOCAL -mapuser
sertecin\srvproxy
in Kerberos database while getting initial
credentials
I use ktpass for generate the ticket
C:\ktpass -princ HTTP/srvproxy.sertecin.local@SERTECIN.LOCAL -mapuser
sertecin\srvproxy -pass admin1234 -crypto rc4-hmac-nt -ptype
krb5_nt_principal -out squid.keytab
Can I generate a keytab for 2008 and 2003
601 - 700 of 3489 matches