RE: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on

2011-08-02 Thread Ming Fu
@squid-cache.org Subject: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on Hi Ming, That looks correct. I have three suggestions: 1) Can you reset the AD account password for the squid user and re-extract the keytab? 2) Use another tool like msktutil (see http

[squid-users] Re: Re: Re: Re: squid 3.1.14 kerberos single sign on

2011-08-02 Thread Markus Moeller
? Thanks Ming -Original Message- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Saturday, July 30, 2011 7:51 AM To: squid-users@squid-cache.org Subject: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on Hi Ming, That looks correct. I have three suggestions

[squid-users] Informal HOWTO - transparent authentication and optional outbound web filtering using Samba 3.0.13, Squid 2.5.STABLE7, SmartFilter 4.01, RedHat 9.0 in a Win2003 AD domain

2005-04-05 Thread Greg Scott
. These instructions use the following versions of these packages: RedHat Linux 9.0 with various kernels from kernel.org MIT Kerberos 1.4 built from source Samba 3.0.13 built from source Squid 2.5.STABLE7 built from source SmartFilter 4.01 from Secure Computing (optional) Note that it may be easier to do

Re: [squid-users] NTLMv2 issue caused by Samba's Winbind helper

2008-10-29 Thread Amos Jeffries
) This is caused by Samba - does anyone know if this will ever be fixed properly? The Kerberos 'KK' buffers were expanded to 32KB in 3.0stable10 and 2.7stable5. The squid bundled Kerberos helper was updated to version 1.0.3 starting with the squid 3.1. Not sure about its current status in 2.x

Re: [squid-users] Re: Re: AD authentiction with squid

2009-03-21 Thread Amos Jeffries
: In more detail the required steps for squid_kerb_auth (from https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest squid distribution) are: 1) Install kerberos client package 2) Install msktutil package from http://dag.wieers.com/rpm/packages/msktutil/ 3) Configure krb5.conf 4

Re: [squid-users] Security of NTLM authentication

2009-06-03 Thread Guido Serassio
versions used by Win9x are hashes which are now trivially broken, none are completely secure. The latest windows releases have deprecated it in favor of the much more secure Kerberos (but that won't work with anything much older than XP and IE6). Just some more explanation here: There are two

[squid-users] Squid requiring domain for auth

2009-06-22 Thread Steve Allen
winbind use default domain = yes which I do. With the option set to yes I get proxyv4# wbinfo -u | grep test99 test99 without the option I get proxyv4# wbinfo -u | grep test99 AFCT\test99 What am I missing? I didn't configure anything for kerberos because of this line in the samba howto

[squid-users] squid_kerb_auth high CPU usage

2009-06-24 Thread J.J.
, OS is Fedora 10. From stracing a helper process i saw its opening/writing/reading from and to /var/tmp/HTTP_501 , which is a 150-200k file, growing and shrinking all the time, containing all the Usernames a few times. Kerberos as itself works as intended. I already changed number of helper

[squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-11 Thread Markus Moeller
Hi Daniel, Did you see any configure errors for gssapi.h ? Markus Daniel sq...@zoomemail.com wrote in message news:001301ca19fe$9f450a50$ddcf1e...@com... Good afternoon, In my attempt to get Squid on our SLES 11 box authenticating with Kerberos (negotiate), I used the following to re

RE: [squid-users] Re: Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-19 Thread Daniel
[mailto:n...@ger.gmane.org] On Behalf Of Markus Moeller Sent: Tuesday, August 18, 2009 5:27 PM To: squid-users@squid-cache.org Subject: [squid-users] Re: Re: Kerberos Authentication - Squid 3.1.0.13 Henrik Nordstrom hen...@henriknordstrom.net wrote in message news:1250627594.12999.2.ca

Re: [squid-users] Re: Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-27 Thread Jeremy Monnet
. The squid/squid_kerb_auth/kerberos config was fine from the beginning I think (except maybe for the rights to the keytab file, but that was my mistake, and it is already written on the wiki). Some other stuff may be useful, such as you need the support tools on windows to have the ktpass

[squid-users] squid_kerb_auth and Windows 2008

2009-08-29 Thread Markus Moeller
of a host principal ( see my posts on the MIT Kerberos mailing list). The work around I got is: use msktutil msktutil -c -b CN=COMPUTERS -s host/fqdn -h fqdn -k /etc/krb5.keytab --computer-name squid-host --upn host/fqdn --server domain controller --verbose --enctypes 28 delete any AD entry

[squid-users] Re: squid_kerb_auth and Windows 2008

2009-09-02 Thread Markus Moeller
] KdcUseRequestedEtypesForTickets=dword:0001 Secondly it looks like 2008 creates the HTTP principal out of a host principal ( see my posts on the MIT Kerberos mailing list). The work around I got is: use msktutil msktutil -c -b CN=COMPUTERS -s host/fqdn -h fqdn -k /etc/krb5.keytab --computer-name squid-host

Re: [squid-users] External Script for checks

2009-10-08 Thread Stefan Dengscherz
admin can impersonate other users by changing the registry key)! Still, it does the job for me very well and better than clumsy authentication against the AD via NTLM/Kerberos/LDAP. Regards, -sd 2009/10/5 Henrik Nordstrom hen...@henriknordstrom.net: fre 2009-10-02 klockan 11:42 +0200 skrev

[squid-users] squid_kerb_auth problem

2010-01-12 Thread Umesh Bodalina
): Client not found in Kerberos database while getting initial credentials I've also tried creating the keytab file using msktutil or samba according to the following doc: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos I get the same error. How do I sort out this problem? Thanks

[squid-users] Re: squid_kerb_auth problem

2010-01-12 Thread Markus Moeller
HTTP.keytab Transferred the file on the CentOS server and placed it in /etc/squid/HTTP.keytab kinit -k -t /etc/squid/squid.keytab HTTP/f...@realm.kerberos I get the error message: kinit(v5): Client not found in Kerberos database while getting initial credentials I've also tried creating

[squid-users] RE: Kerberos Authentication and LDAP Authorization

2010-02-05 Thread Joseph L. Casale
.heidelberg.bw-online.de -v 3 -K ebay is the group that contains the users which should be allowed, this group is in the container Users. The user to read the AD is ldap, also located in the container Users. I've deleted the acl and the http_access for the authenticated users with kerberos

[squid-users] Delay Pool Query

2010-03-01 Thread nickcx
Hi All, I am working on Delay Pools at the moment and wanted to get some advice. Currently, I am using Kerberos Authentication for all users in a very simple configuration. All users are required to authenticate for http_access, which works fine. I would now like to limit their bandwidth

Re: [squid-users] Delay Pool Query

2010-03-01 Thread Amos Jeffries
On Mon, 1 Mar 2010 07:46:47 -0800 (PST), nickcx ncairncr...@condenast.co.uk wrote: Hi All, I am working on Delay Pools at the moment and wanted to get some advice. Currently, I am using Kerberos Authentication for all users in a very simple configuration. All users are required

Re: [squid-users] RE: NTLM error

2010-03-19 Thread Amos Jeffries
, 1] libsmb/ntlmssp.c:ntlmssp_update(334) got NTLMSSP command 3, expected 1 A client is using kerberos (aka 3) to respond to your NTLM (aka 1) challenge. * Find out what client browser this is; it's really rather broken, and if possible why it's acting this way. * Look into implementing Kerberos

Re: [squid-users] Re: Sending on Group names after Kerb LDAP look-up

2010-03-30 Thread Nick Cairncross
...@condenast.co.uk wrote in message news:c7d69a71.1dc21%nick.cairncr...@condenast.co.uk... Hi, I just wanted to give this a bump; Is it possible to manipulate the (Kerberos-authenticated) username that gets sent to my ICAP server and strip off the @domain? E.g. jsm...@myaddomain becomes jsmith

[squid-users] Re: Re: Sending on Group names after Kerb LDAP look-up

2010-03-30 Thread Markus Moeller
with squid_kerb_auth ? Markus Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7d69a71.1dc21%nick.cairncr...@condenast.co.uk... Hi, I just wanted to give this a bump; Is it possible to manipulate the (Kerberos-authenticated) username that gets sent to my ICAP server

[squid-users] Re: Authentication caching

2010-04-05 Thread Markus Moeller
could implement NTLM in similar manner, but it would then not be possible to integrate with Windows domain controllers / active directory. Don't know enough of Kerberos to tell what possibilities there may be to cache in Negotiate auth. In the case of Kerberos each request which has the Negotiate

[squid-users] Re: Re: Re: Advices for a squid cluster with kerberos auth

2010-06-08 Thread Markus Moeller
/SQUID.keytab --computer-name proxy --upn HTTP/proxy.xx.yy --server dc1.xx.yy --verbose NTLM auth works great, but not the Kerberos one, with the following lines in squid.conf : auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d auth_param negotiate children 10 auth_param negotiate

Re: [squid-users] Squid-Cache-Error with NTLM: got NTLMSSP command 3, expected 1

2010-06-24 Thread Jorge Armando Medina
Tom Tux wrote: I didn't configure kerberos-helper like squid_kerb_auth. I'm just using ntlm_auth. So why do I have this message? If you want to use ntlm_auth ( NTLMv1?) you need to change some compatibility settings in windows, specially windows vista and 7 are configured by default to only

[squid-users] Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN

2010-07-16 Thread Nick Cairncross
in Kerberos tickets: HTTP/squid1.f...@fqdn and HTTP/squid2.f...@fqdn and everything is fine. However on the third one I get a ticket: HTTP/squid3@ i.e. No fqdn or @FQDN I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm thinking the working two are using the squid.fqdn

[squid-users] Re: Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN

2010-07-17 Thread Markus Moeller
are their hostnames. I have one AD account with the SPNs of all on it. Using fqdn for the proxy address to 2 of them results in Kerberos tickets: HTTP/squid1.f...@fqdn and HTTP/squid2.f...@fqdn and everything is fine. However on the third one I get a ticket: HTTP/squid3@ i.e. No fqdn or @FQDN I have both

[squid-users] Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

2010-08-09 Thread Tom Tux
Hi I've implemented a native kerberos-authentication with squid_kerb_auth and squid_kerb_ldap to query ad-group-memberships. This works fine. I'm trying to implement a fallback-mechanism with squid_ldap_auth. But the squid_ldap_auth-fallback is not working. My config looks like this: auth_param

[squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

2010-08-09 Thread Markus Moeller
Hi Tom, squid_kerb_ldap does not authenticate a user. It just looks up membership info and can not replace squid_ldap_auth Markus Tom Tux tomtu...@gmail.com wrote in message news:aanlktimybsvmrsy7a7mhbaazvfv63wdfux1i5wd6t...@mail.gmail.com... Hi I've implemented a native kerberos

Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

2010-08-27 Thread Amos Jeffries
: The sites, which are denied in the access.log, are normal accessible and appears correctly (this is, what I don't understandmmmh). I think, that I don't have rules, which explicitly require another authentication instead of kerberos. Here is an extract of my 407 does not mean try other

Re: [squid-users] Re: squid client authentication against AD computer account

2010-09-15 Thread Manoj Rajkarnikar
Thanks for the quick response Marcus. The reason I need to limit computer account and not user account is that people here move out to distant branches and the internet access policy is to allow to the position they hold, and thus the computer they will use. I've successfully setup the kerberos

[squid-users] Tweaking squid_kerb_auth

2010-09-16 Thread Nick Cairncross
Hi, Running Kerberos auth ok for a while now and I wanted to look at possibilities of tweaking/optimising it. Current helper conf: auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate keep_alive on 400 or so

[squid-users] Re: Tweaking squid_kerb_auth

2010-09-16 Thread Markus Moeller
...@condenast.co.uk... Hi, Running Kerberos auth ok for a while now and I wanted to look at possibilities of tweaking/optimising it. Current helper conf: auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate

Re: [squid-users] Squid 3 STABLE 20 max_challenge_

2010-10-05 Thread Amos Jeffries
fixed upstream by MS along with several other security vulnerabilities and the result is called Kerberos. The proper session equivalent in both NTLM and Negotiate/Kerberos is the lifetime of the TCP link, which depends quite a bit on real HTTP/1.1 support to maintain persistence. We have done a *lot

[squid-users] Re: Reverse proxy to Sharepoint

2008-06-23 Thread afstcklnd
all the kerberos, ldap authentication etc. However, it's not quite behaving correctly. Last I saw, (http://www.squid-cache.org/mail-archive/squid-users/200803/0523.html) you'll need to use 2.6 or 2.7 to proxy NTLM authentication. The connection pinning required to support it has

[squid-users] Re: Reverse proxy to Sharepoint

2008-06-23 Thread afstcklnd
a reverse proxy solution and looked at Squid. After a lot of reading, it became clear the Squid 2.6 or above was the best option in order to get working NTLM authentication. So We've installed a Fedora Core 9 box with Squid 3.0, attached it to the domain and set up all the kerberos, ldap

[squid-users] Re: Squid DG Sandwich... Squid3 (auth) - DansGuardian -Squid3(proxy)

2011-02-24 Thread bwright
filter on content, PICS group, etc. The normal setup is to have DansGuardian - Squid (Proxy) but DansGuardian does not have kerberos authentication so basically you setup another Squid (auth only) in front of DG, pass the username to DG and voila I should have kerberos authentication

[squid-users] Re: Squid DG Sandwich... Squid3 (auth) - DansGuardian-Squid3(proxy)

2011-02-24 Thread Chad Naugle
/swapping my squid.conf for squid-auth.conf (to test just the auth part) and it is almost instantaneous too. DansGuardian is very extensive web filter: It can filter on content, PICS group, etc. The normal setup is to have DansGuardian - Squid (Proxy) but DansGuardian does not have kerberos

[squid-users] msktutil on Debian Squeeze

2011-04-14 Thread Rafal Zawierta
-- finalize_exec: Determining user principal name -- finalize_exec: User Principal Name is: HTTP/proxy.bank.local@BANK.LOCAL -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-1550krb5.conf -- get_krb5_context: Creating Kerberos Context -- try_machine_keytab: Using the local credential

Re: [squid-users] Re: Re: Help me configure Kerberos Authentication

2011-04-30 Thread Go Wow
krbtgt/orangegroup@orangegroup.com renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5 root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com kvno: Server not found in Kerberos database while getting credentials for http

[squid-users] Re: Re: Re: Help me configure Kerberos Authentication

2011-05-01 Thread Markus Moeller
until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5 root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup@orangegroup.com root@proxyserver:/home

Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication

2011-05-01 Thread Go Wow
# kvno http/proxyserver.orangegroup.com kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup@orangegroup.com root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com kvno: Server not found in Kerberos database while getting

[squid-users] Re: Re: Re: Re: Help me configure Kerberos Authentication

2011-05-02 Thread Markus Moeller
/01/11 19:36:38 krbtgt/orangegroup@orangegroup.com renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5 root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com kvno: Server not found in Kerberos database while getting credentials for http

[squid-users] problems squid_kerb_auth

2011-05-29 Thread spiderslack
Hello I'm doing a test with squid using kerberos configured as follows squid and kerberos squid.conf auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d auth_param negotiate children 10 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access allow auth

Re: [squid-users] Squid Kerberos Authentication

2011-07-14 Thread Amos Jeffries
' This happens both when trying to access via the proxy using IE/Chrome/Firefox None of my googling has presented a solution Thanks Squid is offering Negotiate/Kerberos auth and the agents are responding with NTLM or Negotiate/NTLM. Markus Moeller wrote a negotiate_wrapper helper that works

[squid-users] Re: Squid Kerberos Authentication

2011-07-15 Thread Markus Moeller
Hi Daniel, If this happens for all client, then your environment is not correctly setup. It basically means the client can not get a Kerberos ticket from the kdc and falls back to NTLM instead. Markus Daniel Faulknor danieljfaulk...@gmail.com wrote in message news:caao-zhb9kmwk-jbbhsxgw

[squid-users] Re: Re: Kerberos Authentication with AD Win 2008

2011-07-24 Thread Markus Moeller
Hussaini gow...@gmail.com wrote in message news:CAGj7XbmB5eZTsuWgd9Q9AkE9UeKgG5YV=t0tq7udsa3ejn+...@mail.gmail.com... Hi, I'm using squid version - 2.7 Stable9. My Kerberos authentication is working good as well. I'm receiving this info in my cache.log and just want to confirm that its not worry

Re: [squid-users] Re: Re: Kerberos Authentication with AD Win 2008

2011-07-25 Thread Syed Hussaini
modules which use check first for a gssapi token and then for an spnego token. Regards Markus Syed Hussaini gow...@gmail.com wrote in message news:CAGj7XbmB5eZTsuWgd9Q9AkE9UeKgG5YV=t0tq7udsa3ejn+...@mail.gmail.com... Hi, I'm using squid version - 2.7 Stable9. My Kerberos authentication

Re: [squid-users] Kerberos authentication and WMP.

2011-08-15 Thread John Down
Hi, We had the same problem, WMP just sucks ... We were using WMP 10.x on WinXP and Kerberos-Authentication did not work. Btw, we also have the problem with Java-Applications. I cannot offer a solution, just a very insecure workaround ... WMP will be authenticated by its User-Agent, which

Re: [squid-users] Secure user authentication on a web proxy

2011-09-20 Thread Amos Jeffries
On Tue, 20 Sep 2011 22:15:29 +0300, Nikolaos Milas wrote: On 20/9/2011 4:53 PM, Luis Daniel Lucio Quiroz wrote: ... There are 3 more way and you shall evaluate what fits the best for you. a) you may use Kerberos auth, many browsers support it right now. b) you may use NTLM2 auth, helper

[squid-users] Proxy-Authorization headers

2011-11-04 Thread Markus Nilsson
Hi! I'm having some trouble with kerberos (negotiate) authentication and the Proxy-Authorization header. Currently I am using digest, and it's working fine. I allow most request in squid, but am using a url_rewriter to check if the user really has permission to access a specific site

[squid-users] Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread Markus Moeller
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-rtY7WU -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: squid-test-http$ -- try_machine_keytab_princ: Trying to authenticate for squid-test-http$ from local keytab... -- try_machine_keytab_princ: Error

Re: [squid-users] Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread James Robertson
am not sure. I understand the point of having 2 different accounts in AD (thanks for that) and will just use fqdn-http for kerberos and advise the guys to never reset the account and hope they remember. Thank you for your time with this Markus, I appreciate it. James

[squid-users] using squid-2.6 with mod_auth_kerb-5.3, httpd-2.2.4, and Active Directory

2007-04-30 Thread Paul Koppel
(very new to squid) I am using Windows 2003 Active Directory/KDC and can successfully login to a protected subdirectory ../htdocs/private on the apache system with mod_auth_kerb - a kerberos dialog box opens up asking for username/password. I would like to point squid reverse proxy to the apache

[squid-users] Re: active directory

2007-07-31 Thread Markus Moeller
If you use only Kerberos (no NTLM) you can use my helpers squid_kerb_auth and squid_kerb_ldap from http://squidkerbauth.cvs.sourceforge.net/squidkerbauth/ Regards Markus UK SquidUser (AXA-TECH-UK) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] hi, i'm trying to migrate to a new

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
might as well use NTLM auth with Squid. However, NTLM is still horribly broken. Therefore, a properly functioning auth scheme needs to be implemented by OS, directory service, and browser vendors to replace NTLM. The best candidates for this are: 1) Kerberos 2) md5-sess Kerberos has

RE: [squid-users] problem accessing a certain website using 2.5.STABLEx

2005-08-15 Thread Henrik Nordstrom
delicate implications on HTTP connection management implemented in Squid. The extension is found in the same Internet-Draft document documenting the Negotiate (Kerberos over HTTP) authentication scheme (draft-jaganathan-kerberos-http-01, section 6. Security Considerations). Regards Henrik

RE: [squid-users] SOS with squid_ldap_auth !!

2006-02-27 Thread Meyerovich Aleksandr EB_NY
I'd used NTLM authentication before switching to the LDAP. NTLM is a legacy authentication protocol. Our forest/domain is now all 2003/XP/2000. Eventually I'd like to disable the NTLM. It would be good if squid 3.0 can support Kerberos bind to MS LDAP. Thanks a lot, Alex -Original Message

[squid-users] build failing after sys upgrade

2005-02-16 Thread Ray Charles
Hi, I am sure that my problem is a direct result of a recent system update that ran yesterday. I kind of thought my kerberos needed updating but doing so didn't make a difference. A vanilla squid build works but when I apply the patch for collapsed_forwarding I get the following errors: gcc

RE: [squid-users] RE: Integrated authentication with IE on Windows 2003

2005-04-05 Thread Nemallikanti, Venu
Samba and Kerberos installed. Venu -Original Message- From: Greg Scott [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 05, 2005 1:46 PM To: Nemallikanti, Venu; squid-users@squid-cache.org Subject: RE: [squid-users] RE: Integrated authentication with IE on Windows 2003 Does this sound familiar

[squid-users] Multiple NT domains, Kerberos 5, ADS

2004-01-13 Thread Robert Gabriel
Hello all, I have looked everywhere, the archives, FAQs, man pages, squid.conf etc. I must be missing something. PLEASE CAN SOMEONE HELP! We have at our client, Linux with Kerberos 5 setup to authenticate users wishing to use Squid via Active Directory Services on NT. The NT system is the KDC

Re: [squid-users] Squid authentication to a Samba domain controller

2007-03-18 Thread Guido Serassio
Hi Adrian, At 15.28 18/03/2007, Adrian Chadd wrote: On Sun, Mar 18, 2007, Guido Serassio wrote: I don't agree because the content is still outdated to 2.5 squid.conf syntax and the Kerberos config often is not needed (as in Samba documentation). It could be better to link the official

Re: [squid-users] Integrated Windows Authentication through Squid

2012-01-13 Thread Amos Jeffries
On 14/01/2012 4:41 a.m., Javier Conti wrote: Hi list, I'm trying to setup access to several internal websites that use Integrated Windows Authentication in a Windows XP/7/2008 environment through Squid 3.1.12. I successfully setup Squid to authenticate users using Kerberos or NTLM

Re: [squid-users] POST method when using squid_kerb_auth and sending Yahoo mail attachment

2012-02-03 Thread Amos Jeffries
interface seems to work fine. I've seen this problem reported around the internet. These older posts reveal some insight: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-NTML-and-auth-problems-with-POST-td2255704.html This is a well known problem with NTLM design. Kerberos was re-designed

RE: [squid-users] POST method when using squid_kerb_auth and sending Yahoo mail attachment

2012-02-08 Thread Hank Disuko
protocol credentials properly when challenged. * So far you have been talking around the edges of something that sounds like a client not sending Kerberos auth protocol credentials correctly when challenged, or possibly you misconfiguring a Kerberos helper to validate non-Kerberos credentials

RE: [squid-users] POST method when using squid_kerb_auth and sending Yahoo mail attachment

2012-02-08 Thread Hank Disuko
challenged. * So far you have been talking around the edges of something that sounds like a client not sending Kerberos auth protocol credentials correctly when challenged, or possibly you misconfiguring a Kerberos helper to validate non-Kerberos credentials. The user watching gets to see

RE: [squid-users] Login Popups on Windows XP with squid_kerb_auth and external acl

2012-03-14 Thread Игорь Потапов
Hi. squid is 3.1.19 on FreeBSD 8.2 with MIT kerberos. squid_kerb_auth is in use as the only auth scheme. Have some external acl to check authorization in mysql db. On machines running XP SP2 with IE8 (enabled Windows Integrated Auth) sometimes authentication windows popup. I think

Re: [squid-users] Re: squid_kerb_auth High CPU load.

2012-04-18 Thread Simon Dwyer
/squid is sourced by the squid startup script ? Markus Simon Dwyer m...@simmyd.net wrote in message news:1334789097.2408.17.ca...@sdwyer.federalit.net... Hi all, I have got kerberos working and moved it to production but then the server started smashing its cpu. It seems

[squid-users] Re: Re: squid_kerb_auth High CPU load.

2012-04-18 Thread Markus Moeller
kerberos working and moved it to production but then the server started smashing its cpu. It seems that the squid_kerb_auth processes are killing the cpu. I have the following in my config. /etc/sysconfig/squid/ KRB5RCACHETYPE=none export KRB5RCACHETYPE /etc/squid/squid.conf auth_param

Re: [squid-users] squid_ldap_auth with SASL/GSSAPI

2012-06-15 Thread Павел Бычихин
, that squid_ldap_auth did the authentication using Kerberos while connecting to Active Directory controller. Is it possible? Not with that helper, no. squid_ldap_auth takes in Basic authentication tokens. There is a different helper needed to perform Kerberos over LDAP. http://squidkerbauth.sourceforge.net

[squid-users] Re: squid_ldap_auth with SASL/GSSAPI

2012-06-15 Thread Markus Moeller
apologize for the inaccurate question. I need, that squid_ldap_auth did the authentication using Kerberos while connecting to Active Directory controller. Is it possible? Not with that helper, no. squid_ldap_auth takes in Basic authentication tokens. There is a different helper needed to perform

Re: [squid-users] Re: squid_ldap_auth with SASL/GSSAPI

2012-06-16 Thread Павел Бычихин
for the inaccurate question. I need, that squid_ldap_auth did the authentication using Kerberos while connecting to Active Directory controller. Is it possible? Not with that helper, no. squid_ldap_auth takes in Basic authentication tokens. There is a different helper needed to perform Kerberos over

Re: [squid-users] squid_ldap_group (Group into Group)

2012-08-10 Thread Amos Jeffries
username and looking up Kerberos groups with it. could work, but Basic auth usernames do not normally have the @DOMAIN syntax part. You will need to check users are logging in with that and it's not being stripped away anywhere. - to use auth_param negotiate program squid_kerb_auth

AW: [squid-users] No Kerberos Auth

2012-10-30 Thread Jarosch, Ralph
Subject: AW: [squid-users] No Kerberos Auth Oh ok.. yes it work fine until ten minute i wrote the mail. There it crashed from one minute to the other I'm just troubleshoot the problem.. From: Bastien Ceriani [mailto:bastien.ceri...@bulkypix.com] Sent: Tuesday, 30 October 2012 15:16

[squid-users] Problem with every release since 3.1.16

2012-11-05 Thread Janåke Rönnblom
however I can't get this to work with Kerberos. After a lot(!) of trial and error I tried my 3.1.16 which worked. After that I tried compiling 3.1.18, 3.1.19, 3.1.20 and 3.1.21. Every one of those crashes either silently or with a FATAL: Received Segment Violation...dying. or assertion failed

Re: [squid-users] Problem with every release since 3.1.16

2012-11-05 Thread Amos Jeffries
to Ubuntu 12.04 with the included squid-3.1.19 however I can't get this to work with Kerberos. After a lot(!) of trial and error I tried my 3.1.16 which worked. After that I tried compiling 3.1.18, 3.1.19, 3.1.20 and 3.1.21. Every one of those crashes either silently or with a FATAL: Received Segment

Re: [squid-users] Squid 3.1.8 and Kerberos authentication

2013-02-21 Thread Amos Jeffries
On 22/02/2013 5:06 a.m., Francesco wrote: hello, i am trying Squid kerberos authentication instead of NTLM authentication due to resolve compatibility issue with latest version of windows. Only two things if i can: 1) in squid.conf, i have to specify windows user with the first capital letter

Re: [squid-users] Re: Re: Re: squid kerberos authenticators spamming AD and locking out users

2013-02-25 Thread Brett Lymn
On Mon, Feb 25, 2013 at 11:13:35PM +, Markus Moeller wrote: Maybe it has to do with Samba and NTLM. Do you use the same AD account for samba and Kerberos ? You should not do that, use different AD accounts as Samba might invalidate the keytab. We use separate accounts for samba

Re: [squid-users] Re: kerberos auth failing behind a load balancer

2013-03-11 Thread Sean Boran
). Now there are two squids behind the balancer; one of them will behave correctly and accept kerberos authentication to the balanced proxy name. (I had not realised the second one worked before). Comparing the squid and kerb config does not explain the difference. However on a windows client

[squid-users] Re: Re: kerberos auth failing behind a load balancer

2013-03-13 Thread Markus Moeller
the balancer; one of them will behave correctly and accept kerberos authentication to the balanced proxy name. (I had not realised the second one worked before). Comparing the squid and kerb config does not explain the difference. However on a windows client, querying SPN for the balanced name only

Re: [squid-users] Squid 3.3.3 is available

2013-03-14 Thread Jose-Marcio Martins
need Kerberos. I'll take a look at the contrib/solaris patch. Can try on both this old Solaris and OpenIndiana. A quick trawl of the oracle patches turns up kernel patch 120011-14 as having the kerberos header files in it. My workstation has that patch applied but I still see the pragma error

Re: [squid-users] Re: Re: kerberos auth failing behind a load balancer

2013-03-14 Thread Brett Lymn
are linked to a user: To use Kerberos authentication with a load-balanced array of Client Access servers ..All computers within the Client Access server array must share the same service account... You can create a computer account or a user account for the alternate service account Hmm I

[squid-users] oddity with squid 3.3.2 and https

2013-04-15 Thread Brett Lymn
I have just updated our proxies to squid 3.3.2 running on rhel 5.8, mostly this went smoothly apart from some access to https. As a rule our proxies authenticate users using kerberos but there are some special sites that are allowed access to without authentication. When accessing a https site

Re: [squid-users] kerberos auth failing behind a load balancer

2013-05-22 Thread Brett Lymn
On Wed, May 22, 2013 at 12:46:08PM +0300, Eliezer Croitoru wrote: On 2/28/2013 2:57 PM, Sean Boran wrote: Hi, I’ve received (kemp) load balancers to put in front of squids to provide failover. The failover / balancing works fine until I enable Kerberos auth on the squid. It seems to me

[squid-users] Advice: ntlm_auth from samba4 or negotiate_wrapper ?

2013-07-15 Thread Michele Bergonzoni
I would like to hear your advice about kerberos auth configuration on a new installation. This will be an installation with two redundant Linux based servers, clients will be mostly windows joined to active directory, with AD users logged in. The main focus of the installation

Re: [squid-users] squid 3.3.x, SPNEGO and hostnames

2013-07-19 Thread Amos Jeffries
the visible_hostname to be set to the kerberos ticket principal he's using for SPNEGO - squid 3.3.x requires the hostname of the proxy in the browser to be set No, Squid cannot place any such restriction on the browser. This is probably a side effect of how the Browser locates keytab. - squid 3.3.x requires

[squid-users] Re: Kerberos authentication that doesn't block

2013-08-30 Thread Trever L. Adams
of secure authentication such as Kerberos that no client *starts* by shotgunning their credentials to unknown recipients. I understand this. And I understand the Squid has to challenge. The sites I need to block except for certain groups / authentication, etc., are not known at http_access time

[squid-users] Windows 7 + Firefox + Squid + Kerberos

2013-10-24 Thread Allan Carvalho
- Squid 3.1.20-2.2 - Debian 7.2 - Windows Server 2012 - Windows 7 64bits (client) - Mozilla Firefox 24 32 bits In this environment, authentication is done via Kerberos, with keypad generated by ktpass. My keypad: root@japura:/etc/squid3# klist -ekt squid.keytab Keytab name: FILE:squid.keytab KVNO

[squid-users] Re: Windows 7 + Firefox + Squid + Kerberos

2013-10-24 Thread Markus Moeller
Server 2012 - Windows 7 64bits (client) - Mozilla Firefox 24 32 bits In this environment, authentication is done via Kerberos, with keypad generated by ktpass. My keypad: root@japura:/etc/squid3# klist -ekt squid.keytab Keytab name: FILE:squid.keytab KVNO Timestamp Principal

[squid-users] Re: Windows 7 + Firefox + Squid + Kerberos

2013-10-25 Thread Markus Moeller
shows me the negotiate exchange done correctly (GSS-API Kerberos Ticket Realm Server name), in both (IE and Firefox), suddenly, a package shows the basic authentication (Firefox), but I did not recognize why, the only difference I found was in the field Cookie. IE: Cookie: __utma=(...); __utmz

Re: [squid-users] Re: Windows 7 + Firefox + Squid + Kerberos

2013-10-25 Thread Carlos Defoe
of auth method in the header ? If not it looks like a bug in firefox. Markus Allan Carvalho wrote in message news:blu0-smtp460d779a1f2ee168328e510d1...@phx.gbl... Hi Markus, Thanks for the reply, Wireshark shows me the negotiate exchange done correctly (GSS-API Kerberos Ticket Realm

[squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-10-30 Thread Markus Moeller
3.1 to authenticate through AD with W2K8 DC with Kerberos. I used this how-to: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on CentOS 6 box that I've joined to domain with `net ads join`. Now I'm getting the error in cache.log when I'm trying to visit any URL through this proxy

Re: [squid-users] Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

2013-10-30 Thread Mihail Lukin
? Markus Mihail Lukin wrote in message news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=r...@mail.gmail.com... Hello, I'm trying to configure Squid 3.1 to authenticate through AD with W2K8 DC with Kerberos. I used this how-to: http://wiki.squid-cache.org/ConfigExamples/Authenticate

[squid-users] Re: decode kerberos messages

2013-10-31 Thread Markus Moeller
, Oct 31, 2013 at 2:14 PM, Carlos Defoe carlosde...@gmail.com wrote: Hi Amos, Seems that it don't work for kerberos tokens: NTLM Signature:`� � + NTLM Message Type:2551 BITMAP00 Unknown @12:0x 160 ... For a NTLM token it shows the flags. On Thu, Oct 31

Re: Aw: Re: [squid-users] Kerberos / Authentication / squid

2013-11-28 Thread Amos Jeffries
by the MS tokensz.exe tool is far below this value. Our other kerberized systems (Apaches) are working fine with this large tokensize. So I think it's a squid / buffer or kerberos-helper related issue That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the Squid buffer

[squid-users] Re: Kerberos / Authentication / squid

2013-11-29 Thread Markus Moeller
with this large tokensize. So I think it's a squid / buffer or kerberos-helper related issue That MAX_AUTHTOKEN_LEN (64KB) is what is used directly to allocate the Squid buffer and helper buffer and the base-64 encoded version of the token needs to fit inside it along with the 3-5 helper protocol bytes

[squid-users] Problem with authentication data

2013-12-12 Thread Juergen Obermeyer
Hello everybody, I'm rewriting to this list because my problems with the user authentication persist: all my users have to authenticate either with a Kerberos Ticket or with username/password. This authentication fails sometimes - please see the following two examples: (1) Client 1, Windows 7

[squid-users] negotiate for windows without AD or Samba (domains)?

2013-12-19 Thread Brian J. Murrell
I have a network of Linux machines that all use Kerberos to authenticate and then use those Kerberos tickets for other network services including squid 3[.2]. This all works swimmingly. Now enter the first Windows machine onto the network. It's Windows 8 FWIW. I don't really care

[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

2013-12-21 Thread Markus Moeller
| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

Re: [squid-users] HTTPS forward proxy?

2014-01-23 Thread David Deller
other options I see are NTLM and Negotiate, which both seem to be Microsoft-specific. Am I missing anything there? Those are the ones currently supported by Squid. Negotiate is only sort-of MS specific. It is usually a MS wrapper protocol around the Kerberos scheme. This is currently the most
