[squid-users] Re: kerberos authentication with load balancers

2014-08-02 Thread Markus Moeller
Hi Giorgi, You do not need to renew the keytab every 30 days. It is more a best practice to change them after some period but I think 30 days is a bit too frequent. At the end you need to determine how high the risk is that someone got hold of the keytab to impersonate someone else.

Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-28 Thread Giorgi Tepnadze
Hello Markus, Thank you very much, everything works now. Only two questions left 1) Is it necessary to run the commands specified below every 30 days? msktutil --auto-update --verbose --computer-name proxy1-k msktutil --auto-update --verbose --computer-name proxy2-k msktutil --auto-update --verbose

[squid-users] Re: kerberos authentication with load balancers

2014-07-26 Thread Markus Moeller
Hi Giorgi, It would be msktutil -c -b CN=COMPUTERS -s HTTP/proxy1.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K --upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose --enctypes 28 msktutil -c -b CN=COMPUTERS -s HTTP/proxy2.domain.com -h

Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-25 Thread Giorgi Tepnadze
Hi Markus, Excuse me for posting in an old thread, but I have a small question: So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how should I create the keytab file? msktutil -c -b CN=COMPUTERS -s

[squid-users] Re: kerberos authentication with load balancers

2014-02-06 Thread Markus Moeller
Hi Joseph, it is all possible :-) Firstly I suggest not to use samba tools to create the squid keytab, but use msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). Then create a keytab for the loadbalancer name (that is the one configured in IE or Firefox).

[squid-users] Re: Kerberos / Authentication / squid

2013-11-29 Thread Markus Moeller
You may need to increase the following: src/auth/UserRequest.h:#define MAX_AUTHTOKEN_LEN 32768 Regards Markus Amos Jeffries wrote in message news:52971e79.9030...@treenet.co.nz... On 28/11/2013 10:42 p.m., Berthold Zettler wrote: Hi Madhav, all relevant a systems (AD-Controllers and

[squid-users] Re: Kerberos authentication that doesn't block

2013-08-30 Thread Trever L. Adams
On 30/08/2013 4:32 a.m., Trever L. Adams wrote: Hello everyone, I am having a difficult time. I am not just trying to do something similar to http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass, but without blocking most sites for unauthenticated users. It is a key property of

[squid-users] Re: Kerberos authentication and WMP.

2011-08-16 Thread Markus Moeller
Hi João Carlos, I tested this with windows media player 11 and I do not have a problem to authenticate against squid using Negotiate/Kerberos. See my exchange between wmp 11 and squid. Markus GET http://www.jhepple.com/SampleMovies/niceday.wmv HTTP/1.1 Accept: */* User-Agent:

[squid-users] Re: Kerberos authentication and WMP.

2011-08-15 Thread Markus Moeller
Hi João Carlos, Negotiate is a way to negotiate the authentication type. When the client receives the negotiate request from squid it will try first Kerberos authentication and if that fails because the SPN does not exist the client will use NTLM in the Negotiate reply. To get around

Re: [squid-users] Re: Kerberos Authentication with AD Win 2008

2011-07-24 Thread Syed Hussaini
Yeah Markus, I even thought it's because of that -d option. Is it completely safe to ignore this? Thanks for your help. On 21 July 2011 23:26, Markus Moeller hua...@moeller.plus.com wrote: Hi Syed, -d option is for debug output. The message squid_kerb_auth: parseNegTokenInit failed with

[squid-users] Re: Kerberos Authentication with AD Win 2008

2011-07-21 Thread Markus Moeller
Hi Syed, -d option is for debug output. The message squid_kerb_auth: parseNegTokenInit failed with rc=102 comes from old modules which check first for a gssapi token and then for an spnego token. Regards Markus Syed Hussaini gow...@gmail.com wrote in message

Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-17 Thread guest01
OK, does not sound good, but I expected something like that, even though in theory more CPUs should be able to handle more work/authentication processes. We don't really care about caching, we are basically only interested in antivirus and category blocking based on username/group (achieved with

Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-16 Thread guest01
Hi, We had to bypass the kerberos authentication for now (most of the users will be authenticated by IP (there are already more than 1 unique IPs in my Squid logs). iirc, disabling the replay cache did not help much. There is a load avg of 0.4 right now (authenticating about 9000 users per IP

Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-16 Thread Amos Jeffries
On Wed, 16 Feb 2011 13:28:29 +0100, guest01 wrote: Hi, We had to bypass the kerberos authentication for now (most of the users will be authenticated by IP (there are already more than 1 unique IPs in my Squid logs). iirc, disabling the replay cache did not help much. There is a load avg

[squid-users] Re: kerberos authentication - performance tuning

2011-02-12 Thread Markus Moeller
Hi Peter Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c9782338.5940f%nick.cairncr...@condenast.co.uk... On 09/02/2011 09:34, guest01 gues...@gmail.com wrote: Hi, We are currently using Squid 3.1.10 on RHEL5.5 and Kerberos authentication for most of our clients

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-18 Thread Markus Moeller
A wireshark capture would help to understand what is happening. Markus Rob Asher ras...@paragould.k12.ar.us wrote in message news:4d0883e4.0172.003...@paragould.k12.ar.us... Hi Markus, I did actually follow that setting up FF. These are the actual changes I've made to FF:

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-15 Thread Rob Asher
Hi Markus, I did actually follow that setting up FF. These are the actual changes I've made to FF: network.auth.use-sspi = false network.negotiate-auth.gsslib = C:\Program Files\MIT\Kerberos\bin\gssapi32.dll network.negotiate-auth.trusted-uris = XSERVE.PARAGOULD.PSD

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-14 Thread Markus Moeller
Hi Rob, Did you follow what I described in this thread http://thread.gmane.org/gmane.comp.web.squid.general/87060/focus=87084 regarding the FF configuration and gssapi selection? Regards Markus Rob Asher ras...@paragould.k12.ar.us wrote in message

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-13 Thread Rob Asher
Hi Markus, I must still have something wrong. When I open FF now, I get a prompt from KfW for new credentials for my username even though the network identity manager already shows I have a valid ticket from the KDC. If I supply the correct password, I'm still denied cache access. Looking

[squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type rc4-hmac?

2010-12-09 Thread Markus Moeller
Hi Tom, What does klist -ekt squid.keytab show ? Does it have an entry for AES ? Did you use --enctypes 28 with msktutil as described here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab ? Markus Tom Tux tomtu...@gmail.com wrote in message

Re: [squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type rc4-hmac?

2010-12-09 Thread Tom Tux
Hi Markus, In the meantime, the klist -etk /etc/krb5.keytab has AES entries: AES-128 CTS mode with 96-bit SHA-1 HMAC AES-256 CTS mode with 96-bit SHA-1 HMAC But they were made by the nightly msktutil --auto-update job (after 30 days had passed). And during this step, that

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd How did you create the entry and keytab ? Markus Rob Asher ras...@paragould.k12.ar.us wrote in message news:4cfcf8e3.0172.003...@paragould.k12.ar.us... I've

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Rob Asher
Hi Markus, I created the service principal with kadmin on the apple server. The actual command was kadmin.local -q add_principal HTTP/proxyserver.paragould.psd. I used kadmin also to export the keytab. Here's exactly what I did: xserve:~ root# kadmin.local Authenticating as principal

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
Hi Rob, What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc server ? Do you get a password prompt ? Markus Rob Asher ras...@paragould.k12.ar.us wrote in message news:4cffadf6.0172.003...@paragould.k12.ar.us... Hi Markus, I created the service principal with kadmin

Re: [squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Rob Asher
Markus, I do get a password prompt although I don't remember setting a password for it. xserve:~ root# kinit HTTP/proxyserver.paragould.psd Please enter the password for HTTP/proxyserver.paragould@xserve.paragould.psd: Kerberos Login Failed: Password incorrect In Open Directory, I just

Re: [squid-users] Re: Kerberos authentication against AD 2003 server

2010-09-02 Thread Manoj Rajkarnikar
Hi Markus and all. It turned out that I just needed a restart of the proxy server. I read a post from someone who was having the same problem and a restart worked for him. I tried that and all worked for me too. Kerberos auth is not working as expected. I only had to follow the wiki example line by line.

[squid-users] Re: Kerberos authentication against AD 2003 server

2010-08-29 Thread Markus Moeller
Hi Manoj, It looks like the client PC does not get the TGS for HTTP/proxy.domain. Did you configure in IE the proxy with the name proxy.domain or as IP ? IE requires the name. BTW IE 6 does not support Kerberos proxy authentication. Can you capture the traffic on port 88 from your client

[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-09 Thread Markus Moeller
- From: Tom Tux tomtu...@gmail.com To: Markus Moeller hua...@moeller.plus.com Sent: Thursday, July 08, 2010 1:54 PM Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking Hi Markus I think, that the output from the log with just the username

Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-09 Thread Tom Tux
...@gmail.com To: Markus Moeller hua...@moeller.plus.com Sent: Thursday, July 08, 2010 1:54 PM Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking Hi Markus I think, that the output from the log with just the username instead of netbios

[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-07 Thread Markus Moeller
Hi Tom It should work if squid sends Negotiate and NTLM authentication requests to the client. IE6 will ignore the Negotiate request and reply to NTLM, whereas IE7 and IE8 will respond to Negotiate. With NTLM you will get a username like Netbios-Domain\user in contrast to

[squid-users] RE: Kerberos Authentication and LDAP Authorization

2010-02-05 Thread Joseph L. Casale
I've added the following to squid.conf: external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b CN=Users,DC=heidelberg,DC=bw-online,DC=de -f ((cn=%g)(memberUid=%u)(objectClass=ebay)) -B CN=Users -F (CN=%s) -D CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de -w PASSWORD -h

[squid-users] Re: Kerberos Authentication

2009-09-30 Thread Markus Moeller
squid_kerb-auth should work. Markus Ron Richardson rrichard...@liverpool.k12.ny.us wrote in message news:fc.000f714603d9ae87000f714603d9ae87.3d9a...@liverpool.k12.ny.us... Has anyone put Kerberos authentication into the MacPort of Squid? If so, would you care to share how you did it? If

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-09-09 Thread Daniel
, 2009 4:22 PM To: 'Markus Moeller'; squid-users@squid-cache.org Subject: RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13 Markus, First, please correct me if I'm wrong but I looked for 'gssapi.h' in config.log and I'm assuming that config.log contains all the log information

[squid-users] Re: Kerberos authentication resets every 1/2 hour

2009-09-03 Thread Markus Moeller
undelb...@gmail.com wrote in message news:cf132a050909030128ke05b19bl5cfc7e0f6ac81...@mail.gmail.com... I've configured Kerberos authentication for users in AD, but there is one problem: after half an hour IE7 forgets about Kerberos and tries to use NTLM. Users have to restart

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-18 Thread Daniel
Message- From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] Sent: Monday, August 17, 2009 6:04 PM To: Daniel Cc: 'Amos Jeffries'; 'Markus Moeller'; squid-users@squid-cache.org Subject: RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13 Mon 2009-08-17 at 15:41 -0400

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-18 Thread Henrik Nordstrom
Tue 2009-08-18 at 15:42 -0400 Daniel wrote: Gentlemen, I realize that my question has morphed into a general SLES question, so I won't keep this chain going forever. Here's my last question to you guys before I start looking for outside help on our SLES 11 implementation (ie;

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-17 Thread Daniel
, August 14, 2009 11:47 PM To: Daniel Cc: 'Markus Moeller'; squid-users@squid-cache.org Subject: Re: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13 Daniel wrote: Markus, First, please correct me if I'm wrong but I looked for 'gssapi.h' in config.log and I'm assuming

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-17 Thread Henrik Nordstrom
Mon 2009-08-17 at 15:41 -0400 Daniel wrote: Amos, Thanks for your response. I have the following already installed: gssapi related: 'cyrus-sasl-gssapi' 'cyrus-sasl-gssapi-32bit' 'libgssglue1' 'librpcsecgss' krb related: 'krb5' 'krb5-32bit' 'krb5-client' What you are

RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-14 Thread Daniel
-cache.org Subject: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13 Hi Daniel, Did you see any configure errors for gssapi.h ? Markus Daniel sq...@zoomemail.com wrote in message news:001301ca19fe$9f450a50$ddcf1e...@com... Good afternoon, In my attempt to get Squid on our SLES 11

Re: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-14 Thread Amos Jeffries
Daniel wrote: Markus, First, please correct me if I'm wrong but I looked for 'gssapi.h' in config.log and I'm assuming that config.log contains all the log information from doing a /configure? Assuming that I am correct, I couldn't find 'gssapi' anywhere inside the log file so I'm not

[squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-11 Thread Markus Moeller
Hi Daniel, Did you see any configure errors for gssapi.h ? Markus Daniel sq...@zoomemail.com wrote in message news:001301ca19fe$9f450a50$ddcf1e...@com... Good afternoon, In my attempt to get Squid on our SLES 11 box authenticating with Kerberos (negotiate), I used the following to