Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-22 Thread Alex Rousskov
On 2023-11-21 23:05, Andrey K wrote: I have posted a PR: https://github.com/squid-cache/squid/pull/1597 This is my first contribution to open source. Could you please verify if everything is OK. Thank you for posting that pull request! Let's continue this conversation on GitHub since

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-21 Thread Andrey K
Hello, Alex, I have posted a PR: https://github.com/squid-cache/squid/pull/1597 This is my first contribution to open source. Could you please verify if everything is OK. Kind regards, Ankor. On Thu, 16 Nov 2023 at 17:01, Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-11-16

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-16 Thread Alex Rousskov
On 2023-11-16 07:48, Andrey K wrote: I have slightly patched the negotiate_kerberos_pac.cc to implement ResourceGroupIds-block parsing. Please consider posting tested changes as a GitHub Pull Request: https://wiki.squid-cache.org/MergeProcedure#pull-request Thank you, Alex. Maybe it will

[squid-users] Kerberos pac ResourceGroups parsing

2023-11-16 Thread Andrey K
Hello, I found that negotiate_kerberos_auth helper does not see domain local AD groups. As it turned out, helper parses only GroupIds and ExtraSids pac-blocks, while the information about domain local groups is placed in the ResourceGroupIds pac-block. I have slightly patched the

[squid-users] Kerberos + LDAP issue

2022-12-08 Thread Tomislav Lučan
I have one question (issue) and I hope that you can help me. Kerberos authentication works perfectly fine when the PC is connected to Domain and the user is authenticated. auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k

Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-18 Thread Rafael Akchurin
/event_14_kerberos_key_distribution_center.html Best regards, rafael -Original Message- From: squid-users On Behalf Of Klaus Brandl Sent: Friday, November 18, 2022 3:23 PM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP which options do you have configured

Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-18 Thread Klaus Brandl
which options do you have configured for the auth helper? Something like: auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i Best regards Klaus On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote: > Hi David, > > Thanks for your advice but

Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-17 Thread Михаил
Hi David, Thanks for your advice but it doesn't help me. I use AD account which haven't set these parameters. Misha. 17.11.2022, 10:07, "David Touzeau" : Hi perhaps this one https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket On 16/11/2022 at 05:11, Михаил wrote

Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-16 Thread David Touzeau
Hi perhaps this one https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket On 16/11/2022 at 05:11, Михаил wrote: Hi everybody, Could you help me to setup my new squid server? I have a problem with keytab authorization. 2022/11/16 11:35:39| ERROR: Negotiate

[squid-users] Kerberos - Cannot decrypt ticket for HTTP

2022-11-15 Thread Михаил
Hi everybody, Could you help me to setup my new squid server? I have a problem with keytab authorization. 2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-18 Thread Grant Taylor
On 10/17/21 10:57 AM, Grant Taylor wrote: My understanding is that you can use Kerberos from client0 to proxy1 and that proxy1 can use the same mechanism to get a special ticket to communicate from proxy1 to proxy2 as the original user. I looked at my copy of Kerberos - The Definitive Guide

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Grant Taylor
On 10/17/21 10:46 AM, Markus Moeller wrote: I see,  I think this would mean using Basic Auth to proxy1 which then gets a Kerberos ticket for the user to authenticate to proxy2.  This is possible, but I would not think it is a good secure option. I think that we're now talking about the same

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Markus Moeller
I see, I think this would mean using Basic Auth to proxy1 which then gets a Kerberos ticket for the user to authenticate to proxy2. This is possible, but I would not think it is a good secure option. Regards Markus "Grant Taylor" wrote in message

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Grant Taylor
On 10/16/21 1:31 PM, Markus Moeller wrote: I think you talk about a kdc proxy, which is for another case. I don't think so. I'm not talking about using a proxy to access the KDC. I'm talking about using a component of the following scenario: 1) Client uses traditional username and password

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
Hi Amos, If you let me know where exactly I can add a few lines. One way to make this setup work would be to add proxy1 also to AD like proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using ktutil. The negotiate_kerberos_auth handle would require the -s

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
I think you talk about a kdc proxy, which is for another case. Regards Markus "Grant Taylor" wrote in message news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net... On 10/13/21 1:48 PM, Markus Moeller wrote: The problem lies more in the way how Kerberos proxy

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-14 Thread Grant Taylor
On 10/13/21 1:48 PM, Markus Moeller wrote: The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal.  The first proxy will pass it through to the

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-14 Thread Amos Jeffries
On 14/10/21 8:48 am, Markus Moeller wrote: The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal.  The first proxy will pass it through to the

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-13 Thread Markus Moeller
The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-12 Thread Amos Jeffries
On 12/10/21 9:33 pm, 森 隆聡 wrote: I made Single Sign On environment with AD+Squid and it worked fine. [It works] Client(Windows) -> Squid(CentOS) -> Internet * Client is joined the domain and Squid configured Kerberos Authentication with AD. But after add another squid, it didn't work. ...

[squid-users] Kerberos authentication with multiple squids

2021-10-12 Thread 森 隆聡
I made Single Sign On environment with AD+Squid and it worked fine. [It works] Client(Windows) -> Squid(CentOS) -> Internet * Client is joined the domain and Squid configured Kerberos Authentication with AD. But after add another squid, it didn't work. [Not works] Client -> Squid(No Auth.) ->

Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread L . P . H . van Belle
: L.P.H. van Belle; squid-users@lists.squid-cache.org Subject: RE: [squid-users] Kerberos nad keytab problem Hello everyone, Just my two cents too. Note you can map the *user* to the Kerberos SPN – this lets you have your squid proxy live outside of the AD. Just setup the dedicated user

Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread Rafael Akchurin
. van Belle Sent: Wednesday, 25 September 2019 17:02 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Kerberos nad keytab problem I also had problems with msktutil.. so i suggest you try this, see below.. I'm using it for few years and it always works (for me of course).. It should

Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread Alex Rousskov
On 9/25/19 11:01 AM, L.P.H. van Belle wrote: > I also had problems with msktutil.. so i suggest you try this, see below.. > I'm using it for few years and it always works (for me of course).. > > It should be pretty simple, but the site squid-cache (wiki) is in my > opinion a bit outdated.

Re: [squid-users] Kerberos nad keytab problem

2019-09-25 Thread L . P . H . van Belle
log Now go configure the other parts you need of squid. And enjoy.. :-) Greetz, Louis From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Tevfik Ceydeliler Sent: Wednesday, 25 September 2019 13:59 To: squid-users@lists.squid-cache.org Subject: [squid-u

[squid-users] Kerberos nad keytab problem

2019-09-25 Thread Tevfik Ceydeliler
Hi, I try to use kerberos in my squid. But I get an error message : 33 msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab -- init_password: Wiping the computer password structure -- generate_new_password:

Re: [squid-users] kerberos (Alex Gutiérrez)

2019-04-01 Thread Alex Gutiérrez Martínez
Thanks again for your support Mr. Jeffries, My proxy only contains of 1 GB of memory :-( Here i leave my squid.conf ### ###

Re: [squid-users] kerberos

2019-03-30 Thread Amos Jeffries
On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote: > Hello Community, I just compiled my squid 4. Everything works fine > except integration to the Kerberos authentication server. > > I have already managed to integrate my ubuntu with the kerberos and the > tickets are created correctly. Here i

[squid-users] kerberos

2019-03-29 Thread Alex Gutiérrez Martínez
Hello Community, I just compiled my squid 4. Everything works fine except integration to the Kerberos authentication server. I have already managed to integrate my ubuntu with the kerberos and the tickets are created correctly. Here i leave my configuration of the auth in the squid

Re: [squid-users] Kerberos issues on 4.1

2018-07-18 Thread Amos Jeffries
On 19/07/18 03:41, Victor Sudakov wrote: > > If there were an option to debug which "http_access" line rejects him > I could try it. > Please try: debug_options ALL,1 28,5 ... and have them login. Your cache.log should then list the ACLs being tested and what their results are. Amos

Re: [squid-users] Kerberos issues on 4.1

2018-07-18 Thread Victor Sudakov
Amos Jeffries wrote: > >>> > >>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having > >>> problems > >>> with Kerberos authentication. > >>> > >>> A user complained about being denied access. The strange things are that: > >>> > >>> 1. There was only one such user, others seemed

Re: [squid-users] Kerberos issues on 4.1

2018-07-18 Thread Amos Jeffries
On 18/07/18 19:16, Victor Sudakov wrote: > Amos Jeffries wrote: >> On 17/07/18 14:20, Victor Sudakov wrote: >>> >>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems >>> with Kerberos authentication. >>> >>> A user complained about being denied access. The strange

Re: [squid-users] Kerberos issues on 4.1

2018-07-18 Thread Victor Sudakov
Amos Jeffries wrote: > On 17/07/18 14:20, Victor Sudakov wrote: > > > > After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems > > with Kerberos authentication. > > > > A user complained about being denied access. The strange things are that: > > > > 1. There was only one

Re: [squid-users] Kerberos issues on 4.1

2018-07-17 Thread Amos Jeffries
On 17/07/18 14:20, Victor Sudakov wrote: > Dear Colleagues, > > After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems > with Kerberos authentication. > > A user complained about being denied access. The strange things are that: > > 1. There was only one such user, others

[squid-users] Kerberos issues on 4.1

2018-07-16 Thread Victor Sudakov
Dear Colleagues, After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems with Kerberos authentication. A user complained about being denied access. The strange things are that: 1. There was only one such user, others seemed to be authenticating properly (or just did not

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-12 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos

Re: [squid-users] Kerberos Heimdal Server Authentication

2018-05-11 Thread Markus Moeller
Can you capture the traffic on port 88 ? Heimdal has not helpful messages, so seeing the real traffic may help identifying the issue. Kinit should create an AS req/rep the test program creates a TGS req/rep Example attached if it gets through. Markus "Panagiotis Bariamis"

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-11 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos

[squid-users] Kerberos Heimdal Server Authentication

2018-05-09 Thread Panagiotis Bariamis
Hello my setup is as follows : Freebsd 11 Heimdal Kerberos Server and DNS properly configured (testlab environment for example.com domain) Freebsd 11 squid proxy server Windows Client I have created a keytab from the Kerberos Server for http/squid.example.com Proxy server machine has no problem

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-08 Thread Panagiotis Bariamis
On Tue, May 8, 2018 at 9:03 AM, Amos Jeffries wrote: > On 08/05/18 10:22, Panagiotis Bariamis wrote: > > > > >> A second question. If a non domain joined machine tries to use the proxy > >> will there be a username password prompt where if correct credentials > >> are

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-08 Thread Amos Jeffries
On 08/05/18 10:22, Panagiotis Bariamis wrote: > Hello, > Is it possible with a squid kerberos only authentication  setup be able > to authenticate ie android phones to squid? I don't have an answer for that, maybe someone else has experience. If you have the environment available you could try it

[squid-users] Kerberos authentication on mobile phones

2018-05-07 Thread Panagiotis Bariamis
Hello, Is it possible with a squid kerberos only authentication setup be able to authenticate ie android phones to squid? A second question. If a non domain joined machine tries to use the proxy will there be a username password prompt where if correct credentials are presented he will be able to

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-27 Thread Amos Jeffries
On 28/02/18 07:43, erdosain9 wrote: > Thank you Amos (sorry again Yuri). > > And yes, the user are complains. > > The problem is this (and sorry for be recurrent with this). > > That value avg ms for some times goes up to 3000... and in that moment all > stop. > > in the cache.log sometimes,

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-27 Thread erdosain9
Thank you Amos (sorry again Yuri). And yes, the user are complains. The problem is this (and sorry for be recurrent with this). That value avg ms for some times goes up to 3000... and in that moment all stop. in the cache.log sometimes, im getting this. support_sasl.cc(276): pid=3729

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-24 Thread Markus Moeller
pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: ERR -Original message- From: Jeroen Ruijter Sent: Monday, 19 February 2018 11:19 To: 'Amos Jeffries'; squid-users@lists.squid-cache.org Subject: RE: [squid-users] kerberos authentication with kerberos groups Do you advise to us

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-24 Thread Amos Jeffries
On 24/02/18 06:29, erdosain9 wrote: > Hi to all. > I don't know why i have this bad values. My network is working fine. How i can > do to fix this. I think is a high value. > > HTTP/1.1 200 OK > Server: squid/3.5.27 > Mime-Version: 1.0 > Date: Fri, 23 Feb 2018 17:16:25 GMT > Content-Type:

Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread Yuri
Users complains? 23.02.2018 23:29, erdosain9 wrote: > Hi to all. > I don't know why i have this bad values. My network is working fine. How i can > do to fix this. I think is a high value. > > HTTP/1.1 200 OK > Server: squid/3.5.27 > Mime-Version: 1.0 > Date: Fri, 23 Feb 2018 17:16:25 GMT >

[squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread erdosain9
Hi to all. I don't know why i have this bad values. My network is working fine. How i can do to fix this. I think is a high value. HTTP/1.1 200 OK Server: squid/3.5.27 Mime-Version: 1.0 Date: Fri, 23 Feb 2018 17:16:25 GMT Content-Type: text/plain;charset=utf-8 Expires: Fri, 23 Feb 2018 17:16:25 GMT

[squid-users] Kerberos authentcation failure

2018-02-22 Thread Joey Officer
A new problem popped up in the last couple of days in an otherwise working environment. Active Directory running on 2008r2 Windows 10 client Squid 3.5.12 # squid -v Squid Cache: Version 3.5.12 Service Name: squid Ubuntu linux configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-20 Thread Jeroen Ruijter
February 2018 11:19 To: 'Amos Jeffries'; squid-users@lists.squid-cache.org Subject: RE: [squid-users] kerberos authentication with kerberos groups Do you advise to use capitals or small characters for the domain name? -Original message- From: squid-users [mailto:squid-users

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-19 Thread Jeroen Ruijter
-users] kerberos authentication with kerberos groups On 17/02/18 02:02, Jeroen Ruijter wrote: > I'm trying to replace my basic ldap authentication by kerberos single > sign on. > NP: Despite what some claim, SSO is not unique to NTLM and Kerberos authentication. It is a behaviour of

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-19 Thread Jeroen Ruijter
' -Original message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Friday, 16 February 2018 18:58 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] kerberos authentication with kerberos groups On 17/02/18 02:02, Jeroen

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-16 Thread Amos Jeffries
On 17/02/18 02:02, Jeroen Ruijter wrote: > I'm trying to replace my basic ldap authentication by kerberos single > sign on. > NP: Despite what some claim, SSO is not unique to NTLM and Kerberos authentication. It is a behaviour of the tools used. As such it can be done with *any* authentication

[squid-users] kerberos authentication with kerberos groups

2018-02-16 Thread Jeroen Ruijter
I'm trying to replace my basic ldap authentication by kerberos single sign on. The user can successfully login with single sign on, but I have restriction on groups and that is where it goes wrong. I would like to use -r to trim the domain name, but when I do so it seems to work even less.

Re: [squid-users] Kerberos access denied and reauthentication

2017-09-04 Thread Grey
Looks like since posting the log the problem has disappeared for all 5 of my test users; since nothing has been changed on the network, could it have been caused by a Firefox and Chrome bug that has been recently fixed (I don't recall ever seeing the problem on IE)? Does anyone know of the

Re: [squid-users] Kerberos access denied and reauthentication

2017-08-01 Thread Grey
I've just had the problem happen again (usually it happens after a long period of inactivity, e.g. when trying to load the first web page in the morning). Here's the log: https://pastebin.com/fFTJNiKf I'm looking into getting the output from squidclient but I have to try and reproduce the

Re: [squid-users] Kerberos access denied and reauthentication

2017-07-28 Thread Dijxie
On 28.07.2017 at 10:46, Grey wrote: Should I wait for the error to appear and post the section relevant to the time when it occurs?

Re: [squid-users] Kerberos access denied and reauthentication

2017-07-28 Thread Grey
Should I wait for the error to appear and post the section relevant to the time when it occurs?

Re: [squid-users] Kerberos access denied and reauthentication

2017-07-27 Thread Dijxie
On 2017-07-27 10:27, Grey wrote: Hi, I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've successfully setup Kerberos authentication generating the keytab file with ktutil and manually setting the required SPN on my Windows domain controller. The problem I'm encountering is

[squid-users] Kerberos access denied and reauthentication

2017-07-27 Thread Grey
Hi, I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've successfully setup Kerberos authentication generating the keytab file with ktutil and manually setting the required SPN on my Windows domain controller. The problem I'm encountering is that sometimes (right now I'm the

Re: [squid-users] Kerberos authentication for squid

2016-11-11 Thread Amos Jeffries
On 11/11/2016 7:50 p.m., Tevfik Ceydeliler wrote: > Here is the problem, > > When I set my browser proxy configuration as "squiddc1.DOMAIN.grp " and > then start to browse, I cant see "usern...@domain.grp" log entry in > access.log. > > I think, It means that kerberos not work. > > Have you

[squid-users] Kerberos authentication for squid

2016-11-10 Thread Tevfik Ceydeliler
Hi, I try to configure squid by using AD authentication via Kerberos. And I have a keytab by using msktutil (PROXY.keytab) I can run kinit, klist, wbinfo (-g, -u, -t) commands without any error. here is my authparam configuration:

Re: [squid-users] Kerberos Ne

2016-10-04 Thread erdosain9
so... any advice about this?? Thanks!

Re: [squid-users] Kerberos Ne

2016-09-28 Thread Amos Jeffries
On 29/09/2016 3:02 a.m., erdosain9 wrote: > Hi. > Sorry for my ignorance, but, i have squid authentication with kerberos... > > all is working fine... > > but i have some behavior in cache.log that... i don't know if this is the > expected, or there is some problem > > because the file is

Re: [squid-users] Kerberos Ne

2016-09-28 Thread Antony Stone
On Wednesday 28 September 2016 at 16:02:42, erdosain9 wrote: > Hi. > Sorry for my ignorance, but, i have squid authentication with kerberos... > > all is working fine... > > but i have some behavior in cache.log that... i don't know if this is the > expected, or there is some problem > >

[squid-users] Kerberos Ne

2016-09-28 Thread erdosain9
Hi. Sorry for my ignorance, but, i have squid authentication with kerberos... all is working fine... but i have some behavior in cache.log that... i don't know if this is the expected, or there is some problem because the file is going to be huge as put the squid in production ... this is

[squid-users] Kerberos SSO Error: krb5_get_init_creds_keytab failed

2016-08-23 Thread erdosain9
Hi. I'm trying to configure SSO (single sign on) with Kerberos. I have this error [root@squid squid]# kinit administrator Password for administra...@xxx.lan: Warning: Your password will expire in 28 days on mié 21 sep 2016 12:20:39 ART [root@squid squid]# msktutil -c -b "CN=COMPUTERS" -s

Re: [squid-users] Kerberos Autenthication doesn't work

2016-08-18 Thread L . P . H . van Belle
Sent: Thursday, 18 August 2016 16:09 To: Squid Users Subject: [squid-users] Kerberos Autenthication doesn't work I have problems with Kerberos Authentication in Squid3 on Debian 8 and Samba4 DC My Squid version is: 3.4.8 My Kerberos Authentication doesn't work

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-10 Thread Drikus Brits
Heya Amos, The problem was the keytab that didn't work correctly. I deleted the objects from AD db and recreated keytab from linux side. The output now says that using HTTP/mq-sqproxy.domain.co.za is "Authenticated to kerberos", whilst the others now fail. I guess the HTTP is the only one

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-08 Thread Amos Jeffries
On 6/04/2016 3:27 a.m., Drikus Brits wrote: > > > i believe i might have fixed it > > will advise soonest. > Any update? Amos

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
i believe i might have fixed it will advise soonest. On 2016-04-05 16:01, Drikus Brits wrote: > Extra info : > > root@mw-sqproxy-test:/home/geosupport# uname -a > Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 > 21:16:20 UTC 2015 x86_64 x86_64 x86_64

Re: [squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
Extra info : root@mw-sqproxy-test:/home/geosupport# uname -a Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux root@mw-sqproxy-test:/home/geosupport# squid3 -v Squid Cache: Version 3.3.8 Ubuntu configure options:

[squid-users] Kerberos authentication only working with 1 domain server

2016-04-05 Thread Drikus Brits
Hi Experts, After much struggling it seems i've reached some point of success but yet still not. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet. My problem as follows : I have 1x win2008R2 server that works with kerberos

Re: [squid-users] Kerberos (Negotiate) problem with win2008 AD users

2016-03-10 Thread Victor Sudakov
In case anyone reads Russian, I have covered 2 new topics (possible problems) in the Russian Squid+Kerberos Howto: http://tinyurl.com/h68emax -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-21 Thread Fabio Bucci
apologize for my mail... Fabio 2016-01-14 6:09 GMT+01:00 LYMN : > On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote: >> Hi All, >> i want to terminate a previous job did by ex colleague is changed >> company. Now there is a cluster of 2 nodes of squid with

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-13 Thread Fabio Bucci
Hi All, i want to terminate a previous job did by ex colleague is changed company. Now there is a cluster of 2 nodes of squid with NTLM transparent authentication and one spare node i'm using as test and configured with kerberos instead. Reading a lot of info i understood kerberos is more stable

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-13 Thread LYMN
On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote: > Hi All, > i want to terminate a previous job did by ex colleague is changed > company. Now there is a cluster of 2 nodes of squid with NTLM > transparent authentication and one spare node i'm using as test and > configured with

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-11 Thread LYMN
On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote: > On 11/01/2016 2:48 p.m., LYMN wrote: > > > > I did manage to get this working, you did mention the correct solution > > right down the end of your message. > > > > Correct for you yes. That can happen when making half-blind guesses

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-11 Thread Amos Jeffries
On 11/01/2016 2:48 p.m., LYMN wrote: > > I did manage to get this working, you did mention the correct solution > right down the end of your message. > Correct for you yes. That can happen when making half-blind guesses at what the problem actually is based on partial information. It might have

Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-10 Thread LYMN
Firstly, let me say that whatever you are using for a mail client makes reading/replying to your message difficult (see below for a small sample, I will clean up the rest as best I can)... I did manage to get this working, you did mention the correct solution right down the end of your message.

[squid-users] kerberos authentication with a machine account doesn't work

2016-01-06 Thread LYMN
Hi, We have been using kerberos authentication against Active Directory here for a long time by using a SPN attached to a user account and exporting the keytab. The issue we have is that security policy mandates that the password on the user account be changed which means we have to go and

[squid-users] Kerberos-Authentication to AD 2012

2015-12-02 Thread Rainer Backes
Hi, I'm trying to build a Squid-Proxy that integrates with an Active Directory - and I think I'm only one step from succeeding, but I still get one error from negotiate_kerberos_auth. Here is my config: (everything is hosted inside my VMware Workstation) - Passwords here are only experimental.

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-14 Thread Ludovit Koren
Markus Moeller hua...@moeller.plus.com writes: It could be the new AD server is setup to be backward compatible meaning it use RC4 despite being able to use AES. I suggest you create an additional keytab entry for RC4. How did you create the keytab ? Now it seems to work: #

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-13 Thread Ludovit Koren
Markus Moeller hua...@moeller.plus.com writes: It could be the new AD server is setup to be backward compatible meaning it use RC4 despite being able to use AES. I suggest you create an additional keytab entry for RC4. How did you create the keytab ? It was created with ktpass

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-11 Thread Ludovit Koren
Markus Moeller hua...@moeller.plus.com writes: Hi Ludovit, Which Kerberos library version do you use? Is it possible that the encryption types don't match? I saw in your first email the following: It is standard Heimdal library on FreeBSD: # kinit --version kinit

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-11 Thread Markus Moeller
Hi Ludovit, How did you create the keytab ? Usually there is an option allowing you to select the encryption type. The other place to check would be /etc/krb5.conf. It can contain a list of supported encryption types. See

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-10 Thread Markus Moeller
Hi Ludovit, Which Kerberos library version do you use? Is it possible that the encryption types don't match? I saw in your first email the following: Your klist shows a HTTP ticket for arcfour Server: HTTP/squid1.mdpt.local@MDPT.LOCAL Client: HTTP/squid1.mdpt.local@MDPT.LOCAL Ticket

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-09 Thread Markus Moeller
Hi Ludovit, I haven't seen that error before either, but when you test you should have your own user credentials in the cache. You should use kinit user@MDPT.LOCAL and then try again the test. Is the hostname correctly set to squid1.mdpt.local? If not try

[squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-09 Thread Ludovit Koren
Hi, I have setup kerberos according to: http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory # klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL IssuedExpires Principal Feb 9 14:55:18

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-11-30 Thread Paul Freeman
Moeller Cc: squid-us...@squid-cache.org Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed Hi Markus Moeller, Hi Markus, Yeah, I'm currently using that option and permissions are correct too. On 27 Oct 2014 19:47, Markus Moeller

Re: [squid-users] Kerberos Authentication Failing for Windows 7+with BH gss_accept_sec_context() failed

2014-11-06 Thread Victor Sudakov
Victor Sudakov wrote: However, I am eager to know what could be causing such weird tickets to be issued, but I think only a Windows expert can tell. After all, the key in the tickets is correct, only the principal name is changed. I only suspect that the name is changed when the client sets

Re: [squid-users] Kerberos Authentication Failing for Windows 7+with BH gss_accept_sec_context() failed

2014-11-01 Thread Pedro Lobo
Hi Markus, Thanks for all your help. I'll do some more testing on monday and I'll let you know how it goes. Hopefully it'll be working as expected once having removed the unused AD servers and sorting out and sync issues. Cheers and have a great weekend! Pedro On 1 Nov 2014, at 13:11, Markus

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
Hi Pedro, Did you try the -s GSS_C_NO_NAME option? Markus Pedro Lobo pal...@gmail.com wrote in message news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com... Hey Everybody, Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Pedro Lobo
Hi Markus Moeller, Hi Markus, Yeah, I'm currently using that option and permissions are correct too.

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
Hi Pedro, Can you capture the traffic from one Windows 7 on XP client on port 88 (just after the login before access a website via squid until successful or unsuccessful accessing the website) using wireshark? Send me the .cap files to check. Markus Pedro Lobo pal...@gmail.com wrote

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Pedro Lobo
Hi Markus, When I get in to the office tomorrow, I'll do that and send you the .cap file. Thanks for all the help so far. Pedro Lobo On 27 Oct 2014, at 20:53, Markus Moeller hua...@moeller.plus.com wrote: Hi Pedro, Can you capture the traffic from one Windows 7 on XP client on

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Pedro Lobo
October 2014 7:26 AM To: Markus Moeller Cc: squid-us...@squid-cache.org Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed Hi Markus Moeller, Hi Markus, Yeah, I'm currently using that option and permissions are correct too

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread John Mok
: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Pedro Lobo Sent: Tuesday, 28 October 2014 7:26 AM To: Markus Moeller Cc: squid-us...@squid-cache.org Subject: Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-25 Thread Pedro Lobo
Hi Carlos, Yeah, the Windows 7 machine is part of the domain. As for basic auth, I'll look into setting that up too, although we were hoping to forgo it entirely. On 25 Oct 2014, at 3:00, Carlos Defoe wrote: Windows 7 inside the domain? Anyway, you should configure a basic auth scheme as a

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-25 Thread Dan Charlesworth
I was recently receiving this (incredibly vague) error. Turns out my squid user didn’t have permission to read the keytab. On Sat, Oct 25, 2014 at 8:37 PM, Pedro Lobo pal...@gmail.com wrote: Hi Markus, I used msktutil to create the keytab. msktutil -c -s HTTP/proxy01tst.fake.net -h
