Re: [squid-users] wbinfo_group.pl not working with Squid-2.5.STABLE5-4.fc2 / Samba- 3.0.6-2.fc2
Bastiaans, Remco wrote:

> Hi,
>
> I'm using Squid (Fedora core2 rpm squid-2.5.STABLE5-4.fc2), with Samba (rpm samba-3.0.6-2.fc2) for NTLM authentication against a Windows NT4 domain controller. This works fine...
>
> However, we want to authenticate against a Domain NT-Group, and that's where I'm getting stuck.. I've tried various examples I've found using wbinfo_group.pl, but it just doesn't seem to work... Has anybody succeeded with this combination?
>
> When I run wbinfo_group manually, with debug turned on, I get the following results:
>
> # ./wbinfo_group.pl
> RZH_NT+RBasti Internet
> Got RZH_NT+RBasti Internet from squid
> User: -RZH_NT+RBasti-
> Group: -Internet-
> SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)-
> GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid-
> Sending ERR to squid
> ERR
>
> where RZH_NT is our NT domain, RBasti is the username, and Internet is a domain group... (and yes, RBasti is a member of the group Internet)...
>
> Looks like something is going wrong converting the sid to the gid, but this is a black-hole for me... Why is it trying to do this, and why is it not succeeding?
>
> Winbind seems to work fine:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
> # wbinfo -g |grep Internet
> Internet
> # wbinfo -u |grep RBasti
> RBasti
> # wbinfo -a RBasti% (passwd blanked)
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Oh, and I already gave squid read-access to /var/cache/samba/winbindd_privileged by doing a chgrp squid...
>
> Thanks.
> Remco

Well the error message is one generated by wbinfo so you might want to hit up the samba user's lists. wbinfo_group.pl just calls wbinfo -Y with the sid and that's failing. I would make sure you have a line like

winbind gid = 1-2

in smb.conf but if that's not it check the samba list if you don't get any luck here.

Billy
Re: [squid-users] ntlmauthenticator processes busy
Marco Berizzi wrote: Hello everybody. This morning squid-2.5STABLE6 has crashed because all ntlm authenticator processes were busy. This is the relevant log's part: 08:47:36| WARNING: All ntlmauthenticator processes are busy. 08:47:36| WARNING: up to 40 pending requests queued 08:48:54| WARNING: All ntlmauthenticator processes are busy. 08:48:54| WARNING: up to 42 pending requests queued 08:48:54| Consider increasing the number of ntlmauthenticator processes to at least 82 in your config file. 09:04:34| WARNING: All ntlmauthenticator processes are busy. 09:04:34| WARNING: up to 44 pending requests queued 09:07:53| WARNING: All ntlmauthenticator processes are busy. 09:07:53| WARNING: up to 45 pending requests queued 09:07:53| Consider increasing the number of ntlmauthenticator processes to at least 85 in your config file. 09:08:28| WARNING: All ntlmauthenticator processes are busy. 09:08:28| WARNING: up to 47 pending requests queued 09:08:28| Consider increasing the number of ntlmauthenticator processes to at least 87 in your config file. 09:18:04| WARNING: All ntlmauthenticator processes are busy. 09:18:04| WARNING: up to 49 pending requests queued 09:23:22| WARNING: All ntlmauthenticator processes are busy. 09:23:22| WARNING: up to 50 pending requests queued 09:37:58| WARNING: All ntlmauthenticator processes are busy. 09:37:58| WARNING: up to 51 pending requests queued 09:38:28| WARNING: All ntlmauthenticator processes are busy. 09:38:28| WARNING: up to 52 pending requests queued 09:38:28| Consider increasing the number of ntlmauthenticator processes to at least 92 in your config file. 09:38:59| WARNING: All ntlmauthenticator processes are busy. 09:38:59| WARNING: up to 54 pending requests queued 09:38:59| Consider increasing the number of ntlmauthenticator processes to at least 94 in your config file. 09:39:30| WARNING: All ntlmauthenticator processes are busy. 
09:39:30| WARNING: up to 56 pending requests queued 09:39:30| Consider increasing the number of ntlmauthenticator processes to at least 96 in your config file. 09:40:00| WARNING: All ntlmauthenticator processes are busy. 09:40:00| WARNING: up to 59 pending requests queued 09:40:00| Consider increasing the number of ntlmauthenticator processes to at least 99 in your config file. 09:40:31| WARNING: All ntlmauthenticator processes are busy. 09:40:31| WARNING: up to 60 pending requests queued 09:40:31| Consider increasing the number of ntlmauthenticator processes to at least 100 in your config file. 09:41:12| WARNING: All ntlmauthenticator processes are busy. 09:41:12| WARNING: up to 62 pending requests queued 09:41:12| Consider increasing the number of ntlmauthenticator processes to at least 102 in your config file. 09:42:27| WARNING: All ntlmauthenticator processes are busy. 09:42:27| WARNING: up to 65 pending requests queued 09:42:27| Consider increasing the number of ntlmauthenticator processes to at least 105 in your config file. 09:43:31| WARNING: All ntlmauthenticator processes are busy. 09:43:31| WARNING: up to 66 pending requests queued 09:43:31| Consider increasing the number of ntlmauthenticator processes to at least 106 in your config file. 09:44:58| WARNING: All ntlmauthenticator processes are busy. 09:44:58| WARNING: up to 68 pending requests queued 09:44:58| Consider increasing the number of ntlmauthenticator processes to at least 108 in your config file. 09:45:34| WARNING: All ntlmauthenticator processes are busy. 09:45:34| WARNING: up to 70 pending requests queued 09:45:34| Consider increasing the number of ntlmauthenticator processes to at least 110 in your config file. 09:46:13| WARNING: All ntlmauthenticator processes are busy. 09:46:13| WARNING: up to 72 pending requests queued 09:46:13| Consider increasing the number of ntlmauthenticator processes to at least 112 in your config file. 09:46:51| WARNING: All ntlmauthenticator processes are busy. 
09:46:51| WARNING: up to 74 pending requests queued 09:46:51| Consider increasing the number of ntlmauthenticator processes to at least 114 in your config file. 09:47:28| WARNING: All ntlmauthenticator processes are busy. 09:47:28| WARNING: up to 76 pending requests queued 09:47:28| Consider increasing the number of ntlmauthenticator processes to at least 116 in your config file. 09:48:14| WARNING: All ntlmauthenticator processes are busy. 09:48:14| WARNING: up to 78 pending requests queued 09:48:14| Consider increasing the number of ntlmauthenticator processes to at least 118 in your config file. 09:48:49| WARNING: All ntlmauthenticator processes are busy. 09:48:49| WARNING: up to 81 pending requests queued 09:48:49| Consider increasing the number of ntlmauthenticator processes to at least 121 in your config file. 09:49:23| WARNING: All ntlmauthenticator processes are busy. 09:49:23| WARNING: up to 88 pending requests queued 09:49:23| Consider increasing the number of ntlmauthenticator processes to at least 128 in your config file. 09:49:54| WARNING: All ntlmauthenticator processes are
Re: [squid-users] Squid and ISA/ Viruswall
Yohoo!

Some few minutes after the boost the browser tells me download finished. When I take a look in my home-dir, there is the file, but it is a lot smaller than it should be (150-300MB; should be 700MB).

As I wrote yesterday, the default settings are set at client_lifetime. Second, the reported Content-Length Header reports the right size. The reply logged by squid in access.log is the short (and wrong) length of the file saved on my local disk.

So I checked the third point:

If the content-length is correct but the total reply size too small then more detailed analysis is required. Basically you need to determine who is closing the connection first

d) Squid - Upstream proxy (very unlikely).

And I recognized, that this is the case. My Squid send a FIN Packet to the upstream, then a FIN Packet to the Clientbrowser and receives a FIN Packet from my Browser. He doesn't receive a FIN Packet from the upstream.

Ok, checked everything, what's the next step to the solution?
RE: [squid-users] wbinfo_group.pl not working with Squid-2.5.STAB LE5-4.fc2 / Samba- 3.0.6-2.fc2
>> When I run wbinfo_group manually, with debug turned on, I get the following results:
>>
>> # ./wbinfo_group.pl
>> RZH_NT+RBasti Internet
>> Got RZH_NT+RBasti Internet from squid
>> User: -RZH_NT+RBasti-
>> Group: -Internet-
>> SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)-
>> GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid-
>> Sending ERR to squid
>> ERR
>
> Well the error message is one generated by wbinfo so you might want to hit up the samba user's lists. wbinfo_group.pl just calls wbinfo -Y with the sid and that's failing. I would make sure you have a line like
>
> winbind gid = 1-2
>
> in smb.conf but if that's not it check the samba list if you don't get any luck here.
>
> Billy

That line is already there.. wbinfo -Y is indeed failing... I'll ask the samba-peeps, and keep an eye overhere in case somebody has a bright idea ;-)

Thanks for putting me in the right direction.

Remco
Re: [squid-users] Squid and ISA/ Viruswall
On Wed, 15 Sep 2004, Voelker Christian wrote:

> And I recognized, that this is the case. My Squid send a FIN Packet to the upstream, then a FIN Packet to the Clientbrowser and receives a FIN Packet from my Browser. He doesn't receive a FIN Packet from the upstream.
>
> Ok, checked everything, what's the next step to the solution?

Were there any clues in cache.log, or was this silent?

If not the next step is to run the same test with squid -k debug enabled to make Squid log verbosely what it is up to doing.

Does your Squid have any third party patches applied?

While you are doing this please send the access.log entry to me, including all the mime headers and no obfuscation. If there may be sensitive information send it privately, if not public so others can try to reproduce the problem.

Regards
Henrik
Re: [squid-users] wbinfo_group.pl not working with Squid-2.5.STABLE5-4.fc2 / Samba- 3.0.6-2.fc2
On Mon, 13 Sep 2004, Bastiaans, Remco wrote:

> # ./wbinfo_group.pl
> RZH_NT+RBasti Internet
> Got RZH_NT+RBasti Internet from squid
> User: -RZH_NT+RBasti-
> Group: -Internet-
> SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)-
> GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid-
> Sending ERR to squid
> ERR

Which version of Samba is this?

What is the output of the following?

#!/bin/sh
set -x
sid=`wbinfo -n RZH_NT+RBasti`
wbinfo -Y $sid
wbinfo -Y ${sid%% *}
sid=`wbinfo -n Internet`
wbinfo -Y $sid
wbinfo -Y ${sid%% *}
wbinfo -r RZH_NT+RBasti

Regards
Henrik
Re: [squid-users] Bungled config -- -range_offset_limit -1 KB
Please file a bug report on this, with a reference to Bug #968

Regards
Henrik

On Tue, 14 Sep 2004, Jake Gold wrote:

> Hi,
>
> I'm trying to use squid-3.0-PRE3-20040830 CVS snapshot and it doesn't seem properly recognize -1 KB as a legit value for range_offset_limit option.
>
> I found a reference to this type of problem here:
>
> # range_offset_limit -1 KB rejected as invalid syntax
> http://www.squid-cache.org/bugs/show_bug.cgi?id=968
>
> # squid -k parse
> --snip--
> FATAL: Bungled squid.conf line 48: range_offset_limit -1 KB
> Squid Cache (Version 3.0-PRE3-CVS): Terminated abnormally.
> CPU Usage: 0.006 seconds = 0.004 user + 0.002 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Aborted
> --snip--
>
> Any ideas?
>
> Thanks,
> Jake
>
> P.S. Should I send this (and other 3.x questions) only to squid-dev or something?
Re: [squid-users] Squid and ISA/ Viruswall
Yohoo!

>> My Squid send a FIN Packet to the upstream, then a FIN Packet to the Clientbrowser and receives a FIN Packet from my Browser. He doesn't receive a FIN Packet from the upstream.
>
> Were there any clues in cache.log, or was this silent?

Sorry, silent. No entries in cache.log neither in /var/log/messages

> If not the next step is to run the same test with squid -k debug enabled to make Squid log verbosely what it is up to doing.

Ok, I'll run the test again and post the result.

> Does your Squid have any third party patches applied?

I'm not sure if RedHat has modified anything in the *rpm packet. No changes from me.

> While you are doing this please send the access.log entry to me, including all the mime headers and no obfuscation.

--snip
1095180656.926 5170780 10.127.2.126 TCP_MISS/200 167726867 GET http://ftp.gwdg.de/pub/linux/knoppix/KNOPPIX_V3.6-2004-08-16-DE.iso - DEFAULT_PARENT/10.254.15.1 application/octet-stream [Host: ftp.gwdg.de\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.4.2) Gecko/20040220\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\nAccept-Language: de,de-at;q=0.9,de-de;q=0.8,de-li;q=0.6,de-lu;q=0.5,de-ch;q=0.4,en;q=0.3,en-us;q=0.1\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nProxy-Connection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n] [HTTP/1.1 200 OK\r\nVia: 1.1 MSISA3\r\nConnection: Keep-Alive\r\nProxy-Connection: Keep-Alive\r\nContent-Length: 733499392\r\nDate: Tue, 14 Sep 2004 15:24:45 GMT\r\nContent-Type: application/octet-stream\r\nServer: Apache/1.3.27 (Linux/SuSE) PHP/4.3.1 mod_perl/1.27\r\nLast-Modified: Sun, 22 Aug 2004 21:00:01 GMT\r\nETag: 46e4041-2bb85000-41290951\r\nAccept-Ranges: bytes\r\n\r]
-snip---
Re: [squid-users] ntlmauthenticator processes busy
Billy Macdonald wrote:

> Marco Berizzi wrote:
>
>> Hello everybody.
>>
>> This morning squid-2.5STABLE6 has crashed because all ntlm authenticator processes were busy. This is the relevant log's part:
>>
>> 10:24:37| WARNING: All ntlmauthenticator processes are busy.
>> 10:24:37| WARNING: up to 199 pending requests queued
>> 10:24:37| Consider increasing the number of ntlmauthenticator processes to at least 239 in your config file.
>> 10:24:50| storeDirWriteCleanLogs: Starting...
>> 10:24:50| WARNING: Closing open FD6
>> 10:24:50| Finished. Wrote 0 entries.
>> 10:24:50| Took 0.0 seconds ( 0.0 entries/sec).
>> FATAL: Too many queued ntlmauthenticator requests (201 on 40)
>> Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
>>
>> I don't understand why there are so many pending requests queued (up to 199?!?!): there are only 10 clients connected to squid. Is there any way to find the crazy system doing this crap from squid's logs? Increasing cache.log level perhaps?
>
> Could you possibly have had issues with your domain controllers where the helper was hanging trying to connect to it and requests to browse the web just piled up instead of being denied or allowed?

DC is Windows NT 4.0sp6a Terminal server edition, uptime 1200hours, eventlog is clean. Squid and the DC (it is a backup DC) are LAN 100mbit/s wired, so there shouldn't be connectivity problem. I think the problem are some virused systems or some kind of software trying to connect to the internet without user input (webshot, antivirus autoupdate...).

Feature request: could squid logs the machine hostname or ip address doing the authentication request?
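
Added example (not part of the thread and not Squid code): with NTLM enabled, each step of the handshake that ends in a challenge is logged as TCP_DENIED/407 in access.log together with the client address, so counting those entries per client is one way to find the machine behind a helper queue like the one above. The log lines are constructed, and the script assumes the native access.log layout with the authenticated user name in the eighth field.

```python
"""Rank proxy clients by NTLM challenges (TCP_DENIED/407) in Squid's native access.log."""
from collections import Counter

# Constructed sample, native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1095230677.101 3 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
1095230677.540 2 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
1095230678.012 2 10.0.0.15 TCP_DENIED/407 1702 GET http://www.example.org/ - NONE/- text/html
1095230678.020 4 10.0.0.15 TCP_DENIED/407 1890 GET http://www.example.org/ - NONE/- text/html
1095230678.390 350 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.org/ jdoe DIRECT/192.0.2.10 text/html
1095230679.101 3 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
1095230679.640 2 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
this line is truncated
1095230680.200 2 10.0.0.30 TCP_DENIED/407 1702 GET http://www.example.net/ - NONE/- text/html
1095230680.210 3 10.0.0.30 TCP_DENIED/407 1890 GET http://www.example.net/ - NONE/- text/html
1095230680.450 12 10.0.0.30 TCP_HIT/200 2048 GET http://www.example.net/ asmith NONE/- text/html
1095230681.101 3 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
1095230681.640 2 10.0.0.21 TCP_DENIED/407 1690 GET http://update.example.com/sig.cab - NONE/- text/html
1095230682.000 90 10.0.0.15 TCP_MISS/200 840 GET http://www.example.org/logo.gif jdoe DIRECT/192.0.2.10 image/gif
"""


def parse_line(line):
    """Return (client, result_code, http_status, user) or None for a malformed line."""
    fields = line.split()
    if len(fields) < 8:
        return None
    code, sep, status = fields[3].partition("/")
    if not sep or not status.isdigit():
        return None
    return fields[2], code, int(status), fields[7]


def rank_clients(lines, min_challenges=5):
    """Rank clients by 407 count.

    Returns a list of (client, challenges, authenticated_requests, suspect),
    highest challenge count first. A client is marked suspect when it drew at
    least min_challenges challenges and never logged a request with a user name,
    i.e. it keeps asking but never completes authentication.
    """
    challenges, authenticated = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or foreign lines instead of aborting
        client, code, status, user = rec
        if code == "TCP_DENIED" and status == 407:
            challenges[client] += 1
        elif user != "-":
            authenticated[client] += 1
    ranked = []
    for client in sorted(challenges, key=lambda c: (-challenges[c], c)):
        n, done = challenges[client], authenticated[client]
        ranked.append((client, n, done, n >= min_challenges and done == 0))
    return ranked


if __name__ == "__main__":
    for client, n, done, suspect in rank_clients(SAMPLE_LOG.splitlines()):
        flag = "  <-- never authenticates" if suspect else ""
        print(f"{client:15} challenges={n:4} authenticated={done:4}{flag}")
```

A normal NTLM client shows roughly two challenges per new connection followed by authenticated requests; a client with only challenges is the one to look at first.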
RE: [squid-users] wbinfo_group.pl not working with Squid-2.5.STAB LE5-4.fc2 / Samba- 3.0.6-2.fc2
Henrik,

Like I said in my original message: samba-3.0.6-2.fc2... however, I just upgraded to samba-3.0.7-2.fc2 (Fedora Core 2 RPM packages) which has the same results...

The requested output is:

# ./tst
++ wbinfo -n RZH_NT+RBasti
+ sid=S-1-5-21-637226847-105070846-619646970-3033 User (1)
+ wbinfo -Y 'S-1-5-21-637226847-105070846-619646970-3033 User (1)'
SID is of type User
Could not convert sid S-1-5-21-637226847-105070846-619646970-3033 User (1) to gid
+ wbinfo -Y S-1-5-21-637226847-105070846-619646970-3033
SID is of type User
Could not convert sid S-1-5-21-637226847-105070846-619646970-3033 to gid
++ wbinfo -n Internet
+ sid=S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)
+ wbinfo -Y 'S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)'
Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid
+ wbinfo -Y S-1-5-21-637226847-105070846-619646970-7160
Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 to gid
+ wbinfo -r RZH_NT+RBasti
Could not get groups for user RZH_NT+RBasti

> Which version of Samba is this?
>
> What is the output of the following?
>
> #!/bin/sh
> set -x
> sid=`wbinfo -n RZH_NT+RBasti`
> wbinfo -Y $sid
> wbinfo -Y ${sid%% *}
> sid=`wbinfo -n Internet`
> wbinfo -Y $sid
> wbinfo -Y ${sid%% *}
> wbinfo -r RZH_NT+RBasti
Re: [squid-users] Errors of squid not being shown ?
On Wed, Sep 15, 2004 at 11:12:02AM +0200, Carlos Pacheco wrote:

> It works all OK, but when I try to visit a page that is not allowed, it returns a 403 error, and so in the explorer I see the normal 403 error, instead of the one generated by squid (ERR_ACCESS_DENIED).
>
> That's what it says in my access.log:
>
> 1095239235.531 2 192.1.1.20 TCP_DENIED/403 943 GET http://www.muchosexo.com/ - NONE/- -
>
> And if I try to get it using wget, I just see that a 403 error page is sent.
>
> Do I have to do something special to activate squid errors ???

Make sure your error_directory in the squid.conf points to something useful (present and readable for the squid process).

Christoph

P.S.: Are you forced to use that huge useless email disclaimer?

--
~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] Website Trouble
Yes. What can we do? - Original Message - From: Matt [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: Tuesday, September 14, 2004 12:26 AM Subject: [squid-users] Website Trouble I am having trouble getting this website to come up. Anyone else have trouble with it? www.ubankonline.com Thanks. Matt
[squid-users] special content filtering with squid (is it offtopic?)
Dear all!

IE has a newly discovered bug, that allows malicious websites to download arbitrary files to user's startup folder. MS hasn't released a patch yet. We want to protect users' machines.

shell:startup
http://mikx.de/scrollbar/

Is there any way to have squid or plugins filter any HTML before sending it to client based on strings? I have found http://dansguardian.org/ , will it do this job? Is it compatible with squid 2.2-stable?

Thank you indeed

regards
N.N.
[squid-users] Squid + NTLM + Transparent proxy
Hi all

I have googled a bit around and the most answers I found, is that setting up squid to authenticate using ntlm, combined with a transparent proxy is not possible - is this true ?

If not can anyone then guide me to some information about setting up a proxy as the clients default gateway (transparent proxy) in combination with ntlm auth.

Regards.
Lars Roland
[squid-users] Help in configuration of squid to achive my requirement.
Dear All

I am new to squid. My LDAP is running on 10.10.10.1, have say 100 users, named user1, user2 ... user100. My squid is running on 10.10.10.2 on port no 3128.

I wish to-

- allows some user out of 100 to browse internet thru proxy after successful authenticate from LDAP.
- allows few selected IP to be allowed by squid to use internet.

Is it possible to configure squid to also allow user5 when its request only comes from 101.10.10.5 (say) otherwise deny.

What directives I have to touch to configure my squid. I am using FC2. Webmin is installed on my system.

Hope to get guidance. Thanks in advance.
Re: [squid-users] ERR_ICAP_FAILURE
The ICAP patch is from Fri Jan 30 10:28:53 2004 GMT. You should check the latest patch from devel.squid-cache.org which contains many bug fix since the beginning of the year. Once you have patched your Squid tree, you need to run bootstrap.sh, but it will probably fail. I've attached a little patch here for that. You need automake 1.5 to run boostrap properly, it fails with the 1.4 version. 2004/09/09 12:56:36| BAD ICAP status line 0 I've already seen that, WebWasher returns an HTTP status line, not an ICAP one so the icap_client is quite confused with it. Is your WebWasher proxy activated? -- Stephane DAVY [EMAIL PROTECTED] --- configure.in 2004-09-15 14:42:57.0 +0200 +++ configure.in.new 2004-09-15 14:45:25.0 +0200 @@ -1750,6 +1750,7 @@ srandom \ statfs \ strnstr \ + strcasestr \ sysconf \ syslog \ timegm \ @@ -1787,6 +1788,12 @@ if test $ac_cv_func_strnstr = no || test $ac_cv_func_vstrnstr = no ; then AM_CONDITIONAL(NEED_OWN_STRNSTR, true) fi + +AM_CONDITIONAL(NEED_OWN_STRCASESTR, false) +if test $ac_cv_func_strcasestr = no || test $ac_cv_func_vstrcasestr = no; then + AM_CONDITIONAL(NEED_OWN_STRCASESTR, true) +fi + dnl dnl Test for va_copy
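
Review bot: In the second hunk, the added test reads $ac_cv_func_vstrcasestr, but the first hunk adds only "strcasestr" to the list of checked functions, so nothing in the visible lines ever sets that variable. Unset and unquoted it leaves the shell with "test = no", which is not a valid comparison and only happens to count as false. Testing "$ac_cv_func_strcasestr" = no alone, with the variable quoted, says what is meant. The block also invokes AM_CONDITIONAL(NEED_OWN_STRCASESTR, ...) twice, the second time inside an if, copying the strnstr lines above it; a single unconditional call whose condition is the test itself would be cleaner.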
Re: [squid-users] special content filtering with squid (is it offtopic?)
On Wed, Sep 15, 2004 at 01:58:32PM +0200, narancs wrote:

> IE has a newly discovered bug, that allows malicious websites to download arbitrary files to user's startup folder. MS hasn't released a patch yet. We want to protect users' machines.
>
> shell:startup
> http://mikx.de/scrollbar/
>
> Is there any way to have squid or plugins filter any HTML before sending it to client based on strings? I have found http://dansguardian.org/ , will it do this job? Is it compatible with squid 2.2-stable?

Dansguardian should work. I personally don't like it for its double-interception configuration. You may want to try privoxy which uses regular expressions to do what you want with any content. I use it here to remove ads (even text ads).

Christoph

--
~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: [squid-users] wbinfo_group.pl not working with Squid-2.5.STABLE5-4.fc2 / Samba- 3.0.6-2.fc2
Also:

In wbinfo_group.pl, try replacing the line:

chop $groupSID;

with

$groupSID = substr($groupSID,0,index($groupSID," ",0));

This should strip the Domain Group (2) off of what gets passed back to Samba. There is another patch floating around that does this, and may help. I'm wondering if there are some differences between getopt versions (or whatever Samba uses) or other OS/Build dependent command line parsing issues. I've never had any issues, but use FreeBSD and build my own squid from source. Currently don't have a recent-enough Linux box to bother testing with.

Jerry

- Original Message -
From: Henrik Nordstrom [EMAIL PROTECTED]
To: Bastiaans, Remco [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 3:45 AM
Subject: Re: [squid-users] wbinfo_group.pl not working with Squid-2.5.STABLE5-4.fc2 / Samba- 3.0.6-2.fc2

> On Mon, 13 Sep 2004, Bastiaans, Remco wrote:
>
>> # ./wbinfo_group.pl
>> RZH_NT+RBasti Internet
>> Got RZH_NT+RBasti Internet from squid
>> User: -RZH_NT+RBasti-
>> Group: -Internet-
>> SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)-
>> GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid-
>> Sending ERR to squid
>> ERR
>
> Which version of Samba is this?
>
> What is the output of the following?
>
> #!/bin/sh
> set -x
> sid=`wbinfo -n RZH_NT+RBasti`
> wbinfo -Y $sid
> wbinfo -Y ${sid%% *}
> sid=`wbinfo -n Internet`
> wbinfo -Y $sid
> wbinfo -Y ${sid%% *}
> wbinfo -r RZH_NT+RBasti
>
> Regards
> Henrik
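
Added example, not from the thread and not the wbinfo_group.pl source: the same lookup sequence (wbinfo -n, -Y, -r) written in Python, with the type suffix split off by a strict pattern and every value handed to wbinfo as a single argument rather than through a shell. The function names, the injectable `run` callable and the gid values in the constructed sample are assumptions.

```python
"""Group check in the style of a Squid external ACL helper, built on wbinfo."""
import re
import subprocess

# A SID, optionally followed by the type suffix wbinfo -n prints, e.g. "Domain Group (2)".
SID_LINE = re.compile(r"^(S-1-\d+(?:-\d+)+)(?:\s+(.+?)\s*\((\d+)\))?$")


def run_wbinfo(args):
    """Run wbinfo with an argument list (no shell); return stdout, or None on failure."""
    try:
        proc = subprocess.run(["wbinfo", *args], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


def parse_name_to_sid(output):
    """Split `wbinfo -n` output into (sid, type_name, type_number).

    Raises ValueError for anything that is not a SID with an optional suffix,
    so unexpected text never reaches the next wbinfo call.
    """
    match = SID_LINE.match(output.strip())
    if match is None:
        raise ValueError("unexpected wbinfo -n output: %r" % output)
    sid, type_name, type_num = match.groups()
    return sid, type_name, int(type_num) if type_num else None


def check_group(user, group, run=run_wbinfo):
    """Return "OK" if `user` is a member of `group`, otherwise "ERR"."""
    out = run(["-n", group])
    if out is None:
        return "ERR"
    try:
        sid, type_name, _ = parse_name_to_sid(out)
    except ValueError:
        return "ERR"
    if type_name is not None and "group" not in type_name.lower():
        return "ERR"  # the name resolved to a user or other non-group object
    gid = run(["-Y", sid])  # bare SID only, never the "Domain Group (2)" suffix
    if gid is None or not gid.strip().isdigit():
        return "ERR"  # "Could not convert sid ... to gid", as seen in this thread
    user_gids = run(["-r", user])
    if user_gids is None:
        return "ERR"
    return "OK" if gid.strip() in user_gids.split() else "ERR"


# Constructed wbinfo replies: the SID string is the one quoted in the thread,
# the gid numbers are made up for the example.
GROUP_SID = "S-1-5-21-637226847-105070846-619646970-7160"
SAMPLE_REPLIES = {
    ("-n", "Internet"): GROUP_SID + " Domain Group (2)\n",
    ("-Y", GROUP_SID): "10005\n",
    ("-r", "RZH_NT+RBasti"): "10001\n10005\n",
}


def sample_runner(args):
    """Stand-in for run_wbinfo that answers from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES.get(tuple(args))


if __name__ == "__main__":
    print(check_group("RZH_NT+RBasti", "Internet", run=sample_runner))
```

When wbinfo -Y fails for the bare SID as well, as it does in the output posted above, this check answers ERR just like the Perl helper; the suffix handling only removes one possible cause.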
Re: [squid-users] Basic FTP usage through squid
At 01:32 PM 9/11/2004 +0200, Henrik Nordstrom wrote:

> On Fri, 10 Sep 2004, Adam Engel wrote:
>
>> Recently my users have requested that I set up Squid so that users can click an ftp link on a website to download a file. Is this possible with squid?
>
> Yes, and enabled by default unless you have done something wrong.

Thanks for letting me know that it should be done by default. I went through my configuration and looked at any ftp settings that I might have changed.

> The only requirement is that the browser is configured to use the proxy for ftp request.

I changed this on my PC and it worked fine. It hadn't before, I changed some access controls for ftp, ( I had http_access deny all before my http_access allow ftp_allowed statement ). I will now check with my users to see if the changes are reflected on them

> Regards
> Henrik

Thanks much!
Adam
[squid-users] Using Squid to monitor Data transfer per user basis.
Hi,

I am using squid for monitoring bandwidth for my users. I am using Delay pools and all sorts of acl for monitoring users. Is there any way I can monitor data downloading in MB's per user basis with squid.

For example: My network serves Internet bandwidth for user Ip's 192.168.1.11-192.168.1.161. Out of these IP's I want to monitor data downloading per user basis.

For example:

For user IP's 192.168.1.11, 23, I want to keep upper limit of data downloading to 100 MB. If it exceeds 100 MB, I should know totally how much data is uploaded.

For user IP's 192.168.1.12, 24, I want to keep upper limit of data downloading to 300 MB. If it exceeds 300 MB, I should know totally how much data is uploaded.

For user IP's 192.168.1.13, 25, I want to keep upper limit of data downloading to 500 MB. If it exceeds 500 MB, I should know totally how much data is uploaded.

and for rest no upper limit for downloading

Same case for data uploading. Is there any way to do so with help of squid.

Thanks for support.
Re: [squid-users] Bungled config -- -range_offset_limit -1 KB
Hi Henrik,

I filed this bug as #1072
http://www.squid-cache.org/bugs/show_bug.cgi?id=1072

I am testing Squid CVS snapshot and trying to figure out how to prevent this assertion from being triggered:

assertion failed: ESI.cc:659: pos == next-readBuffer.offset

This apparently has something to do with partial requests? Any idea how I can prevent Squid from failing this assertion? I don't care to be able to serve range requests from cache.

And in general is it possible to prevent Squid from shutting down when assertions fail? If one request fails for whatever reason I would prefer if only that request was affected and not the entire server.

Can you offer any advice?

Thanks!
Jake

On Wed, 15 Sep 2004 09:47:03 +0200 (CEST) Henrik Nordstrom [EMAIL PROTECTED] wrote:

> Please file a bug report on this, with a reference to Bug #968
>
> Regards
> Henrik
[squid-users] Help on cache digest configuration
Hello, all

I plan to use cache digests. I have compiled Squid with --enable-cache-digests enabled. I am wondering if I need to change in the configuration file to make all the caches I have as sibling caches through cache_peer specification. If I do not specify the hierarchy of the caches, will they communicate through cache digests?

I did specify the cache hierarchy in my squid.conf, it seems from the log file that the caches still communicate through ICP. Is it possible that they only communicate through cache digests?

Thanks a lot!

Yours,
Yanyan :)
[squid-users] Purge all cache w/o restart or add step to Squid-2 algorithm
Hi list,

I want to use squid as httpd-accelerator for my page. The page changes minutely to hourly. When a change occurs it affects most (all) pages (last-change-date on the page, new article reference each other ...).

So what I envision is:

* squid caches everything, ignoring expire or whatever header
* I then can manually force squid to forget all cache entries

Doing this via echo swap.state; squid restart in a production system several days seems not a good idea. Any ideas?

What could also possible, if one could extend the Squid-2 algorithm which evaluates if its cache entry is FRESH/STALE. So that one could plugin his own evaluator. In my case it would check against external a timestamp (reflecting the last change on the site).

Maybe there is a much simpler solution to this?

Thanks in advance
Joscha Diehl
RE: [squid-users] Errors of squid not being shown ?
Hello.

I've checked the directory and it's fully readable for the user. I'm using http transp. proxy with a virtual host. Is there any way I can log what's the URL squid tries to find for the error and get the 403 response?

Thanks again,
Carlos.

P.S.: Sorry for the disclaimer, the policies of the company nothing I can do with it :(

-Original Message-
From: Christoph Haas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 September 2004 12:01
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] Errors of squid not being shown ?

> On Wed, Sep 15, 2004 at 11:12:02AM +0200, Carlos Pacheco wrote:
>
>> It works all OK, but when I try to visit a page that is not allowed, it returns a 403 error, and so in the explorer I see the normal 403 error, instead of the one generated by squid (ERR_ACCESS_DENIED).
>>
>> That's what it says in my access.log:
>>
>> 1095239235.531 2 192.1.1.20 TCP_DENIED/403 943 GET http://www.muchosexo.com/ - NONE/- -
>>
>> And if I try to get it using wget, I just see that a 403 error page is sent.
>>
>> Do I have to do something special to activate squid errors ???
>
> Make sure your error_directory in the squid.conf points to something useful (present and readable for the squid process).
>
> Christoph
>
> P.S.: Are you forced to use that huge useless email disclaimer?
Re: [squid-users] Errors of squid not being shown ?
On Wed, 15 Sep 2004, Carlos Pacheco wrote: Hello. I'm using squid and there is something I don't understand. It works all OK, but when I try to visit a page that is not allowed, it returns a 403 error, and so in the explorer I see the normal 403 error, instead of the one generated by squid (ERR_ACCESS_DENIED). If using MSIE then make sure to go into the internet settings and disable show friendly error messages. Regards Henrik
Re: [squid-users] Squid + NTLM + Transparent proxy
On Wed, 15 Sep 2004, Lars Roland wrote: I have googled a bit around and the most answers I found, is that setting up squid to authenticate using ntlm, combined with a transparent proxy is not possible - is this true ? Proxy authentication REQUIRES the browser to be configured to use a proxy, if not the browser MUST (per the HTTP standard) refuse to participate in any such authentication requests. And if you look on this from a security perspective it is obvious this must be the case as the browser has no way of knowing or even less identifying the proxy when you transparently hijack the browser's requests and send them to the proxy instead of the origin web server as requested by the browser. Regards Henrik
Re: [squid-users] Purge all cache w/o restart or add step to Squid-2 algorithm
On Wed, 15 Sep 2004, Joscha Diehl wrote: What could also be possible, if one could extend the Squid-2 algorithm which evaluates if its cache entry is FRESH/STALE. So that one could plugin his own evaluator. In my case it would check against an external timestamp (reflecting the last change on the site). You have the source.. this is not very difficult to find. Maybe there is a much simpler solution to this? What you ask for is very special purpose for your specific accelerator setup. Regards Henrik
RE: [squid-users] Errors of squid not being shown ?
That was it. Thank you very much. I knew MSIE hid things but to substitute a complete html error code with its own by default.. Thanks. Carlos. -Original Message- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Wednesday, 15 September 2004 19:22 To: Carlos Pacheco CC: [EMAIL PROTECTED] Subject: Re: [squid-users] Errors of squid not being shown ? On Wed, 15 Sep 2004, Carlos Pacheco wrote: Hello. I'm using squid and there is something I don't understand. It works all OK, but when I try to visit a page that is not allowed, it returns a 403 error, and so in the explorer I see the normal 403 error, instead of the one generated by squid (ERR_ACCESS_DENIED). If using MSIE then make sure to go into the internet settings and disable show friendly error messages. Regards Henrik
Re: [squid-users] ntlmauthenticator processes busy
Henrik Nordstrom wrote: On Wed, 15 Sep 2004, Marco Berizzi wrote: Feature request: could squid log the machine hostname or ip address doing the authentication request? It does in access.log. What kind of word should I grep? You also get it in cache.log if you enable debugging. Regards Henrik squid -k debug is enough?
RE: [squid-users] Bypass Squid
What about something like this?

#!/bin/sh
# Poll once a minute for https connections
while [ 1 ]; do
    TEST_SQUID=`netstat -a | grep -c https`
    if [ "$TEST_SQUID" -gt 0 ]; then
        # something here that starts forwarding https (iptables or xinetd)?
        :
    fi
    sleep 60
done

and other

#!/bin/sh
# Poll once a minute for :httpd connections
while [ 1 ]; do
    TEST_SQUID=`netstat -a | grep -c :httpd`
    if [ "$TEST_SQUID" -gt 2 ]; then
        # something here that starts forwarding https (iptables or xinetd)?
        :
    fi
    sleep 60
done

I think I would also need a way of combining these into one.

-Original Message- From: Hendrik Voigtländer [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 14, 2004 2:01 PM To: Chris Perreault Cc: [EMAIL PROTECTED] Subject: Re: [squid-users] Bypass Squid Chris Perreault wrote: I agree...and assumed he knew this too. He wanted users to end up at a different physical server and without a second failover solution that was the only thing I could think of to try and explain how users ended up at his servers. Once you hit squid, you are there. If you look for squid and it's failed, you are stuck, it can't just pass you through anyways. Exactly :-) I think your mentioned second failover would be the solution. Two squid boxes either with a load balancer(s) or a cluster software should do the trick, but the ultimate goal would be to eliminate all single points of failure. Internet connection, firewall, reverse proxy, webserver, databases. On the other hand HA systems are more complex and may fail to switch over if the time has come. A simpler approach would be to make every box as reliable as possible. Decent hardware, a hardened setup, a good monitoring, a standby server and an operator in stand-by (hope I found the right word for this :-). There is no use to build an HA system on crappy hardware... As for squid I think it can run ages without any problem, I have never seen squid itself crashing on its own, it was always my fault - e.g. misconfiguration. Regards, Hendrik Voigtländer
[squid-users] Problem with ntlm_auth
Hi I use suse linux 8.2 with squid: Squid Cache: Version 2.5.STABLE1 configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM winbind' '--enable-ntlm-auth-helpers=SMB no_check winbind' '--enable-digest-auth-helpers=password' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary' I got a little problem with ntlm_auth. I don't know if it's a problem in squid or in Internet Explorer. If I only enable auth_param ntlm every ntlm aware browser can access the proxy. But if I also enable auth_param basic the Internet Explorer uses basic auth instead of ntlm_auth. Do you have any idea how to make basic auth and ntlm auth work so that the Internet Explorer doesn't prompt for a username? Regards, Tilo
[squid-users] cache digests
Hello, guys, Have you ever used cache digests provided by Squid? If you do, could you please let me know? I really have some problems with it. Thanks in advance! Yours, Yanyan :)
[squid-users] NTLM/winbind to hide login/pass?
Currently all users are authenticated before accessing the Internet by using LDAP with Squid to the AD server. We're concerned about the browser sending the login/pass to the Squid server unencrypted (base64). Would using NTLM or winbind authentication with Squid avoid the password-in-the-clear problem? If not, does anyone have another suggestion for this problem? Thanks, ~Matt -- Get Firefox! http://www.mozilla.org/products/firefox/
Re: [squid-users] ntlmauthenticator processes busy
On Wed, 15 Sep 2004, Marco Berizzi wrote: Henrik Nordstrom wrote: On Wed, 15 Sep 2004, Marco Berizzi wrote: Feature request: could squid log the machine hostname or ip address doing the authentication request? It does in access.log. What kind of word should I grep? Look for those 407's.. for each NTLM connection there are three entries in the access log, one per step in the authentication process. You also get it in cache.log if you enable debugging. squid -k debug is enough? Plenty too much.. Regards Henrik
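One way to find which machine is doing the authentication requests from access.log, as an added example that is not part of the original thread: the functions below tally TCP_DENIED/407 entries per client address and list clients that collect 407s but never log a request with a username. The log lines are constructed samples in Squid's native access.log format, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy type
sample_log() {
cat <<'EOF'
1095239235.531 2 192.0.2.20 TCP_DENIED/407 1690 GET http://www.example.com/ - NONE/- text/html
1095239235.540 1 192.0.2.20 TCP_DENIED/407 1912 GET http://www.example.com/ - NONE/- text/html
1095239235.702 160 192.0.2.20 TCP_MISS/200 4210 GET http://www.example.com/ alice DIRECT/198.51.100.7 text/html
1095239240.101 1 192.0.2.31 TCP_DENIED/407 1690 GET http://www.example.org/a - NONE/- text/html
1095239240.350 1 192.0.2.31 TCP_DENIED/407 1690 GET http://www.example.org/a - NONE/- text/html
1095239240.611 1 192.0.2.31 TCP_DENIED/407 1690 GET http://www.example.org/b - NONE/- text/html
1095239240.872 1 192.0.2.31 TCP_DENIED/407 1690 GET http://www.example.org/b - NONE/- text/html
1095239241.120 1 192.0.2.31 TCP_DENIED/407 1690 GET http://www.example.org/c - NONE/- text/html
1095239250.004 2 192.0.2.45 TCP_DENIED/403 943 GET http://www.example.net/ bob NONE/- text/html
EOF
}

# Count 407 (proxy authentication required) entries per client, busiest first.
count_407_by_client() {
    awk '$4 ~ /\/407$/ { n[$3]++ }
         END { for (c in n) print n[c], c }' | sort -k1,1nr -k2,2
}

# Clients that receive 407s but never log a request with a username
# (field 8), i.e. they never complete authentication in this log.
clients_never_authenticated() {
    awk '$4 ~ /\/407$/ { denied[$3]++ }
         $8 != "-"     { authed[$3] = 1 }
         END { for (c in denied) if (!(c in authed)) print c, denied[c] }' | sort
}

sample_log | count_407_by_client
sample_log | clients_never_authenticated
```

Against a live proxy, feed the functions the real log on stdin instead of the sample, for instance `count_407_by_client < access.log`.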
RE: [squid-users] Errors of squid not being shown ?
On Wed, 15 Sep 2004, Carlos Pacheco wrote: That was it. Thank you very much. I knew MSIE hid things but to substitute a complete html error code with its own by default.. It has always done this.. Microsoft does not think people can survive if they see the actual error messages and prefers working around the issue in the browser rather than making their web server return human understandable error messages. It is supposedly possible to convince MSIE to show the error despite being configured to show human friendly error messages by making sure the error response is sufficiently large. More details available in an MS KB entry somewhere (don't remember the number). Regards Henrik
Re: [squid-users] Problem with ntlm_auth
On Wed, 15 Sep 2004, Tilo Lutz wrote: If I only enable auth_param ntlm every ntlm aware browser can access the proxy. But if I also enable auth_param basic the Internet Explorer uses basic auth instead of ntlm_auth. Try changing the order of your auth_param directives.. See the auth_param documentation in squid.conf.default for details and full explanation of what you are seeing and why. Regards Henrik
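A check for the ordering issue described above, as an added example that is not from the original thread or the Squid project: Squid offers authentication schemes in the order they first appear in squid.conf, so the script reports that order and flags a configuration where basic is listed ahead of ntlm. The squid.conf fragment is constructed, and the helper paths and function names are assumptions.

```shell
#!/bin/sh
# Constructed squid.conf fragment; helper paths are assumptions.
sample_conf() {
cat <<'EOF'
# basic is configured first, so it is the first scheme offered
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 10
EOF
}

# Print the schemes in the order they first appear in the config on stdin.
auth_scheme_order() {
    awk '$1 == "auth_param" && !($2 in seen) {
             seen[$2] = 1; printf "%s%s", sep, $2; sep = " "
         }
         END { print "" }'
}

# Exit status 0 when both schemes are configured and basic comes first.
basic_before_ntlm() {
    awk '$1 == "auth_param" && !($2 in pos) { pos[$2] = ++n }
         END { exit !(("basic" in pos) && ("ntlm" in pos) && pos["basic"] < pos["ntlm"]) }'
}

echo "scheme order: $(sample_conf | auth_scheme_order)"
if sample_conf | basic_before_ntlm; then
    echo "warning: basic is listed before ntlm; move the ntlm auth_param lines first"
fi
```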
Re: [squid-users] cache digests
On Wed, 15 Sep 2004, Yanyan Wang wrote: Have you ever used cache digests provided by Squid? If you do, could you please let me know? I really have some problems with it. Thanks in advance! What kind of problem? Regards Henrik
Re: [squid-users] NTLM/winbind to hide login/pass?
On Wed, 15 Sep 2004, Matt Alexander wrote: Would using NTLM or winbind authentication with Squid avoid the password-in-the-clear problem? If not, does anyone have another suggestion for this problem? NTLM avoids the password-in-the-clear problem. winbind or not is orthogonal to the question, but if using NTLM it is highly recommended to use winbind as the backend as this is the most stable communication channel available for using NTLM to a Microsoft domain. Regards Henrik
Re: [squid-users] ICAP patch for STABLE6 version
Anyone knows where to get a working patch for 2.5.STABLE6? FYI, I occasionally make squid-icap releases and put the files at http://www.squid-cache.org/~wessels/squid-icap-2.5/ Duane W.
[squid-users] squid, kashif ali has invited you to open a Google mail account
I am sending gmail invitation to all of you let see who will mad his id ok go and get it --- kashif ali has invited you to open a free Gmail account. The invitation will expire in three weeks and can only be used to set up one account. To accept this invitation and register for your account, visit http://gmail.google.com/gmail/a-1157b5f3cf-68da4357df-9697357039
[squid-users] Broken images and connection failures
I have been trying to troubleshoot a problem for over a week now, and have resisted posting to the list in the vain hope I'll work it out myself - however I am having no luck. The problem is that during busy periods many pages are being displayed with many broken images, and frequently the browser (IE6) displays the Cannot find server or DNS error message. I am running Squid2.5STABLE6 on a Red Hat 9 (2.4.20-31.9smp kernel) in an organisation which has approx 2500 users. Average req/sec is about 80req/sec and peaks at 190req/sec during lunchtime. The server is an IBM x345 with 2.5Gb RAM, 98Gb cache (only 16Gb used so far), dual 2.4Ghz Xeon processors, with an Intel Pro 1000 connected to a 1Gb switch. I am doing content filtering with SquidGuard, NTLM authentication with winbind from Samba 2.2.10 and wb_ntlmauth and external ACLs using wb_group. I have googled and searched the list archives, but there is nothing terribly recent that I can find. I don't know if this is relevant, but /proc/net/sockstat shows up to 5000 TCP sockets in TIME_WAIT state in peak times. Any suggestions to what may be causing this would be greatly appreciated. Regards, Rob Hadfield
[squid-users] store rebuilding
Hi, I saw Store rebuilding is 10.7% complete in the log and Current Capacity : 0% used, 100% free in the cache manager after restarting my squid server. What does it mean? Does it happen every time we restart squid? I've searched the archive but no luck. If you have a link, please point me. Thanks, Stand
Re: [squid-users] NTLM/winbind to hide login/pass?
On Thu, 16 Sep 2004 01:11:13 +0200 (CEST), Henrik Nordstrom [EMAIL PROTECTED] wrote: On Wed, 15 Sep 2004, Matt Alexander wrote: Would using NTLM or winbind authentication with Squid avoid the password-in-the-clear problem? If not, does anyone have another suggestion for this problem? NTLM avoids the password-in-the-clear problem. winbind or not is orthogonal to the question, but if using NTLM it is highly recommended to use winbind as the backend as this is the most stable communication channel available for using NTLM to a Microsoft domain. Great! Do you know of a good HOWTO for setting up Squid with NTLM?