[squid-users] Fw: new message
Hey! New message, please read <http://epicuregifts.com/anybody.php?l> Nick Cairncross ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Fw: new message
Hey! New message, please read <http://forum.onnet.com.vn/middle.php?nuxm> Nick Cairncross
[squid-users] Fw: new message
Hey! New message, please read <http://brianeloe.com/please.php?7> Nick Cairncross
[squid-users] Fw: new message
Hey! New message, please read <http://iamakeupartistry.com/exactly.php?qdjd> Nick Cairncross
Re: [squid-users] Performance: Negotiate or NTLM?
On 30/03/2011 00:45, Amos Jeffries squ...@treenet.co.nz wrote:

> On Tue, 29 Mar 2011 15:09:20 +0200, Fran Márquez wrote:
>> Hi,
>> Is the Negotiate auth protocol faster than NTLM, or does it also increase (x2 or x3) the HTTP traffic when it is used?
>> Regards,
>> F.J
>
> Negotiate is a wrapper protocol, so the answer is "maybe".
>
> In modern browsers it commonly wraps Kerberos auth, which is more efficient on the handshakes, has stronger hash algorithms than NTLM, and the backend helpers avoid the 256 concurrency limit in winbind. So it is worth trying to use either way.
>
> Older versions of MS software are known to wrap it around NTLM, which means no gains and no real difference at all.
>
> If you try the migration and hit these old MS software problems, Markus Moeller is currently developing a wrapper helper to handle both Negotiate/NTLM and Negotiate/Kerberos.
>
> Amos

Earlier post by Markus regarding this - haven't had time to test this myself but might help you to test with:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NTLM-Kerberos-Authentication-with-Windows-7-td3331448.html

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, London W1S 1JU
Re: [squid-users] Round robin DNS with two squid servers and squid_kerb_auth...
Hi All,

We have two squid proxies running the same config. I want to implement a round robin DNS solution, so that the browser points to one hostname entry and is directed to one of the two servers.

Before that I fully configured the squid proxy server so that it works with squid_kerb_auth and squid_kerb_ldap. It works fine, but when I enabled round robin DNS I noticed that users weren't being authenticated by Kerberos; instead it tried to use NTLM, which also failed, and eventually they get a login box (basic).

I'm guessing that the browser parses the DNS entry which is configured as proxy to squid_kerb_auth, which then tries to use that principal name to authenticate? Because it's 1 DNS entry for two hostnames I can't give them both that hostname, right? Is there another way to configure this?

Relevant Squid configuration:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s host/proxy1.example@example.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Proxy 2 has the same config, apart from the -s option for squid_kerb_auth, which is proxy2.example@example.com

Also, even if I don't provide a service principal name it doesn't work (also with HTTP principals).

When I start a browser which points to the round robin DNS FQDN (centralproxy.example.com) and go to whichever server it's being diverted to, I can see this in the logs:

2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABB4IIogAFAs4ODw==' from squid (length: 59).
2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABB4IIogAFAs4ODw==' (decoded length: 40).
2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/03/23 14:24:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

If I change the browser to point directly to that proxy server, it works like a charm. Is there a way to fix this? Can round robin DNS be used with squid_kerb_auth?

Thanks for your time.

Regards,
Essad

I believe that this isn't possible due to the DNS/hostname/IP resolution as you describe. Kerberos is very specific on these requirements when doing its forward and reverse look-ups/using the SPNs. One option could be to use a PAC/WPAD file and specify your multiple proxies in there.. not really ideal, just a thought. May be possible with some sort of HA/load-balancing, where you can pool hostnames.
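The helper's "received type 1 NTLM token" warning above means the browser sent a raw NTLMSSP message on the Negotiate channel instead of a SPNEGO/Kerberos token, and Amos's point in the Negotiate-or-NTLM thread is that even a SPNEGO token may only wrap NTLM. Both cases can be told apart from the base64 blob Squid hands the helper. The Python below is an added example, not code from this thread or from Squid: it decodes the token from a "YR"/"KK" helper line and reports whether it is raw NTLMSSP (and which message type), a SPNEGO negTokenInit (listing the mechanisms the client offers, in preference order), or a bare Kerberos token. The two sample tokens are constructed for the example; the token in the log line above is truncated on this page and is not used.

```python
import base64
import struct

# DER-encoded OID contents (without the 0x06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")     # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der(tag, payload):
    """Encode one DER TLV. Used only to build the constructed sample token below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def spnego_mechs(raw, i):
    """Walk negTokenInit -> mechTypes and return the offered mechanism OIDs in order.
    raw[i] is the first byte after the SPNEGO OID. Returns [] on any structural surprise."""
    for tag in (0xA0, 0x30, 0xA0):      # [0] negTokenInit, SEQUENCE, [0] mechTypes
        if i >= len(raw) or raw[i] != tag:
            return []
        _, i = der_len(raw, i + 1)
    if i >= len(raw) or raw[i] != 0x30:  # SEQUENCE OF MechType
        return []
    seq_len, i = der_len(raw, i + 1)
    end = i + seq_len
    mechs = []
    while i < end and raw[i] == 0x06:
        oid_len, j = der_len(raw, i + 1)
        mechs.append(raw[j:j + oid_len])
        i = j + oid_len
    return mechs


def classify_token(b64):
    """Return (family, details) for a base64 token from a Negotiate/NTLM header."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]    # 1 = NEGOTIATE, 3 = AUTHENTICATE
        return "NTLM", [f"type {msg_type}"]
    if raw and raw[0] == 0x60:                            # GSS-API InitialContextToken
        _, i = der_len(raw, 1)
        if i < len(raw) and raw[i] == 0x06:
            oid_len, j = der_len(raw, i + 1)
            mech = raw[j:j + oid_len]
            if mech == SPNEGO_OID:
                offered = spnego_mechs(raw, j + oid_len)
                return "SPNEGO", [MECH_NAMES.get(m, m.hex()) for m in offered]
            if mech in (KRB5_OID, MS_KRB5_OID):
                return "KRB5", []
    return "unknown", []


def classify_helper_line(line):
    """Accept the 'YR <token>' / 'KK <token>' line Squid writes to the negotiate helper."""
    return classify_token(line.split()[-1])


# Constructed sample tokens (not the truncated token from the thread's log line).
NTLM_TYPE1 = base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xA2088207) + bytes(16)).decode()

_mech_list = der(0x30, der(0x06, NTLMSSP_OID) + der(0x06, KRB5_OID))
SPNEGO_NTLM_FIRST = base64.b64encode(
    der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, _mech_list))))).decode()

if __name__ == "__main__":
    for line in ("YR " + NTLM_TYPE1, "YR " + SPNEGO_NTLM_FIRST):
        print(classify_helper_line(line))
```

A SPNEGO token whose mechTypes list starts with NTLMSSP is the "Negotiate wrapping NTLM" case: the client obtained no Kerberos service ticket, typically because it could not map the proxy name it was given to an SPN, which is exactly what a round-robin alias produces. A list led by KRB5 or MS-KRB5 is the case the negotiate helper can actually verify.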
Re: [squid-users] me.com TCP_MISS/503
On 23/02/2011 00:50, Amos Jeffries squ...@treenet.co.nz wrote:

> On Tue, 22 Feb 2011 07:37:27 -0800 (PST), nickcx wrote:
>> Hi List,
>> I'm trying to get access to me.com working on my test proxy, but I keep getting a timeout in my browsers: (110) Connection timed out. Access log shows TCP_MISS/503. I have tried disabling various things to see if I can get it working: authentication, send direct, even allow all at the top, but no joy. On 3stable20 I've had this working ok.. Any help/pointers gratefully received,
>
> "Connection timed out" usually means the network connectivity is broken or lagging a lot. Of course, these are only relevant if the problem can be displayed on one version then immediately not be present on the other. If by "had this working" you mean last week or months ago, then there could have been basic Internet changes you are not aware of between you and the website.
>
> Amos

[snipped]

Looking into this further, there was indeed a network connectivity issue relating to 443. This has been fixed and is working. Thanks also for the pointers on squid.conf.

Nick
Re: [squid-users] kerberos authentication - performance tuning
On 09/02/2011 09:34, guest01 gues...@gmail.com wrote:

> Hi,
>
> We are currently using Squid 3.1.10 on RHEL5.5 and Kerberos authentication for most of our clients (authorization with an ICAP server). At the moment, we are serving approx 8000 users with two servers. Unfortunately, we have performance troubles with our Kerberos authentication. Load values are way too high ...
>
> 10:19:58 up 16:14, 2 users, load average: 23.03, 32.37, 25.01
> 10:19:59 up 15:37, 2 users, load average: 58.97, 57.92, 47.73
>
> Peak values have been 70 for the 5min interval. At the moment, there are approx 400 hits/second (200 per server). We already disabled caching on harddisk. Avg service time for Kerberos is up to 2500ms (which is quite long).
>
> Our Kerberos configuration looks pretty simple:
>
> #KERBEROS
> auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -s HTTP/fqdn -r
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
>
> Is there any way for further caching or something like that? For testing purposes, we authenticated a certain subnet by IP and load values decreased to 1. (Unfortunately, this is not possible because every user gets a policy assigned by its username.)
>
> Any ideas anyone? Are there any Kerberos related benchmarks available (could not find any)? Maybe this issue is not a problem, just a limitation, and we have to add more servers?
>
> Thanks!
> best regards
> Peter

Peter,

I have pretty much the same setup as you - just 3.1.8, though only 700 users.

Have you disabled the replay cache: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

But beware of a memory leak (depending on your libs of course): http://squid-web-proxy-cache.1019090.n4.nabble.com/Intermittent-SquidKerbAuth-Cannot-allocate-memory-td3179036.html. I have a call outstanding with RH at the moment.

Are your rules repeatedly requesting authentication unnecessarily when it's already been done? Amos was very helpful when advising on this (search for the post..)

8000 users.. Only 30 helpers?

What does cachemgr say about used negotiate helper stats, timings/sec etc.?

Is your krb5.conf using the nearest KDC in its own site etc.?

Some load testers out there incorporate Kerberos load testing.

Just my thoughts..

Nick
Re: [squid-users] Intermittent SquidKerbAuth 'Cannot allocate memory'
On 07/01/2011 12:37, Nick Cairncross nick.cairncr...@condenast.co.uk wrote:

> From time to time my users experience constant unsatisfiable prompts from squid. Cache.log reports:
>
> 2011/01/07 12:04:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Cannot allocate memory'
> 2011/01/07 12:04:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Cannot allocate memory'
>
> Quickest fix is to 'service squid restart' but I'd like to get to the bottom of how/why this occurs. Squidkerbauth helper can't allocate memory, freezes and refuses to process requests. Has anyone else come across this sort of thing before? Memory leak..? Any suggestions for further debugging welcome.

Just wanted to post back with my findings so far - still working on this...

With the help of the list users I found the cause of my problem: a memory leak from squid_kerb_auth when using the KRB5RCACHETYPE=none variable (http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Squid_Configuration_File). With this variable set, producing a blob via squid_kerb_auth_test and running this against valgrind on squid_kerb_auth, I receive the following memory leak:

==28959== 68 bytes in 1 blocks are definitely lost in loss record 55 of 68
==28959==    at 0x4022903: malloc (vg_replace_malloc.c:195)
==28959==    by 0x40CA6F0: krb5_rc_resolve_full (in /usr/lib/libkrb5.so.3.3)
==28959==    by 0x40C7954: krb5_get_server_rcache (in /usr/lib/libkrb5.so.3.3)
==28959==    by 0x4047DA0: krb5_gss_acquire_cred (in /usr/lib/libgssapi_krb5.so.2.2)
==28959==    by 0x40533CD: ??? (in /usr/lib/libgssapi_krb5.so.2.2)
==28959==    by 0x403C912: gss_add_cred (in /usr/lib/libgssapi_krb5.so.2.2)
==28959==    by 0x403CEB5: gss_acquire_cred (in /usr/lib/libgssapi_krb5.so.2.2)
==28959==    by 0x8049A1C: main (squid_kerb_auth.c:493)

If I unset KRB5RCACHETYPE and re-run the same test I don't receive the leak:

==28967== 68 bytes in 1 blocks are still reachable in loss record 60 of 74
==28967==    at 0x4022903: malloc (vg_replace_malloc.c:195)
==28967==    by 0x40CA6F0: krb5_rc_resolve_full (in /usr/lib/libkrb5.so.3.3)
==28967==    by 0x40C7954: krb5_get_server_rcache (in /usr/lib/libkrb5.so.3.3)
==28967==    by 0x40C1BB1: krb5_rd_req (in /usr/lib/libkrb5.so.3.3)
==28967==    by 0x40459C1: krb5_gss_accept_sec_context (in /usr/lib/libgssapi_krb5.so.2.2)
==28967==    by 0x40532C2: ??? (in /usr/lib/libgssapi_krb5.so.2.2)
==28967==    by 0x403C318: gss_accept_sec_context (in /usr/lib/libgssapi_krb5.so.2.2)
==28967==    by 0x4058FE0: spnego_gss_accept_sec_context (in /usr/lib/libgssapi_krb5.so.2.2)
==28967==    by 0x403C318: gss_accept_sec_context (in /usr/lib/libgssapi_krb5.so.2.2)
==28967==    by 0x8049AA4: main (squid_kerb_auth.c:500)

I believe the leak relates to this MIT list post: http://mailman.mit.edu/pipermail/krbdev/2009-November/008248.html. Unfortunately, I'm using RHEL 5.5 32bit, yum updated to the most recent RH supported libraries, and the version being used is prior to a fix (v1.6.1). In the case of my gssapi libraries, rpm -q -i -f /usr/lib/libgssapi_krb5.so.2 gives:

Name        : krb5-libs
Relocations : (not relocatable)
Version     : 1.6.1
Vendor      : Red Hat, Inc.
Release     : 55.el5
Build Date  : Tue 30 Nov 2010 07:33:33 PM GMT
Install Date: Thu 20 Jan 2011 11:35:09 AM GMT
Build Host  : x86-006.build.bos.redhat.com
Group       : System Environment/Libraries
Source RPM  : krb5-1.6.1-55.el5.src.rpm
Size        : 1432349
License     : MIT, freely distributable.

So, choices are: attempt to patch, unset KRB5RCACHETYPE and see how much load increases, or enlist the help of RH to see what can be done.

Out of interest: can anyone give a recommendation as to how to work out/get a counter going on the amount of Kerberos auth requests in, say, a 5 min period? A clumsy way is to use cachemgr and note the difference in the number of negotiate auth requests after refreshing the page 5 mins later...

Cheers,
Re: [squid-users] Re: Intermittent SquidKerbAuth 'Cannot allocate memory'
> Can you look at the memory usage of the helper. I am aware of some underlying Kerberos library memory leaks.

Hi Markus,

I've not used valgrind before, but I think I've run it correctly using the following:

kinit [user]
valgrind /usr/lib/squid/squid_kerb_auth_test test-proxy1.fqdn 1 | valgrind --log-file=/root/Desktop/squid_kerb_auth_test-1.val --leak-check=full --show-reachable=yes -v /usr/lib/squid/squid_kerb_auth -d

Results of the log file at the end of this post. However, the output (not in the logfile) on screen during the run differs..

[TOKEN]
BH Invalid request
==21474==
==21474== HEAP SUMMARY:
==21474==     in use at exit: 8,419 bytes in 130 blocks
==21474==   total heap usage: 1,546 allocs, 1,416 frees, 204,494 bytes allocated
==21474==
==21474== LEAK SUMMARY:
==21474==    definitely lost: 1,776 bytes in 2 blocks
==21474==    indirectly lost: 17 bytes in 2 blocks
==21474==      possibly lost: 0 bytes in 0 blocks
==21474==    still reachable: 6,626 bytes in 126 blocks
==21474==         suppressed: 0 bytes in 0 blocks
==21474== Rerun with --leak-check=full to see details of leaked memory
==21474==
==21474== For counts of detected and suppressed errors, rerun with: -v
==21474== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 25 from 10)
BH input error
You have new mail in /var/spool/mail/root

Regards,
Nick

==21105== Memcheck, a memory error detector
==21105== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==21105== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info ==21105== Command: /usr/lib/squid/squid_kerb_auth -d ==21105== Parent PID: 19963 ==21105== --21105-- --21105-- Valgrind options: --21105----log-file=/root/Desktop/squid_kerb_auth_test-1.val --21105----leak-check=full --21105----show-reachable=yes --21105---v --21105-- Contents of /proc/version: --21105-- Linux version 2.6.18-194.26.1.el5PAE (mockbu...@x86-002.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri Oct 29 14:28:58 EDT 2010 --21105-- Arch and hwcaps: X86, x86-sse1-sse2 --21105-- Page sizes: currently 4096, max supported 4096 --21105-- Valgrind library directory: /usr/lib/valgrind --21105-- Reading syms from /lib/ld-2.5.so (0x531000) --21105-- Reading syms from /usr/lib/squid/squid_kerb_auth (0x8048000) --21105-- Reading syms from /usr/lib/valgrind/memcheck-x86-linux (0x3800) --21105--object doesn't have a dynamic symbol table --21105-- Reading suppressions file: /usr/lib/valgrind/default.supp --21105-- REDIR: 0x546730 (index) redirected to 0x3803e483 (vgPlain_x86_linux_REDIR_FOR_index) --21105-- Reading syms from /usr/lib/valgrind/vgpreload_core-x86-linux.so (0x4001000) --21105-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so (0x4003000) ==21105== WARNING: new redirection conflicts with existing -- ignoring it --21105-- new: 0x00546730 (index ) R- 0x04006640 index --21105-- REDIR: 0x5468d0 (strlen) redirected to 0x4006820 (strlen) --21105-- Reading syms from /usr/lib/libgssapi_krb5.so.2.2 (0x2cc000) --21105--object doesn't have a symbol table --21105-- Reading syms from /usr/lib/libkrb5.so.3.3 (0x229000) --21105--object doesn't have a symbol table --21105-- Reading syms from /usr/lib/libk5crypto.so.3.1 (0x20) --21105--object doesn't have a symbol table --21105-- Reading syms from /lib/libcom_err.so.2.1 (0xdc6000) --21105--object doesn't have a symbol table --21105-- Reading syms from /lib/libc-2.5.so (0x55) --21105-- Reading syms 
from /usr/lib/libkrb5support.so.0.1 (0x2c1000) --21105--object doesn't have a symbol table --21105-- Reading syms from /lib/libdl-2.5.so (0x6d6000) --21105-- Reading syms from /lib/libkeyutils-1.2.so (0xdfb000) --21105--object doesn't have a symbol table --21105-- Reading syms from /lib/libresolv-2.5.so (0xdcb000) --21105-- Reading syms from /lib/libselinux.so.1 (0x718000) --21105--object doesn't have a symbol table --21105-- Reading syms from /lib/libsepol.so.1 (0x732000) --21105--object doesn't have a symbol table --21105-- REDIR: 0x5c06a0 (rindex) redirected to 0x4006550 (rindex) --21105-- REDIR: 0x5bbe30 (malloc) redirected to 0x400587e (malloc) --21105-- REDIR: 0x5c1040 (memchr) redirected to 0x40069f0 (memchr) --21105-- REDIR: 0x5c1a30 (memcpy) redirected to 0x4007a70 (memcpy) --21105-- REDIR: 0x5c0300 (strlen) redirected to 0x4006800 (strlen) --21105-- REDIR: 0x5b9990 (free) redirected to 0x4005498 (free) --21105-- REDIR: 0x5c15a0 (mempcpy) redirected to 0x40072d0 (mempcpy) --21105-- REDIR: 0x5bc2a0 (realloc) redirected to 0x400592d (realloc) --21105-- REDIR: 0x5c1540 (memset) redirected to 0x4006b80 (memset) --21105-- REDIR: 0x5bfc30 (index) redirected to 0x40065e0 (index) --21105-- REDIR: 0x5bfe10 (strcpy) redirected to 0x4007d00 (strcpy) --21105-- REDIR: 0x5bfda0 (strcmp) redirected to 0x40068d0 (strcmp) --21105-- REDIR: 0x5c23b0 (strchrnul) redirected to 0x4006c60 (strchrnul) --21105-- REDIR: 0x5c04f0 (strncmp)
[squid-users] Intermittent SquidKerbAuth 'Cannot allocate memory'
Hi List,

From time to time my users experience constant unsatisfiable prompts from squid. Cache.log reports:

2011/01/07 12:04:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Cannot allocate memory'
2011/01/07 12:04:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Cannot allocate memory'

Quickest fix is to 'service squid restart' but I'd like to get to the bottom of how/why this occurs. Squidkerbauth helper can't allocate memory, freezes and refuses to process requests. Has anyone else come across this sort of thing before? Memory leak..? Any suggestions for further debugging welcome.

RHEL5.3 x86, Squid 3.20STABLE, squidkerbauth 1.0.7 (IIRC)

Happy to provide further information,

Thanks,
Re: [squid-users] Intermittent SquidKerbAuth 'Cannot allocate memory'
> What does squid -v report as the version? We don't have a 3.20 release yet.

Sorry - 3.0.STABLE24
[squid-users] Delay pool question
Hi List,

A quick Delay Pool question.. and a favour..

Currently using basic Delay Pool configuration for users:

delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 200/200
delay_access 1 allow !SERVERSUBNETS AuthenticatedUsers
delay_access 1 deny all

Users authenticate via Kerberos, NTLM and then Basic (in that order).

My question is: by using AuthenticatedUsers, does that require another authentication, or is the original one re-used from my acl (acl AuthenticatedUsers proxy_auth REQUIRED) and http_access rule (http_access allow AuthenticatedUsers)?

The favour.. I'd be keen to see others' examples for production delay pools – only if you don't mind sharing :)

Cheers,
Nick
Re: [squid-users] Plz help me ............
On 30/11/2010 10:28, Luis Daniel Lucio Quiroz luis.daniel.lu...@gmail.com wrote:

> On Tuesday 30 November 2010 03:14:54, Ajith P.T wrote:
>> Sir,
>> I have some requirements for the squid configuration
>> 1. Can I give a time quota (not a time range) to each user per day (user1 can use the internet 30 min in a day; he can consume this 30 min at any time in the day)
>
> This is more a radius task than squid
>
>> 2. Can we give a download quota to each user per day (user1 can download 20 MB per day)
>
> Again, radius
>
>> Please help me.

Another suggestion: utilise a provider further up the chain that allows for ICAP modified headers (that include user/group membership) and apply quotas at that level.
[squid-users] Monitoring 407 authentications
Hi List,

I have nailed a few niggles relating to extremely high CPU usage for my authenticators, and I can now clearly look at the requests coming in on the access.log. I use a combination of Kerb/NTLM helpers for my 700 users - majority Kerberos (70/30).

I started tailing the log yesterday and noticed some clients repeatedly attempting to authenticate but failing due to no creds: Mac/PC systems, or local and not domain accounts. The frequency of the requests is very high and therefore hogging some helpers. I can increase the helper amounts but there is a ratio (CPU/auth) that I need to bear in mind. The clients are mainly trying to get out onto the internet to update various software packages but don't have any credentials to do this, hence the repeated, frequent 407s.

Short of visiting these clients to see what's going on (a possibility), is there a way to monitor for these 407 auth requests and flag high-request users that are constantly failing? Some clients occur VERY often and must be hogging helpers, maybe even multiple ones..

Appreciate this is probably more of a *nix question but any help or pointers would be great.

Nick
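Both this question and the earlier one about counting Kerberos auth requests per 5-minute period can be approximated from access.log rather than cachemgr, since each new authentication begins with a 407 challenge. The Python below is an added example, not something posted in the thread: it parses Squid's native access.log format, buckets 407 responses into fixed windows, and flags clients that keep getting challenged but never complete an authenticated request (the user field stays "-"). The log lines are constructed for the example, and the threshold of three challenges is an assumption.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time.ms elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
)

# Constructed sample log: 10.0.0.10 is challenged once and then authenticates as "nick";
# 10.0.0.55 is challenged repeatedly across two 5-minute windows and never succeeds.
SAMPLE_LOG = """\
1289900000.123     0 10.0.0.10 TCP_DENIED/407 3600 GET http://example.com/ - NONE/- text/html
1289900000.456   120 10.0.0.10 TCP_MISS/200 5120 GET http://example.com/ nick DIRECT/192.0.2.10 text/html
1289900001.001     0 10.0.0.55 TCP_DENIED/407 3600 GET http://updates.example.net/check - NONE/- text/html
1289900001.002     0 10.0.0.55 TCP_DENIED/407 3600 GET http://updates.example.net/check - NONE/- text/html
1289900001.003     0 10.0.0.55 TCP_DENIED/407 3600 GET http://updates.example.net/check - NONE/- text/html
1289900301.500     0 10.0.0.55 TCP_DENIED/407 3600 GET http://updates.example.net/check - NONE/- text/html
1289900302.000     0 10.0.0.77 TCP_DENIED/407 3600 CONNECT sw.example.org:443 - NONE/- -
"""


def parse_access_log(lines):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def challenges_per_window(entries, window=300):
    """Count 407 challenges per fixed window, keyed by the window's start epoch."""
    counts = Counter()
    for e in entries:
        if e["status"] == 407:
            counts[e["ts"] - e["ts"] % window] += 1
    return counts


def failing_clients(entries, min_challenges=3):
    """Clients that received at least min_challenges 407s and never completed an
    authenticated request (user field stays '-'). Returns {client: challenge count}."""
    challenged = Counter()
    succeeded = set()
    for e in entries:
        if e["status"] == 407:
            challenged[e["client"]] += 1
        elif e["user"] != "-":
            succeeded.add(e["client"])
    return {c: n for c, n in challenged.items()
            if n >= min_challenges and c not in succeeded}


def analyze(log_text, window=300, min_challenges=3):
    """Run both reports over a block of log text."""
    entries = parse_access_log(log_text.splitlines())
    return challenges_per_window(entries, window), failing_clients(entries, min_challenges)


if __name__ == "__main__":
    per_window, noisy = analyze(SAMPLE_LOG)
    for start, n in sorted(per_window.items()):
        print(f"window starting {start}: {n} x 407")
    for client, n in noisy.items():
        print(f"{client}: {n} challenges, never authenticated")
```

Run it as `tail -n 100000 access.log | python3 this_script.py` after swapping SAMPLE_LOG for `sys.stdin.read()`; the clients it lists are the ones worth visiting, since every one of their challenges still costs a helper round-trip even though it can never succeed.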
Re: [squid-users] DNS timeouts - unable to reduce timeout
Don't know if it's of use but could dnsmasq speed this up?

On 19 Nov 2010, at 19:41, decl...@is.bbc.co.uk decl...@is.bbc.co.uk wrote:

> Hullo.
>
> I have a squid 3.1.9, which has an acl that needs to know the DNS domain name of a target IP (yes, I know it slows things down, but it has to stay).
>
> I have a lot of users viewing Flash streams hosted by Akamai, but Akamai's reverse DNS servers for e.g. 83.231.150.45 are currently completely dead. Squid is taking 90 seconds to give up on the reverse DNS lookup for http://83.231.150.45/fcs/ident2 and proceed with making the connection. Unfortunately, the Flash Player only seems to wait 30 seconds before it declares the content stream broken.
>
> I cannot find a setting to make squid time out DNS faster. I have tried increasing 'negative_dns_ttl', but it didn't seem to have any effect. 'dns_timeout 10 seconds' had no effect either, which surprised me. The only DNS option I am using is 'dns_nameservers 127.0.0.1' which points at a caching BIND. I am not using an external DNS resolver.
>
> Confused.
>
> DW
Re: [squid-users] number of children {startup] [idle]
>> Does this mean that if my squid.conf has..
>>
>> auth_param negotiate children 55 startup=5 idle=10
>>
>> ..5 children will be spawned to begin with when I start squid, and if they all get used then 10 more will spawn automatically (15 total) and then another 10 (25) and so on until 55 children have been reached, and then no more will be spawned? Or am I wrong..
>
> You are correct. :)
>
> hmm, I think we put one "and" too many in that text. Should be a sentence break at "reconfigure. Squid". Fixing...

Amos,

Thanks for clarifying this.. Just tried it on my 3.1.8 using:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 120 startup=70 idle=10
auth_param negotiate keep_alive on

and restarted Squid. Cache.log shows:

2010/11/16 16:36:20| helperOpenServers: Starting 120/120 'squid_kerb_auth' processes

And on shut down I see:

2010/11/16 16:36:19| Open FD UNSTARTED   10 squid_kerb_auth #1
2010/11/16 16:36:19| Open FD UNSTARTED   12 squid_kerb_auth #2
2010/11/16 16:36:19| Open FD UNSTARTED   14 squid_kerb_auth #3
2010/11/16 16:36:19| Open FD UNSTARTED   16 squid_kerb_auth #4
etc etc up to 120

That would say to me that all the helpers have started.. Am I doing something wrong?

Thanks,
Nick
[squid-users] number of children {startup] [idle]
Hi List,

Just a quick question; I've re-read the following a number of times and think I've confused myself:

> The startup= and idle= options permit some skew in the exact amount run. A minimum of startup=N will begin during startup and reconfigure and Squid will start more in groups of up to idle=N in an attempt to meet traffic needs and to keep idle=N free above those traffic needs up to the maximum.
>
> auth_param negotiate children 20 startup=0 idle=1

Does this mean that if my squid.conf has..

auth_param negotiate children 55 startup=5 idle=10

..5 children will be spawned to begin with when I start squid, and if they all get used then 10 more will spawn automatically (15 total) and then another 10 (25) and so on until 55 children have been reached, and then no more will be spawned? Or am I wrong..

Thanks,
Nick
Re: [squid-users] Re: Multiple NICs
Why such a thing against caching? That is the #1 speed gain (about 3-4 orders of magnitude faster to fetch something from RAM cache than the network).

It's nothing personal :) I'll be implementing it soon and wanted to concentrate on other areas first.

You could also possibly check and tune the DNS ipcache/fqdncache sizes

Is the DNS ipcache/fqdncache a Squid setting or OS?

for more entries, and bump the auth cache size up enough to hold all your user credentials.

Could you elaborate on the auth cache size - this sounds interesting. Is that for all authenticated users, whether authed using the ntlm or negotiate helper? I've searched around for more info but not had much luck other than authenticate_ttl. Is it a tag?

To start with TMF (the measurement factory) are looking into a few things right now with regards to the speed of 3.1. There are likely to be some extra speed patches in 3.1.10 next month.

Very much looking forward to seeing these.

Thanks again for your assistance, very much appreciated..

Nick
Squid 3.1.8 RHEL5.5
Re: [squid-users] strip domain/realm from icap header username
On 12/11/2010 13:59, guest01 gues...@gmail.com wrote:

Hi,

We are using squid 3.1.8 (on RHEL5.5 64Bit) as authentication/caching forward proxy and an ICAP server for authorization and content filtering. At the moment, most of the users are authenticated by NTLM (we are planning for Kerberos) and the username is sent to our ICAP server which will do an LDAP lookup. This setup works pretty well for our default domain. If a user from a different, trusted domain is authenticated by NTLM, then the username sent to the ICAP server will look like:

DOMAIN+USERNAME

The ICAP server cannot handle that during the LDAP lookup; the domain part has to be removed. I know that I can do that with Kerberos (there is an -r option in the negotiate_kerberos_auth helper, at least in the 3.2.x branch), but at the moment, I don't have that option for NTLM. Does anyone have any ideas how to easily solve that? (I know that in Freeradius, Freeradius will strip off the domain itself, that's why I am guessing that ntlm_auth cannot do that.) Our plan is to upgrade to Kerberos and get rid of that problem, but if troubles occur, we have to find a way to solve that problem by using NTLM.

The easiest way I figured out is to modify the ModXact.cc file and modify the ICAP header username, e.g. if there is a domain part, remove it. But that would cause some maintenance troubles after upgrades (we must not forget changing this file).

I don't think it is a common problem (NTLM with multiple domains and ICAP); if I am wrong it may be a possible feature request. E.g. adding a new config option for squid.conf which will remove the domain part if enabled and an option for specifying the separator (most likely a +).

best regards
Peter

Not sure if this helps but smb.conf can use the tag:

winbind use default domain = false OR true

If set to 'true' then DOMAIN\ is omitted. Might cause issues for non-domain machines and other such, but it might help..?

Otherwise, if it's your own ICAP service can it be modified to exclude?
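Taking the last suggestion, here is one way an ICAP service could strip the domain part itself before its LDAP lookup, and escape the remainder so the user name cannot alter the query. This is an added example, not code from the thread or from Squid; the separator list and the attribute name are assumptions.

```python
"""Normalise the user name Squid forwards before it goes into an LDAP lookup.

Added example, not code from the thread or from Squid. The NTLM helper can hand
Squid names such as DOMAIN+user (the separator in the thread), DOMAIN\\user, or
user@REALM from the Kerberos helper. The ICAP service in the thread looks the
name up in LDAP, so this strips the domain part and escapes the remainder per
RFC 4515 before it is placed in a search filter. The separator list and the
attribute name are assumptions."""

# Characters that may sit between domain and account name (assumed set).
DOMAIN_SEPARATORS = "+\\/"

# RFC 4515 section 3: these must be escaped inside a filter assertion value,
# otherwise a name like "*)(objectClass=*" rewrites the query itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def strip_domain(username, separators=DOMAIN_SEPARATORS):
    """Return the bare account name.

    DOMAIN+user, DOMAIN\\user and DOMAIN/user become user; user@REALM becomes
    user; a name without a domain part is returned unchanged."""
    name = username.strip()
    # Cut at the leftmost separator present, whichever character it is.
    positions = [name.index(sep) for sep in separators if sep in name]
    if positions:
        name = name[min(positions) + 1:]
    # The Kerberos helper without -r passes user@REALM; keep only the local part.
    name = name.split("@", 1)[0]
    return name


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_for(username, attribute="sAMAccountName"):
    """Build the equality filter the ICAP service would send for this user."""
    bare = strip_domain(username)
    if not bare:
        raise ValueError("no account name left after stripping the domain part")
    return "(%s=%s)" % (attribute, escape_filter_value(bare))


if __name__ == "__main__":
    for sample in ("jsmith", "CORP+jsmith", "OTHERDOM\\jsmith", "jsmith@CORP.EXAMPLE",
                   "CORP+j*smith)(objectClass=*"):
        print("%-32s -> %s" % (sample, ldap_filter_for(sample)))
```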
[squid-users] Re: Multiple NICs
Hi!

I wouldn't think you need multiple network cards to use squid, unless your internet connection is on or above 1GB/s. If your ISP provides you less, I would think a regular gigabit NIC would do the job. Your hard drives probably won't be fast enough to cache data on multiple NICs anyway. We have over 1000 clients, and in the previous setup we used, we had only one 1 GB network interface on our squid. It was sitting in the DMZ, and the connections went through it. It was fine. Had no connection problems.

Tibby

From: Nick Cairncross [nick.cairncr...@condenast.co.uk]
Sent: 8 November 2010 12:13
To: Squid Users
Subject: [squid-users] Multiple NICs

Hi list,

I'm looking at building a couple more 3.1.8 servers on RHEL 5.5 x86. The servers are nicely high-powered and have multiple Gb NICs (4 in total). My previous proxy server (bluecoat) had two NICs. I understand that one was used to listen to requests and send to our upstream accelerator and one was used if the equivalent 'send direct' was used, i.e. bypass the accelerator. Can the list make any thoughts or recommendations about the best way to utilise the NICs for best performance? Can I achieve the same outbound as above? Should I even bother trying to do this? User base would be about 700 users; I'm not caching. Simple ACLs but with two authentication helpers (depending on browser).

Cheers
Nick

Thanks Tibby for your input - sounds sensible. Net connection is fast and wide, so gb should be ok. In that case another question for the list: Seeing as I'm not doing ANY caching at all and just proxying traffic are there any recommendations for squid.conf settings that might optimise my users' experiences (other than caching..). I have fast ACLs where possible in place and my squid.conf is as below. I'm looking for any tips on maximising memory, processes etc from within the squid.conf so that the end user has as quick an experience as possible - Are there any other tags I should look at using?

Server spec is a single cpu Xeon X5660 @ 2.8, 6gb 1333 ram, 250 gb R1

===
http_port 8080

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 80
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

cache_peer [upstream] parent 8080 0 no-query proxy-only no-digest default

cache_mgr [blanked]
cachemgr_passwd [blanked] all

client_persistent_connections on
#server_persistent_connections on
persistent_connection_after_error on

access_log /var/log/squid/access.log squid
cache_store_log none squid
cache_log /var/log/squid/cache.log squid

## Delay Pool Definitions ###
# Total number of delay pools
delay_pools 1

# ACCESS CONTROL LISTS #

## USER-AGENT (Browser-type) ACLs
acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt
acl MSNMessenger browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt

## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED

## URL DESTINATION ACLs
acl URL_ALLOWDstDomains dstdomain /etc/squid/ACL/URL/URL_ALLOWDstDomains.txt

## IP ACLS ##
acl CNP_SERVERIP src 172.16.10.176
acl CNP_SERVERIP src 172.16.100.50
acl CNP_CLIENTIP src /etc/squid/ACL/IPADDRESSES/IP_CLIENTIP.txt

## Windows Update ACLS
acl WSUS_IP src 172.16.10.127

# LAN IP ACLs
acl CNP_172SUBNETS src 172.16.0.0/16
acl CNP_SERVERSUBNETS src 172.16.10.0/24
acl CNP_SERVERSUBNETS src 172.16.100.0/24

# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# MSN Messenger Allow IP ACL
acl IP_MSNMessenger src /etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt

# SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
acl SENDDIRECT_IPAddresses src /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt

# CONNECT Method Direct IP ACLs
acl IP_CONNECTALLOW src /etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt

## LOCALHOST ACLs
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8

## CACHEMGR ACL
acl manager proto cache_object

## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling
[squid-users] Multiple NICs
Hi list,

I'm looking at building a couple more 3.1.8 servers on RHEL 5.5 x86. The servers are nicely high-powered and have multiple Gb NICs (4 in total). My previous proxy server (bluecoat) had two NICs. I understand that one was used to listen to requests and send to our upstream accelerator and one was used if the equivalent 'send direct' was used, i.e. bypass the accelerator. Can the list make any thoughts or recommendations about the best way to utilise the NICs for best performance? Can I achieve the same outbound as above? Should I even bother trying to do this? User base would be about 700 users; I'm not caching. Simple ACLs but with two authentication helpers (depending on browser).

Cheers
Nick
Re: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
On 26/10/2010 03:56, Paul Freeman paul.free...@eml.com.au wrote:

Hi.

I have successfully installed Squid 3.1.8 on Ubuntu 10.04 LTS and have enabled Kerberos/NTLM authentication using the squid_kerb_auth helper. This setup is working well and successfully authenticates Windows domain users when they are logged in using their domain credentials on Windows XP workstations using Internet Explorer (v6, 7 and 8) and Firefox. Squid is configured with two helpers, the first, squid_kerb_auth and the second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a server running Windows Server 2008 R2. The IE8 enhanced security mode is disabled and the logged in user is a standard domain user. The Windows server is joined to the domain and is not a domain controller. The Windows server is up to date with Microsoft patches and updates.

Authentication is failing for some reason. Instead of authenticating silently, the user is prompted for a username and password 6 times before receiving the Cache Access Denied message. If I disable the squid_kerb_auth helper in squid.conf and restart squid, leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:

squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_contect() failed: Unspecified GSS failure. Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2? Is it due to the 64-bit version of IE8 or some unusual interaction between the IE8 version shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on Windows Server 2008 R2 and the proxy server during authentication and would like to assist with investigating the problem further if someone can provide some advice as to where to look.

Regards
Paul

Hi Paul,

Just my thoughts (which are minor in relation to the power of other listers..!):

Are you specifically running the 64-bit version of IE?
How does your DNS look? A/PTR records all in order?
What does kerbtray show?
What encoding for kerberos are you using?
What does klist -ekt keytab show?
Correct FQDN in your browser?

Cheers
Nick
Re: [squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2
On 26/10/2010 14:58, DmitrySh sbro...@inbox.lv wrote:

Nick Cairncross wrote:

Hi Paul,

Just my thoughts (which are minor in relation to the power of other listers..!):

Are you specifically running the 64-bit version of IE?
How does your DNS look? A/PTR records all in order?
What does kerbtray show?
What encoding for kerberos are you using?
What does klist -ekt keytab show?
Correct FQDN in your browser?

Cheers
Nick

I think we can exclude a mistake in the FQDN in the browser, and the 64-bit version of the browser (because I'm using a 32-bit OS and browsers).

In kerbtray I have some keys:

HTTP/squidhostname.domain.com - AES256-CTS-HMAC-SHA1-96
krbtgt/DOMAIN.COM - RSADSI-RC4-HMAC

In the keytab file there are 3 records with different encryption types:

ArcFour with HMAC/md5
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC

What about DNS, how can this affect the helper's work?

Regards,
Dmitry Gorbunov

That seems ok so far. DNS correctness is essential for Kerberos (A and PTR) but that sounds like it's ok for you if other clients are ok. As are SPNs and KVNO. I have 2008 x86 servers in a 2003 AD environment and I don't have any issues with them (that I know of). What's your AD, 2008 or 2003? Did you use msktutil to create your keytab or ktpass? I found a few issues with ktpass. Are you authenticating against the same computer as the squid server or a dummy account?

Here's my set up. I am on Squid 3STABLE20 though..

   6 07/22/10 10:46:26 HTTP/squ...@fqdn (DES cbc mode with CRC-32)
   6 07/22/10 10:46:26 HTTP/squ...@fqdn (DES cbc mode with RSA-MD5)
   6 07/22/10 10:46:26 HTTP/squ...@fqdn (ArcFour with HMAC/md5)
   6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (DES cbc mode with CRC-32)
   6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (DES cbc mode with RSA-MD5)
   6 07/22/10 10:46:26 HTTP/squid1.f...@fqdn (ArcFour with HMAC/md5)

(I generated my keytab to include the short name as well as long)

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Server 2008 shows a key for HTTP/squid1.f...@fqdn RSADSI-RC4-HMAC

I will shortly be building a 3.1.8 squid box for upgrade and can report back on that.

Nick
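Turning the checks discussed above (SPNs for the short and the long host name, KVNO, keytab encryption types versus the enctype kerbtray shows on the client) into something repeatable: an added example, not code from the thread or from Squid, that reads klist -ekt output. The listing, host name and realm it uses are constructed.

```python
"""Check a Squid Kerberos keytab from `klist -ekt` output.

Added example, not code from the thread or from Squid. It parses the listing
format shown above and reports what the thread says to verify when
gss_accept_sec_context() fails for some clients: that the keytab holds the
HTTP SPN for both the short and the fully qualified host name, that it has a key
in the encryption type the client's ticket was issued with (the name kerbtray
shows), and that it does not rely on single-DES keys only. The sample listing,
host name and realm are constructed."""
import re
from collections import defaultdict

# Enctype descriptions as printed by MIT klist -e, mapped to krb5.conf names.
KLIST_TO_KRB5 = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "rc4-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}
# Names Windows tools (kerbtray, klist.exe) show for a ticket's enctype.
WINDOWS_TO_KRB5 = {
    "RSADSI-RC4-HMAC": "rc4-hmac",
    "AES128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

# "   6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (ArcFour with HMAC/md5)"
_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Map principal -> {kvno -> set of krb5 enctype names}."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:  # header, separator and blank lines do not match
            kvno, principal, desc = int(m.group(1)), m.group(2), m.group(3)
            keys[principal][kvno].add(KLIST_TO_KRB5.get(desc, desc))
    return keys


def canonical_enctype(name):
    """Accept a klist description, a Windows name or a krb5.conf name."""
    return KLIST_TO_KRB5.get(name) or WINDOWS_TO_KRB5.get(name) or name.lower()


def check_keytab(klist_text, fqdn, realm, ticket_enctype):
    """Return a list of findings; an empty list means nothing looks wrong."""
    keys = parse_klist(klist_text)
    wanted = canonical_enctype(ticket_enctype)
    short = fqdn.split(".", 1)[0]
    findings = []
    for spn in ("HTTP/%s@%s" % (fqdn, realm), "HTTP/%s@%s" % (short, realm)):
        if spn not in keys:
            findings.append("%s: not in keytab; clients naming the proxy this way "
                            "cannot be validated" % spn)
            continue
        enctypes = set().union(*keys[spn].values())
        if wanted not in enctypes:
            findings.append("%s: keytab has %s but the ticket uses %s; regenerate the keytab "
                            "or align the account's allowed enctypes"
                            % (spn, sorted(enctypes), wanted))
        if enctypes <= WEAK_ENCTYPES:
            findings.append("%s: single-DES keys only; current clients and KDCs "
                            "will not use them" % spn)
        if len(keys[spn]) > 1:
            findings.append("%s: key versions %s present; confirm the account's current "
                            "KVNO is the newest" % (spn, sorted(keys[spn])))
    return findings


# Constructed listing in the format of `klist -ekt /etc/squid/HTTP.keytab`.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (DES cbc mode with CRC-32)
   6 07/22/10 10:46:26 HTTP/squid1@EXAMPLE.COM (ArcFour with HMAC/md5)
   6 07/22/10 10:46:26 HTTP/squid1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   6 07/22/10 10:46:26 HTTP/squid1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    # An RC4 ticket (what Server 2008 showed in the thread) has a matching key...
    print(check_keytab(SAMPLE_KLIST, "squid1.example.com", "EXAMPLE.COM", "RSADSI-RC4-HMAC"))
    # ...an AES-256 ticket (the kerbtray entry in the thread) does not.
    for finding in check_keytab(SAMPLE_KLIST, "squid1.example.com", "EXAMPLE.COM",
                                "AES256-CTS-HMAC-SHA1-96"):
        print(finding)
```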
Re: [squid-users] Re: Problem with SQUID_KERB_LDAP
[...]' (decoded length: 1642).
2010/10/25 14:43:36| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Permission denied

Linux permissions correct for your helper and/or to your keytab?
[squid-users] HA/RHCS Squid Advice
Hi List,

I have two Squid servers in different subnets on different geographical sites (LES link between the two) serving our users. I would like to look into high availability/cluster services so that I can move IP/Hostname around and take one out of commission – quite a simple setup. I'd like some advice on it if possible.

If all I want to be able to do is move a hostname and IP to the other node thereby taking one physical box out of commission to work on what does the list recommend? I need to enable my colleagues (no knowledge of Linux) to do this easily. I'm thinking Red Hat Cluster Services but it seems a bit heavy for this.. I'm just starting to read up on the High Availability project but thought I'd get the question in..

Thanks
Nick
Re: [squid-users] HA/RHCS Squid Advice
On 20/10/2010 12:23, Roberto Suarez Soto r...@allenta.com wrote:

On Wed, 20 Oct 2010 23:58:46 +1300, Amos Jeffries squ...@treenet.co.nz wrote:

So what's wrong with updating the DNS then waiting for the old one's traffic to stop before turning it off?

Adding to this, nsupdate is a tool that comes with Bind that could be used to update the DNS entry when the backup server took the main role, and then again when it returned to backup state. It's quite easy to set up and very flexible.

--
Roberto Suarez Soto
Allenta Consulting
r...@allenta.com
www.allenta.com
+34 881 922 600

Thanks for both suggestions, but just updating DNS causes some of my clients' (particularly Mac) Kerberos to not work - this is because of reverse lookups. I have to move the IP and host name to the other box as swiftly as possible - An assignable VIP for each box seems the option here which I believe HA can do. Just not sure about how Squid will react to this..
Re: [squid-users] reverse proxy
On 04/10/2010 10:51, Amos Jeffries squ...@treenet.co.nz wrote:

On 04/10/10 22:38, Nick Cairncross wrote:

Hi list,

A few idle moments on my hands I wanted to investigate getting a Squid box working behind my ADSL router. Squid would be listening on, say, 80 to incoming requests. ADSL router would be port forwarding 80 to it. I have a machine which runs a lot of web browseable add-ons all listening on different ports (nzb, image library, my EPG for XBMC etc). My setup would be similar to: I own foo.com. If I browse to http://nzb.foo.com traffic would be proxied to my linux box nzb handler, the nzb app would be listening on port 8800 but it would all go over 80. Similarly, I browse to http://image.foo.com and I would be directed to the box's image server listening on port 8081, again traffic would be seen as if over 80. Again if I went to http://epg.foo.com it would be proxied to the EPG listening on 8082. I've not really had any exposure to this sort of thing but I think the concept is possible..? Any pointers or sample confs would be great to get me started…

Nick

http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers

It works best with apps which can be configured with some public domain:port separate from their listening ip:port. Otherwise you get into a bit of trickiness requiring Squid to be listening publicly on the same ports as the app to catch any absolute URLs the apps send out.

Amos,

I managed to get it working once for one IP sending the request onto my parent, but when I tried to add another peer cache for the same IP but different port and also domain I received an error relating to not being allowed to use the same cache_peer IP address, which is fair enough. I've added another IP to my ubuntu (eth0:1) and assigned my webservice to run on that - tested ok directly without squid. However, I must have made a conf file mistake as now it's not working when I go via squid.

My conf is extremely simple as I just want to concentrate on this..:

==
http_port 192.168.1.100:80
cache_peer 192.168.1.101 parent 8800 0 no-query
cache_peer_domain 192.168.1.101 test.test.com
http_access allow all
==

I have a host entry on my pc for the test.test.com domain. Going over 80 to test.test.com results in:

Error - requested URL could not be retrieved
Invalid URL
Some aspect of the URL is incorrect

etc etc

Any pointers gratefully received..

Thanks
Nick
[squid-users] Squid 3 STABLE 20 max_challenge_
Hi list,

Just checking, but the parameters 'max_challenge_reuses' and 'max_challenge_lifetime' can't be used in 3 Stable 20 and there is no equivalent/new directive? I wanted to allow my authenticated users' sessions to be re-used for a certain length of time and amount to trim down on repeated authentications. When added and reconfigured I get:

2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'

I appreciate the replay threat but I need to find a balance..

Thanks,
Nick
Re: [squid-users] got NTLMSSP command 3, expected 1
On 04/10/2010 07:48, guest01 gues...@gmail.com wrote:

got NTLMSSP command 3, expected 1

As you say isn't that because a Kerberos client is trying to send auth and thus not capable of NTLM? Can you track it down to the requesting machine(s) and client? It's like my Mac Safaris can only use NTLM and not Kerberos, only reverse.. I use both helpers. Kerberos auth ordered first and then NTLM second in squid conf.

N
Re: [squid-users] got NTLMSSP command 3, expected 1
On Mon, Oct 4, 2010 at 9:44 AM, Nick Cairncross nick.cairncr...@condenast.co.uk wrote:

On 04/10/2010 07:48, guest01 gues...@gmail.com wrote:

got NTLMSSP command 3, expected 1

As you say isn't that because a Kerberos client is trying to send auth and thus not capable of NTLM? Can you track it down to the requesting machine(s) and client? It's like my Mac Safaris can only use NTLM and not Kerberos, only reverse.. I use both helpers. Kerberos auth ordered first and then NTLM second in squid conf.

N

yes, at least the error messages suggest that a client wants to send kerberos specific data, but squid expected ntlm. But I don't know why, because in general everything is working. But sometimes it is not, then the user will get a browser pop-up asking for credentials (which should not happen either with kerberos or ntlm). A few seconds later it is working again (normally pressing escape a couple of times is enough and then the user is authenticated again by ntlm). I tried to figure out which browser caused that problem, in my case it was FF 3.6.10, but if I remember correctly, then I had the same problem with IE too.

But you are right, if I am using both helpers (ntlm, kerberos) it should not appear, right? So the only working solution is to use kerberos too? Any other possible fixes?

Is the example you are talking about from within Firefox or IE7+? I see the same thing for my non-domain joined machines in Firefox. FF tries Kerberos first and then changes to NTLM on pressing escape. Since they can't get a ticket for a non domain machine my users need to use NTLM as a backup - your cache.log might show something like:

2010/10/04 10:09:53| authenticateAuthenticate: Unexpected change of authentication scheme from 'negotiate' to 'NTLM TlRMTVNTUAABB4IIogAGAbAdDw==' (client 192.168.1.27)

(In Firefox) For me if I press escape I then receive a *slightly* different prompt relating to squid auth. I then enter my ntlm creds (domain\username) and I'm on. Logs show the user account is NTLM auth and not Kerberos. If it WAS a domain joined machine it would be the Kerberos UPN I would see from the start.

In IE if you disabled 'Integrated Windows Authentication' in the settings then I would be able to use NTLM for my non-domain machines as IE wants to use Kerberos otherwise.

As for a 'fix', there isn't one AFAIK. However, some things to think about: is there a delay somewhere relating to NTLM auth? Sometimes not enough helpers, latency, locked accounts, bad lookups/DNS. As yet there is no wrapper for both Kerberos and NTLM, so two helpers it is.
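The log lines quoted in this thread and in the squid_kerb_auth thread above (the 'YR YII...' tokens, "got NTLMSSP command 3, expected 1", the scheme change to 'NTLM TlRM...') all turn on what the base64 token actually is. Here is a small decoder that reports that, so a cache.log line can be tied to a client's behaviour; an added example, not code from the thread or from Squid, and the tokens it decodes are constructed samples rather than captures.

```python
"""Tell which kind of token a client sent in Proxy-Authorization.

Added example, not code from the thread or from Squid. The helper protocol
lines quoted in this thread ("Got 'YR YII...'", "got NTLMSSP command 3,
expected 1", "Unexpected change of authentication scheme from 'negotiate' to
'NTLM TlRM...'") all come down to what the base64 token is: a SPNEGO
NegTokenInit, a bare Kerberos token, or an NTLMSSP message of type 1, 2 or 3.
This decodes the token and reports that. The sample tokens are constructed."""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# DER-encoded OBJECT IDENTIFIER TLVs (tag 0x06 and length included).
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {"MS Kerberos": MS_KRB5_OID, "Kerberos": KRB5_OID, "NTLMSSP": NTLMSSP_OID}


def _gss_mech_oid(raw):
    """Mechanism OID TLV of a GSS-API InitialContextToken (RFC 2743 3.1), or None."""
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    i = 1
    if raw[i] & 0x80:              # long-form length: 0x8n then n length bytes;
        i += 1 + (raw[i] & 0x7F)   # real tokens are >128 bytes, hence "YII" in base64
    else:
        i += 1
    if i + 2 > len(raw) or raw[i] != 0x06:
        return None
    return raw[i:i + 2 + raw[i + 1]]


def classify_token(token_b64):
    """Return (family, detail) for the base64 part of an NTLM/Negotiate header."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return ("invalid", "not valid base64")
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return ("ntlm", "truncated NTLMSSP header")
        msg_type = int.from_bytes(raw[8:12], "little")
        return ("ntlm", NTLM_MESSAGE_NAMES.get(msg_type, "unknown message type %d" % msg_type))
    oid = _gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        offered = [name for name, o in MECH_NAMES.items() if o in raw]
        return ("spnego", ("offers " + ", ".join(offered)) if offered else "offers nothing recognised")
    if oid in (KRB5_OID, MS_KRB5_OID):
        return ("kerberos", "bare Kerberos token")
    if oid is not None:
        return ("gssapi", "unrecognised mechanism")
    return ("unknown", "neither NTLMSSP nor a GSS-API token")


def classify_header(value):
    """Classify a full header value such as 'NTLM TlRM...' or 'Negotiate YII...'.

    A 'Negotiate' scheme carrying raw NTLMSSP is NTLM wrapped in Negotiate; a
    client moving from 'Negotiate' to 'NTLM' is what Squid logs as an
    unexpected change of authentication scheme."""
    scheme, _, token = value.strip().partition(" ")
    family, detail = classify_token(token)
    return (scheme, family, detail)


def _der(tag, content):
    """Minimal DER TLV (short-form length only), used to build the samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _ntlm_message(msg_type):
    """Constructed minimal NTLMSSP message: signature, type, flags, empty fields."""
    return NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(16)


def _spnego_init(mechs):
    """Constructed SPNEGO NegTokenInit listing the given mechanism OIDs (RFC 4178)."""
    neg_init = _der(0x30, _der(0xA0, _der(0x30, b"".join(mechs))))
    return _der(0x60, SPNEGO_OID + _der(0xA0, neg_init))


SAMPLE_NTLM_TYPE1 = base64.b64encode(_ntlm_message(1)).decode()
SAMPLE_NTLM_TYPE3 = base64.b64encode(_ntlm_message(3)).decode()
SAMPLE_SPNEGO = base64.b64encode(_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()

if __name__ == "__main__":
    for header in ("Negotiate " + SAMPLE_SPNEGO, "Negotiate " + SAMPLE_NTLM_TYPE1,
                   "NTLM " + SAMPLE_NTLM_TYPE1, "NTLM " + SAMPLE_NTLM_TYPE3):
        print(classify_header(header))
```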
[squid-users] reverse proxy
Hi list,

A few idle moments on my hands I wanted to investigate getting a Squid box working behind my ADSL router. Squid would be listening on, say, 80 to incoming requests. ADSL router would be port forwarding 80 to it. I have a machine which runs a lot of web browseable add-ons all listening on different ports (nzb, image library, my EPG for XBMC etc). My setup would be similar to: I own foo.com. If I browse to http://nzb.foo.com traffic would be proxied to my linux box nzb handler, the nzb app would be listening on port 8800 but it would all go over 80. Similarly, I browse to http://image.foo.com and I would be directed to the box's image server listening on port 8081 – again traffic would be seen as if over 80. Again if I went to http://epg.foo.com it would be proxied to the EPG listening on 8082. I've not really had any exposure to this sort of thing but I think the concept is possible..? Any pointers or sample confs would be great to get me started…

Nick
Re: [squid-users] Quick question: AuthNTLMUserRequest::authenticate: need to ask helper
For a proxy serving 300 users - doesn't seem extreme.

2010/10/01 11:08:48| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:11:09| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:12:27| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:14:14| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:16:15| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 11:35:52| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:37:26| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:12| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:21| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:38:33| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 13:39:10| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 14:22:08| AuthNTLMUserRequest::authenticate: need to ask helper
2010/10/01 14:24:16| AuthNTLMUserRequest::authenticate: need to ask helper

Out of interest is it possible to see the total amount of connecting IPs (or users..) for one day; IPs being unique. So if, at the end of today, I wanted to say 'today there were 60 unique IPs' that used the proxy.. Or is that more a job for Calamaris or another reporter..?

Nick
Squid3.20STABLE, RHEL5.3x86

On 01/10/2010 13:10, Amos Jeffries squ...@treenet.co.nz wrote:

On 01/10/10 23:46, Nick Cairncross wrote:

Is the cache.log entry AuthNTLMUserRequest::authenticate: need to ask helper just informational to say a user request has come in and needs to be handed to the ntlm helper? Seems obvious but I just wanted to check…

Yes. Is it occurring a lot? I'm not sure it should be at that information level. It seems to be one of the regular auth actions instead of an important problem.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
RE: [squid-users] Re: Re: Tweaking squid_kerb_auth
___
From: Markus Moeller [hua...@moeller.plus.com]
Sent: 27 September 2010 20:41
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Tweaking squid_kerb_auth

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c8c638c1.11799%nick.cairncr...@condenast.co.uk...

Hi Nick,

The only tweaking which might be required is for MIT based libraries on a high load system to disable the replay cache by setting

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c8b7b33a.f61b%nick.cairncr...@condenast.co.uk...

Hi,

Running Kerberos auth ok for a while now and I wanted to look at possibilities of tweaking/optimising it. Current helper conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

400 or so AD users. Squid 3 STABLE 20 at the moment. Not caching, just authenticate and go. What are the list's experiences of increasing children? Resources are not a problem as the machine is VM and I can always grant more. I remember reading something about Kerberos specific option(s) for squid - something to do with re-using tickets but can't remember… could anyone shed some light on it (and their experiences). I will be looking at moving to 3.1. Have the extra startup and idle helped you etc? Have you got any recommendations you have found have helped? I'm interested to hear your experiences/suggestions.

Thanks,
Nick

Hi Markus,

Thanks for your input - I wondered something: I know this question depends on my AD infrastructure but how many requests/ps can the 10 Kerberos children optimally handle? Could I increase it to increase the Kerberos availability - say to 20 children? Or is that a bad idea?

I don't know the effect of increasing the number of children. I assume it is possible to get statistics about how many children are used and how often, but the experts have to answer this.

Also, forgive the obvious but how do I check which libraries I am using again..?

Depends on your OS. On a system with rpm you can do

ldd squid_kerb_auth
linux-gate.so.1 => (0xe000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb77e6000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7747000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb772)
libdes425.so.3 => /usr/lib/libdes425.so.3 (0xb771b000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb76fa000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb76e4000)
libc.so.6 => /lib/libc.so.6 (0xb7588000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb757f000)
libdl.so.2 => /lib/libdl.so.2 (0xb757a000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7576000)
/lib/ld-linux.so.2 (0xb7814000)

rpm -q -i -f /usr/lib/libgssapi_krb5.so.2
Name        : krb5
Relocations : (not relocatable)
Version     : 1.6.3
Vendor      : openSUSE
Release     : 132.8.1
Build Date  : Fri 21 May 2010 01:13:07 BST
Install Date: Sun 15 Aug 2010 21:59:01 BST
Build Host  : langsam
Group       : Productivity/Networking/Security
Source RPM  : krb5-1.6.3-132.8.1.src.rpm
Size        : 1499825
License     : X11/MIT
Signature   : RSA/8, Fri 21 May 2010 01:14:32 BST, Key ID b88b2fd43dbdc284
Packager    : http://bugs.opensuse.org
URL         : http://web.mit.edu/kerberos/www/
Summary     : MIT Kerberos5 Implementation--Libraries
Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of clear text passwords.
Authors: The MIT Kerberos Team, Sam Hartman hartm...@mit.edu, Ken Raeburn raeb...@mit.edu, Tom Yu t...@mit.edu
Distribution: openSUSE 11.1

Thanks,
Nick

Markus,

My rpm reports:

rpm -q -i -f /usr/lib/libgssapi_krb5.so.2
Name        : krb5-libs
Relocations : (not relocatable)
Version     : 1.6.1
Vendor      : Red Hat, Inc.
Release     : 36.el5_5.2
Build Date  : Tue 30 Mar 2010 10:21:17 PM BST
Install Date: Fri 30 Apr 2010 04:21:59 PM BST
Build Host  : hs20-bc2-3.build.redhat.com
Group       : System Environment/Libraries
Source RPM  : krb5-1.6.1-36.el5_5.2.src.rpm
Size        : 1430591
License     : MIT, freely distributable.
Signature   : DSA/SHA1, Mon 05 Apr 2010 04:05:57 PM BST, Key ID 5326810137017186
Packager    : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
URL         : http://web.mit.edu/kerberos/www/
Summary     : The shared libraries used by Kerberos 5.
Description : Kerberos is a network authentication system. The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package.
===

I think this indicates MIT
[squid-users] FATAL: Too many queued negotiateauthenticator requests
Hi,

I've *just* started to see the following error on my squid box and I need some assistance! It primarily serves Kerberos users and NTLM secondary: about 70/30. This comes after I've directed a new batch of users to use squid.

==
2010/09/28 14:53:34| storeDirWriteCleanLogs: Starting...
2010/09/28 14:53:34| WARNING: Closing open FD 69
2010/09/28 14:53:34| Finished. Wrote 0 entries.
2010/09/28 14:53:34| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: Too many queued negotiateauthenticator requests
Squid Cache (Version 3.0.STABLE24): Terminated abnormally.
CPU Usage: 26.745 seconds = 9.560 user + 17.185 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 18800 KB
Ordinary blocks: 18071 KB 84 blks
Small blocks: 0 KB 0 blks
Holding blocks: 8460 KB 35 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 728 KB
Total in use: 26531 KB 141%
Total free: 728 KB 4%
==

My relevant conf:

http_port 172.16.10.197:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
cache_peer myupstreamproxy parent 8080 0 no-query proxy-only no-digest default
http_access allow AuthenticatedUsers
==

The proxy needs to be able to handle up to 400 users at a time, so this is a little worrying.. I've done some digging and noticed some file descriptor things I should check - could anyone help me there? More likely than that is that the helpers are not able to process the requests resulting in a refusal at the browser.

I found something by Henrik (back in 2004!):

So it could simply have been that you have more than 15 or so users authenticating to the proxy at the same time.. NTLM is quite chatty and uses the helpers a lot. It should be possible to make a formula based on the number of concurrent users

numbers_of_helpers = X * number_of_concurrent_users

but I do not have any useful data on what X should be but I would guess around 0.5 or so should be safe.. number_of_concurrent_users is the peak number of users using the proxy at the same time (within one minute).

...and wondered if the calculation is at all valid for Kerberos users? Help would be appreciated!

Thanks
Nick
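Two questions above, the per-day unique IP/user count from the AuthNTLMUserRequest thread and Henrik's numbers_of_helpers = X * number_of_concurrent_users rule of thumb, are worked below over a constructed Squid native-format access.log. This is an added example, not code from the list or from the Squid project; the log lines, client addresses, user names and the 0.5 ratio default are assumptions.

```python
"""Unique clients per day and helper sizing from a Squid native access.log.

Added example, not from the squid-users list or the Squid project.
Native log fields: time elapsed client code/status bytes method URL user
hierarchy/peer type. The user field is '-' for unauthenticated requests
(for example the 407 challenge lines), so those never count as users.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Henrik's guessed X: helpers = X * peak concurrent users (assumption: 0.5)
HELPER_RATIO = 0.5

# Constructed sample log: two UTC days, one 407 challenge without a user.
SAMPLE_LOG = """\
1285941600.123 12 10.0.0.11 TCP_MISS/200 5120 GET http://example.test/ DOMAIN\\alice DIRECT/198.51.100.7 text/html
1285941601.456 0 10.0.0.12 TCP_DENIED/407 3720 CONNECT mail.example.test:443 - NONE/- text/html
1285941602.789 30 10.0.0.12 TCP_MISS/200 2048 CONNECT mail.example.test:443 DOMAIN\\bob DIRECT/198.51.100.8 -
1285941670.000 8 10.0.0.13 TCP_MEM_HIT/200 900 GET http://example.test/a.css DOMAIN\\carol NONE/- text/css
1285941671.000 9 10.0.0.11 TCP_HIT/200 800 GET http://example.test/b.css DOMAIN\\alice NONE/- text/css
1286028000.500 15 10.0.0.14 TCP_MISS/200 4096 GET http://example.test/ DOMAIN\\dave DIRECT/198.51.100.7 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; None if it is malformed."""
    fields = line.split(None, 9)
    if len(fields) < 8:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    user = fields[7] if fields[7] != "-" else None
    return {"when": when, "client": fields[2], "status": fields[3],
            "method": fields[5], "url": fields[6], "user": user}


def iter_entries(log_text):
    """Yield parsed entries, silently skipping lines that do not parse."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            yield entry


def daily_unique(log_text):
    """Per UTC day: count of distinct client IPs and distinct authenticated users."""
    ips = defaultdict(set)
    users = defaultdict(set)
    for e in iter_entries(log_text):
        day = e["when"].date().isoformat()
        ips[day].add(e["client"])
        if e["user"]:
            users[day].add(e["user"])
    return {day: {"ips": len(ips[day]), "users": len(users[day])} for day in ips}


def peak_concurrent_users(log_text):
    """Largest number of distinct authenticated users seen in one calendar minute.

    This is Henrik's number_of_concurrent_users ("within one minute").
    """
    per_minute = defaultdict(set)
    for e in iter_entries(log_text):
        if e["user"]:
            per_minute[e["when"].strftime("%Y-%m-%d %H:%M")].add(e["user"])
    return max((len(s) for s in per_minute.values()), default=0)


def suggested_helpers(peak_users, ratio=HELPER_RATIO):
    """numbers_of_helpers = X * number_of_concurrent_users, rounded up, at least 1."""
    return max(1, math.ceil(ratio * peak_users))


if __name__ == "__main__":
    for day, counts in sorted(daily_unique(SAMPLE_LOG).items()):
        print(f"{day}: {counts['ips']} unique IPs, {counts['users']} unique users")
    peak = peak_concurrent_users(SAMPLE_LOG)
    print(f"peak concurrent users in one minute: {peak}")
    print(f"suggested helpers (X={HELPER_RATIO}): {suggested_helpers(peak)}")
```

On a real access.log, read the file and pass its text to the same functions; the per-minute peak is what the helper formula wants, not the daily unique count.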
Re: [squid-users] Re: Tweaking squid_kerb_auth
Hi Nick,

The only tweaking which might be required is for MIT based libraries on a high load system to disable the replay cache by setting

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c8b7b33a.f61b%nick.cairncr...@condenast.co.uk...

Hi,

Running Kerberos auth ok for a while now and I wanted to look at possibilities of tweaking/optimising it. Current helper conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

400 or so AD users. Squid 3 STABLE 20 at the moment. Not caching, just authenticate and go. What are the list's experiences of increasing children? Resources are not a problem as the machine is VM and I can always grant more. I remember reading something about Kerberos specific option(s) for squid - something to do with re-using tickets but can't remember… could anyone shed some light on it (and their experiences). I will be looking at moving to 3.1. Have the extra startup and idle helped you etc? Have you got any recommendations you have found have helped? I'm interested to hear your experiences/suggestions.

Thanks,
Nick

Hi Markus,

Thanks for your input - I wondered something: I know this question depends on my AD infrastructure but how many requests/ps can the 10 Kerberos children optimally handle? Could I increase it to increase the Kerberos availability - say to 20 children? Or is that a bad idea?

Also, forgive the obvious but how do I check which libraries I am using again..?

Thanks,
Nick
[squid-users] Tweaking squid_kerb_auth
Hi,

Running Kerberos auth ok for a while now and I wanted to look at possibilities of tweaking/optimising it. Current helper conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

400 or so AD users. Squid 3 STABLE 20 at the moment. Not caching, just authenticate and go. What are the list's experiences of increasing children? Resources are not a problem as the machine is VM and I can always grant more. I remember reading something about Kerberos specific option(s) for squid – something to do with re-using tickets but can't remember… could anyone shed some light on it (and their experiences). I will be looking at moving to 3.1. Have the extra startup and idle helped you etc? Have you got any recommendations you have found have helped? I'm interested to hear your experiences/suggestions.

Thanks,
Nick
Re: [squid-users] Strange performance effects on squid during off peak hours
I'm with Leigh - bodiless humans. Scares the shit out of me.

On 15/09/2010 14:41, Amos Jeffries squ...@treenet.co.nz wrote:

On 16/09/10 01:01, Martin Sperl wrote:

Hi everyone,

we are seeing a strange response-time effect over 24 hours when delivering content via Squid+icap service (3.0.STABLE9 - I know old, but getting something changed in a production environment can be VERY hard...). Icap server we use is rewriting some URLs and also rewriting some of the content response.

Essentially we see that during peak hours the Average response time is better than during off-peak hours. Here a report for one day for all CSS files that are delivered with CacheStatus TCP_MEM_HIT (as taken from the extended access-logs of squid) for a single server (all servers show similar effects):

Here the quick overview:

+------+------+-------+
| hour | hits | ART   |
+------+------+-------+
|    0 | 4232 | 0.016 |
|    1 | 4553 | 0.015 |
|    2 | 4238 | 0.015 |
|    3 | 4026 | 0.018 |
|    4 | 1270 | 0.024 |
|    5 |  390 | 0.042 |
|    6 |   61 | 0.054 |
|    7 |  591 | 0.034 |
|    8 |  445 | 0.038 |
|    9 |  505 | 0.035 |
|   10 |  716 | 0.034 |
|   11 | 1307 | 0.030 |
|   12 | 2552 | 0.023 |
|   13 | 3197 | 0.021 |
|   14 | 3567 | 0.020 |
|   15 | 4095 | 0.019 |
|   16 | 4037 | 0.019 |
|   17 | 4670 | 0.017 |
|   18 | 5349 | 0.016 |
|   19 | 5638 | 0.017 |
|   20 | 6262 | 0.014 |
|   21 | 5634 | 0.014 |
|   22 | 4809 | 0.016 |
|   23 | 5393 | 0.016 |
+------+------+-------+

snip

You can see that for off-peak hours (6am UTC: 91% of all requests with TCP_MEM_HIT for css files are >0.030 seconds). As for peak hours most requests are responded at 0.011s and 0.001s (@18:00 with 5.5% of all requests).

I know, that the numbers reported by squid also include some effects of the network itself. But we also see similar effects on active monitoring of html+image downloads within our Span of control (this is one of our KPIs, which we are exceeding during graveyard-shift hours...).

We have tried a lot of things:
* virtualized versus real HW (0.002s improvement during peak hours)
* removing diskcache (uses the default settings compiled into squid when no diskcache is defined - at least the version of squid that we have)
* moving diskcache to ramdisk and increasing it (this has a negative effect!!!) - I wanted to change to aufs, but the binary we have does not support it..
* tuning some linux kernel parameters for increasing TCP buffers

Has someone experienced similar behavior and has got any recommendations what else we can do/test (besides upgrading to squid 3.1, which is a major effort from the testing perspective and which may not resolve the issue either)?

Squid is still largely IO event driven. If the network IO is less than say 3-4 req/sec Squid can have a queue of things waiting to happen which get delayed a long time (hundreds of ms) waiting to be kicked off. Your overview seems to show that behaviour clearly.

There have been some small improvements and fixes to several of the lagging things but I think it's still there in even the latest Squid.

With the knowledge that it only happens under very low loads and self-corrects as soon as traffic picks up; is it still a problem? If so, you may want to contact The Measurement Factory and see if they have anything to help for 3.0.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...
Well, for me it is not so much of a problem since I upstream to an ISP with content/malware protection etc, but it would be nice to be able report on all users of every method. Perhaps someone could enlighten this mail?

My relevant squid.conf is as follows (I have the ACLs defined obviously...)

## GLOBAL DENY RULES
http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS
# POST/CONNECT Method ALLOW #
http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS
## USERS AUTHENTICATION ACL##
http_access allow AuthenticatedUsers

On 30/08/2010 11:39, Tom Tux tomtu...@gmail.com wrote:

Hi Nick

Thank you for this explanation. I think, you're right. Could this eventually be a security-problem, to allow unauthenticated https-traffic with http_access allow CONNECT SSL_ports?

Might be yes, might be no.

Is this behaviour part of a fact with SSL/HTTPS or could this be eventually solved with a future release of squid? Do you allow the CONNECT-method in your setup?

Regards,
Tom

2010/8/28 Nick Cairncross nick.cairncr...@condenast.co.uk:

Tom,

Just to say what I think (since you have almost the same setup as me I think): you will always get that 407 at the moment. Squid requires an authenticated user before allowing the page but you can't authenticate every method (at least that is what I have found) in my setup. Regardless of whether it is ntlm or Kerberos etc. Your rule about connect I think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS because you're just disallowing the CONNECT method (not the same as the GET method) using non-ssl ports otherwise. There's nothing talking about allowing it. I think that's right

Nick

On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

Hi Amos

Thanks a lot for this information. Is it usual/normal, that all https-requests have this error?

1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html

As I already mentioned: The sites, which are denied in the access.log, are normally accessible and appear correctly (this is what I don't understand… mmmh). I think, that I don't have rules, which explicitly require another authentication instead of kerberos. Here is an extract of my squid.conf: The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

When I trace the http/https-traffic with httpfox (firefox-addon), then I got also no errors or denies back.

Thanks a lot for all helps.
Tom

2010/8/27 Amos Jeffries squ...@treenet.co.nz:

Tom Tux wrote:

Hi

For every HTTPS-Site I have the following tcp_denied/407-entry in the access.log:

282895826.492 1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282896033.320 1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html

The sites, which are denied in the access.log, are though accessible, but I have these errors. For me it seems, that squid needs a user authentication. But this should be given with kerberos-authentication, which works fine. I have the following directives configured (as default):

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

Can someone explain this behaviour to me?

CONNECT requests to SSL ports (aka HTTPS) will get past that security barrier and move on to checking your other rules. One of those other rules involves proxy authentication. All requests which require authentication but do not provide it get a 407 or 401 response challenging the browser to provide some credentials. This is true for all authentication types.

Working browsers with access to the required credentials will send them on a followup request and get past that challenge.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.7
Beta testers wanted for 3.2.0.1
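The first-match http_access evaluation Amos describes, and the effect of the reordering Nick suggests (the unauthenticated CONNECT that Tom asks about), worked as an added example. This is an illustration written for this page, not Squid's code: the ACL definitions, the treatment of INTERNET_ACCESS as a credential-requiring ACL, and the request values are assumptions.

```python
"""First-match evaluation of Squid http_access lines (illustration, not Squid code).

Models only the ACL types used in the thread: port, method, a credential-
requiring ACL (proxy_auth or an external_acl using %LOGIN), and 'all'.
"""


class AuthRequired(Exception):
    """Raised when a credential-requiring ACL is reached without credentials."""


# Assumed ACL definitions (Squid's default Safe_ports list is longer than this).
ACLS = {
    "Safe_ports": ("port", {80, 443, 8080}),
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
    # external_acl with %LOGIN: needs an authenticated user, like proxy_auth
    "INTERNET_ACCESS": ("proxy_auth", None),
    "all": ("all", None),
}

# Tom's http_access lines as posted in the thread.
TOM_CONF = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all
"""

# Nick's suggestion: an explicit allow for CONNECT to SSL ports above the auth lines.
REORDERED_CONF = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all
"""


def parse_rules(conf_text):
    """Return [(action, [terms...]), ...] from http_access lines; comments are ignored."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_match(name, req):
    """Evaluate one named ACL against a request dict (method, port, user)."""
    kind, values = ACLS[name]
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "all":
        return True
    if kind == "proxy_auth":
        if req.get("user") is None:
            raise AuthRequired(name)
        return True  # credentials present; assumed valid for this illustration
    raise ValueError(f"unknown ACL kind {kind}")


def term_matches(term, req):
    """A term is an ACL name, optionally prefixed with '!' for negation."""
    negated = term.startswith("!")
    matched = acl_match(term.lstrip("!"), req)
    return (not matched) if negated else matched


def evaluate(rules, req):
    """Return 'allow', 'deny' or '407' (challenge) from the first matching line.

    Terms on one line are ANDed and checked left to right, so a line such as
    'deny CONNECT !SSL_ports' never reaches the auth ACL for a plain GET.
    """
    for action, terms in rules:
        try:
            if all(term_matches(t, req) for t in terms):
                return action
        except AuthRequired:
            return "407"
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    https_no_creds = {"method": "CONNECT", "port": 443, "user": None}
    https_with_creds = {"method": "CONNECT", "port": 443, "user": "DOMAIN\\tom"}
    for label, conf in (("tom", TOM_CONF), ("reordered", REORDERED_CONF)):
        rules = parse_rules(conf)
        print(label, "no creds:", evaluate(rules, https_no_creds),
              "with creds:", evaluate(rules, https_with_creds))
```

With Tom's order the first CONNECT to port 443 gets the 407 challenge and is allowed once credentials arrive; with the allow line moved above the auth lines the same CONNECT is allowed with no credentials at all, which is the trade-off Tom raises.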
Re: [squid-users] Kerberos / SASL for squid_ldap_group
On Mon, 30 Aug 2010 16:32:51 +0200, Maxim Burgerhout ma...@wzzrd.com wrote:

Of course I just bumped into that little gem *after* I sent the previous message to this list... It has the downside of not being included in, or supported by downstream distros though. The major upside of having Kerberos support in Squid's ldap_group helper would be the fact that downstream distros (the Red Hats, Canonicals and Novells of this world) would be more likely to support it. But I just checked out the squidkerbldap project, and it seems to work ok. The fact it handles the Kerberos cache in memory is especially nice.

... yet. Markus submitted it for bundling and it's just passed our upstream QA. It hit Squid-3.2 beta bundles under the name ext_kerberos_ldap_group_acl as of a few days ago. Along with a lot of Kerberos support in other auth-related areas of Squid and associated tools.

Amos

Amos,

Re: 3.2 Does this mean an NTLM and Kerberos authentication helper wrapped in one..? So no need for two helpers..?

Thanks
Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...
Tom,

Just to say what I think (since you have almost the same setup as me I think): you will always get that 407 at the moment. Squid requires an authenticated user before allowing the page but you can't authenticate every method (at least that is what I have found) in my setup. Regardless of whether it is ntlm or Kerberos etc. Your rule about connect I think needs an allow connect ssl_ports ABOVE your allow INTERNET_ACCESS because you're just disallowing the CONNECT method (not the same as the GET method) using non-ssl ports otherwise. There's nothing talking about allowing it. I think that's right

Nick

On 27 Aug 2010, at 10:09, Tom Tux tomtu...@gmail.com wrote:

Hi Amos

Thanks a lot for this information. Is it usual/normal, that all https-requests have this error?

1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html

As I already mentioned: The sites, which are denied in the access.log, are normally accessible and appear correctly (this is what I don't understand… mmmh). I think, that I don't have rules, which explicitly require another authentication instead of kerberos. Here is an extract of my squid.conf: The ACL INTERNET_ACCESS is an external_acl with squid_kerb_ldap:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

When I trace the http/https-traffic with httpfox (firefox-addon), then I got also no errors or denies back.

Thanks a lot for all helps.
Tom

2010/8/27 Amos Jeffries squ...@treenet.co.nz:

Tom Tux wrote:

Hi

For every HTTPS-Site I have the following tcp_denied/407-entry in the access.log:

282895826.492 1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282896033.320 1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html

The sites, which are denied in the access.log, are though accessible, but I have these errors. For me it seems, that squid needs a user authentication. But this should be given with kerberos-authentication, which works fine. I have the following directives configured (as default):

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

Can someone explain this behaviour to me?

CONNECT requests to SSL ports (aka HTTPS) will get past that security barrier and move on to checking your other rules. One of those other rules involves proxy authentication. All requests which require authentication but do not provide it get a 407 or 401 response challenging the browser to provide some credentials. This is true for all authentication types.

Working browsers with access to the required credentials will send them on a followup request and get past that challenge.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.7
Beta testers wanted for 3.2.0.1
Re: [squid-users] TCP_DENIED/407 with JAVA-Applets
Tom,

What does useragent.log say when you use FF?

Nick

On 26/08/2010 09:27, Tom Tux tomtu...@gmail.com wrote:

Hi

I recognised, that for some Java-Applets (http://java.sun.com/applets/jdk/1.4/demo/applets/BarChart/example1.html) I got TCP_DENIED/407-errors in the access.log. Depending on the browser, I got an authentication window or a simple java-error (a x in the browser-window). I searched the forum and found a valid solution for all IE 6.0 (because I'm authenticating with kerberos):

acl JAVA browser Java/1.3 Java/1.4 Java/1.5 Java/1.6
http_access allow JAVA

But with firefox this will not work. Is there a way (perhaps with useragent) to get also the firefox running with the rule above? Or is there also another way to allow java applets instead of allowing the whole java?

Thanks a lot.
Tom
Re: [squid-users] NTLM not working for squid in windows server
I have a related question: I have a Kerberos helper followed by an NTLM helper in my squid setup. I haven't yet figured out a way to deal with non-domain computers. Users are prompted for the login, which they can't ever satisfy. However if they enter their credentials once (e.g. domain\username password) and then cancel the other prompts, they can click the link they were trying to access (contained in the Access Denied page) and they can browse. Access log shows that it's the Kerberos-authenticated user that is allowed access (not NTLM). Is there a better/proper way to allow non-domain computers access using NTLM/Kerberos? Would persistent connections help here?

version: 3.20STABLE

Thanks

On 25/08/2010 01:22, Amos Jeffries squ...@treenet.co.nz wrote:

On Tue, 24 Aug 2010 17:22:09 +0100, José Carlos Correia jcorr...@tintadigital.com wrote:

Dear all,

I have installed Squid in Windows 2008 with NTLM authentication but the browser still prompts for login. I read in the forums that NTLM won't work if:
- the client is not joined to a domain
- the client is configured not to attempt automatic authentication to the proxy
- the client is not MSIE or Firefox (not sure about other browsers)

That last point is false. WMP and Java apps are known to do NTLM. There is no reason other browsers on windows can't do it too.

Add to that list:
- if the server closes the connection all the time behind HTTP/1.0 proxies (ie Squid).

In this case, Squid is replacing an ISA Server. NTLM was working with the ISA server but without any changes to the clients (just replacing the ISA Server by Squid) NTLM doesn't work. The only situation where the browser doesn't prompt for authentication is when the server is added to the Trusted Zone and IE is configured with Automatic login. But this wasn't necessary with the ISA Server. What am I missing?

Thanks,
José Carlos Correia

There has been a lot of testing and checking of NTLM and persistent connections recently in exactly this area. Squid-3.1.7 contains a number of fixes.

Amos
Re: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy
By-pass proxy for local/exchange URL/host, no? Easiest if you use a pac file also and specify the local addresses/subnets i.e. send direct and don't touch the proxy

Nick

On 13/08/2010 14:49, Kale D. Michels kmich...@hri-dho.com wrote:

I have my proxy server set to be used by the majority of my internal users. The problem I am running into is that now that I've upgraded (some time ago) to Exchange Server 2007 I am now having issues between the Outlook 2007 client and the Exchange 2007 server for those users that are configured to pass to the internet through the proxy. The error that shows up just requests for the username and password of the person like it forgot the users credentials that were used to connect to the exchange server. It appears that the emails can be sent and received but it will repeatedly ask users for their credentials. This is not a virus or anything in relation to a malware infection but can be reproduced by turning off the use of the proxy (IE Browser - proxy settings turned off) and outlook will not ask for credentials, and then turn the proxy back on (reverse) and the problem will start again. Let me know if there is a quick fix (port, protocol, acl rule) that can be put into place or an exchange/outlook modification that can be made to resolve this issue.

Thank you,
Kale
Re: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy
Not really on topic for squid now but... My setup being different I can't really add much to help you here, other than I would have thought NOT passing your requests through a proxy server if it's your own internal mail servers is the way to go. Send it direct to your CASs.

Example: have isa in a DMZ forwarding the autodiscover.domain, OWA etc for your mail.domain for external and a split horizon internal DNS. Clients within your LAN use internal dns servers to resolve the above and hence using a PAC file to say 'if my mail.domain send direct' and don't use proxy.

As for the prompting for external HTML that sounds like a browser/auth issue. I don't see that for my ie users. Macs however are a different matter...

Nick

On 13 Aug 2010, at 16:55, Jason Staudenmayer jas...@adventureaquarium.com wrote:

> -----Original Message-----
> From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> Sent: Friday, August 13, 2010 11:28 AM
> To: Kale D. Michels; squid-users@squid-cache.org
> Subject: Re: [squid-users] Exchange Server 2007 + Outlook 2007 + Squid Proxy
>
>> By-pass proxy for local/exchange URL/host, no? Easiest if you use a pac file also and specify the local addresses/subnets i.e. send direct and don't touch the proxy
>>
>> Nick
>>
>> On 13/08/2010 14:49, Kale D. Michels kmich...@hri-dho.com wrote:
>>
>>> I have my proxy server set to be used by the majority of my internal users. The problem I am running into is that now that I've upgraded (some time ago) to Exchange Server 2007 I am now having issues between the Outlook 2007 client and the Exchange 2007 server for those users that are configured to pass to the internet through the proxy. The error that shows up just requests the username and password of the person, like it forgot the user's credentials that were used to connect to the exchange server. It appears that the emails can be sent and received but it will repeatedly ask users for their credentials.
>>>
>>> This is not a virus or anything in relation to a malware infection but can be reproduced by turning off the use of the proxy (IE Browser - proxy settings turned off) and outlook will not ask for credentials, and then turn the proxy back on (reverse) and the problem will start again. Let me know if there is a quick fix (port, protocol, acl rule) that can be put into place or an exchange/outlook modification that can be made to resolve this issue.
>>>
>>> Thank you,
>>> Kale
>
> That sounds like the situation I have here. All users go through a proxy, any email that comes in with web based images gets a popup. If IE doesn't have the proxy set then no images are shown in the email. It's only html email that pull images from the web. AFAIK there's no way around this other than allowing users to bypass the proxy, which kinda defeats the purpose.
>
> Jason
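The split-horizon PAC approach Nick describes (send your own mail.domain direct, everything else to the proxy), written out as an added example that is not from the thread. The host names, the internal zone, the proxy address and the private subnets are placeholders; dnsDomainIs, isPlainHostName and isInNet are normally supplied by the browser's PAC engine and are stubbed here only so the file can be exercised under Node:

```javascript
// Added example (not from the thread): a minimal PAC file that sends traffic
// for the internal Exchange/CAS names and private address space direct and
// everything else via the proxy. Host names, the proxy address and the
// subnets are placeholders/assumptions, not values from the list posts.
//
// Browsers provide dnsDomainIs/isPlainHostName/isInNet themselves; the
// stand-ins below exist only so the file can be run and tested under Node.

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Browser isInNet() resolves names; this stand-in handles dotted-quad hosts only.
function isInNet(host, pattern, mask) {
  const ip = host.split('.').map(Number);
  const net = pattern.split('.').map(Number);
  const m = mask.split('.').map(Number);
  if (ip.length !== 4 || ip.some(Number.isNaN)) return false;
  return ip.every((octet, i) => (octet & m[i]) === (net[i] & m[i]));
}

// Assumed site values (placeholders).
const INTERNAL_DOMAIN = '.corp.example';   // split-horizon internal zone
const MAIL_HOSTS = ['mail.corp.example', 'autodiscover.corp.example', 'owa.corp.example'];
const PROXY = 'PROXY squid1.corp.example:8080; DIRECT';

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Single-label names never leave the LAN: no proxy.
  if (isPlainHostName(h)) return 'DIRECT';
  // Exchange / CAS names and anything in the internal zone go direct,
  // as the replies above suggest, so the proxy never sits in Outlook's path.
  if (MAIL_HOSTS.indexOf(h) !== -1 || dnsDomainIs(h, INTERNAL_DOMAIN)) return 'DIRECT';
  // RFC 1918 space (dotted-quad hosts only in this stand-in).
  if (isInNet(h, '10.0.0.0', '255.0.0.0') ||
      isInNet(h, '172.16.0.0', '255.240.0.0') ||
      isInNet(h, '192.168.0.0', '255.255.0.0')) return 'DIRECT';
  return PROXY;
}
```

When deploying, drop the three stand-in helpers: the browser supplies real ones (its isInNet resolves names, which the stand-in does not), and the trailing "; DIRECT" in PROXY is a deliberate fail-open that you may want to remove if the proxy is the policy enforcement point.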
Re: [squid-users] Real-time images
And that is why I love the Squid community: 10/10

Thanks v much - will have a play with it.

N

On 28/07/2010 16:40, John Doe jd...@yahoo.com wrote:
[squid-users] Real-time images
Hi All,

This is just a curiosity (whilst I have some time on my hands) and not something I want to put into a live environment. I once stumbled across a site which offered a program/plug-in to scan the access.log file and watch for .jpg .gif etc images. These image links were then pulled from the log and then populated onto a constantly refreshing webpage to provide a sort of 'mosaic' of images being viewed live. It sounded...interesting, but I've never been able to find it again.

I wondered if anyone has seen such a thing or developed their own.

Thanks,
Nick
Re: [squid-users] Re: Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN
Hi Markus,

I admit that it could be preferable to do it for each one if the KVNO was to change, but the AD account I use is a dummy computer account and has no physical host so doesn't change. That said, I have tried to do it with a separate account and I get the same result: 2 work, one fails. I have even tried renaming the squid server, disjoining from domain, regenerating the keytab etc. The server is now called squid4 (was squid3).

I have just pcapped port 88 from the client and I have noticed the following:

KRB5KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

The S principal mentioned is the old server (squid3). Obviously that won't work... HOWEVER, if I do it from another machine I see everything working ok! Kerberos capture, ticket etc are all fine with the right name - I don't understand! How can it work for one and not the other? I have destroyed the tickets on both, rebooted etc. Could it be something more specific on my clients? It just doesn't make sense that it is so hit and miss..

Thanks,
Nick

On 17/07/2010 12:09, Markus Moeller hua...@moeller.plus.com wrote:

> Hi Nick,
>
> This is an unusual setup. I wonder how you could get it to work, as a keytab extraction usually changes the AD entry and therefore the key for your 2nd/3rd squid server. I suggest to create three separate AD entries and remove any SPN for HTTP/short-hostname.
>
> Regards
> Markus
>
> Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c8665961.b8ac%nick.cairncr...@condenast.co.uk...
>
>> Hi list,
>>
>> I think I have a problem with one of my SPNs/keytab - wondered if someone could confirm this:
>>
>> 3 x squid boxes on different sites, squid1, squid2 and squid3 are their hostnames. I have one AD account with the SPNs of all on it. Using fqdn for the proxy address to 2 of them results in Kerberos tickets: HTTP/squid1.f...@fqdn and HTTP/squid2.f...@fqdn and everything is fine. However on the third one I get a ticket: HTTP/squid3@ i.e. no fqdn or @FQDN.
>>
>> I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm thinking the working two are using the squid.fqdn and the non-working one is using just 'squid3', hence the issue. Does this sound feasible? I think the answer is drop the 'squidx' from my SPNs and stick with the 'squidx.fqdn', regenerate my keytab and that's it.
>>
>> I have cloned one of the working squid boxes and replaced the non-working one, so this leads me to believe it is the SPN/keytab and not the server.
>>
>> Thoughts welcome!
>> Nickcx
[squid-users] Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN
Hi list,

I think I have a problem with one of my SPNs/keytab - wondered if someone could confirm this:

3 x squid boxes on different sites, squid1, squid2 and squid3 are their hostnames. I have one AD account with the SPNs of all on it. Using fqdn for the proxy address to 2 of them results in Kerberos tickets: HTTP/squid1.f...@fqdn and HTTP/squid2.f...@fqdn and everything is fine. However on the third one I get a ticket: HTTP/squid3@ i.e. no fqdn or @FQDN.

I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm thinking the working two are using the squid.fqdn and the non-working one is using just 'squid3', hence the issue. Does this sound feasible? I think the answer is drop the 'squidx' from my SPNs and stick with the 'squidx.fqdn', regenerate my keytab and that's it.

I have cloned one of the working squid boxes and replaced the non-working one, so this leads me to believe it is the SPN/keytab and not the server.

Thoughts welcome!
Nickcx
Re: [squid-users] auth issue with chrome
Benedikt,

NTLM should be working for Chrome. What does cache.log say? You could also try to use Kerberos for your Firefox clients and then NTLM for Chrome. Placing the helpers in that order (Kerberos first, then NTLM) would allow you to use both - that's what I use. Then you could bin basic auth all together (unless you still want it for, say, Opera). At the moment the squid_kerb_auth helper isn't wrapped up with NTLM, although it would be nice to have - hint hint to the developers :)

On 3 Jul 2010, at 17:56, b1 fo...@b1online.de wrote:

> Hello altogether
>
> As the topic indicates I have a problem with google chrome authenticating against a windows server 2008 active directory. Firefox, for example, works fine. These are the authentication lines I have in my squid.conf:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy server, using basic
> auth_param basic credentialsttl 2 hours
>
> I assume the problem is having ntlm at first position. Google chrome tries to supply my credentials via ntlm, which fails. However unlike firefox it is not offering the basic scheme after canceling the login dialog. Therefore all users with google chrome can't use the proxy. Do you have any ideas of how to address this problem, aside from using basic as standard authentication scheme (which I would like to avoid due to the unencrypted passwords)??? If you need any additional information I am happy to provide it.
>
> Thanks in advance
> Benedikt
[squid-users] Authenticate domain user
Hi All,

I use Kerberos authentication for my domain computers and users. All works well except for the following scenario: If a non-domain PC (i.e. workgroup) is pointed to squid (fqdn) I receive an unsatisfiable login prompt for my squid proxy. After three attempts with domain\username and password, if I then click on the link displayed on the Access Denied squid error (e.g. www.Hotmail.com) I am able to browse the internet. Strange, no?

Cache.log shows for the three fails:

2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

And then shows my token username etc as expected when I click on the 'denied' web-link..

Any help would be greatly appreciated

N
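An added example, not from the thread, that classifies the tokens squid_kerb_auth logs so the 'received type 1 NTLM token' failures above can be counted from cache.log rather than guessed at: a raw NTLMSSP token means a client that answered the Negotiate challenge with NTLM (here, the non-domain PC), while a Kerberos-capable client sends a GSS-API/SPNEGO token. The log lines are constructed; only the message layout of the page's lines is copied, and the tokens are built in the code so they decode correctly:

```javascript
// Added example (not from the thread): classify the base64 tokens that
// squid_kerb_auth logs in cache.log. A client that sends raw NTLMSSP to the
// Negotiate helper is one that has no Kerberos ticket for the proxy (non-domain
// PC, wrong SPN, ...), which is exactly the failure the post above describes.
// All log lines below are constructed for the example.

const NTLMSSP_SIGNATURE = 'NTLMSSP\0';

// Returns 'ntlm-type1' / 'ntlm-type2' / 'ntlm-type3' for raw NTLMSSP tokens,
// 'gssapi' for a GSS-API InitialContextToken (ASN.1 APPLICATION 0 tag 0x60,
// what a Kerberos-capable browser sends under Negotiate), otherwise 'unknown'.
function classifyNegotiateToken(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length >= 12 && buf.toString('latin1', 0, 8) === NTLMSSP_SIGNATURE) {
    const type = buf.readUInt32LE(8);          // NTLM MessageType, little-endian
    return (type >= 1 && type <= 3) ? `ntlm-type${type}` : 'unknown';
  }
  if (buf.length > 0 && buf[0] === 0x60) return 'gssapi';
  return 'unknown';
}

// squid_kerb_auth logs "... Got 'YR <token>' from squid (length: N)."
// 'YR' starts a handshake, 'KK' continues one.
const GOT_RE = /squid_kerb_auth: Got '(YR|KK) (\S+)' from squid/;

// Tallies token classes seen in the log; returns { counts, offendingLines }.
function summarizeKerbAuthLog(lines) {
  const counts = {};
  const offendingLines = [];
  for (const line of lines) {
    const m = GOT_RE.exec(line);
    if (!m) continue;
    const cls = classifyNegotiateToken(m[2]);
    counts[cls] = (counts[cls] || 0) + 1;
    if (cls.startsWith('ntlm')) offendingLines.push(line);
  }
  return { counts, offendingLines };
}

// Constructed sample tokens: an NTLM NEGOTIATE (type 1) message and a GSS-API
// token consisting of the 0x60 tag plus the SPNEGO OID 1.3.6.1.5.5.2 only.
const ntlmType1 = Buffer.concat([
  Buffer.from(NTLMSSP_SIGNATURE, 'latin1'),
  Buffer.from([0x01, 0x00, 0x00, 0x00]),   // MessageType 1 (NEGOTIATE)
  Buffer.from([0x07, 0x82, 0x08, 0xa2]),   // NegotiateFlags
  Buffer.alloc(16),                        // empty domain/workstation fields
]).toString('base64');
const gssToken = Buffer.from([0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02]).toString('base64');

const SAMPLE_CACHE_LOG = [
  `2010/06/30 15:03:56| squid_kerb_auth: Got 'YR ${ntlmType1}' from squid (length: ${ntlmType1.length + 3}).`,
  `2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token`,
  `2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'`,
  `2010/06/30 15:04:01| squid_kerb_auth: Got 'YR ${gssToken}' from squid (length: ${gssToken.length + 3}).`,
];

function demoKerbAuthLog() {
  return summarizeKerbAuthLog(SAMPLE_CACHE_LOG);
}
```

A steady stream of ntlm-type1 hits against the Negotiate helper is the signal that clients are being offered Negotiate but cannot do Kerberos; the fix the thread converges on is to keep squid_kerb_auth first and add an NTLM helper after it rather than to relax the Kerberos side.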
Re: [squid-users] msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)
Missing ldap libraries maybe?

On 28/06/2010 12:32, Tom Tux tomtu...@gmail.com wrote:

> Hi
>
> I'm trying to generate a computer-account with msktutil: I got the following error:
>
> ...
> ...
> - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
> SASL/GSSAPI authentication started
> SASL username: ad...@domain.com
> SASL SSF: 0
> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
> -- ~KRB5Context: Destroying Kerberos Context
>
> I have a valid ticket (klist), initiated with adminu...@domain.com. Has anyone any hints? I see that the msktutil tries with tls (encrypted) on port 389 (ldap) on the domain-controller. Can I use native (unencrypted) ldap?
>
> Thanks a lot.
> Tom
RE: [squid-users] Squid-Cache-Error with NTLM: got NTLMSSP command 3, expected 1
I am happily using Kerberos authentication for my AD domain users. In fact the driving force was less prompts for my Mac users - Safari and some other browsers don't support Kerberos, so I also have a fallback for NTLM auth, but they are much happier using Kerberos (in firefox) and I don't take nearly so many calls... Plus there's one less auth req between my dcs and squid.

AFAIK winbind is used for your NTLM and Samba config but not for Kerberos authentication directly.

Process for AD domain is:
Get your time, network, samba, winbind and Kerberos settings configured and join squid server to the domain
Kinit a user
Create a dummy computer account, add the SPNs and export the keytab using msktutil
Klist -k /location-to-the-keytab file i.e. /etc/squid/HTTP.keytab. This will confirm you have exported the keys properly.
Ensure permissions on the keytab allow squid to use it
Update the init.d/squid startup to use the keytab
Update squid.conf to use the squid_kerb_auth helper

> Are the kerberos-tickets persistent, or do I have to renew them periodically?

Host Kerberos tickets are by default 10 hours. They will renew automatically providing the user (for example) is valid and the SPNs are ok.. and the KVNO doesn't change for the auth account/keytab.

> What happens, if this account will locked out? Is then the squid-access denied?

Locked out account won't matter, you are authenticating your users against AD not the domain account you created.

> Can someone help me with this? Are there some other examples, which describes a promptless login (SSO) with plain kerberos?

Squid wiki howto on Kerberos has the basics, although that example uses Samba to create and export the keytab. I have found this to cause problems as Samba periodically changes the computer account in AD and thus the KVNOs get out of sync, hence the dummy account.

Search this list for squid_kerb_auth, msktutil and Kerberos for more info and help
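For the SPN/keytab question earlier in this archive (HTTP/squid3 versus HTTP/squid3.fqdn, and KVNOs drifting when something re-keys the account) and for the 'klist -k' verification step in the process above, here is an added check that is not from the thread: it parses the text klist -k prints and flags short-hostname SPNs, mixed KVNOs and a missing FQDN entry. The sample output is constructed in the layout MIT klist uses, and the host and realm names are placeholders:

```javascript
// Added example (not from the thread): sanity-check the principals in a Squid
// keytab from `klist -k <keytab>` output. Catches the two problems discussed
// on the list: short-hostname SPNs (HTTP/squid3 instead of HTTP/squid3.fqdn)
// and KVNO drift between entries after the AD account was re-keyed.
// Sample output is constructed; host/realm names are placeholders.

const KLIST_ENTRY_RE = /^\s*(\d+)\s+(\S+)$/;      // "<kvno> <principal>" (klist -k without -e)
const PRINCIPAL_RE = /^([^/@]+)\/([^@]+)@(.+)$/;   // service/host@REALM

// Parses klist -k output into [{kvno, service, host, realm}], skipping the
// "Keytab name:" header and the column rule.
function parseKlistKeytab(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = KLIST_ENTRY_RE.exec(line);
    if (!m) continue;
    const p = PRINCIPAL_RE.exec(m[2]);
    if (!p) continue;
    entries.push({ kvno: Number(m[1]), service: p[1], host: p[2], realm: p[3] });
  }
  return entries;
}

// Returns human-readable findings; an empty list means the keytab looks the
// way the thread recommends (FQDN SPN only, one KVNO, expected realm).
function checkSquidKeytab(entries, expectedFqdn, expectedRealm) {
  const findings = [];
  if (entries.length === 0) findings.push('keytab has no entries (export failed?)');
  const kvnos = new Set(entries.map(e => e.kvno));
  if (kvnos.size > 1) findings.push(`mixed KVNOs ${[...kvnos].join(',')}: account key changed since export`);
  let sawFqdn = false;
  for (const e of entries) {
    if (e.service !== 'HTTP') { findings.push(`unexpected service principal ${e.service}/${e.host}`); continue; }
    if (!e.host.includes('.')) findings.push(`short-hostname SPN HTTP/${e.host}: keep only the FQDN SPN`);
    if (e.realm !== expectedRealm) findings.push(`realm ${e.realm} on HTTP/${e.host} is not ${expectedRealm}`);
    if (e.host.toLowerCase() === expectedFqdn.toLowerCase()) sawFqdn = true;
  }
  if (!sawFqdn) findings.push(`no entry for HTTP/${expectedFqdn}@${expectedRealm}`);
  return findings;
}

// Constructed sample (placeholder names): FQDN and short-name SPNs plus a
// stale entry with a different KVNO.
const SAMPLE_KLIST = [
  'Keytab name: FILE:/etc/squid/HTTP.keytab',
  'KVNO Principal',
  '---- --------------------------------------------------------------------------',
  '   2 HTTP/squid3.corp.example@CORP.EXAMPLE',
  '   2 HTTP/squid3@CORP.EXAMPLE',
  '   3 HTTP/squid3.corp.example@CORP.EXAMPLE',
].join('\n');

function demoKeytabCheck() {
  return checkSquidKeytab(parseKlistKeytab(SAMPLE_KLIST), 'squid3.corp.example', 'CORP.EXAMPLE');
}
```

Feed it the real output (klist -k /etc/squid/HTTP.keytab, run as the user squid drops to, which also proves the keytab permissions step) and compare the KVNO it reports with the msDS-KeyVersionNumber on the AD account; a mismatch is the symptom of the Samba re-keying problem the post describes.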
[squid-users] Active/Backup Squid cluster
Hi All,

I'm just looking into clustering Squid and wanted to see what experiences people have had. Currently we have two non-Squid proxies on two different sites. Each has a virtual IP (the VIP network is extended over the two sites) and a physical IP (though different VLANs)

Site A: VIP 172.16.10.8 IP 172.16.40.60
Site B: VIP 172.16.10.7 IP 172.16.8.60

Each box also has multicast addresses assigned to them, e.g.:

172.16.10.7: 244.0.99.2 244.0.99.1
172.16.10.8: 244.0.99.1 244.0.99.2

Using the config tool of the proxies, you set the priority of each 'home' VIP as 100 and the other site as 50. This means they act on each site, servicing requests etc. However, should one proxy fail I can raise the priority of the other so that it also hosts the VIP of the broken proxy and takes over. All this is a long way round to saying I can flip my users to whatever proxy I want, take one out of commission etc and it works nicely.

I'd like to use something similar in Squid. The added complication is that I use Kerberos authentication, which is dependent on host name. I can't quite see a way to achieve what I want yet.

Any ideas or suggestions welcome,

Thanks
Nick
Re: [squid-users] Active/Backup Squid cluster
Henrik,

See answers:

> Why two VIP and how do clients select which VIP they should connect to?

DHCP scopes for each VLAN are configured with the options for the auto-discovery proxy (i.e. 172.16.10.7). They are using NTLM at the moment so hostname is not a problem. Moving to Kerberos though will be...

> What is the multicast addresses used for?

Comms between the proxies - it's how the VIPs decide their priorities etc. Clients are completely unaware of them.

> I usually do a setup very similar to what you describe by using Linux heartbeat using its ldirectord component for managing the load balancing. This scales to pretty much any number of hosts using one or more VIP.

One thing though is that I'm not wanting to NLB - just have the failover capability if I want it. Does your setup still allow that?

Nick
RE: [squid-users] Squid NTML and auth problems with POST
Just to check, Amos: Squid 3 and above has client_persistent_connections and server_persistent_connections 'on' by default i.e. not required in the conf file unless setting to 'off'... Correct?

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 15 June 2010 12:51
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid NTML and auth problems with POST

Dmitrijs Demidovs wrote:
> Hi list!
>
> I have a problem with Squid and winbind auth. There are a couple of sites (internal CMS systems and external banking sites) which have the same problem - users can not send attached data files using html web forms (http POST method). We have a Squid and Samba/winbind scheme which performs auth of users against the AD domain via NTLM. Everything works just fine except this mystical POST problem. It looks like this:
>
> ===
> 1276593195.910 256 10.1.2.20 TCP_DENIED/407 4500 POST http://www.site.com/admin.php? - NONE/- text/html
> 1276593195.919 7 10.1.2.20 TCP_DENIED/407 4706 POST http://www.site.com/admin.php? - NONE/- text/html
> ===
>
> And if I make a hole in auth for POST method using:
>
> ===
> acl POST method POST
> acl POST_whitelist dstdomain /etc/squid/POST_whitelist.txt
> http_access allow POST POST_whitelist all
> ===
>
> and try to send file via form, then all is working fine again:
>
> ===
> 1276593290.237 438 10.1.2.20 TCP_MISS/200 6752 GET http://www.site.com/admin.php? USER01 DEFAULT_PARENT/10.1.4.2 text/html
> 1276593290.303 2 10.1.2.20 TCP_DENIED/407 4582 GET http://www.site.com/n.php - NONE/- text/html
> 1276593290.307 1 10.1.2.20 TCP_DENIED/407 4788 GET http://www.site.com/n.php - NONE/- text/html
> 1276593290.490 180 10.1.2.20 TCP_MISS/200 413 GET http://www.site.com/n.php USER01 DEFAULT_PARENT/10.1.4.2 text/html
> 1276593305.751 12342 10.1.2.20 TCP_MISS/302 817 POST http://www.site.com/admin.php? - DEFAULT_PARENT/10.1.4.2 text/html
> 1276593305.755 1 10.1.2.20 TCP_DENIED/407 4680 GET http://www.site.com/admin.php? - NONE/- text/html
> 1276593305.761 1 10.1.2.20 TCP_DENIED/407 4886 GET http://www.site.com/admin.php? - NONE/- text/html
> 1276593306.106 344 10.1.2.20 TCP_MISS/302 722 GET http://www.site.com/admin.php? USER01 DEFAULT_PARENT/10.1.4.2 text/html
> 1276593306.110 0 10.1.2.20 TCP_DENIED/407 4684 GET http://www.site.com/admin.php? - NONE/- text/html
> ===
>
> I Googled this and have read a lot of forums, but the only thing that I found yet is that there is some kind of brain damage in the ntlm auth scheme (it performs auth in a couple of iterations, each time sending more and more info about the user, and this is fine for GET but bad for POST). Anyway, it seems that Internet Explorer 8 (and Firefox 3 as well) do not perform additional auth iterations when they get the first 407 while POSTing data.
>
> I have been trying to overcome this problem by using squid configuration directives like auth_param ntlm keep_alive on/off, no_cache and ie_refresh on/off. Unfortunately - no luck for me :(

keep_alive on is highly recommended for Squid older than 3.1. It should be done by default in 3.1+, though I have not yet checked that.

no_cache is useless for this. The no_ part has been obsolete for many years now. And POST data is not cached anyway.

ie_refresh is a hack to get around broken refresh requests from old IE versions. It is only peripherally relevant, in that the refresh bug may by some fluke cause connections to close early sometimes.
NP: persistent_after_error needs to be set as well to help catch these ie_refresh error conditions.

> Is there any solution for this problem except the acl POST hole I made?

a) persistent_connections for both clients and servers is also required. Your proxy appears to be closing the connection and thus requiring a re-auth when a new connection is opened for each request.

b) not using NTLM. Negotiate/Kerberos works better and is recommended over NTLM.

You see this problem ONLY with IE8 and Firefox 3? not with older IE versions?
Then chances are good those 'broken' IE8 and similar are sending Kerberos tokens instead of NTLM ones when challenged.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4
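To find the stuck POST handshakes Dmitrijs's log shows without reading access.log by eye, here is an added example, not from the thread and not Squid's own code: it groups native-format access.log entries by client, method and URL and reports groups that only ever saw TCP_DENIED/407, separately from groups that completed the exchange with a user name and from unauthenticated requests that were let through (the whitelist hole). The sample lines are constructed, with placeholder hosts and users:

```javascript
// Added example (not from the thread): walk a squid native-format access.log
// and find client/method/URL combinations that never got past the 407
// challenge, the pattern the POST entries above show. Log lines are
// constructed; hosts and user names are placeholders.

// Native format: time elapsed client code/status bytes method url user hierarchy/peer type
function parseAccessLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [code, status] = f[3].split('/');
  return {
    time: Number(f[0]), elapsed: Number(f[1]), client: f[2], code, status: Number(status),
    bytes: Number(f[4]), method: f[5], url: f[6], user: f[7], hier: f[8], type: f[9],
  };
}

// A healthy NTLM/Negotiate exchange shows one or two 407s followed by a
// non-407 reply carrying the user name. A stuck group has 407s and nothing
// else; an unchallenged group was allowed through without auth at all.
function findStuckAuthHandshakes(lines) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseAccessLine(line);
    if (!r) continue;
    const key = `${r.client} ${r.method} ${r.url}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const stuck = [], completed = [], unchallenged = [];
  for (const [key, reqs] of groups) {
    const challenges = reqs.filter(r => r.status === 407).length;
    const authed = reqs.find(r => r.status !== 407 && r.user !== '-');
    const rec = { key, challenges, authenticatedAs: authed ? authed.user : null };
    if (authed) completed.push(rec);
    else if (challenges > 0) stuck.push(rec);
    else unchallenged.push(rec);
  }
  return { stuck, completed, unchallenged };
}

// Constructed sample lines in the layout of the page's access.log entries.
const SAMPLE_ACCESS_LOG = [
  // POST that never gets past the challenge
  '1276593195.910 256 10.1.2.20 TCP_DENIED/407 4500 POST http://www.site.example/admin.php? - NONE/- text/html',
  '1276593195.919 7 10.1.2.20 TCP_DENIED/407 4706 POST http://www.site.example/admin.php? - NONE/- text/html',
  // GET completing the handshake normally
  '1276593290.303 2 10.1.2.20 TCP_DENIED/407 4582 GET http://www.site.example/n.php - NONE/- text/html',
  '1276593290.307 1 10.1.2.20 TCP_DENIED/407 4788 GET http://www.site.example/n.php - NONE/- text/html',
  '1276593290.490 180 10.1.2.20 TCP_MISS/200 413 GET http://www.site.example/n.php USER01 DEFAULT_PARENT/10.1.4.2 text/html',
  // Unauthenticated POST that was allowed through by a whitelist hole
  '1276593305.751 12342 10.1.2.20 TCP_MISS/302 817 POST http://www.site.example/upload.php - DEFAULT_PARENT/10.1.4.2 text/html',
];

function demoAccessLog() {
  return findStuckAuthHandshakes(SAMPLE_ACCESS_LOG);
}
```

The unchallenged bucket is the one to watch after adding a whitelist like the one in the post: every entry in it is a request that reached the origin with no user identity attached, so the list doubles as an audit of what the hole lets through.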
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
Just to add: Thanks for this. I've successfully got RR working with Kerberos as you said. It's something I've been interested in as well.

My test setup is:

SQUID1.domain.com 10.0.0.1
SQUID2.domain.com 10.0.0.2
RR DNS record SQUIDS.domain.com for each SQUIDx IP
Computer account in UnixPrincipals OU called SQUIDS

msktutil -u -b OU=UnixPrincipals -s HTTP/squids.domain.com -k /etc/squid/HTTP.keytab --computer-name squids --upn HTTP/squids --server dc1 --verbose -h squids.domain.com

Point browser to squids.domain.com.

Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it..

On 20/05/2010 21:51, Markus Moeller hua...@moeller.plus.com wrote:

> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>
> Regards
> Markus
>
> Amos Jeffries squ...@treenet.co.nz wrote in message news:4bf52c87.9080...@treenet.co.nz...
>
>> Emmanuel Lesouef wrote:
>>> Hello,
>>>
>>> I'm currently satisfied with my round-robin DNS enabled cluster of two Squid with ntlm authentication. But, with the appearance of Windows 7 and Windows 2008, I see by searching for documentation on the web that I need to use Kerberos Authentication if I would like Internet Explorer 8 from 2008 or 7 to work.
>>>
>>> Do you have any advices for achieving this setup? What clustering mechanism do you use. Does the kerberos part of the install need to be customized to support being put in cluster mode (which needs to be defined)?
>>>
>>> Thanks for your helps and docs.
>>>
>>> PS : Testing it will be easy so I think I'll enable Debian Backports repository in order to have 2.7STABLE9.
>>
>> Without having used either, I expect if your clustering setup works with NTLM it will work equally well or better for Kerberos. The two protocols are very much similar, with Kerberos doing away with one of the handshake HTTP reject messages.
>>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] ICAP breaking upload.youtube.com
Hi all,

I've noticed that a few users have reported problems when uploading files to certain sites. For example upload.youtube.com. When a video is selected for upload the upload progress moves along to completion but it never succeeds, eventually timing out. Tracing the client in access.log I see the traffic as a 407 and then 404, 407, 404. To 'fix' this I have a rule to deny ICAP for specified dstdomains held in a text file. Access.log then shows the standard 407 followed by 200.

The same is true when uploading .zip files (uses POST method) to a support site, but not when posting gifs, pngs, jpegs etc. The Deny rule 'fixes' this as well.

Could anyone offer hints as to what might be causing it? Has anyone come across this before?

My ICAP code is:

acl ICAP_BYPASS dstdomain /etc/squid/ACL/ICAP/ICAP_BYPASS_URL.txt
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 deny ICAP_BYPASS
icap_access c1 allow all

Thanks in advance,
Nick
Re: [squid-users] TCP_MISS/000 0 POST
Hi all,

Having investigated this further, the issue is caused when I use the ICAP plugin referenced in my squid.conf. If I remove the lines then I am able to POST the file. Any suggestions?

Thanks

On 06/05/2010 17:35, Nick Cairncross nick.cairncr...@condenast.co.uk wrote:

Hi,

I have a TCP_MISS 000 error being reported for users in the 172.16.0.0 subnet attempting to upload files to a particular internet site. I understand that 000 indicates that the request has been aborted before it could complete? The exact error is:

TCP_MISS/000 0 POST http://[domain removed ]/fileuploads? - DIRECT/domain removed

I have also tried sending direct via the Squid to no avail - if I bypass the Squid entirely it works ok. Any help gratefully received!

Nick

---
My squid conf is:

http_port vh-squid1:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
cache_peer [upstreamserver] parent 8080 0 no-query proxy-only no-digest default
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 allow all
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
useragent_log /var/log/squid/useragent.log
delay_pools 1
delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 400/400
acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt
acl MSNMessenger browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt
acl AuthenticatedUsers proxy_auth REQUIRED
acl URL_ALLOWDstDomains dstdomain /etc/squid/ACL/URL/URL_ALLOWDstDomains.txt
acl CNP_172SUBNETS src 172.16.0.0/255.255.0.0
acl CNP_SERVERSUBNETS src 172.16.10.0/255.255.255.0
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl IP_MSNMessenger src /etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt
acl SENDDIRECT_DstDomains dstdomain /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
acl SENDDIRECT_IPAddresses src /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt
acl IP_CONNECTALLOW src /etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP
acl CONNECT method CONNECT
acl POST method POST
http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS
http_access deny iTunes !CNP_172SUBNETS
http_access deny Java_jvm !CNP_172SUBNETS
http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS
http_access allow iTunes CNP_172SUBNETS
http_access allow Java_jvm CNP_172SUBNETS
http_access allow URL_ALLOWDstDomains
http_access allow AuthenticatedUsers
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
http_access allow localhost
delay_access 1 allow AuthenticatedUsers !CNP_SERVERSUBNETS
delay_access 1 deny all
http_access deny to_localhost
never_direct allow all
snmp_access deny CNP_172SUBNETS
cache deny all
http_access deny all
Re: [squid-users] Re: squid_ldap_auth
What about Kerberos auth and using the squid_kerb_ldap lookup?

cheers

On 07/05/2010 13:45, burbankmarc djo...@mapcommunications.com wrote:

So I guess the only way to get it to work like NTLM is to use NTLM? Well, I'm not sure what we're going to do when we can't use it any longer, but that will work for now.

Thanks all,
David

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-ldap-auth-tp2126169p2134106.html
[squid-users] TCP_MISS/000 0 POST
Hi,

I have a TCP_MISS 000 error being reported for users in the 172.16.0.0 subnet attempting to upload files to a particular internet site. I understand that 000 indicates that the request has been aborted before it could complete? The exact error is:

TCP_MISS/000 0 POST http://[domain removed ]/fileuploads? - DIRECT/domain removed

I have also tried sending direct via the Squid to no avail - if I bypass the Squid entirely it works ok. Any help gratefully received!

Nick

---
My squid conf is:

http_port vh-squid1:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
cache_peer [upstreamserver] parent 8080 0 no-query proxy-only no-digest default
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 allow all
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
useragent_log /var/log/squid/useragent.log
delay_pools 1
delay_class 1 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 400/400
acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt
acl MSNMessenger browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt
acl AuthenticatedUsers proxy_auth REQUIRED
acl URL_ALLOWDstDomains dstdomain /etc/squid/ACL/URL/URL_ALLOWDstDomains.txt
acl CNP_172SUBNETS src 172.16.0.0/255.255.0.0
acl CNP_SERVERSUBNETS src 172.16.10.0/255.255.255.0
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl IP_MSNMessenger src /etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt
acl SENDDIRECT_DstDomains dstdomain /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
acl SENDDIRECT_IPAddresses src /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt
acl IP_CONNECTALLOW src /etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP
acl CONNECT method CONNECT
acl POST method POST
http_access deny !Safe_ports
http_access deny MSNMessenger CNP_172SUBNETS !IP_MSNMESSENGER
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny CONNECT !SSL_Ports !CNP_172SUBNETS
http_access deny POST !SSL_Ports !RTMP_ports !CNP_172SUBNETS
http_access deny iTunes !CNP_172SUBNETS
http_access deny Java_jvm !CNP_172SUBNETS
http_access allow CONNECT CNP_172SUBNETS
http_access allow POST CNP_172SUBNETS
http_access allow iTunes CNP_172SUBNETS
http_access allow Java_jvm CNP_172SUBNETS
http_access allow URL_ALLOWDstDomains
http_access allow AuthenticatedUsers
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
http_access allow localhost
delay_access 1 allow AuthenticatedUsers !CNP_SERVERSUBNETS
delay_access 1 deny all
http_access deny to_localhost
never_direct allow all
snmp_access deny CNP_172SUBNETS
cache deny all
http_access deny all
RE: [squid-users] make squid-3.1.1
Dependencies perhaps - krb5, cyrus-sasl, gss etc?

-Original Message-
From: lieven [mailto:lie...@ba.be]
Sent: 28 April 2010 17:47
To: squid-users@squid-cache.org
Subject: [squid-users] make squid-3.1.1

Dear list and people therein,

I'm currently trying to compile (make) the squid 3.1.1 which I just downloaded from the squid-cache site. The OS is Debian Lenny 64bit. build-essentials was installed. ./configure works fine, I get a make file. Then I run make, it goes along for some time and then stops. (logging included below) If anybody can point me in the good direction to solve this, thank you very much.

...
gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
base64.o:(.rodata+0x0): first defined here
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

kind regards,
Lieven
[squid-users] Squid Conf - Checking
Hi,

I wondered whether I could have an eyeball on my squid.conf. It's very basic regarding access rules as there is a proxy filter further up chain - also I'm not caching. The main purpose is to ensure that where not explicitly allowed via ACL all traffic passes through the squid proxy and heads upstream. I also block on direct HTTP/S access from a client; only the proxy has access out. How does it look, I welcome any suggestions, inclusions or (importantly) glaring errors or omissions! Obviously, I appreciate there is a lot that one might allow like blocking Yahoo Messenger but I guess I'm after glaring errors!

Thanks in advance,
Nick

==
http_port proxy1:8080
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
cache_peer [upstreamproxy] parent 8080 0 no-query proxy-only no-digest default
cache_mgr helpd...@mydomain.com
visible_hostname proxy1.{fqdn}

# ICAP SERVER #
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 allow all

## LOGGING OPTIONS
## LOGGING SWITCHES
log_fqdn on
## LOG LOCATIONS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log squid
useragent_log /var/log/squid/useragent.log squid

## Delay Pool Definitions ###
# Total number of delay pools
delay_pools 1

# ACCESS CONTROL LISTS #
## USER-AGENT (Browser-type) ACLs
acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt
acl MSNMessenger browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt
## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED
## LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
## SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
acl SENDDIRECT_IPAddresses src /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt
# CONNECT Method Direct IP ACLs
acl IP_CONNECTALLOW src /etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt
## LOCALHOST ACLs
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
## QUERY ACLs
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP
# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

## ACCESS RULES #
## GLOBAL DENY RULES - Do NOT include User Authentication ACLs here
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny MSNMessenger 172SUBNETS
http_access allow POST 172SUBNETS
http_access allow CONNECT 172SUBNETS
# USER AGENTS ALLOW #
http_access allow iTunes 172SUBNETS
http_access allow Java_jvm 172SUBNETS
## USERS AUTHENTICATION ##
http_access allow AuthenticatedUsers
http_reply_access allow AuthenticatedUsers
## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
## LOCAL HOST ALLOW ##
http_access allow localhost
## DELAY ACCESS RULES ##
# First delay class pool is User allocated
delay_class 1 4
# First delay class pool is limited to 4mb i.e. all users not in exceptions: SERVERSUBNETS
delay_parameters 1 -1/-1 -1/-1 -1/-1 400/400
#First delay pool applied to Authenticated users except those in Server Subnet
delay_access 1 allow AuthenticatedUsers !SERVERSUBNETS
delay_access 1 deny all
## DENY ##
always_direct deny all
never_direct allow all
snmp_access deny all
cache deny all
http_access deny all
Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error
In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:

When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos?

Thanks
Scott
Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error
Turn on user-agent logging on squid:

useragent_log /pathtoyoursquidlogs/useragent.log squid

tail -f /pathtoyoursquidlogs/useragent.log

This will show you your user-agents hitting squid in realtime.

Acl to create (I had a file I put user-agents for Apple in) - you can use whichever method you want:

acl AppleUserAgents browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt

Put the user-agent you want i.e. Quicktime into the txt file.

Create your allow rule:

http_access allow AppleUserAgents

cheers

On 22/04/2010 16:47, Johnson, S sjohn...@edina.k12.mn.us wrote:

I didn't know I could create an ACL for a browser service. Do you by chance have an example I could reference? (sorry about the dup message; forgot to hit reply all...)

-Original Message-
From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
Sent: Thursday, April 22, 2010 10:10 AM
To: Johnson, S; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid Quicktime RTPS 401 unauthorized error

In times gone by I created an acl for the quicktime browser and disabled authentication for the quicktime user-agent as it would completely break on my macs.

N

On 22/04/2010 16:02, Johnson, S sjohn...@edina.k12.mn.us wrote:

When I try to access a quicktime video through my squid proxy I get the 401 unauthorized error. In my searches I see that 4 years ago people were referencing that 2.5 didn't support RTSP. Now that we're up to 3.x, is RTSP supported? If not, is there a work around to play these videos?

Thanks
Scott
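To see what the rule order in the squid.conf posted for review ("Squid Conf - Checking") and the user-agent allow rule above actually let through, here is a small model of Squid's first-match http_access evaluation with a few lint checks, written as an added example; it is not Squid code and not from either post. CONF is a constructed fragment that keeps the posted rule order but inlines browser regexes instead of loading the /etc/squid/ACL/... files; only src, port, method, browser and proxy_auth ACL types are modelled, and an unauthenticated request that reaches proxy_auth is reported as a 407 challenge.

```python
"""Simplified model of Squid's http_access evaluation, with a few ACL lint checks.

Added example; not Squid's code. CONF is a constructed fragment that keeps the
rule order of the squid.conf posted for review plus the user-agent allow rule
from the QuickTime thread. Only src, port, method, browser and proxy_auth ACLs
are modelled, and browser regexes are inlined instead of read from files.
"""
import ipaddress
import re

CONF = """\
acl Java_jvm browser ^Java/
acl iTunes browser ^(iTunes|QuickTime)
acl AuthenticatedUsers proxy_auth REQUIRED
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 70          # gopher
acl Safe_ports port 70          # gopher (duplicated, as in the posted config)
acl CONNECT method CONNECT
acl POST method POST
http_access allow POST 172SUBNETS
http_access allow CONNECT 172SUBNETS
http_access allow iTunes 172SUBNETS
http_access allow Java_jvm 172SUBNETS
http_access allow AuthenticatedUsers
http_access deny all
"""


def parse_conf(text):
    """Return (acls keyed by lower-cased name, [(action, [terms]), ...])."""
    acls = {"all": {"name": "all", "type": "src", "values": ["0.0.0.0/0"]}}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments
        if not parts:
            continue
        if parts[0] == "acl":
            acl = acls.setdefault(parts[1].lower(),
                                  {"name": parts[1], "type": parts[2], "values": []})
            acl["values"].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acl, req):
    """True/False for a definite result; None when proxy_auth is reached
    without credentials, which Squid answers with a 407 challenge."""
    kind, values = acl["type"], acl["values"]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return any(_port_matches(v, req["port"]) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "browser":
        return any(re.search(v, req.get("user_agent", "")) for v in values)
    if kind == "proxy_auth":
        return True if req.get("user") else None
    raise ValueError("ACL type not modelled: " + kind)


def evaluate(acls, rules, req):
    """First line whose terms all match decides ('allow' / 'deny'); 'challenge'
    for an unauthenticated request that reaches proxy_auth. With no matching
    line, the opposite of the last line's action applies."""
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            m = acl_matches(acls[term.lstrip("!").lower()], req)
            if m is None:
                return "challenge"
            if m == negate:          # this term failed, move to the next line
                break
        else:
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


def lint(acls, rules):
    """Unused ACLs, duplicate ACL values, undefined references, lines shadowed
    by an earlier line that matches everything."""
    findings = []
    used = {t.lstrip("!").lower() for _, terms in rules for t in terms}
    for key, acl in acls.items():
        if key != "all" and key not in used:
            findings.append(f"acl {acl['name']} ({acl['type']}) is defined but unused")
        if len(acl["values"]) != len(set(acl["values"])):
            findings.append(f"acl {acl['name']} lists duplicate values")
    for i, (_, terms) in enumerate(rules, 1):
        for t in terms:
            if t.lstrip("!").lower() not in acls:
                findings.append(f"http_access line {i}: undefined acl {t}")
        if [t.lower() for t in terms] == ["all"] and i < len(rules):
            findings.append(f"http_access line {i} matches everything; later lines unreachable")
    return findings
```

Run against CONF, a POST from the 172.16/16 range is allowed by the first line and never reaches the proxy_auth rule, a plain GET from the same client gets the 407 challenge, a QuickTime user-agent is allowed without credentials, and lint reports the defined-but-unused Safe_ports/SSL_ports ACLs and the duplicated gopher entry.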
Re: [squid-users] SPN case sensitivity culprit for Negotiate/Kerberos Failures +msktutil
Hi Bilal,

Good to hear you've pin-pointed the problem. I'm not one hundred percent sure on all the answers to your questions, but I'll throw in my 10 cents.. It's all a learning curve!

I've just created a new computer account using msktutil and I specified the SPN as HTTP/FuNnYName.{domain}. Checking ADSI showed that the SPN was entered: HTTP/funnyname.{domain}. It was converted into lowercase.

With regards to the UPN, it depends on how it's being used. By default you won't be using it I believe if you are just using it for the standard kerb authentication.. However, I was playing around with the squid_kerb_ldap external acl the other day and my experience was that a UPN was required - but not with the UPN specified as HTTP... Do a search on the list for my problem with it (post is titled 'Squid_ldap_kerb make'). Not exactly an answer but my own experience..

Re: SPN attribute and realms - I'm not sure on this.. Other than the way a computer account and user account differ in authenticating Kerberos.

As for the multiple SPNs in one account... That's up to you. I haven't tried it but I guess you could do it. As you know you can authenticate against an account providing there is an SPN... Is there a chance your keytab would get out of sync for either? If it broke both wouldn't work..

Nick

On 21/04/2010 11:36, GIGO . gi...@msn.com wrote:

Dear Markus/Nick/All,

After a great struggle and help (I got from you people) I managed to resolve the issue, however I have a few confusions which I wish to ask you about please.

1. First of all I traced down my problem to SPN name case sensitivity: the case for the ServicePrincipalName attribute as seen through the ADSIEDIT.msc tool was different from the value my klist -ke was showing.

According to ADSIEdit.msc:
servicePrincipalName == HTTP/squidlhrtest.v.local
userPrincipalName == HTTP/squidlhrtest.v.lo...@v.local

Whereas klisting the SPN as stored in my keytab:
2 HTTP/squidlhrtest.v.lo...@v.local (DES cbc mode with CRC-32)
2 HTTP/squidlhrtest.v.lo...@v.local (DES cbc mode with RSA-MD5)
2 HTTP/squidlhrtest.v.lo...@v.local (ArcFour with HMAC/md5)

After diagnosing the problem I tried recreation of the keytab/SPN through the msktutil utility, however to no benefit. But then I changed my hostname (the squid machine's) all to lowercase and recreated the keytab and it worked. I confirmed that it matched the one as stored in the Active Directory. Kerberos/negotiate was working.

Although I have studied that the Microsoft SPN is case insensitive, does this also mean that Microsoft will always store the SPN in lower case no matter how you have given the name in your msktutil command?

The second thing is: what is the role of the UPN here? I mean why is a UPN required when creating an SPN with computer objects? I can understand that it's some kind of linkage but I am not sure and clear about the purpose? Also why does the SPN attribute have no realm name appended in the output while the UPN has a realm name appended in the output when seeing it through ADSIEDIT.msc?

Another question is that as I am using SARG configured with Apache I am looking forward to SSO for Apache also with Kerberos. Now the keytab/SPN for squid SSO is already created here as:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose

Right now to my understanding a keytab can have keys from multiple services, so this means that I can have the same keytab used for both squid and Apache? For example I think the following command will append the keytab file with the following new keys. I guess that only computer-name is to be changed and the rest of the same command will do as far as the keytab creation is concerned. (Apache specific settings are a separate story which is definitely out of scope here.) The command to my understanding which will append keys to be used by Apache:

msktutil -c -b CN=COMPUTERS -s HTTP/squidlhrtest.v.local -h squidlhrtest.v.local -k /etc/squid/HTTP.keytab --computer-name apache-http --upn HTTP/squidlhrtest.v.local --server vdc.v.local --verbose

But why should Apache and squid not share a single keytab? As after all they are both HTTP in the end. Isn't creating a separate key/SPN for Apache redundant, or is it a must?

Another somewhat similar question is that my Active Directory setup has a single forest with one parent A and two children B and C. The internet users are only in children A and B. What would be the way to handle SSO? I have not much clarity; can anybody please advise? ...How would I be pointing to the multiple realms? Would I duplicate the exact setup which I have done for 1 domain and somehow (I am unclear) update squid accordingly?

I would be really thankful to all of you for guidance/help.

best regards,
Bilal Aslam
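A check for the mismatch Bilal ran into, as an added example that is not from the thread: it parses klist -ke style output and the servicePrincipalName / userPrincipalName values as read from ADSI Edit, and reports host-name case differences, realm differences and legacy DES/RC4 keys. The keytab listing, the mixed-case host (standing in for the pre-rename hostname) and the V.LOCAL realm spelling are constructed; Kerberos compares principal names case-sensitively while AD does not, which is why the keytab has to use exactly the spelling AD returns.

```python
"""Compare the principals in an HTTP keytab with the SPN/UPN that AD stores.

Added example, not from the thread. All input below is constructed; the
mixed-case host stands in for the pre-rename hostname the poster described.
"""
import re

KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (DES cbc mode with CRC-32)
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (DES cbc mode with RSA-MD5)
   2 HTTP/SquidLhrTest.v.local@V.LOCAL (ArcFour with HMAC/md5)
"""
AD_SPN = "HTTP/squidlhrtest.v.local"           # servicePrincipalName: no realm
AD_UPN = "HTTP/squidlhrtest.v.local@V.LOCAL"   # userPrincipalName: realm appended

# "   2 HTTP/host@REALM (enctype)" -> kvno, service, host, realm, enctype
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\((.+)\)\s*$")
LEGACY_ENCTYPE = re.compile(r"des|arcfour|rc4", re.IGNORECASE)


def parse_klist(text):
    """Return one dict per key line: kvno, service, host, realm, enctype."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append({"kvno": int(kvno), "service": service, "host": host,
                            "realm": realm, "enctype": enctype})
    return entries


def check_keytab(klist_text, ad_spn, ad_upn):
    """Return findings as strings; an empty list means every key agrees with
    AD byte for byte (Kerberos principal comparison is case-sensitive)."""
    spn_service, _, spn_host = ad_spn.partition("/")
    upn_realm = ad_upn.rpartition("@")[2]
    entries = parse_klist(klist_text)
    if not entries:
        return ["no principals found in keytab"]
    findings = []
    for e in entries:
        p = f"{e['service']}/{e['host']}@{e['realm']}"
        if (e["service"], e["host"].lower()) != (spn_service, spn_host.lower()):
            findings.append(f"{p}: no servicePrincipalName in AD matches this key")
        elif e["host"] != spn_host:
            findings.append(f"{p}: host case differs from AD value {spn_host}")
        if e["realm"] != upn_realm:
            findings.append(f"{p}: realm {e['realm']} differs from UPN realm {upn_realm}")
        if LEGACY_ENCTYPE.search(e["enctype"]):
            findings.append(f"{p}: legacy enctype '{e['enctype']}', prefer AES keys")
    return findings


if __name__ == "__main__":
    for finding in check_keytab(KLIST_OUTPUT, AD_SPN, AD_UPN):
        print(finding)
```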
[squid-users] Primary, Secondary, Tertiary Squid proxies
Hi,

I would like to configure my proxies to route via different boxes if the primary upstream is unavailable. I have three Squid boxes all at different sites. All three have the entry:

cache_peer upstream.isp.com parent 8080 0 no-query default

All three are the same, utilising Kerberos authentication, hooking into an ICAP server. All working ok - users authenticate, ICAP manipulation then passed upstream.

What I want is if the upstream at site A is unavailable I would like to route to site B, and then site C to pass to the upstream. Likewise at Site B, site A, site C. And again at site C, site B and site A. I think I need to be looking at something like this.. I'm not using caching by the way:

SiteA proxy:
cache_peer upstream.isp.com parent 8080 0 no-query no-digest default
cache_peer siteb.[mydomain] sibling 8080 0 no-query no-digest
cache_peer sitec.[mydomain] sibling 8080 0 no-query no-digest

Do I also need additional conf lines to say send upstream and don't do any auth/ICAP etc or is it as simple as getting the right lines above and it'll automatically go upstream? Could anyone offer some pointers?

Thanks in advance,
Nick
Re: [squid-users] Squid HTTP Keytab SPN question
Hi Khaled, It would appear that this was a freak error caused by my particular test machine/account. Testing from other test machines and account proved that it was working. A reboot resolved it.. Thanks, Nick On 15/04/2010 12:00, Khaled Blah khaled.b...@googlemail.com wrote: Hi Nick, I believe a decrypt integrity check implies that the wrong key is being used to decrypt the user's Kerbereros ticket. The KVNO might be correct but the key is not. I am using net to create a keytab. It's rather easy, simply create a smb.conf if you don't have one already for the auth1 account (Netbios name = AUTH1), then do net ads join and then net ads keytab add http. This will cause net to create a keytab with the correct keys and the correct KVNO. Regards, Khaled 2010/4/15 Nick Cairncross nick.cairncr...@condenast.co.uk: Hi Khaled, The reason is that I am also running Samba, which periodically and sometimes 'randomly' updates the machine account in AD (squid1) and throws out the KVNO, and thus the exported squid keytab HTTP.keytab becomes invalid. Using a different account (auth1) means I can run a cron job to run msktutil to update the keytab and keep the KVNO/keytab in sync, and not touching the actual host computer account. I have got the separate account working up to the point that the cache.log now just reports a Decrypt integrity check failed. I am prompted for my username and password. Entering this allows me to get on the internet and cache.log shows my username. I understand the error message to be an 'incorrect password' type of message but it doesn't quite make sense.. Any pointers from the list? Nick On 15/04/2010 02:47, Khaled Blah khaled.b...@googlemail.com wrote: Hi Nick, what I don't get in your question is this: if squid is already joined to your domain as squid1, why create another machine account auth1? Maybe I missed out on something. Your msktutil parameters look fine though. 
Regards, Khaled 2010/4/14 Nick Cairncross nick.cairncr...@condenast.co.uk: Hi, I'd like confirmation of something is possible, but first best to detail what I want: I want to use a separate computer account to authenticate my users against. I know that this requires an HTTP.keytab and computer in AD with SPN. I would like to use MKTSUTIL for this. If my proxy server is called SQUID1 and is already happily joined to the domain then I need to create a new machine account which I will call AUTH1. 1) Do I need to create a DNS entry for AUTH1 (with the same IP as SQUID1)? 2) If so, do I need just an A record? 3) I have evidently got confused over the msktutil switches and values and so I'm specifying something wrong. What have I done? See below... I used this command after a kinit myusername: msktutil -c -b CN=COMPUTERS -s HTTP/squid1.[mydomain] iz -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose This created the computer account auth1 in the computers ou, added HTTP/squid1.mydomain to SPN and HTTP/squid1.mydom...@mydomain to the UPN. It also created the keytab HTTP.keytab. Klist reports: 2 HTTP/squid1.[mydoma...@[mydomain] 2 HTTP/squid1.[mydoma...@[mydomain] 2 HTTP/squid1.[mydoma...@[mydomain] However cache.log shows this when I then fire up me IE 2010/04/14 14:52:46| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name' Thanks as always, Nick ** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. 
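The two failures in this thread, the "No principal in keytab matches desired name" GSS error and the stale-key problem behind Nick's KVNO drift and Khaled's "wrong key, right KVNO" remark, can both be checked from the proxy with the MIT tools. This is an added example, not code from any list post, Squid or msktutil; hostnames, realm and the captured command output are constructed, and the `klist -kte` / `kvno` / `kinit -k` invocations are the standard MIT ones.

```python
"""Check a Squid HTTP keytab against what the KDC currently expects.

Added example for this thread (not from Squid, msktutil or any list post).
  * MISSING: no HTTP/<fqdn>@REALM entry as the helper resolves it (case counts)
    -> gss_acquire_cred: "No principal in keytab matches desired name"
  * STALE: keytab KVNO differs from the KVNO the KDC now issues (Samba or a
    re-join rotated the key) -> "Key version number ... is incorrect"
  * same KVNO but a different key -> "Decrypt integrity check failed"; only a
    live kinit with the keytab (run_live) can prove that one.
Parsing works on captured MIT klist/kvno text so it runs offline.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of `klist -kte /etc/squid/HTTP.keytab` (MIT layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/14/2010 14:40:01 HTTP/squid1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/14/2010 14:40:01 HTTP/squid1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/14/2010 14:40:01 HTTP/squid1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
# Constructed sample of `kvno HTTP/squid1.example.com@EXAMPLE.COM`, taken after
# the account password was reset behind the proxy's back: the KDC is now at 3.
SAMPLE_KVNO = "HTTP/squid1.example.com@EXAMPLE.COM: kvno = 3\n"

# "   2 04/14/2010 14:40:01 HTTP/host@REALM (enctype)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\((\S+)\))?\s*$")


def parse_klist(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map principal -> [(kvno, enctype), ...] from `klist -kte` output."""
    entries: Dict[str, List[Tuple[int, str]]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:  # "Keytab name:" line, column header, dashed separator
            continue
        entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3) or "?"))
    return entries


def parse_kvno(text: str) -> Dict[str, int]:
    """Map principal -> kvno from `kvno` output ("princ@REALM: kvno = N")."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+):\s+kvno\s*=\s*(\d+)", text, re.M)}


def diagnose(klist_text: str, kvno_text: str, fqdn: str, realm: str) -> str:
    """One-line verdict starting with OK, MISSING, STALE or UNKNOWN."""
    want = f"HTTP/{fqdn}@{realm}"
    keytab = parse_klist(klist_text)
    if want not in keytab:
        # Kerberos principal names are case-sensitive: HTTP/Squid1.x != HTTP/squid1.x
        near = [p for p in keytab if p.lower() == want.lower()]
        hint = f" (keytab has {near[0]}; case differs)" if near else ""
        return f"MISSING: {want} not in keytab{hint} -> No principal in keytab matches desired name"
    have = sorted({k for k, _ in keytab[want]})
    kdc: Optional[int] = parse_kvno(kvno_text).get(want)
    if kdc is None:
        return f"UNKNOWN: KDC reported no kvno for {want} (no TGT in the cache? kinit first)"
    if kdc in have:
        return f"OK: keytab kvno {kdc} matches the KDC (if auth still fails, the key itself is wrong: regenerate)"
    return f"STALE: keytab kvno {have} but KDC issues kvno {kdc} -> Key version number for principal in key table is incorrect"


def run_live(fqdn: str, realm: str, keytab: str = "/etc/squid/HTTP.keytab") -> str:
    """Run the real commands (MIT tools; `kvno` needs a TGT in the default cache)."""
    princ = f"HTTP/{fqdn}@{realm}"
    kl = subprocess.run(["klist", "-kte", keytab], capture_output=True, text=True, check=True).stdout
    kv = subprocess.run(["kvno", princ], capture_output=True, text=True, check=True).stdout
    verdict = diagnose(kl, kv, fqdn, realm)
    if verdict.startswith("OK"):
        # Definitive key test: authenticate *as* the service with the keytab. Only works
        # when the principal is also the account's UPN, as msktutil --upn sets it above.
        r = subprocess.run(["kinit", "-k", "-t", keytab, "-c", "MEMORY:keytab-check", princ],
                           capture_output=True, text=True)
        verdict += " | kinit -k: " + ("key OK" if r.returncode == 0 else f"FAILED ({r.stderr.strip()})")
    return verdict


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, SAMPLE_KVNO, "squid1.example.com", "EXAMPLE.COM"))
```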
Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
Bilal,

I think we're doing a similar thing here! See my post earlier about SPN. I think you need to be using the fqdn of the machine in the HTTP/ SPN and UPN and not just the domain. Also check your DNS and local hosts entries. E.g.:

msktutil -c -b CN=COMPUTERS -s HTTP/squid1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose

Nick

On 15/04/2010 07:22, GIGO . gi...@msn.com wrote:

Dear Markus/all,

I am unable to create the keytab using msktutil. Please help me out; I followed the following steps:

1. I created an OU and named it UnixOU.
2. I created a group account in the UnixOU and named it UnixAdmins.
3. I made my Windows account bilal_admin part of the UnixAdmins group.
4. I set the settings of UnixOU to be managed by UnixAdmins.
5. Then I synced the time of the Squid machine and Active Directory.
6. My domain's fully qualified domain name is v.local and its NetBIOS name is V.
7. My domain controller name is vdc (fqdn=vdc.v.local).
8. The following lines were changed in krb5.conf, the rest being untouched:
[libdefaults]
default_realm=V.LOCAL

[realms]
V.LOCAL = {
kdc = vdc.v.local:88
admin_server = kerberos.example.com:749   (this was not changed; does it matter at the step of creating the keytab?)
default_domain = example.com   (unchanged)
}

Then I ran the following commands to create the keytab:

kinit squidad...@v.local
msktutil -c -b OU=unixPrincipals -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose

Output of the command:

-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL/GSSAPI authentication started
SASL username: squidad...@v.local
SASL SSF: 56
SASL installing layers
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- get_short_hostname: Determined short hostname: squidLhrTest-v-local
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for squid-http$ exists
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

Please help me resolve the issue.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Fri, 9 Apr 2010 08:10:19 +0100
Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.

Hi Bilal,

I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I then create a Windows group UnixAdministrators and add the Windows account of the UnixAdministrators to it. Finally I change the permissions on OU=UnixPrincipals so that the members of the group UnixAdministrators have full rights (or limited rights) for objects under this OU.

Regards
Markus

GIGO . wrote in message news:snt134-w395b3433738667ded2186eb9...@phx.gbl...

Markus, I could not get you; please can you elaborate a bit. Thank you all!

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:04:30 +0100
Subject: [squid-users] Re: Creating a kerberos Service Principal.

BTW you do not need Administrator rights. You can set permissions for different groups on OUs, for example for Unix Kerberos Admins.

Markus

Khaled Blah wrote in message news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...

Hi Bilal,

1. ktpass and msktutil practically do the same: they create keytabs which include the keys that squid will need to decrypt the ticket it receives from the user. However ktpass only creates a file which you will then have to securely transfer to your proxy server so that squid can access it. Using msktutil on your proxy server, you can get the same keytab without having to transfer it.
[squid-users] Squid HTTP Keytab SPN question
Hi,

I'd like confirmation that something is possible, but first it's best to detail what I want: I want to use a separate computer account to authenticate my users against. I know that this requires an HTTP.keytab and a computer in AD with an SPN. I would like to use MSKTUTIL for this. If my proxy server is called SQUID1 and is already happily joined to the domain then I need to create a new machine account which I will call AUTH1.

1) Do I need to create a DNS entry for AUTH1 (with the same IP as SQUID1)?
2) If so, do I need just an A record?
3) I have evidently got confused over the msktutil switches and values and so I'm specifying something wrong. What have I done? See below...

I used this command after a kinit myusername:

msktutil -c -b CN=COMPUTERS -s HTTP/squid1.[mydomain] iz -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose

This created the computer account auth1 in the Computers OU, added HTTP/squid1.mydomain to the SPN and HTTP/squid1.mydom...@mydomain to the UPN. It also created the keytab HTTP.keytab. Klist reports:

2 HTTP/squid1.[mydoma...@[mydomain]
2 HTTP/squid1.[mydoma...@[mydomain]
2 HTTP/squid1.[mydoma...@[mydomain]

However cache.log shows this when I then fire up my IE:

2010/04/14 14:52:46| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name'

Thanks as always,
Nick
Re: [squid-users] Re: Re: Re: Re: SSO with Active Directory-Squid Clients
Markus,

I understand your advice but I wanted to clarify the last paragraph also. If I have already used Samba to join my machine to the domain and want to have the Samba service still running to permit shares for Squid administration and other things, do you mean use the msktutil tool to create another NEW computer account solely for the purpose of Squid authentication? If so, does this require a DNS entry etc.? The example on the Squid Wiki re: Kerberos suggests: 'Create keytab for HTTP/fqdn with msktutil. (If used together with samba net join use another computer name than the hostname used by net join)'. That means having two computer accounts. I'm a bit unsure of the best way to have Samba running and create an independent 'method' for Squid authentication, given that Samba modifies its computer account and throws the KVNO out for the exported keytab. Any ideas or pointers would be great.

Nick

On 09/04/2010 08:16, Markus Moeller hua...@moeller.plus.com wrote:

Hi Bilal,

What you do is a possible option, but has in my view 3 problems.

1) In a large enterprise you really do not want additional user accounts without password expiry as you have to have a process in place to recertify them regularly.
2) It means when the administrator leaves you have to change all passwords of keytab accounts as it might otherwise be a backdoor.
3) Do not use DES; it is deprecated in Windows 7/2008 and will be in the next MIT/Heimdal releases.

The msktutil tool creates in comparison a computer account, and it does it from your Unix machine, and therefore does not have the overhead of transferring keytabs around. And as I described in my other post you can control access to OUs so that Unix administrators can use msktutil.

Regards
Markus

GIGO . gi...@msn.com wrote in message news:snt134-w588e173f39449195ca6126b9...@phx.gbl...

Hi Markus/Nick,

I have chosen the following method of creating the keytab; can you give me your advice/experience regarding it?

1.
I have created a user account for the SPN in Active Directory with "password never expires" and "preauthentication not required" checked.

squidLhr-proxy Pwd: X

C:\Program Files\Support Tools
setspn -A HTTP/squidLhr-proxy.v.mcb.com.pk squidLhr-proxy

Creating keytab:

ktpass -out c:\squidLhr-proxy.keytab -princ HTTP/squidlhr-proxy.v.com...@myrealm.v.com.pk -mapUser V\squidLhr-proxy -mapOp set -pass * -crypto DES-CBC-MD5 -pType KRB_NT_PRINCIPAL

regards,
Bilal

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Thu, 8 Apr 2010 20:08:10 +0100
Subject: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc) it will update regularly the AD entry and key for the host/fqdn principal which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called short-hostname-HTTP to be independent of samba, which usually uses short-hostname.

Regards
Markus

Nick Cairncross wrote in message news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Macs just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.

It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication-breaking elements have disappeared when compared to my Blue Coat and ISA experiences. Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials.
Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that the answer to your question 1 is Yes. Users not on the domain would be prompted for credentials. I haven't tested this, and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain, I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users. Finally, I have
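Markus's three objections to Bilal's ktpass recipe (a user account with a non-expiring password, keys that outlive the administrator, DES) are all visible in AD attributes, so they can be audited rather than argued. This is an added example, not code from the list or from msktutil: it evaluates the `userAccountControl` and `msDS-SupportedEncryptionTypes` bit values Microsoft documents (Nick's `--enctypes 28` is the same mask, RC4 4 + AES128 8 + AES256 16) over constructed LDIF records; the `ldapsearch` command in the docstring is the assumed way to produce real input.

```python
"""Audit the AD accounts that hold Squid HTTP/ keytabs (added example, not from
the list posts). Findings map to Markus's points above plus Bilal's preauth
setting; a duplicate SPN on two accounts is flagged too, since the KDC cannot
tell which account's key to use. Feed it LDIF such as (assumed command):
  ldapsearch -LLL -Y GSSAPI -H ldap://dc1 -b DC=example,DC=com \
    "(servicePrincipalName=HTTP/*)" sAMAccountName userAccountControl \
    msDS-SupportedEncryptionTypes servicePrincipalName
"""
from typing import Dict, List

# userAccountControl bits (Microsoft AD)
UAC_WORKSTATION_TRUST = 0x1000     # computer account, which is what msktutil creates
UAC_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"
UAC_USE_DES_KEY_ONLY = 0x200000    # set by ktpass -crypto DES-*
UAC_DONT_REQ_PREAUTH = 0x400000    # "Do not require Kerberos preauthentication"

# msDS-SupportedEncryptionTypes bits
ENC_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md5", 4: "rc4-hmac", 8: "aes128", 16: "aes256"}
ENC_DES = 1 | 2

# Constructed records: Bilal's user account, Nick's squid-http account, and the
# Samba-joined host that (wrongly) also carries the HTTP/ SPN.
SAMPLE_LDIF = """\
dn: CN=squidLhr-proxy,CN=Users,DC=example,DC=com
sAMAccountName: squidLhr-proxy
userAccountControl: 6357504
servicePrincipalName: HTTP/squidlhr-proxy.example.com

dn: CN=squid-http,OU=UnixPrincipals,DC=example,DC=com
sAMAccountName: squid-http$
userAccountControl: 4096
msDS-SupportedEncryptionTypes: 28
servicePrincipalName: HTTP/bnd-squid1.example.com

dn: CN=bnd-squid1,CN=Computers,DC=example,DC=com
sAMAccountName: bnd-squid1$
userAccountControl: 4096
msDS-SupportedEncryptionTypes: 28
servicePrincipalName: HOST/bnd-squid1.example.com
servicePrincipalName: HTTP/bnd-squid1.example.com
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line ends an entry, repeated attrs are multi-valued.
    Base64 ('::') values are not decoded; ldapsearch's search:/result: trailer is dropped."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        records.append(cur)
    return [r for r in records if "dn" in r]


def enctype_names(mask: int) -> List[str]:
    return [name for bit, name in sorted(ENC_NAMES.items()) if mask & bit]


def audit_account(rec: Dict[str, List[str]]) -> List[str]:
    """Findings for one account record (attribute values as LDIF strings)."""
    findings = []
    uac = int(rec.get("userAccountControl", ["0"])[0])
    if not uac & UAC_WORKSTATION_TRUST:
        findings.append("user account holds the keytab: needs recertification and a reset when admins leave")
    if uac & UAC_DONT_EXPIRE_PASSWD:
        findings.append("password never expires")
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("Kerberos preauthentication not required")
    if uac & UAC_USE_DES_KEY_ONLY:
        findings.append("USE_DES_KEY_ONLY set")
    enc_attr = rec.get("msDS-SupportedEncryptionTypes")
    if enc_attr is None:
        findings.append("msDS-SupportedEncryptionTypes unset: enctypes left to DC defaults, AES not guaranteed")
    elif int(enc_attr[0]) & ENC_DES:
        findings.append("DES enctypes enabled: " + ",".join(enctype_names(int(enc_attr[0]))))
    return findings


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """{sAMAccountName: findings} for every account carrying an HTTP/ SPN."""
    report, owners = {}, {}
    for rec in parse_ldif(text):
        spns = rec.get("servicePrincipalName", [])
        if not any(s.upper().startswith("HTTP/") for s in spns):
            continue
        name = rec["sAMAccountName"][0]
        report[name] = audit_account(rec)
        for spn in spns:                     # SPN matching in AD is case-insensitive
            owners.setdefault(spn.lower(), []).append(name)
    for spn, names in owners.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                report[n].append(f"duplicate SPN {spn} also on {others}")
    return report


if __name__ == "__main__":
    for account, findings in audit_ldif(SAMPLE_LDIF).items():
        print(account, "->", "; ".join(findings) or "clean")
```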
Re: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients
Ah, just seen this - apologies for my post. I think I understand this and will give it a go.

On 08/04/2010 20:08, Markus Moeller hua...@moeller.plus.com wrote:

Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc) it will update regularly the AD entry and key for the host/fqdn principal which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called short-hostname-HTTP to be independent of samba, which usually uses short-hostname.

Regards
Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7e35da9.1eb06%nick.cairncr...@condenast.co.uk...

Bilal,

I'm working on much the same thing, with added Apple Macs just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.

It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication-breaking elements have disappeared when compared to my Blue Coat and ISA experiences. Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that the answer to your question 1 is Yes. Users not on the domain would be prompted for credentials.
I haven't tested this, and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain, I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users. Finally, I have been struggling against an issue where my keytab KVNO increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this? Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and whose browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.
regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate, the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with an NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.

This is not true when Squid is running on Windows: the Windows native Negotiate helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Re: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients
Markus,

I've had a go with msktutil and it appeared to work partially once - the computer account was created and the SPN/UPN were set, but no keytab was generated. I then tried again having deleted the squid-http computer account but receive the following errors - see below, at the end. Would you be able to advise as to where I should look to try to resolve this? I have also rolled back my VM, removed it from the domain etc. and retried with no success.

Many thanks,
Nick

[r...@bnd-squid1 msktutil-0.3.16]# ./msktutil -c -b CN=COMPUTERS -s HTTP/bnd-squid1.[MYFQDN] -h bnd-squid1.[MYFQDN] -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/bnd-squid1.[MYFQDN] --server bnd-dc4 --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is: HTTP/bnd-squid1.[myfq...@[myfqdn]
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-9522krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache: /tmp/.mskt-9522krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- ldap_connect: ldap_connect calling try_ldap_connect
-- try_ldap_connect: Connecting to LDAP server: bnd-dc4 try_tls=YES
-- try_ldap_connect: Connecting to LDAP server: bnd-dc4 try_tls=NO
SASL/GSSAPI authentication started
SASL username: ncairncr...@[myfqdn]
SASL SSF: 56
SASL installing layers
-- try_ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=XX,dc=,dc=XXX
-- get_short_hostname: Determined short hostname: bnd-squid1
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for bnd-squid1 in the keytab /etc/squid/HTTP.keytab
-- try_set_password: Attempting to reset computer's password
-- ldap_check_account: Checking that a computer account for
squid-http$ exists
-- ldap_check_account: Computer account not found, create the account
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (No such attribute)
Error: ldap_check_account failed (Device or resource busy)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure

On 08/04/2010 20:08, Markus Moeller hua...@moeller.plus.com wrote:

Hi Nick,

Did you use samba to create the keytab? I have seen that if you use samba for more than squid (e.g. cifs, winbind, etc) it will update regularly the AD entry and key for the host/fqdn principal which is the same as for HTTP/fqdn. I usually use msktutil and create a second AD entry called short-hostname-HTTP to be independent of samba, which usually uses short-hostname.

Regards
Markus
Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
Bilal,

I'm working on much the same thing, with added Apple Macs just to complicate things. My aim is to create an SSO environment for all my Windows, OSX and nix machines. I want to use Kerberos as my primary authentication as IE7 and FF onwards are moving that way, but for my situation some browsers or applications do not support this and I must also use NTLM. However, Opera on my Macs seems to not like either and prefers Basic.

It's been a struggle to get each element to work but not impossible. I have found that all Negotiate/Kerberos supporting browsers have worked extremely well with the helper developed by Markus. Many of the authentication-breaking elements have disappeared when compared to my Blue Coat and ISA experiences. Those machines joined to the domain using browsers that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass through credentials. Mac Safari relies on NTLM and prompts as such. Mac Opera prompts for Basic. Therefore if you're just Windows I would answer fairly confidently that the answer to your question 1 is Yes. Users not on the domain would be prompted for credentials. I haven't tested this, and depending on which helper you are using (Samba or Squid's) and whether you're joined to the domain, I believe Negotiate should fall back to NTLM and work providing you supply a valid domain user/pass! So the answer to 2 would be 'depends..' :)

As for the issue of not being able to use Squid at all, and taking into account what I said earlier, then yes there could be a scenario where Squid will not work for your users. However, it is less of a problem in just Windows. It's all about testing your various Windows configurations, apps and browsers until you are sure you have covered the conceivable setups of all your users. Finally, I have been struggling against an issue where my keytab KVNO increments in AD and gets out of sync with the exported version, making Squid unusable until it's regenerated. Have you experienced this?
Happy to discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, GIGO . gi...@msn.com wrote:

If I select Negotiate/Kerberos as the authentication protocol for my Squid on Linux and configure no fallback authentication, what would be the consequence?

1. Isn't it that all of my users who have logged into Active Directory and whose browser is supported will be able to use squid?
2. Only those users who will try to use squid from a workgroup giving their domain password (domainname/userid) will fail as there will be no fallback available.
3. Is there any other scenario in which these users will not be able to use squid?

I would be really thankful if you guide me further as I am failing to understand why a fallback authentication is necessary, if it is. What could be the scenario when Windows clients have no valid TGT even if they are logged in to the domain? I hope you can understand me and help me to clear myself.

regards,
Bilal Aslam

To: squid-users@squid-cache.org
From: hua...@moeller.plus.com
Date: Wed, 7 Apr 2010 20:17:20 +0100
Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients

Sorry, I knew that but forgot to mention that I was talking about the Unix version.

Thank you
Markus

Guido Serassio wrote in message news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...

Hi Markus,

If you have a Windows client and the proxy sends WWW-Proxy-Authorize: Negotiate, the Windows client will try first to get a Kerberos ticket and if that succeeds sends a Negotiate response with a Kerberos token to the proxy. If the Windows client fails to get a Kerberos ticket the client will send a Negotiate response with an NTLM token to the proxy. Unfortunately there is yet no squid helper which can handle both a Negotiate/Kerberos response and a Negotiate/NTLM response (although maybe the samba ntlm helper can). So there is a fallback when you use Negotiate, but it has some caveats.
This is not true when Squid is running on Windows: the Windows native Negotiate helper can handle both Negotiate/Kerberos and Negotiate/NTLM responses.

Regards
Guido Serassio
Acme Consulting S.r.l.
Re: [squid-users] Re: Sending on Group names after Kerb LDAP look-up
Markus,

Adding -r to the helper:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on

..results in:

2010/03/30 09:57:51| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
(squid_kerb_auth): invalid option -- r

Did I misunderstand? I'm using Squid 3.0 stable 20 - I'm not sure what version the squid_kerb_auth that comes with it is.

Thanks,
Nick

On 29/03/2010 22:16, Markus Moeller hua...@moeller.plus.com wrote:

Did you try -r with squid_kerb_auth?

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7d69a71.1dc21%nick.cairncr...@condenast.co.uk...

Hi,

I just wanted to give this a bump: is it possible to manipulate the (Kerberos-authenticated) username that gets sent to my ICAP server and strip off the @domain? E.g. jsm...@myaddomain becomes jsmith. Relevant squid lines just FYI:

icap_send_client_username on
icap_client_username_header X-Authenticated-User

Access log shows my jsm...@myaddomain and I would LOVE to be able to just have the first part in ICAP X-Authenticated-User.

Thanks again,
Nick

On 25/03/2010 16:18, Nick Cairncross nick.cairncr...@condenast.co.uk wrote:

Amos,

Thanks for your help - you are right in that the connector has the ability to receive and manipulate ICAP, and using an NTLM authenticated user allows me to do the thing I need. All was nearly lost. However, if I change to Kerberos authentication on my Squid then the connector breaks because it receives the user name as a UPN. Is it possible to send just the first part of the authenticated user (i.e. username?) and not include the domain? I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz about using string substitutions (%U, %N etc). Is this achievable with Squid? This could be the final piece in my puzzle...
Thanks,
Nick

On 24/03/2010 05:58, Amos Jeffries squ...@treenet.co.nz wrote:

Nick Cairncross wrote:

Hi All,

Things seem to be going well with my Squid project so far; a combined Mac/Windows AD environment using Kerberos authentication with fallback to NTLM. I (hopefully) seem to be getting the hang of it! I've been trying out the Kerberos LDAP look-up tool and have a couple of questions (I think the answers will be no..):

- Is it possible to wrap up the matched group name(s) in the header as it gets sent onwards to my peer? I used to use the authentication agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated, their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups...

I don't think so. There is a lot of manipulation magic you can do with the ICAP or eCAP interfaces that is not possible directly in Squid though. The risk is breaking back-end services that can't handle the altered header. Since you say below about already doing so, I assume this is a non-risk for your network.

You can do transparent login pass-thru to the peer (login=PASS). You can log Squid-3.1 into the peer with Kerberos credentials. But I do not think the Kerberos details get decoded to a username/password for Squid to pass back as a pair.

This is what I use currently:

cache_peer proxy44.scansafe.net parent 8080 7 no-query no-digest no-netdb-exchange login=*

(From http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)

- Are there plans to integrate the lookup tool in future versions of Squid?
I've enjoyed learning about compiling but.. just wondering..

No. Plans are for all network-specific adaptation to be done via external helper processes. The *CAP interfaces for add-on modules allow all the adaptation extras to be plugged in as needed in a very powerful way. Check that AV tool; it likely has an ICAP interface Squid-3 can plug into already.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
Re: [squid-users] Sending on Group names after Kerb LDAP look-up
Hi,

I just wanted to give this a bump: is it possible to manipulate the (Kerberos-authenticated) username that gets sent to my ICAP server and strip off the @domain? E.g. jsm...@myaddomain becomes jsmith. Relevant squid lines just FYI:

icap_send_client_username on
icap_client_username_header X-Authenticated-User

Access log shows my jsm...@myaddomain and I would LOVE to be able to just have the first part in ICAP X-Authenticated-User.

Thanks again,
Nick

On 25/03/2010 16:18, Nick Cairncross nick.cairncr...@condenast.co.uk wrote:

Amos,

Thanks for your help - you are right in that the connector has the ability to receive and manipulate ICAP, and using an NTLM authenticated user allows me to do the thing I need. All was nearly lost. However, if I change to Kerberos authentication on my Squid then the connector breaks because it receives the user name as a UPN. Is it possible to send just the first part of the authenticated user (i.e. username?) and not include the domain? I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz about using string substitutions (%U, %N etc). Is this achievable with Squid? This could be the final piece in my puzzle...

Thanks,
Nick

On 24/03/2010 05:58, Amos Jeffries squ...@treenet.co.nz wrote:

Nick Cairncross wrote:

Hi All,

Things seem to be going well with my Squid project so far; a combined Mac/Windows AD environment using Kerberos authentication with fallback to NTLM. I (hopefully) seem to be getting the hang of it! I've been trying out the Kerberos LDAP look-up tool and have a couple of questions (I think the answers will be no..):

- Is it possible to wrap up the matched group name(s) in the header as it gets sent onwards to my peer? I used to use the authentication agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated, their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups...

I don't think so. There is a lot of manipulation magic you can do with the ICAP or eCAP interfaces that is not possible directly in Squid though. The risk is breaking back-end services that can't handle the altered header.
Since you say below about already doing so, I assume this is a non-risk for your network. agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups... You can do transparent login pass-thru to the peer (login=PASS). You can log Squid-3.1 into the peer with kerberos credentials. But I do not think the Kerberos details get decoded to a username/password for Squid to pass back as a pair. This is what I use currently: cache_peer proxy44.scansafe.net parent 8080 7 no-query no-digest no-netdb-exchange login=* (From http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html) - Are there plans to integrate the lookup tool in future versions of Squid? I've enjoyed learning about compiling but.. just wondering.. No. Plans are for all network-specific adaptation to be done via external helper processes. The *CAP interfaces for add-on modules allow all the adaptation extras to be plugged in as needed in a very powerful way. Check that AV tool, it likely has an ICAP interface Squid-3 can plug into already. Amos -- Please be using Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25 Current Beta Squid 3.1.0.18 ** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. 
Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. Company Registration details: The Conde Nast Publications Ltd Vogue House Hanover Square London W1S 1JU Registered in London No. 226900 ** Please consider the environment before printing this e-mail ** The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does
Re: AW: [squid-users] SquidCompilationproblem -squid_ldap_auth.c:123:18: error: lber.h: No such file or directory
If you're on the RHN then yum is the easiest. If not:

keyutils-libs-devel
libselinux-devel
libsepol-devel
e2fsprogs-devel
krb5-devel
cyrus-sasl-gssapi
cyrus-sasl-devel
openldap-devel

Might be a few more.

On 26/03/2010 14:42, Zeller, Jan jan.zel...@id.unibe.ch wrote:

Hi,

you need something like libldap2-dev. Please have a look at http://packages.ubuntu.com (if you have Ubuntu) or use yum search openldap-devel or something like this if you have RedHat.

regards,
Jan

From: GIGO . [gi...@msn.com]
Sent: Friday, 26 March 2010 14:06
To: SquidSuperUser; SquidHelp
Subject: RE: [squid-users] SquidCompilationproblem -squid_ldap_auth.c:123:18: error: lber.h: No such file or directory

Dear Amos,

It did work on Ubuntu but now I am facing the same problem in RHEL. Can you please guide me on which package I would require.

regards,
Bilal

Date: Sun, 21 Mar 2010 22:06:09 +
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SquidCompilationproblem -squid_ldap_auth.c:123:18: error: lber.h: No such file or directory

On Sun, 21 Mar 2010 19:37:56 +, GIGO . wrote:
> Please guide me on this, what's wrong. I am unable to compile Squid3stable24 on Ubuntu 8.04 LTS server. I want to use active directory authentication (my clients should be able to authenticate themselves with active directory accounts). Following is my command:

You need the LDAP packages to be installed. Make sure you have the package build dependencies listed here: https://launchpad.net/ubuntu/lucid/+source/squid3

Amos
Re: [squid-users] Re: Squid Kerb Auth Issue
Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner (e.g. chgrp squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab).

Is there another way to do this (or have I done it wrong)?

Nick

On 24/03/2010 23:45, Markus Moeller hua...@moeller.plus.com wrote:

How did you create the keytab?

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...

Hi,

I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have reported a problem to me that they are prompted repeatedly for an unsatisfiable username and password. When I checked cache.log I noticed that there was a KVNO mismatch being reported. I regenerated my keytab and all was well again. However, I was worried by this so I looked back over my emails and I noticed the same problem occurred 7 days ago (almost to the hour). Does anyone have a suggestion as to what might have caused this/things to check? There haven't been any AD changes.

Thanks,
Nick
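An added check, not part of the thread, that compares the KVNOs held in the keytab with the KVNO the KDC currently issues, so the mismatch cache.log reported can be caught before users see prompts; a 7-day cadence matches Samba's default machine password timeout (one week), after which the AD key version moves on while keytab entries made by net ads keytab from the old machine password stay behind. The two outputs parsed below are constructed in the format of MIT `klist -k` and `kvno`, with rhnet5.example.com and EXAMPLE.COM standing in for the thread's [omitted] names.

```python
"""Compare keytab key versions with the KDC's current KVNO (constructed example)."""
import re
from collections import defaultdict

# Constructed `klist -k /etc/squid/HTTP.keytab` output: every entry still at KVNO 5.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/rhnet5.example.com@EXAMPLE.COM
   5 host/rhnet5.example.com@EXAMPLE.COM
   5 HTTP/rhnet5.example.com@EXAMPLE.COM
   5 HTTP/rhnet5.example.com@EXAMPLE.COM
   5 HTTP/rhnet5@EXAMPLE.COM
"""

# Constructed `kvno HTTP/rhnet5.example.com host/rhnet5.example.com` output, taken
# after the AD side rotated the account key: tickets are now issued at KVNO 6.
KVNO_OUTPUT = """\
HTTP/rhnet5.example.com@EXAMPLE.COM: kvno = 6
host/rhnet5.example.com@EXAMPLE.COM: kvno = 6
"""


def parse_klist(text):
    """Map principal -> set of KVNOs present in the keytab."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kvno(text):
    """Map principal -> KVNO the KDC currently uses for that principal."""
    current = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+@\S+): kvno = (\d+)$", line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return current


def stale_principals(keytab, kdc):
    """Principals whose current KDC KVNO has no matching key in the keytab. A
    service ticket encrypted with that key cannot be decrypted by the helper,
    which is what cache.log reports as a KVNO mismatch."""
    return sorted(p for p, v in kdc.items() if v not in keytab.get(p, set()))


def missing_service_principal(keytab, fqdn, realm, service="HTTP"):
    """True if the keytab lacks the service principal browsers request."""
    return f"{service}/{fqdn}@{realm}" not in keytab


def check(klist_text, kvno_text):
    """Convenience wrapper: stale principals for a pair of command outputs."""
    return stale_principals(parse_klist(klist_text), parse_kvno(kvno_text))
```

Run the real commands as the squid user and feed their output to check(); a non-empty result is the cue to regenerate the keytab before the next round of prompts.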
Re: [squid-users] Sending on Group names after Kerb LDAP look-up
Amos,

Thanks for your help - you are right in that the connector has the ability to receive and manipulate ICAP, and using an NTLM authenticated user allows me to do the thing I need. All was nearly lost. However, if I change to Kerberos authentication on my Squid then the connector breaks because it receives the user name as a UPN. Is it possible to send just the first part of the authenticated user (i.e. username?) and not include the domain? I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz about using string substitutions (%U, %N etc). Is this achievable with Squid? This could be the final piece in my puzzle...

Thanks,
Nick

On 24/03/2010 05:58, Amos Jeffries squ...@treenet.co.nz wrote:

Nick Cairncross wrote:
> Hi All,
>
> Things seem to be going well with my Squid project so far; a combined Mac/Windows AD environment using Kerberos authentication with fallback to NTLM. I (hopefully) seem to be getting the hang of it!
>
> I've been trying out the Kerberos LDAP look up tool and have a couple of questions (I think the answers will be no..):
>
> - Is it possible to wrap up the matched group name(s) in the header as it gets sent onwards to my peer? I used to use the authentication

I don't think so. There is a lot of manipulation magic you can do with the ICAP or eCAP interfaces that is not possible directly in Squid though. The risk is breaking back-end services that can't handle the altered header. Since you say below about already doing so, I assume this is a non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can log Squid-3.1 into the peer with kerberos credentials. But I do not think the Kerberos details get decoded to a username/password for Squid to pass back as a pair.

> This is what I use currently:
>
> cache_peer proxy44.scansafe.net parent 8080 7 no-query no-digest no-netdb-exchange login=*
>
> (From http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
>
> - Are there plans to integrate the lookup tool in future versions of Squid? I've enjoyed learning about compiling but.. just wondering..

No. Plans are for all network-specific adaptation to be done via external helper processes. The *CAP interfaces for add-on modules allow all the adaptation extras to be plugged in as needed in a very powerful way.

Check that AV tool, it likely has an ICAP interface Squid-3 can plug into already.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
Current Beta Squid 3.1.0.18
[squid-users] Squid Kerb Auth Issue
Hi,

I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have reported a problem to me that they are prompted repeatedly for an unsatisfiable username and password. When I checked cache.log I noticed that there was a KVNO mismatch being reported. I regenerated my keytab and all was well again. However, I was worried by this so I looked back over my emails and I noticed the same problem occurred 7 days ago (almost to the hour). Does anyone have a suggestion as to what might have caused this/things to check? There haven't been any AD changes.

Thanks,
Nick
Re: [squid-users] Blocking Instant Messaging
Hi abv,

You can block on user agent for some IM clients such as MSN. Ensure you have User Agent logging turned on and an entry in your conf file. I found this useful for finding out the agent that some IM clients use. For testing I use a file containing the agent but the result is the same:

useragent_log /var/log/squid/useragent.log squid
acl MSNMessenger browser /etc/squid/ACL/USER-AGENT_BLOCKED.txt
http_access deny MSNMessenger

USER-AGENT_BLOCKED.txt contains the agents you want to block:

Windows Live Messenger

You can go further and allow certain IPs to have MSN using a !acl. tail -f /var/log/squid/useragent.log to see what's going on.

===

Skype requires a direct IP acl rule:

acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny StopDirectIP

Again you could exclude certain IPs using a !acl.

Cheers,
Nick

On 22/03/2010 07:56, a bv vbavbal...@gmail.com wrote:

Hi,

I have a squid running and I would like to block/control the instant messaging traffic at squid (especially MSN/Windows Live Messenger). So how can I do this effectively?

Regards
[squid-users] Sending on Group names after Kerb LDAP look-up
Hi All,

Things seem to be going well with my Squid project so far; a combined Mac/Windows AD environment using Kerberos authentication with fallback to NTLM. I (hopefully) seem to be getting the hang of it!

I've been trying out the Kerberos LDAP look up tool and have a couple of questions (I think the answers will be no..):

- Is it possible to wrap up the matched group name(s) in the header as it gets sent onwards to my peer? I used to use the authentication agent that came from our A/V provider. This tool ran as a service and linked into our ISA. Once a user authenticated their group membership was forwarded along with their username to my peer (Scansafe). The problem is that it only does NTLM auth. It added the group (WINNT://[group]) into the header and then a rule base at the peer site could be set up based on group. Since I am using Kerberos I wondered whether it's possible to send the results of the Kerb LDAP auth? I already see the user on the peer as the Kerberos login. It would be great if I could include the group or groups...

This is what I use currently:

cache_peer proxy44.scansafe.net parent 8080 7 no-query no-digest no-netdb-exchange login=*

(From http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)

- Are there plans to integrate the lookup tool in future versions of Squid? I've enjoyed learning about compiling but.. just wondering..

Thanks again in advance,
Nick
[squid-users] ACL wildcard?
Hi all,

Just a quick question today: in a bid to keep to some standards my ACLs all follow similar naming conventions:

FILETYPE_EXE_[object] - e.g. FILE_TYPE_EXE_Users, FILE_TYPE_EXE_Hosts, FILE_TYPE_EXE_IPAddresses
FILETYPE_MP3_[object] - e.g. FILE_TYPE_MP3_Users, FILE_TYPE_MP3_Hosts, FILE_TYPE_MP3_IPAddresses
FILETYPE_ZIP_[object] - e.g. FILE_TYPE_ZIP_Users, FILE_TYPE_ZIP_Hosts, FILE_TYPE_ZIP_IPAddresses

Instead of repeating the deny_info entry three times for each of these, is it possible to use a wildcard for one? If so, what is it?

deny_info CUSTOM_FILEBLOCKED FILETYPE_{wildcard}

Thanks,
Nick
[squid-users] TCP_DENIED/407 CONNECT www,evernote.com:443
Hi All,

I have some Mac clients/services that require internet via my Squid. Two such programs are Evernote and VMWare. Both are requesting access and both are being denied. The errors I see in the access.log are as follows and nothing else:

268234226.935 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
1268234226.938 0 172.16.0.38 TCP_DENIED/407 2117 CONNECT www.evernote.com:443 - NONE/- text/html
1268234228.667 0 172.16.0.38 TCP_DENIED/407 2134 CONNECT softwareupdate.vmware.com:443 - NONE/- text/html

I've tried all sorts of the acls (browser, dstdomain, IP) but I still get denied. Even http_access allow all doesn't work.

Thanks in advance,
Nick

==

My configuration is as follows:

http_port 172.16.10.195:8080

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 40

cache_peer [upstream ISP proxy] parent 8080 7 no-query no-digest no-netdb-exchange login=*
visible_hostname VHSQUID1.[my domain]
dns_nameservers 172.16.10.52 172.16.10.53 172.16.40.20

# Total number of delay pools
delay_pools 1

## LOGGING SWITCHES
log_fqdn on

## LOG LOCATIONS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log squid
useragent_log /var/log/squid/useragent.log squid

ACCESS CONTROL LISTS #

## USER-AGENT (Browser-type) ACLs
acl Java_jvm browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt
acl iTunes browser /etc/squid/ACL/USERAGENTS/USER-AGENTS_ITUNES.txt

## URL DESTINATION ACLs

## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED
acl BandwidthUserExceptions proxy_auth_regex -i /etc/squid/ACL/BANDWIDTH/BANDWIDTH_NOLIMIT_USER.txt

## LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
acl DoNotAuthenticateIP src /etc/squid/ACL/IPADDRESSES/IP_NOAUTH.txt

## LOCALHOST ACLs
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## QUERY ACLs
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache

## SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain /etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt
acl SENDDIRECT_Users proxy_auth_regex -i /etc/squid/ACL/SENDDIRECT/SENDDIRECT_USERS.txt
acl SENDDIRECT_IPAddresses src /etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt

## BLACKLISTED (Deny) ACLs
acl BLACKLIST_DstDomains dstdomain /etc/squid/ACL/BLACKLIST/BLACKLIST_DSTDOMAINS.txt
acl BLACKLIST_Users proxy_auth_regex -i /etc/squid/ACL/BLACKLIST/BLACKLIST_USERS.txt
acl BLACKLIST_IPAddresses src /etc/squid/ACL/BLACKLIST/BLACKLIST_IPADDRESSES.txt

## FILE TYPE ACLs
acl FILEEXT_EXE urlpath_regex .exe$
acl FILEEXT_EXE_Users proxy_auth_regex -i /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWUSERS.txt
acl FILEEXT_EXE_DstDomains dstdomain /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWDSTDOMAINS.txt
acl FILEEXT_EXE_IPAddresses src /etc/squid/ACL/FILES/FILEEXT_EXE_ALLOWIPADDRESSES.txt

## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP

# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

## ACCESS RULES
#
### GLOBAL BLACKLIST RULES ###
http_access deny BLACKLIST_Users
http_access deny BLACKLIST_IPAddresses
http_access deny BLACKLIST_DstDomains

## FILE EXTENSIONS
http_reply_access deny FILEEXT_EXE !FILEEXT_EXE_Users !FILEEXT_EXE_IPAddresses !FILEEXT_EXE_DstDomains

# USER AGENTS #
http_access allow iTunes
http_access allow Java_jvm

# URL DESTINATIONS

## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_Users
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

## POST and CONNECT ALLOW ##
http_access allow POST
http_access allow CONNECT

## USERS ACL ALLOW ##
# Emergency Allow All unhash this for instant access to all without authentication
#http_access allow all
http_access allow DoNotAuthenticateIP
http_access allow AuthenticatedUsers
http_reply_access allow AuthenticatedUsers

## LOCAL HOST ALLOW ##
http_access allow localhost

## DELAY ACCESS RULES ##
# First delay class pool is User allocated
delay_class 1 4
# First delay class pool is limited to 4mb i.e. all users not in exceptions
delay_parameters 1 -1/-1 -1/-1 -1/-1 400/400
#First
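An added example, not from either thread, that models in Python how Squid walks http_access lines for the ACL types used in the IM-blocking reply and in the config above (src, dstdomain, method, browser, url_regex, proxy_auth). It shows that a proxy_auth ACL consulted before any no-auth exemption turns every credential-less request, such as the CONNECT from Evernote, into a 407 regardless of the allow lines that follow, and which request forms the StopDirectIP url_regex matches. The ACL table, rule orders and requests are constructed; NoAuthDstDomains and the regex values are hypothetical, the other ACL names come from the posted config.

```python
"""Simplified model of Squid http_access evaluation (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

AUTH_REQUIRED = "AUTH_REQUIRED"  # verdict that makes Squid send a 407 challenge


@dataclass
class Request:
    src: str
    method: str
    url: str                    # as Squid sees it: "host:port" for CONNECT
    user_agent: str = ""
    user: Optional[str] = None  # proxy-authenticated user; None = no credentials


ACLS = {  # name -> (acl type, values); NoAuthDstDomains and the regexes are made up
    "BLACKLIST_Users": ("proxy_auth_regex", [r"^blocked\."]),
    "AuthenticatedUsers": ("proxy_auth", ["REQUIRED"]),
    "DoNotAuthenticateIP": ("src", ["172.16.0.38"]),
    "NoAuthDstDomains": ("dstdomain", [".evernote.com", ".vmware.com"]),
    "CONNECT": ("method", ["CONNECT"]),
    "MSNMessenger": ("browser", ["Windows Live Messenger"]),
    "StopDirectIP": ("url_regex", [r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"]),
}


def dst_host(req):
    """Destination host as dstdomain sees it (a CONNECT URL is just host:port)."""
    if req.method == "CONNECT":
        return req.url.rsplit(":", 1)[0]
    return re.match(r"^[a-z]+://([^/:]+)", req.url).group(1)


def acl_matches(acl, req):
    """True/False for an ordinary ACL; AUTH_REQUIRED when an auth ACL is consulted
    for a request that carried no proxy credentials."""
    kind, values = acl
    if kind in ("proxy_auth", "proxy_auth_regex"):
        if req.user is None:
            return AUTH_REQUIRED
        if kind == "proxy_auth":  # REQUIRED: any authenticated user matches
            return True
        return any(re.search(v, req.user, re.IGNORECASE) for v in values)
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # leading dot: the domain itself and all subdomains
        host = dst_host(req)
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "method":
        return req.method in values
    if kind == "browser":  # regex against the User-Agent header
        return any(re.search(v, req.user_agent) for v in values)
    if kind == "url_regex":  # regex against the whole request URL
        return any(re.search(v, req.url) for v in values)
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, req, acls=ACLS):
    """Walk http_access lines in order (ACLs on a line are ANDed, '!' negates) and
    return 'allow', 'deny' or '407'. Simplified: any credentials count as valid;
    the default verdict is the opposite of the last line, as in Squid."""
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negate = term.startswith("!")
            verdict = acl_matches(acls[term.lstrip("!")], req)
            if verdict == AUTH_REQUIRED:
                return "407"  # evaluation stops here; the client is challenged
            if verdict == negate:  # ACL failed once negation is applied
                line_matches = False
                break
        if line_matches:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Order as in the posted config: the first line consults an auth ACL, so a
# request without credentials is challenged before any later allow is reached.
ORIGINAL_ORDER = [
    ("deny", ["BLACKLIST_Users"]),
    ("allow", ["DoNotAuthenticateIP"]),
    ("allow", ["NoAuthDstDomains"]),
    ("allow", ["AuthenticatedUsers"]),
]
# Reordered: IM blocks and no-auth exemptions precede any auth-dependent line.
REORDERED = [
    ("deny", ["MSNMessenger"]),
    ("deny", ["CONNECT", "StopDirectIP"]),
    ("allow", ["DoNotAuthenticateIP"]),
    ("allow", ["NoAuthDstDomains"]),
    ("deny", ["BLACKLIST_Users"]),
    ("allow", ["AuthenticatedUsers"]),
]

# Constructed requests modelled on the access.log lines in the thread.
EVERNOTE = Request("172.16.0.38", "CONNECT", "www.evernote.com:443", "Evernote")
VMWARE = Request("172.16.0.99", "CONNECT", "softwareupdate.vmware.com:443")
DIRECT_IP_CONNECT = Request("172.16.0.50", "CONNECT", "203.0.113.7:443")
DIRECT_IP_HTTP = Request("172.16.0.50", "GET", "http://203.0.113.7/")
MSN_USER = Request("172.16.0.50", "GET", "http://www.example.com/",
                   "Windows Live Messenger 14.0", user="blocked.user")
```

Under ORIGINAL_ORDER both CONNECT requests come back as 407, under REORDERED they are allowed, the direct-IP CONNECT is denied, and the same IP in an http:// URL is not caught by the ^-anchored pattern.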
Re: [squid-users] Re: Re: Squid_ldap_kerb make
Markus,

Thank you (again) for your help. I hadn't realised that the principal name in question was the userPrincipalName attribute in AD - I was confusing it with the servicePrincipalName attribute. Of course that now makes sense. In fact, the method I followed to add the userPrincipalName (host/rhnet5.[omitt...@[omitted]) was via ADSI edit - I'm sorry I didn't do it via command line, but I understand the concept much better as a result!

Just going to recap - if it's of any use to someone: with your help I see the answer was pointed out in the cache.log as opposed to the kadmin error - I was a bit unsure 'what' kadmin was referring to. I just needed to understand that it was the USER principal being used in Kerberos authentication.

2010/03/05 09:54:35| squid_kerb_ldap: Got principal name host/rhnet5.[omitt...@[omitted]
2010/03/05 09:54:35| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/03/05 09:54:35| squid_kerb_ldap: Error during setup of Kerberos credential cache

The user principal was retrieved from the keytab but the next part, the authentication, failed because it didn't exist in the computer account AD attributes.

After adding the entry to the userPrincipalName (host/rhnet5.[omitt...@[omitted]) and reloading Squid (to watch the cache.log) immediately gave me the correct results:

2010/03/05 10:09:40| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== ncairncr...@[omitted]
2010/03/05 10:09:40| squid_kerb_ldap: Got User: NCairncross Domain: [OMITTED]
2010/03/05 10:09:40| squid_kerb_ldap: User domain loop: gr...@domain testgr...@[omitted]
2010/03/05 10:09:40| squid_kerb_ldap: Found gr...@domain testgr...@[omitted]
2010/03/05 10:09:40| squid_kerb_ldap: Setup Kerberos credential cache
2010/03/05 10:09:40| squid_kerb_ldap: Get default keytab file name
2010/03/05 10:09:40| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/03/05 10:09:40| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/03/05 10:09:40| squid_kerb_ldap: Keytab entry has realm name: [OMITTED]
2010/03/05 10:09:40| squid_kerb_ldap: Found principal name: host/rhnet5.[omitt...@[omitted]
2010/03/05 10:09:40| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_5890
2010/03/05 10:09:40| squid_kerb_ldap: Got principal name host/rhnet5.[omitt...@[omitted]
2010/03/05 10:09:41| squid_kerb_ldap: Stored credentials
2010/03/05 10:09:41| squid_kerb_ldap: Initialise ldap connection
2010/03/05 10:09:41| squid_kerb_ldap: Canonicalise ldap server name for domain [OMITTED]
2010/03/05 10:09:41| squid_kerb_ldap: Resolved SRV _ldap._tcp.[OMITTED] record to mydc.[OMITTED]
...
2010/03/05 10:13:22| squid_kerb_ldap: Entry 37 Enterprise Admins in hex UTF-8 is 456e74657270726973652041646d696e73
2010/03/05 10:13:22| squid_kerb_ldap: Entry 37 Enterprise Admins does not match group name TestGroup
2010/03/05 10:13:22| squid_kerb_ldap: Entry 38 Domain Admins in hex UTF-8 is 446f6d61696e2041646d696e73
2010/03/05 10:13:22| squid_kerb_ldap: Entry 38 Domain Admins does not match group name TestGroup
2010/03/05 10:13:22| squid_kerb_ldap: Entry 39 Server Operators in hex UTF-8 is 536572766572204f70657261746f7273
2010/03/05 10:13:22| squid_kerb_ldap: Entry 39 Server Operators does not match group name TestGroup
2010/03/05 10:13:22| squid_kerb_ldap: Unbind ldap server
2010/03/05 10:13:22| squid_kerb_ldap: User NCairncross is member of gr...@domain testgr...@[omitted]

Many thanks for all the help,
Nick

On 04/03/2010 20:23, Markus Moeller hua...@moeller.plus.com wrote:

Nick,

The problem here is how the keytab entry was created. To authenticate against AD the userPrincipalName attribute must be set to the same as the principal you want to authenticate. For a user it uses the username, e.g. us...@domain will have a userPrincipalName of us...@domain. squid_kerb_ldap uses the keytab entry (in your case host/rhnet5.[omitt...@[omitted]) but does not find an AD entry with a userPrincipalName attribute set to host/rhnet5.[omitt...@[omitted]. You could manually set it or use msktutil to create another AD entry or use a user account (e.g. use ktutil (from MIT Kerberos) like

ktutil
ktutil: addent -password -p u...@domain -k 1 -e rc4-hmac
Password for u...@domain
ktutil: wkt user.keytab
ktutil: exit

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7b57c01.1bd68%nick.cairncr...@condenast.co.uk...

Markus,

Thanks for the extra info - I was indeed missing the cyrus dependency. Installing it and compiling has given me squid_kerb_ldap. However, my cache.log is now indicating a problem with a principal with Kerberos.

2010/03/04 14:53:33| squid_kerb_ldap: Got User: NCairncross Domain: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: User domain loop: gr...@domain netilla...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Found gr...@domain squidgr...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap
Re: [squid-users] Re: Squid_ldap_kerb make
Markus,

Thanks for the extra info - I was indeed missing the cyrus dependency. Installing it and compiling has given me squid_kerb_ldap. However, my cache.log is now indicating a problem with a principal with Kerberos.

2010/03/04 14:53:33| squid_kerb_ldap: Got User: NCairncross Domain: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: User domain loop: gr...@domain netilla...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Found gr...@domain squidgr...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Setup Kerberos credential cache
2010/03/04 14:53:33| squid_kerb_ldap: Get default keytab file name
2010/03/04 14:53:33| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Keytab entry has realm name: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Found principal name: host/rhnet5.[omitt...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_16609
2010/03/04 14:53:33| squid_kerb_ldap: Got principal name host/rhnet5.[omitt...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/03/04 14:53:33| squid_kerb_ldap: Error during setup of Kerberos credential cache
2010/03/04 14:53:33| squid_kerb_ldap: User NCairncross is not member of gr...@domain squidgr...@[omitted]  -- which I am..
2010/03/04 14:53:33| squid_kerb_ldap: Default domain loop: gr...@domain squidgr...@[omitted]
2010/03/04 14:53:33| squid_kerb_ldap: Default group loop: gr...@domain squidgr...@[omitted]

Kadmin reveals the same error:

Authenticating as principal root/ad...@[omitted] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

(The same is true after a kinit [my username])

The details of my klist -k are:

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------
   5 host/rhnet5.[omitt...@[omitted]
   5 host/rhnet5.[omitt...@[omitted]
   5 host/rhnet5.[omitt...@[omitted]
   5 host/rhn...@[omitted]
   5 host/rhn...@[omitted]
   5 host/rhn...@[omitted]
   5 rhne...@[omitted]
   5 rhne...@[omitted]
   5 rhne...@[omitted]
   5 HTTP/rhnet5.[omitt...@[omitted]
   5 HTTP/rhnet5.[omitt...@[omitted]
   5 HTTP/rhnet5.[omitt...@[omitted]
   5 HTTP/rhn...@[omitted]
   5 HTTP/rhn...@[omitted]
   5 HTTP/rhn...@[omitted]

My Kerberos authentication for domain users works ok and cache.log doesn't throw up any errors. The RHNET5 AD computer account has the HTTP/rhnet5 and HTTP/rhnet5.[OMITTED] principals. I know I'm missing something straight-forward..

Nickcx

On 03/03/2010 23:56, Markus Moeller hua...@moeller.plus.com wrote:

You will also need a cyrus-sasl-gssapi package to run squid_kerb_ldap with SASL/GSSAPI authentication to AD or Openldap.

Markus

Markus Moeller hua...@moeller.plus.com wrote in message news:hmmmuv$ie...@dough.gmane.org...

You need the ldap and sasl development packages.

Markus

Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c7b3f825.1bb93%nick.cairncr...@condenast.co.uk...

Henrik,

Thanks for the pointers - I have added the missing dependencies. Now I receive the following. The results of ./configure are at the bottom of the email also. I must be missing some other dependencies?

Thanks again,
Nickcx

===

make all-recursive
make[1]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[2]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT squid_kerb_ldap.o -MD -MP -MF .deps/squid_kerb_ldap.Tpo -c -o squid_kerb_ldap.o squid_kerb_ldap.c
mv -f .deps/squid_kerb_ldap.Tpo .deps/squid_kerb_ldap.Po
gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o support_group.o support_group.c
mv -f .deps/support_group.Tpo .deps/support_group.Po
gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT support_netbios.o -MD -MP -MF .deps/support_netbios.Tpo -c -o support_netbios.o support_netbios.c
mv -f .deps/support_netbios.Tpo .deps/support_netbios.Po
gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Werror
Re: [squid-users] Squid_ldap_kerb make
'ldap_simple_bind_s'
support_ldap.c:972: error: 'LDAP_SUCCESS' undeclared (first use in this function)
support_ldap.c:973: warning: format '%s' expects type 'char *', but argument 5 has type 'int'
support_ldap.c:981: warning: implicit declaration of function 'ldap_set_rebind_proc'
support_ldap.c:981: error: 'ldap_simple_rebind' undeclared (first use in this function)
support_ldap.c:1011: error: too many arguments to function 'check_AD'
support_ldap.c:1013: warning: format '%s' expects type 'char *', but argument 5 has type 'int'
support_ldap.c:1035: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in this function)
support_ldap.c:1042: warning: format '%s' expects type 'char *', but argument 5 has type 'int'
support_ldap.c:1055: error: too many arguments to function 'get_attributes'
support_ldap.c:1057: error: too many arguments to function 'get_attributes'
support_ldap.c:1101: warning: passing argument 5 of 'search_group_tree' makes integer from pointer without a cast
support_ldap.c:1101: error: too many arguments to function 'search_group_tree'
support_ldap.c:1166: error: too many arguments to function 'get_attributes'
support_ldap.c:1191: error: too many arguments to function 'get_attributes'
support_ldap.c:1245: warning: format '%s' expects type 'char *', but argument 5 has type 'int'
make[2]: *** [support_ldap.o] Error 1
make[2]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make: *** [all] Error 2

./configure result..

[r...@rhnet5 squid_kerb_ldap-1.2.1]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking size of short... 2
checking size of int... 4
checking size of long... 4
checking for krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking com_err.h usability... no
checking com_err.h presence... no
checking for com_err.h... no
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking whether krb5_kt_free_entry is declared... no
checking for krb5_kt_free_entry in -lkrb5... yes
checking for krb5_get_init_creds_keytab in -lkrb5... yes
checking ldap.h usability... no
checking ldap.h presence... no
checking for ldap.h... no
checking lber.h usability... no
checking lber.h presence... no
checking for lber.h... no
checking for main in -llber... no
checking for main in -lldap... no
checking for struct ldap_url_desc.lud_scheme... no
checking for ldapssl_client_init in -lldap... no
checking for ldap_url_desc2str in -lldap... no
checking for ldap_url_parse in -lldap... no
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
checking sasl/sasl.h usability... no
checking sasl/sasl.h presence... no
checking for sasl/sasl.h... no
configure: ## -##
configure: ##
configure: ## mit has been selected
configure: ##
configure: ## -##
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
configure: updating config.h

On 02/03/2010 19:07, Henrik Nordstrom hen...@henriknordstrom.net wrote:

Tue 2010-03-02 at 17:34 + Nick Cairncross wrote:

It seems to be complaining about krb5.h... it doesn't appear on my server though I am successfully using Kerberos (configured using Samba
[squid-users] Squid_ldap_kerb make
Hi All,

I'm now looking at squid_ldap_kerb for my group lookups but I'm receiving the following error during 'make':

make all-recursive
make[1]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[2]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT squid_kerb_ldap.o -MD -MP -MF .deps/squid_kerb_ldap.Tpo -c -o squid_kerb_ldap.o squid_kerb_ldap.c
In file included from support.h:31,
                 from squid_kerb_ldap.c:35:
config.h:738:18: error: krb5.h: No such file or directory
In file included from squid_kerb_ldap.c:35:
support.h:76: error: expected specifier-qualifier-list before 'krb5_context'
make[2]: *** [squid_kerb_ldap.o] Error 1
make[2]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make: *** [all] Error 2

It seems to be complaining about krb5.h... it doesn't appear on my server though I am successfully using Kerberos (configured using Samba).

Thanks
Nickcx