Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Markus Moeller
-551c1fe77...@spamtrap.tnetconsulting.net... On 10/16/21 1:31 PM, Markus Moeller wrote: I think you talk about a kdc proxy, which is for another case. I don't think so. I'm not talking about using a proxy to access the KDC. I'm talking about using a component of the following s

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
GSS_C_NO_NAME option to select either key. A second option is to add a second service principal name to the proxy2 AD account and use -s GSS_C_NO_NAME. Regards Markus "Amos Jeffries" wrote in message news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz... On 14/10/21 8:48 am, Mark

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
I think you talk about a kdc proxy, which is for another case. Regards Markus "Grant Taylor" wrote in message news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net... On 10/13/21 1:48 PM, Markus Moeller wrote: The problem lies more in the way how Kerb

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-13 Thread Markus Moeller
The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication proxy2.

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
"Alex Rousskov" wrote in message news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com... On 10/9/21 1:46 PM, Markus Moeller wrote: i try to find a way how squid can "route" all Internet domains to a default proxy and a subset of well defined domains to the

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
"Alex Rousskov" wrote in message news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com... On 10/9/21 9:06 AM, Markus Moeller wrote: Hi, I have now tested with the below config and I see my first request works, but the second fails. So I am not sure if it is still a con

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
CT_FAIL 110 Vary: Accept-Language Content-Language: en X-Cache: MISS from clientproxy X-Cache-Lookup: MISS from clientproxy:3128 Connection: keep-alive -- Thank you Markus "Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io... I understand now better the concept. Thank y

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
I understand now better the concept. Thank you Markus "Alex Rousskov" wrote in message news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com... On 10/8/21 8:02 PM, Markus Moeller wrote: I try to setup a proxy chain, but don't get the setup right. I have o

[squid-users] squid 5 and parent peers

2021-10-08 Thread Markus Moeller
Hi, I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet). With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why ?

Re: [squid-users] problen whith authentication

2021-02-04 Thread Markus Moeller
What does the cache log show ? Markus "Alex Gutiérrez" wrote in message news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu... Hi community, recently I install an old UBT 18.04 with squid 3. I use to authenticate my users kerberos. Everything seems great, but my all my users are able to use

Re: [squid-users] Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

2021-02-02 Thread Markus Moeller
Hi Klaus, The negotiate_kerberos_auth helper is not intended to run on Windows. How did you compile it ? Markus "Klaus Westkamp" wrote in message news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net... Hi, I dug a little further (but I'm no expert in WinDBG): Attaching to the p

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-25 Thread Markus Moeller
Hi Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The kerberos client will try to request a ticket based on the used hostname. e.g. if you configure in your browser the proxy name as ha-proxy.slb.example.com then the client will look for a serviceprincipal of HT

Re: [squid-users] squid kerberos auth, acl note group

2020-07-25 Thread Markus Moeller
Hi Klaus, Is the group you added a security group ? Only security groups are part of the Kerberos ticket. Which authorisation helper do you use or is this just based on the auth helper output ? What do you see on the client ? e.g. in powershell run whoami /groups Did you clear th

Re: [squid-users] [squid-announce] Squid-4.5 is available

2019-01-08 Thread Markus Moeller
Hi Amos, Is there any reason that kerberos_sid_group is not included in the tar ? Thank you Markus "Amos Jeffries" wrote in message news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz... The Squid HTTP Proxy team is very pleased to announce the a

Re: [squid-users] Squid Kerberos helper leaking memory - OpenBSD 6.3

2018-09-04 Thread Markus Moeller
Can you run the helper standalone with valgrind ? e.g. ./negotiate_kerberos_auth_test squid.example.com 3 | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | valgrind --log-file=./negotiate_kerberos_auth.val --leak-check=full --show-reachable=yes -v ./negotiate_kerberos_auth -d -t none -k

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-12 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos Jeffrie

Re: [squid-users] Kerberos Heimdal Server Authentication

2018-05-11 Thread Markus Moeller
Can you capture the traffic on port 88 ? Heimdal does not have helpful messages, so seeing the real traffic may help identify the issue. Kinit should create an AS req/rep the test program creates a TGS req/rep Example attached if it gets through. Markus "Panagiotis Bariamis" wrote in message ne

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-11 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos Je

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-24 Thread Markus Moeller
Hi Jeroen, Do you use Active Directory as ldap server ? My automated test says it is not. I use this check to determine the group attribute check. support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,

[squid-users] Simple ACL help for Kerberos authenticated sessions

2017-08-08 Thread Markus Moeller
Hi, When using the latest squid 4 release you can use %note{group} to get the group information from the Negotiate Kerberos helper to transfer the PAC group SIDs to the external ACL helper. squid.conf ... external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl

Re: [squid-users] AD / Kerberos Issues

2016-11-25 Thread Markus Moeller
Hi Rick, The log indicates that your Browser sent an NTLM token not a Kerberos token. This can be easily seen from the first characters of the token (TlRM). Check the Kerberos communication on the client ( i.e. port 88). The client should request a token for HTTP/ and receive it. If not

Re: [squid-users] SSO (kerberos)

2016-09-22 Thread Markus Moeller
Hi Did you try the debug option -d for ext_kerberos_ldap_group_acl to get some debug ? Maybe it gives some indication of the problem ? Markus "erdosain9" wrote in message news:1474570767416-4679652.p...@n4.nabble.com... So, i have a little more of info this is config ###Kerberos Auth

Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-16 Thread Markus Moeller
Hi Silamael, Can you perform a kinit u...@example.com ? Does the squid user have read access to krb5.conf ? Markus "Silamael Darkomen" wrote in message news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de... Hello, I'm currently working on setting up our proxy to authenticate

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread Markus Moeller
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Markus Moeller Sent: Saturday, 27 August 2016 16:52 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmay

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-29 Thread Markus Moeller
ut I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it. My Linux distribution is CentOS 7 Regards, Márcio 2016-08-28 15:24 GMT-03:00 Markus Moeller : Hi Marcio, The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh which is in

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-28 Thread Markus Moeller
Hi Marcio, The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab and you must have done kinit to authenticate against a Kerberos server (e.

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-27 Thread Markus Moeller
Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-27 Thread Markus Moeller
Hi Louis, I made lately a change in how the SSL certificate verification is done. Did you use the latest version from trunk ? Also set the variable TLS_CACERTFILE in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do not read any ldap.conf file for this yet. Marku

Re: [squid-users] missing negotiate_kerberos_auth on my squid

2016-05-31 Thread Markus Moeller
/hostname.domain@domain.org –d Then you get debug output in your cache.log file. Markus "Markus Moeller" wrote in message news:nikoqr$i2m$1...@ger.gmane.org... What does the log say when you use the –d option with the helper Markus "Nilesh Gavali" wrote in message news

Re: [squid-users] Changing negotiate_kerberos_auth default location forrcache

2016-04-19 Thread Markus Moeller
Hi Michael, Yes you should be able to set a environment variable KRB5RCACHEDIR in your startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache type. Markus "Michael Pelletier" wrote in message news:caencsg74pkxndiasr4yfgy9uuzqhk21jl5uytzxp6_tmpeu...@mail.gmail.com..

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread Markus Moeller
belonging to EXTERNALS.COM are joined to EXTERNALS.COM Best Regards. Sent: Saturday, March 19, 2016 at 12:28 AM From: "Markus Moeller" To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] NEGOTIATE Kerberos Auth Hi, Is your client a member of FATHER.COM or KID1.

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-18 Thread Markus Moeller
Hi, Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ? Can you get a wireshark capture on your client on port 88 ? You should see some TGS –REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ? Regards M

Re: [squid-users] Kerberos (Negotiate) problem with win2008 AD users

2016-03-05 Thread Markus Moeller
You are welcome Markus "Victor Sudakov" wrote in message news:20160305180102.ga94...@admin.sibptus.tomsk.ru... Markus Moeller wrote: If I look at the wireshark capture details I see that the client is sending a key of version 3( kvno) , but the keytab is version 1. This will

Re: [squid-users] Kerberos (Negotiate) problem with win2008 AD users

2016-03-05 Thread Markus Moeller
) kvno: 3 cipher: 265a0b2badd3eb5a0677731ae8a61f5ca6b1c63c466defe9... authenticator "Victor Sudakov" wrote in message news:20160305112825.ga91...@admin.sibptus.tomsk.ru... Markus Moeller wrote: What does

Re: [squid-users] Kerberos (Negotiate) problem with win2008 AD users

2016-03-04 Thread Markus Moeller
Hi Victor, What does the squid log say when you use -d for the authentication helper ? Can you provide a wireshark capture from the client ? I guess that 2008 is using AES not RC4. Markus "Victor Sudakov" wrote in message news:20160304162923.gb81...@admin.sibptus.tomsk.ru...

Re: [squid-users] Squid 3.3.8 -- Authentication Problems when usingAlias Host Name

2016-02-21 Thread Markus Moeller
Hi Markus, When you say authentication does not work, do you mean Kerberos authentication or Kerberos and NTLM ? Can you add a -d for debug to the Kerberos authentication helper and provide the log file messages ? Can you also provide the content of the keytab ? Regards Markus "Markus So

Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller
ch with winbind, I kinit with my personal admin account and also do a net ads join -U . the password on the doesn't / hasn't changed. are you talking about the computer account password ? if so, then I setup a different computer account for the squid kerberos application ! On 9 Decem

Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller
Hi, The issue appears if you use the same AD account for samba and the kerberos keytab creation. As samba will reset the password of the AD account and thereby invalidate the extracted keytab. Markus "Alex Samad" wrote in message news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qfnewm...

Re: [squid-users] negotiate_wrapper: Return 'AF = * username

2015-11-21 Thread Markus Moeller
What other output do you get when using –d ( i.e. enable debug output) ? It may indicate the reason for your return message. Markus "Michael Pelletier" wrote in message news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com... Hello, I am building a new squid virtual templat

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-05 Thread Markus Moeller
, November 03, 2015 9:22 AM To: Markus Moeller Subject: Re: [squid-users] Squit with NTLM and Kerberos auth => a error that's said that squid can be used with Windows AD ? 2015-11-02 22:46 GMT+01:00 Markus Moeller : Hi Olivier, If I decode a token I see /base64>

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier, If I decode a token I see /base64> hexdump -c base64_dec.out 000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201 010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002 020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004 030

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier, Which Kerberos version do you use ? MIT or Heimdal ? Markus "Olivier CALVANO" wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com... Hi, I test an AD authentication with Kerberos/Ntlm ### negotiate kerberos and ntlm authentication auth_par

Re: [squid-users] Negotiateauthenticator processes are busy

2015-10-14 Thread Markus Moeller
What happens if you adjust the system time to be in sync with the AD server ? Markus "Михаил" wrote in message news:1462781444845...@web15m.yandex.ru... Hi All! Sometimes I get an error message and squid stops: 2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator processes are busy.

Re: [squid-users] squid 3.5.7 for Windows (from Diladele) and kerberosauth

2015-09-20 Thread Markus Moeller
Hi Paul, negotiate_kerberos_auth is for Unix only. Regards Markus "MORRIS Paul [Tuart College]" wrote in message news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal... Hi, I am trying without success to use the "negotiate_kerberos_auth.exe" helper and "basic_sm

Re: [squid-users] Squid3 Kerberos Auth works but does not update theusers group membership in the winbind cache of samba as forexamle ntlm_auth does

2015-09-13 Thread Markus Moeller
Hi Enrico, The Kerberos helper will authenticate only for now ( There is now code to get the group information, but it is not further processed). It does not do anything to group membership like the winbind cache. Also keep in mind Kerberos cache for about 10 hours the ticket on the cl

Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

2015-08-18 Thread Markus Moeller
Hi Louis, When you have an offline PC do you use DHCP to give an IP ? If so can you also provide the PC with a WINS server via DHCP ? If that is possible and you run WINS you can authenticate the user with u...@domain.com when you get the authentication popup. The WINS server will point t

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
Context it's good for you ? regards olivier 2015-05-03 13:25 GMT+02:00 Markus Moeller : Did you compile msktutil or is it a package in centos ? Markus "Olivier CALVANO" wrote in message news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.c

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
_get_pwdLastSet: pwdLastSet is 130751472429170776 Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication error Error: set_password failed -- ~KRB5Context: Destroying Kerberos Context 2015-05-03 13:25 GMT+02:00 Markus Moeller : Did you compile msktutil or is it a package in c

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
krb5-libs-1.12.2-14.el7.x86_64 regards olivier 2015-05-03 0:25 GMT+02:00 Markus Moeller : Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0 Markus "Olivier CALVANO" wrote in message news:CAJajPefo3t8b1=_v5pfj3h

Re: [squid-users] Squid and Kerberos problems

2015-05-02 Thread Markus Moeller
Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0 Markus "Olivier CALVANO" wrote in message news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com... Hi I request your help because i want use NTLM/Kerberos for a

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-19 Thread Markus Moeller
Hi Joao, OK now you use the authentication rule. How did you create the keytab ? Does the hostname match the keytab entry ? Can you run the helper with –d to get more debug ? Markus From: Joao Paulo Monticelli Gaspar Sent: Thursday, March 19, 2015 12:41 AM To: Markus Moeller

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-18 Thread Markus Moeller
Hi Joao Then you hit http_access allow localnet and not http_access allow ad_auth Comment out the following line in squid.conf http_access allow localnet and try again. Markus From: Joao Paulo Monticelli Gaspar Sent: Wednesday, March 18, 2015 11:38 PM To: Markus Moeller Subject: Re

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-18 Thread Markus Moeller
Hi, From which network do you surf ? From localnet ? Can you send sample log entries ? Markus From: Joao Paulo Monticelli Gaspar Sent: Wednesday, March 18, 2015 9:18 PM To: Markus Moeller Subject: Re: [squid-users] Squid + AD + Kerb auth question squid.conf visible_hostname

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-18 Thread Markus Moeller
What does the config file look like ? Markus "Joao Paulo Monticelli Gaspar" wrote in message news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com... Hey people I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID integrated to a W2K8 AD server with ker

Re: [squid-users] negotiate_wrapper: fgets() failed! dying..

2015-03-12 Thread Markus Moeller
Do you get any more details when you start the wrapper with –d ? Markus "Donny Vibianto" wrote in message news:CAC49LV6SRXbiFcGxqZgAoaHPj1qeifERtSN63ZrDsa_b=iw...@mail.gmail.com... anyone please...? On Sat, Mar 7, 2015 at 10:02 PM, Donny Vibianto wrote: Hi Guys, After two weeks succe

Re: [squid-users] Logging variable question

2015-03-01 Thread Markus Moeller
Oh pretty old bug. Thank you Markus "Amos Jeffries" wrote in message news:54f26815.4020...@treenet.co.nz... On 1/03/2015 4:55 a.m., Markus Moeller wrote: Hi, I wonder about the total size variables st for squid logs # st Received request size including HTTP heade

Re: [squid-users] benefitsofusingext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-16 Thread Markus Moeller
Good to hear. It seems freebsd has com_err.h why I did not come across it lately. Markus "Simon Stäheli" wrote in message news:ee58fc57-6b97-4de6-9fdf-2881209a5...@open.ch... On 14.02.2015, at 15:43, Markus Moeller wrote: On 12.02.2015, at 17:58, Amos Jeffries wrote:

Re: [squid-users] benefits ofusingext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-14 Thread Markus Moeller
On 12.02.2015, at 17:58, Amos Jeffries wrote: On 13/02/2015 5:41 a.m., Simon Stäheli wrote: hmh, HAVE_KRB5 seems not to be set in include/autoconf.h What is the correct way to provide squid the path to the kerberos header files? ./configure —help doesn’t show a useful option as --with-k

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-14 Thread Markus Moeller
@gmail.com... Markus Moeller writes: > It could be the new AD server is setup to be backward compatible > meaning it uses RC4 despite being able to use AES. I suggest you create > an additional keytab entry for RC4. How did you create the keytab ? Now it seems to work: # /usr/

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-13 Thread Markus Moeller
It could be the new AD server is setup to be backward compatible meaning it uses RC4 despite being able to use AES. I suggest you create an additional keytab entry for RC4. How did you create the keytab ? Markus "Ludovit Koren" wrote in message news:86mw4hbl56@gmail.com..

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-13 Thread Markus Moeller
ssage news:86r3ttbn7d@gmail.com... Markus Moeller writes: > Hi Ludovit, > How did you create the keytab ? Usually there is an option allowing > you to select the encryption type. The other place to check would be > /etc/krb5.conf. It can contain a list of supported

Re: [squid-users] benefits of usingext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-11 Thread Markus Moeller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Kerberos domain name” mappings provided by the -N option. As far as I can tell,

Re: [squid-users] benefits ofusing ext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-11 Thread Markus Moeller
"Amos Jeffries" wrote in message news:54BE3B5C.8040800 at treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Ke

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-11 Thread Markus Moeller
;sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes Markus "Ludovit Koren" wrote in message news:86h9usfpsk@gmail.com... Markus Moeller writes: > Hi Ludovit, > Which

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-10 Thread Markus Moeller
Vno Type Principal Aliases 8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local@MDPT.LOCAL Markus "Ludovit Koren" wrote in message news:86d25i9plr@gmail.com... Markus Moeller writes: > Hi Ludovit, > I haven't seen tha

Re: [squid-users] benefits of using ext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-09 Thread Markus Moeller
"Amos Jeffries" wrote in message news:54BE3B5C.8040800 at treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-09 Thread Markus Moeller
Hi Ludovit, I haven't seen that error before either, but when you test you should have your own user credentials in the cache. You should use kinit @MDPT.LOCAL and then try again the test. Is the hostname correctly set to squid1.mdpt.local ? If not try /usr/local/libexec/squid/negotiate_k

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller
"Amos Jeffries" wrote in message news:54be3b5c.8040...@treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Ker

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller
what the differences between the two helpers are and which one does fit my needs better. Any others? Nothing I can pick out easily. Do you know anything about the feature in ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an earlier post? "I have a new method in my squid 3.4 p

Re: [squid-users] Proxy to proxy authentication

2014-12-30 Thread Markus Moeller
I thought it wasn't trivial, otherwise it would have been already done. ;-) Thank you Markus "Amos Jeffries" wrote in message news:54a3416f.9060...@treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 31/12/2014 7:59 a.m., Markus Moeller wrote: Hi Amos, On

Re: [squid-users] Proxy to proxy authentication

2014-12-30 Thread Markus Moeller
Hi Amos, On 30/12/2014 3:31 p.m., Markus Moeller wrote: Hi, Can squid authenticate to an upstream proxy using digest ? If I saw it right cache_peer allows basic and negotiate only (or passthrough) Thank you Markus Not yet. Amos Is it planned to add or no real interest in it ? Thank

[squid-users] Proxy to proxy authentication

2014-12-29 Thread Markus Moeller
Spam detection software, running on the system "master.squid-cache.org", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content p

Re: [squid-users] squid with kerberos

2014-12-10 Thread Markus Moeller
Hi Ahmed, squid is a proxy which supports Kerberos authentication. Markus "Ahmed Allzaeem" wrote in message news:001201d014d3$037fda70$0a7f8f50$@netstream.ps... Hi , I have a Kerberos protected website. I am making a Kerberos enabled browser. I need to test my browser for proxy support. A

Re: [squid-users] Kerberos Authentication Failing for Windows 7+with BH gss_accept_sec_context() failed

2014-11-01 Thread Markus Moeller
o that and send you the .cap file. Thanks for all the help so far. Pedro Lobo On 27 Oct 2014, at 20:53, Markus Moeller wrote: Hi Pedro, Can you capture the traffic from one Windows 7 on XP client on port 88 ( just after the login before access a website via squid until successful o

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
in message news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone... Hi Markus Moeller, Hi Markus, Yeah, I'm currently using that option and permissions are correct too. On 27 Oct 2014 19:47, Markus Moeller wrote: Hi Pedro, Did you try the –s GSS_C_NO_NAME option ? Markus "

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
nd XP/2003 machines are working just fine. I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH Craving ideas and solutions right now... Pilot users are less than satisfied ;) Cheers, Pedro On 25 Oct 2014, at 14

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-25 Thread Markus Moeller
ad permissions). Fixing that seems to have sorted out the problem. I'll be doing more extensive tests on Monday when the test group start surfing the web. Thanks for all the help! On 25 Oct 2014, at 14:13, Markus Moeller wrote: Hi Pedro, I wonder if the upper case in the name is a

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-25 Thread Markus Moeller
4 22:59:50 host/proxy01tst.fake@fake.net (aes128-cts-hmac-sha1-96) 2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (aes256-cts-hmac-sha1-96) Yep, using MIT Kerberos Thanks in advance for any help. Cheers, Pedro On 25 Oct 2014, at 1:26, Markus Moeller wrote: Hi Pedro, H

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-24 Thread Markus Moeller
Hi Pedro, How did you create your keytab ? What does klist –ekt show ( I assume you use MIT Kerberos) ? Markus "Pedro Lobo" wrote in message news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com... Hi Squid Gurus, I'm at my wit's end and in dire need of some squid expertise. We've got a pr

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Markus Moeller
Hi Victor, That sounds a bit strange. Can you capture with wireshark the traffic on port 88 on the system which has squiduser in the cache ( best after a clear the cache with kerbtray first) when accessing squid and send it to me as cap file ? Markus "Victor Sudakov" wrote in message n

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-14 Thread Markus Moeller
Hi Victor, That just means that the server requires more information from the client. This could happen if mutual authentication is required or the dataset is too large and had to be split. If you run it in squid the client would send new data until the server says the exchange is complete (

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
Also you can overwrite it with the -s option if you really need to. Markus "Victor Sudakov" wrote in message news:20141011131747.ga56...@admin.sibptus.tomsk.ru... Markus Moeller wrote: Hi Viktor, These sections of code do the selection in squid: char *service_name = (cha

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
HTTP is the standard service for HTTP authentication (web and proxy) Markus "Victor Sudakov" wrote in message news:20141011131747.ga56...@admin.sibptus.tomsk.ru... Markus Moeller wrote: Hi Viktor, These sections of code do the selection in squid: char *service_name = (cha

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
else { server_name = GSS_C_NO_NAME; major_status = GSS_S_COMPLETE; minor_status = 0; } } else { major_status = gss_import_name(&minor_status, &service, gss_nt_service_name, &server_name); } Regards Markus "Victor Sudakov

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
Good to see it works now. As far as I recall the MIT message is clearer in this case. Regards Markus "Victor Sudakov" wrote in message news:20141011044626.gb49...@admin.sibptus.tomsk.ru... Markus Moeller wrote: > What if the service principal's name in squid's key

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-10 Thread Markus Moeller
I think it could. Can you try the option -s GSS_C_NO_NAME ? Markus "Victor Sudakov" wrote in message news:20141010113630.ga39...@admin.sibptus.tomsk.ru... Colleagues, What if the service principal's name in squid's keytab does not coincide with the host's primary FQDN (AKA `hostname`)? E.g

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Markus Moeller
sub(/Token:/,"YR"); print $0}END{print "QQ"}' | strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d Markus "Victor Sudakov" wrote in message news:20141008032925.ga77...@admin.sibptus.tomsk.ru... -----BEGIN PGP SIGNED MESSAGE-

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Markus Moeller
| awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | strace -f -F -o negotiate_kerberos_auth.strace ./negotiate_kerberos_auth -d Markus "Victor Sudakov" wrote in message news:20141008032925.ga77...@admin.sibptus.tomsk.ru... -----BEGIN PGP SIGNED

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Markus Moeller
Hi Victor, In the helpers/negotiate_auth/kerberos directory is a script test_negotiate_auth.sh to test authentication outside of squid. Change dir to your binary directory and do the following ( please adapt to your environment): export KRB5_KTNAME=squid-win.keytab kinit m...@win2003r2.hom

Re: [squid-users] Kerberos auth not working

2014-10-03 Thread Markus Moeller
Can you capture the traffic on port 88 from the PC to AD after a clean boot and when you access squid ? Markus "masterx81" wrote in message news:1412360733691-4667648.p...@n4.nabble.com... All solved! Seem that kerberos is ALWAYS not working only on a specific worstation. If i use kerberos