You may need to increase the following:
src/auth/UserRequest.h:#define MAX_AUTHTOKEN_LEN 32768
Regards
Markus
Amos Jeffries wrote in message news:52971e79.9030...@treenet.co.nz...
On 28/11/2013 10:42 p.m., Berthold Zettler wrote:
Hi Madhav,
all relevant a systems (AD-Controllers and
is there.
Unfortunately, this service principal didn't appear in keytab.
On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller hua...@moeller.plus.com
wrote:
Exactly you need the HTTP service principal in the keytab.
Regards
Markus
Mihail Lukin wrote in message
, Markus Moeller hua...@moeller.plus.com
wrote:
Hi Mihail,
If you use wireshark you can expand the details of:
Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
It will tell you which service principal the client is sending to the
server ? I wonder if the name matches the names in your keytab
The easiest way is to look at the traffic in wireshark.
Markus
Carlos Defoe wrote in message
news:cahshsyvkkczcf+6f1mqqrmmhgodxyn_boeeqcvva3yh4ywl...@mail.gmail.com...
My goal was only to know which computer and/or user is failing to use
each method of authentication. The network is too
for the hint!
On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
hua...@moeller.plus.com wrote:
Hi Mihail,
Did you use export KRB5_KTNAME to point to the right keytab ? Is the
keytab readable by the user under which squid runs ?
Markus
Mihail Lukin wrote in message
news:CAAmm_rZ8jNoeFMRGthiYeHQ
Hi Mihail,
Did you use export KRB5_KTNAME to point to the right keytab ? Is the
keytab readable by the user under which squid runs ?
Markus
Mihail Lukin wrote in message
news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=r...@mail.gmail.com...
Hello,
I'm trying to configure Squid
=(...); EZCLIENT=(...)
Firefox: Cookie: EZCLIENT=(...)
Firefox doesn't have the __utma and __utmz, would that be the problem?
Regards
Allan Carvalho
On 24/10/2013 19:02, Markus Moeller wrote:
Hi Allan,
Can you take a capture of the traffic from your client to squid with
wireshark ? Look
Hi Allan,
Can you take a capture of the traffic from your client to squid with
wireshark ? Look at port 3128 (squid proxy port) traffic and in the details
you can see the negotiate exchange. Can you compare what you see with IE
and firefox ? Wireshark allows you to expand into the
Hi Marko,
Do you use MIT or Heimdal libraries ? Is your proxy fqdn
rsbgyucnix05.kappastar.com ?
Regards
Markus
MarkoCupać wrote in message
news:20131014172926.9e9e75039fff88058383c...@mimar.rs...
On Mon, 14 Oct 2013 18:17:30 +0300
Pavel Kazlenka pavel.kazle...@measurement-factory.com
Hi Eugene,
I am curious about what you see. Could you do a traffic capture on port
88(Kerberos), 53(DNS) and 389(LDAP) ? In theory the acl helper does cache
results and depending on the caching you should see this delay only for the
first login of the user ( I accept it is too long).
Hi Eugene,
Do you work in a Windows environment with AD as kdc ? I have a new
method in my squid 3.4 patch (see squid dev list) which uses the Group
Information MS is putting in the ticket. This would eliminate the ldap
lookup completely.
Markus
Eugene M. Zheganin eug...@zhegan.in
Eugene M. Zheganin eug...@zhegan.in wrote in message
news:5226b394.90...@zhegan.in...
Hi.
On 04.09.2013 01:42, Markus Moeller wrote:
Do you work in a Windows environment with AD as kdc ? I have a new
method in my squid 3.4 patch (see squid dev list) which uses the Group
Information MS
just put the IP address? Right now i cannot do much tests, cause
i have no testing environment. I will configure and then wait for the
next failure.
thank you
On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
hua...@moeller.plus.com wrote:
Hi Carlos,
The helper must determine somehow a LDAP
Hi Carlos,
The helper must determine somehow a LDAP server and as you say there are
several options to failover. I wonder why the CPU goes up (How many
connections/sec do you have). I don't see a magical way to avoid a timeout
if an ldap server fails and squid caches authorisation status
Maybe it is somewhere in the auth handler in squid.
Markus
Klaus Walter klaus.wal...@spb.de wrote in message
news:086bae224bf3fd9ccf686c85e2e54...@myway.de...
Hi Markus,
yes, you are right.
But why is squid using more and more memory until it dies because there
is no more memory available at
Hi Klaus,
If I did not make an error it is the following line:
service_principal = xstrdup(optarg);
and it is not part of a loop and should not create a leak. It gets freed
when the helper exits.
Markus
Klaus Walter klaus.wal...@spb.de wrote in message
Hi Glenn,
If you follow the online guide at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will
see for win2008 a
msktutil -c -b CN=COMPUTERS -s HTTP/fqdn -h fqdn -k
/etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/fqdn --server
domain controller
Hi Klaus,
Thank you for the valgrind output. Could you compile and link the helper
with -g to get the source code line.
Thank you
Markus
Klaus Walter klaus.wal...@spb.de wrote in message
news:20130805115312.15524n2zj4ecq...@webmail.mnet-online.de...
Hi Markus,
thank you very much for
Hi Klaus
If the token is too big then you need to update the source here:
src/auth/UserRequest.h:#define MAX_AUTHTOKEN_LEN 32768
I am curious about the memory leak as I run it through valgrind ( I
noticed some underlying Kerberos library leaks, but no leaks in the helper
itself). Can
Amos Jeffries squ...@treenet.co.nz wrote in message
news:51ede943.6030...@treenet.co.nz...
On 23/07/2013 1:50 p.m., Brendan Kearney wrote:
On Tue, 2013-07-23 at 00:07 +0100, Markus Moeller wrote:
Hi Eugene,
Looks like an interesting problem. Can you wireshark the traffic on
your
home
Hi Eugene,
Looks like an interesting problem. Can you wireshark the traffic on your
home machine on port 88 ( Kerberos ). If the negotiate wrapper says you got
a Kerberos token you should see traffic on port 88.
Markus
Eugene M. Zheganin e...@norma.perm.ru wrote in message
news:51e51eca.2010...@norma.perm.ru...
Hi.
On 15.07.2013 23:02, Michele Bergonzoni wrote:
I did a few tests with ntlm_auth from samba4, and it seems to work,
with some residual problems with firefox and PCs not joined in the
domain, and
In addition you need to add an option to squid_kerb_auth -s GSS_C_NO_NAME
otherwise the module will expect a HTTP/proxy-name
Markus
SPG spggps...@gmail.com wrote in message
news:1369208281267-4660187.p...@n4.nabble.com...
Hi,
I've read a lot of post about kerberos and load balancers, but I
If the PC which is not in the domain has WINS configured via DHCP you should
also be able to use Kerberos with user@DOMAIN and domain password in the
popup.
Markus
Delton del...@bnpapel.com.br wrote in message
news:51954355.1000...@bnpapel.com.br...
Guys,
I ran some more tests.
Only
Hi Carlos,
It is the client who determines what is used. If Kerberos works on the
client then that will be used over NTLM.
Markus
Carlos Defoe carlosde...@gmail.com wrote in message
news:cahshsyuceybt-dq-17l_vekv0_-wa3kpka6jp99v-doih51...@mail.gmail.com...
Hello,
Is it possible to
using
kerberos and ntlm, before the basic auth. If the memory problem is
from usernames received from basic authentication, i should see less
errors now. I also made one isolated clone of the proxy, for testing.
I will do more tests tomorrow.
On Thu, May 9, 2013 at 7:57 PM, Markus Moeller hua
set default
domain: %s\n, LogTime(), PROGRAM, up, dp);
else
log((char *) %s| %s: INFO: Got User: %s set default
domain: %s\n, LogTime(), PROGRAM, up, dp);
}
On Fri, May 10, 2013 at 3:18 PM, Markus Moeller hua...@moeller.plus.com
wrote:
Hi Carlos,
Could you run
Name: %s
So I do not see a case where The following would be logged INFO: Got
User: testusername Domain:.Can you get from the cache log the user
authentication details (e.g. was it basic or kerberos or ntlm) ?
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:kmfc9i$80t$1
/lib64/libc.so.6
On Fri, May 3, 2013 at 5:34 PM, Markus Moeller hua...@moeller.plus.com
wrote:
Hi Carlos
Can you run ext_kerberos_ldap_group_acl standalone with gdb ?
Use:
export KRB5_KTNAME=squid.keytab
gdb /usr/local/squid/libexec/ext_kerberos_ldap_group_acl
run your list of arguments
Has IE integrated windows authentication enabled ? Can you get a wireshark
capture from your windows machine on port 88.
Markus
SPG spggps...@gmail.com wrote in message
news:1367914304369-4659821.p...@n4.nabble.com...
A lot of thanks Markus and sorry by my big delay in answering but I
:00 1161
/lib64/libdl-2.12.so
36a800-36a8083000 r-xp fd:00 1154
/lib64/libm-2.12.so
Program received signal SIGABRT, Aborted.
0x0036a74328a5 in raise () from /lib64/libc.so.6
On Fri, May 3, 2013 at 5:34 PM, Markus Moeller hua...@moeller.plus.com
wrote:
Hi Carlos
Can you
fails
and the basic auth takes place. Probably with non-domain machines.
It's difficult to examine, because the proxy is active and with a
large number of users.
On Wed, May 8, 2013 at 6:21 PM, Markus Moeller hua...@moeller.plus.com
wrote:
Hi Carlos,
Which version do you use
Hi Carlos
Can you run ext_kerberos_ldap_group_acl standalone with gdb ?
Use:
export KRB5_KTNAME=squid.keytab
gdb /usr/local/squid/libexec/ext_kerberos_ldap_group_acl
run your list of arguments from squid config file
Once it runs enter the username you got from the kerberos auth helper e.g.
Could it be that a Windows application uses its system key to authenticate
against squid ? This could happen if no user is logged in and the
application runs as a service.
Markus
JC Putter jcput...@gmail.com wrote in message
Can you try kinit -V -k -t /etc/squid/.keytab HTTP/proxyprueba.xxx.xxx ?
Markus
SPG spggps...@gmail.com wrote in message
news:1364200322406-4659198.p...@n4.nabble.com...
Hi,
I have a domain with 2008 and 2003 DCs. If I genus a keytab in windows
2008
only work with 2008 server's and if I
Hi Alex,
The test you do is not a valid test for the Kerberos authentication
helper. The input is a Kerberos token which you can create with the tool
provided by issuing:
kinit user@DOMAIN
and
./squid_kerb_auth_test squid-fqdn
Token:
think I'm misunderstanding. Its is not possible to
assign the same SPN to real names of both the squids behind the
balancer?
Thanks,
Sean
On 1 March 2013 21:06, Markus Moeller hua...@moeller.plus.com wrote:
That should work. What do you see in Wireshark when you look at the
traffic
to the proxy
That should work. What do you see in Wireshark when you look at the traffic
to the proxy ? If you expand the Negotiate header you should see what is the
principal name and kvno. Both must match what is in your keytab ( check with
klist -ekt /etc/keytab)
Markus
Sean Boran s...@boran.com
...
On Fri, Feb 22, 2013 at 02:48:56PM +, Markus Moeller wrote:
A pure squid Kerberos authentication setup does not create any
connection
between squid and AD. I am 100% sure of that.
OK, in that case I am now confused.
If you use additionally squid_kerb_ldap then yes there are connections
Brett Lymn brett.l...@baesystems.com wrote in message
news:20130221233448.ga...@baea.com.au...
On Thu, Feb 21, 2013 at 11:23:32PM +, Markus Moeller wrote:
I don't think this has to do with squid and Kerberos.
Reasonably sure it does - for a start the machine that AD says is
causing
If you use Kerberos and NTLM do not use the same AD account. Samba will
update the AD account (e.g. change account password after x days) and
msktutil does the same. So you will always have a problem if you do not use
separate AD accounts and there is no reason to use the same.
Markus
JC
I don't think this has to do with squid and Kerberos. This is a Windows
client only issue. Usually the user should be prompted by Windows to update
the password. If the user does not update the password the client won't get
a Kerberos ticket and will fallback to NTLM if that also doesn't work
Have you tried the -r flag ?
./squid_kerb_auth -h
Usage:
squid_kerb_auth [-d] [-i] [-r] [-s SPN] [-h]
-d full debug
-i informational messages
-r remove realm from username
-s service principal name
-h help
The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab
default SPN is
@domain1:server2@domain2:server3@:server4 -
A
list is build with a colon as seperator
AUTHOR
This program was written by Markus Moeller
markus_moeller@compuserve.com
This manual was written by Markus Moeller
markus_moeller@compuserve.com
Ludovit Koren ludovit.ko...@gmail.com wrote in message
news:20130201.141430.1568838938187755043.ko...@tempest.sk...
On Wed, 30 Jan 2013 23:16:46 -
hua...@moeller.plus.com(Markus Moeller) said:
Hi Ludovit,
As background information the Negotiate protocol is a protocol which
can
Hi Ludovit,
As background information the Negotiate protocol is a protocol which can
handle Kerberos and NTLM tokens and the client decides based on its
configuration (and Active Directory) if Kerberos or NTLM will be used.
Usually if Kerberos is not correctly setup the client will use
- Original Message -
From: brendan kearney
To: Markus Moeller
Sent: Tuesday, January 15, 2013 12:42 PM
Subject: Re: [squid-users] Re: Re: Re: Help with Kerberos Configuration
Markus,
thank you for your continued efforts. i appreciate the help.
i did run the helper with the -d
Which error do you see in the squid log ? Can you run the squid_kerb_auth
helper with -d ?
Markus
brendan kearney bpk...@gmail.com wrote in message
news:CAARxGtgzUOc5u0rQ=Mhbxw25RP=dkoddokwiqre9fczj7je...@mail.gmail.com...
i have removed the keytab from the load balancer, and added the
If I look at the source no_suid is only called when chroot is configured and
that works only when you run squid as root.
Do you use chroot ?
Markus
Подшивалов Антон supp...@murmansk-tisiz.ru wrote in message
news:f12fa1c4899e5a792ca5791746dfa...@murmansk-tisiz.ru...
Hello and Happy New
light on what i could be
doing wrong. Please let me know if further clarification is
needed.
On 8/31/12, Markus Moeller hua...@moeller.plus.com wrote:
You may need a third entry in the keytab for the VIP. IE will look for
a
HTTP/vip ticket.
Regards
Markus
brendan bpk...@gmail.com wrote
Firefox and IE 9
-Original Message-
From: Markus Moeller
Sent: Thursday, January 03, 2013 1:09 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Fighting with kerberos: WARNING: received type
1 NTLM token
Hi David,
Can you get a ticket for HTTP/squid-fqdn ? Do you use IE
Hi David,
Can you get a ticket for HTTP/squid-fqdn ? Do you use IE or Firefox or
?
Markus
David Touzeau da...@articatech.com wrote in message
news:21acfb9be8e34c7dba0fa2f2d0b32...@fr.kaspersky.com...
Dear
I have connected the server to the Active Directory, get tickets and so
on.
- Original Message -
From: Ken Dreyer ktdre...@ktdreyer.com
Newsgroups: comp.protocols.kerberos
To: kerbe...@mit.edu
Sent: Friday, November 23, 2012 7:57 PM
Subject: new msktutil release (v0.4.2)
I'm pleased to announce release 0.4.2 of msktutil.
msktutil is a program for
Hi
I assume you use openldap on your freebsd build. Can you try from the
command line:
# kinit -kt /usr/local/etc/HTTP.keytab
HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
# ldapsearch -d 999 -H ldap://pollux.m-tisiz.local:389 -Y GSSAPI -O
maxssf=56 -b dc=M-TISIZ,dc=LOCAL -s sub
I found my error. squid was looking into the wrong conf file.
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:k6v2q5$lmn$1...@ger.gmane.org...
I try to create the cache with squid 3.2.2 but without success. How can I
debug this ? -X does not give anything useful.
# /opt
I try to create the cache with squid 3.2.2 but without success. How can I
debug this ? -X does not give anything useful.
# /opt/squid-3.2/sbin/squid -z -F
2012/11/01 23:56:09| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
'127.0.0.1'
2012/11/01 23:56:09| WARNING: because of this '127.0.0.1'
???
-Original Message-
From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de]
Sent: Thursday, 1 November 2012 13:49
To: Jarosch, Ralph; Markus Moeller; squid-users@squid-cache.org
Subject: AW: [squid-users] Re: No Kerberos Auth
Hello Markus,
I've found some answer from you
Hi Ralph,
If you use NTLM and Kerberos make sure you do NOT use the same AD account for
both. The samba daemon will change the password on a regular basis which
will bring the keytab out of sync with the AD account.
Your proxy will not need any kerberos cache (except if you use my
Hi,
I try to upload a file with curl which works fine without squid. But when
I try the upload with squid I get an error 417 Expectation Failed. I use
squid 3.1.16.
What does that mean ?
Thank you
Markus
curl -v --proxy-negotiate --form file_upload=@test.txt --form
do=test --form
Hi Sean,
When I said client I meant the Windows client ( or do you have also Unix
clients ?) On Windows you can install a tool called kerbtray which shows you
the ticket you have. If you don't see any ticket for HTTP/squid-fqdn you
need to use a capture tool like wireshark and look at the
Hi Sean,
If you see NTLM tokens in squid_kerb_auth then either you have not
created a keytab for squid or the client can not get a HTTP/squid ticket
from AD. Please capture traffic on port 88 for kerberos traffic on the
client and 3128 for squid traffic.
Markus
Sean Boran
You may need a third entry in the keytab for the VIP. IE will look for a
HTTP/vip ticket.
Regards
Markus
brendan bpk...@gmail.com wrote in message
news:1346159765625-4656345.p...@n4.nabble.com...
i have two squid instances on two separate servers. each is configured
with
kerberos auth,
Hi Vaelenor,
What does the logfile say when you run squid_kerb_auth with -d as an
option ?
Markus
Vaelenor ajag...@hotmail.com wrote in message
news:1345467274306-4656269.p...@n4.nabble.com...
Hiya,
Thnx for the fast reply, and yes, I did give it permission...
--
View this message in
Hi Paul,
Does squid running user have read access to the keytab ? Did you use
export KRB5_KTNAME to point to the keytab in the startup script ? What is
the hostname of your squid host ? Did you get a minor code message ?
Check also my page for some further hints
to alter the format of the
returned username?
Thanks again
Paul
On 18 August 2012 13:30, Markus Moeller hua...@moeller.plus.com wrote:
Hi Paul,
Does squid running user have read access to the keytab ? Did you use
export KRB5_KTNAME to point to the keytab in the startup script ? What
You probably need to ask on a SELINUX mailing list. I don't see a reason
why SELINUX behaves different on x64 compared to x86.
Markus
Viorel Robu viorelr...@yahoo.com wrote in message
news:loom.20120813t094910-...@post.gmane.org...
Markus Moeller huaraz at moeller.plus.com writes:
Good
Good news.
Thank you for sharing.
Markus
Viorel Robu viorelr...@yahoo.com wrote in message
news:loom.20120810t112710-...@post.gmane.org...
Hooray!!! I solved my problem with squid_kerb_auth!!!
The problem was not in architecture, as I wrongly supposed. The problem is
SELINUX, even in
Hi Rickifer,
squid_kerb_ldap does not require squid_kerb_auth. You can use command line
options for ldap and a default realm.
ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ] [-N
Netbios-Realm-List] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password] [-b
Ldap-Bind-Path] [-l
Jeffries squ...@treenet.co.nz wrote in message
news:61820e9d911d198441ff3778b6f10...@treenet.co.nz...
On 01.08.2012 06:37, Markus Moeller wrote:
Hi Amos,
Does squid have an inverse function ? I need UTF-8 encoded strings
for ldap matches and squid_kerb_auth gives me that (as far as I
recall) . Would
Hi Viorel,
What you mean with a list of high load sites ? Are you saying that the
performance depends on which sites you are accessing via squid ?
Regards
Markus
Viorel Robu viorelr...@yahoo.com wrote in message
news:loom.20120806t080838-...@post.gmane.org...
Markus Moeller huaraz
Hi Eugene,
How would a squid_group_ldap line look like ? From where would the
group name come from ? I could try to add this feature.
Thank you
Markus
Eugene M. Zheganin e...@norma.perm.ru wrote in message
news:501f74f7.2090...@norma.perm.ru...
Hi.
On 03.08.2012 04:02, Markus Moeller
What debug setting do I need to know which client connection is sent to
which helper process ?
Thank you
Markus
Hi Viorel,
It is the first time I hear that x64 performs differently to x86. I have
no idea how to debug such a situation.
Markus
Viorel Robu viorelr...@yahoo.com wrote in message
news:loom.20120803t121805-...@post.gmane.org...
Simon Dwyer mail at simmyd.net writes:
Hi all,
I have
Hi Eugene,
What do you suggest squid_kerb_ldap should do to make it simpler for you ?
Markus
Eugene M. Zheganin e...@norma.perm.ru wrote in message
news:501a1d2c.9060...@norma.perm.ru...
Hi.
On 01.08.2012 23:02, Markus Moeller wrote:
Hi Eugene,
Are all 12 groups for the same control
Hi Eugene,
Are all 12 groups for the same control ? If so you can use -g
Group1:Group2:Group3:.
Markus
Eugene M. Zheganin e...@norma.perm.ru wrote in message
news:5019446a.3060...@norma.perm.ru...
Hi.
One more question - is there any way to parametrize the group name, so it
will
:89ad0c1deef6144a82a9c1b5cd694...@treenet.co.nz...
On 31.07.2012 11:09, Markus Moeller wrote:
How are special characters converted in squid ? For example my
squid_kerb_auth would return müller for müller, but when using
%LOGIN for the authorisation helper I get m%C3%BCller which I don't
expect
Hi Eugene,
For squid_kerb_ldap to work with automatic ldap server detection you need
to setup your DNS correctly. All SRV records must be hostnames (not IPs as
in your cases some are). Then the hostname will be resolved in an IP and
back into a hostname to eliminate CNAMEs. For the final
How are special characters converted in squid ? For example my
squid_kerb_auth would return müller for müller, but when using %LOGIN for
the authorisation helper I get m%C3%BCller which I don't expect in
squid_kerb_ldap.
Are there functions in squid which convert strings into different
negotiate keep_alive on
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl auth proxy_auth REQUIRED
On Tue, Jul 3, 2012 at 1:39 AM, Markus
How does your configuration look like ? How did you create the keytab file ?
Markus
Mohamed Navas vmna...@gmail.com wrote in message
news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xdbsrayazgcana...@mail.gmail.com...
Hi,
I have setup the squid authentication with windows 2003 Domain
controller. But
but not in IE with windows XP. My active
directory is in windows 2003
--Original Message--
From: Mohamed Navas
To: 'Markus Moeller'
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Re: Re: Squid Kerberos authentication error
Sent: 26 Jun 2012 9:27 AM
I could solve the issue
-Original Message-
From: Markus Moeller hua...@moeller.plus.com
Date: Tue, 26 Jun 2012 21:16:54
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Re: Squid Kerberos authentication error
What is the proxy name you use in the IE configuration ? What are the
other browsers / systems
,
Br
abusam
-Original Message-
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 9:39 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Squid Kerberos authentication error
You can use samba to create the keytab, but you mustn't use any samba
Can you check that the squid user has read access to the Kerberos keytab ?
Did you set the environment variable KRB5_KTNAME pointing to the Kerberos
keytab in the startup script ?
Markus
Navas vmna...@gmail.com wrote in message
news:000301cd51e5$7f9e64e0$7edb2ea0$@gmail.com...
Hi,
I am
...
One more thing I am using Samba, I could not use msktutil. Is there any
issue
with Kerberos and Samba.
OS: Redhat EL6.2
squid-3.1
thanks,
-Original Message-
From: Markus Moeller [mailto:hua...@moeller.plus.com]
Sent: Sunday, June 24, 2012 2:59 PM
To: squid-users@squid-cache.org
Subject
Hi Mark,
Do you have the token you received as base64 encoded in the log or
better in a wireshark capture ? This could help identifying if the
un-encrypted elements in the token are correct.
Markus
Mark Davies m...@ecs.vuw.ac.nz wrote in message
Павел Бычихин pa...@hte.vl.net.ua wrote in message
news:4fdc3921.9010...@hte.vl.net.ua...
15.06.2012 20:17, Markus Moeller wrote:
Hi Amos,
http://squidkerbauth.sourceforge.net/ has only my helper
squid_kerb_auth and squid_kerb_ldap which are both available in squid 3.2
Hi Amos,
http://squidkerbauth.sourceforge.net/ has only my helper squid_kerb_auth
and squid_kerb_ldap which are both available in squid 3.2 as
negotiate_kerberos_auth authentication helper and kerberos_ldap_group as
external acl helper.
So not exactly what was asked for I think.
Markus
Hi Markus,
The answers are:
1) Yes
2) The keytab contains the hostname of the squid server. So you would
need multiple keytabs
3) The principal name will be based on a fixed part HTTP and the name you
use in the Browser configuration. If you use in IE squid1.domain.com then
you must
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
MULAWA.INTERNAL = {
kdc = dc-hbt-01.mulawa.internal
kdc = dc-hbt-02.mualwa.internal
}
[domain_realm]
mulawa.internal = MULAWA.internal
.mulawa.internal = MULAWA.internal
On Thu, 2012-04-19 at 23:36 +0100, Markus Moeller wrote
Can you also send me the extract from cache.log for the same period ? Do you
use the -d debug flag with squid_kerb_auth ?
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:jmrkhi$42v$1...@dough.gmane.org...
Hi Simon,
The config is standard and looks OK. Can you run strace
it this morning.
I wont be able to try it again till tomorrow morning to see if it
modifies it
Cheers,
Simon
On Thu, 2012-04-19 at 06:44 +0100, Markus Moeller wrote:
Hi Simon,
Unfortunately I do not have a production environment to give you
average
usage numbers.
Can you check
Are you sure /etc/sysconfig/squid is sourced by the squid startup script ?
Markus
Simon Dwyer m...@simmyd.net wrote in message
news:1334789097.2408.17.ca...@sdwyer.federalit.net...
Hi all,
I have got kerberos working and moved it to production but then the
server started smashing its cpu. It
process when used?
Cheers,
Simon
On Thu, 2012-04-19 at 06:15 +0100, Markus Moeller wrote:
Are you sure /etc/sysconfig/squid is sourced by the squid startup script
?
Markus
Simon Dwyer m...@simmyd.net wrote in message
news:1334789097.2408.17.ca...@sdwyer.federalit.net...
Hi all,
I have got
Hi Simon,
This looks like a client PC issue. Can you check with kerbtray that the
client gets a TGS for HTTP/squid-fqdn ? If you can look at the traffic
between the client and AD with wireshark you should see first an AS request
from the client to AD on port 88 and when you the user opens
- Keep in mind max
length is 15 characters)
Regards
Markus
Brett Lymn brett.l...@baesystems.com wrote in message
news:20120416061457.gj...@baea.com.au...
On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote:
BTW I would not recommend using ktpass and a user account. ktpass uses
...@treenet.co.nz wrote in message
news:4f841b87.3040...@treenet.co.nz...
On 10/04/2012 10:21 p.m., Markus Moeller wrote:
Hi Amos,
These are my system settings:
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
Okay, that should be enough.
networking restarted after changing that?
ifconfig -a
eth0
wrote in message
news:4f83b2d8.9050...@treenet.co.nz...
On 10/04/2012 1:11 a.m., Markus Moeller wrote:
But it should be possible to determine that automatically (e.g. if the
bind on ::1 fails try ipv4) shouldn't it ?
Yes. The socket handling is a bit strange in 3.1 though. Failover does not
work
Amos Jeffries squ...@treenet.co.nz wrote in message
news:4f841b87.3040...@treenet.co.nz...
On 10/04/2012 10:21 p.m., Markus Moeller wrote:
Hi Amos,
These are my system settings:
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
Okay, that should be enough.
networking restarted after
But it should be possible to determine that automatically (e.g. if the bind
on ::1 fails try ipv4) shouldn't it ?
Thank you
Markus
Amos Jeffries squ...@treenet.co.nz wrote in message
news:4f82cd96.8060...@treenet.co.nz...
On 7/04/2012 12:08 p.m., Markus Moeller wrote:
It looks like