Hi Daniel,
You need to check your client when you get an NTLM token instead of a
Kerberos token. It means the client cannot get the HTTP/fqdn token
for squid proxy. You can check this with tools like Wireshark (check
communication on port 88).
Regards
Markus
Daniel Reif wrote
Hi,
If I understand correctly, you've created an account for all squid and one
for balance service, and you've associated the SPN of balance service for
all squid account. Is this correct? Aren't there problems with duplicate SPN
in AD?
A lot of thanks.
Hi,
FYI ... I got the two squids working behind the (Kemp) load balancer
with kerberos auth
Procedure:
0. myproxy.vptt.ch points to the IP of the load balancer. This is
referenced in wpad.dat or browser settings. Squid runs on port 80, so
the URL of the proxy is http://myproxy.ch:80
1. create
Markus,
The klist outputs are further below, but I have the feeling that is
not the problem, that the solution needs to be different (after
reading the following articles).
See for example:
the thing to watch out for is that AD will fail to return a ticket if
the SPN requested is found on more
On Thu, Mar 14, 2013 at 05:10:23PM +0100, Sean Boran wrote:
See for example:
the thing to watch out for is that AD will fail to return a ticket if
the SPN requested is found on more than one account (because it
doesn't know which account to use). So be careful that you do not
accidentally
Hi Sean,
Can you do a klist -ekt squid.keytab on both squid servers and send me
the output ? I assume you are missing entries.
Markus
Sean Boran s...@boran.com wrote in message
news:CAOnghjtWpc0fPBVVB=yf3beglgfrrf1jqoxlzvbfhuhbvyl...@mail.gmail.com...
(sorry for the slow answer, an
2012 21:22
To: squid-users@squid-cache.org
Subject: [squid-users] Re: No Kerberos Auth
Hi Ralph,
If you use NTLM and Kerberos make sure you do NOT use the same AD account for
both. The samba daemon will change the password on a regular basis which will
bring the keytab out of sync with the AD
; squid-users@squid-cache.org
Subject: AW: [squid-users] Re: No Kerberos Auth
Wonderful, now it works. But I've got a little bit slow.
Is there any limitation on how many negotiate_wrapper I can start?
Actually I use 250 and everyone is still busy
-Original Message-
From
: [squid-users] Re: No Kerberos Auth
Hello Markus,
I've found some answer from you in this thread
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-High-CPU-load-td4569213.html
where you wrote that it is better to deactivate the Kerberos replay cache by
KRB5RCACHETYPE=none export
-cache.org
Subject: Re: [squid-users] No Kerberos Auth
Ok Thx,
With Windows Server 2008 you should use --enctypes 28 parameter with
msktutil command.
Did your NTLM authentication work fine? How did you configure it? With
Samba/Winbind?
On Tue, Oct 30, 2012 at 3:08 PM, Jarosch, Ralph
Hi Markus,
The answers are:
1) Yes
2) The keytab contains the hostname of the squid server. So you would
need multiple keytabs
3) The principal name will be based on a fixed part HTTP and the name you
use in the Browser configuration. If you use in IE squid1.domain.com then
you must
On Fri, Dec 09, 2011 at 10:04:56PM -, Markus Moeller wrote:
BTW you can also compile 3.2 and just copy the binary. It works as
standalone helper.
I just tried and it seems to work fine and from a small test seems to
fix my main problem :)
Do you know if there can be any performance
Try my version on sourceforge
https://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fsquidkerbauth%2Fts=1323468064use_mirror=switch
Emmanuel Lacour elac...@easter-eggs.com
BTW you can also compile 3.2 and just copy the binary. It works as
standalone helper.
Markus Moeller hua...@moeller.plus.com wrote in message
news:jbu0gi$d5d$1...@dough.gmane.org...
Try my version on sourceforge