[squid-users] parent for https
Hi all,

I am quite new to squid, and now facing a case where I have no idea how to get it to work.

There's 2 proxies:
Proxy A: nearly a default setup, just configured cache_peer to B
Proxy B: as the parent for A, accepts the requests from A

So the simple picture is that: Web clients > A > B, and it is supposed that all web requests (http, https) are leaving from B to the destination servers. The web browser on the clients is set to proxy A (for all protocols in the settings, including https).

Right now I am seeing all "http" requests forwarded to B as expected, but those "https" are reaching outside from A directly, not over B.

Any idea is appreciated, Thanks a lot!
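One way to confirm the symptom described above from the child proxy's own logs, as an added example that is not part of the original post: the script parses lines in Squid's "common" logformat (the format the other posts in this digest show) and counts, per request method, which hierarchy code Squid used. On a child proxy that is meant to hand everything to a cache_peer parent, CONNECT entries logged as DIRECT are the https requests that bypassed the parent. The sample log lines are constructed; the hierarchy code names (DIRECT, FIRSTUP_PARENT, NONE) are Squid's own.

```python
"""Report which hierarchy (DIRECT vs parent) Squid used, per request method.

Added example, not from the squid-users post: reads lines in Squid's
"common" logformat and counts the hierarchy code per method. CONNECT (https)
entries logged as DIRECT on a proxy that should forward everything to a
cache_peer parent are exactly the problem described in the post.
"""
import re
from collections import Counter, defaultdict

# "common" logformat: client ident user [time] "METHOD URL HTTP/x.y" status bytes RESULT:HIER
# The native "squid" format appends /peer to the hierarchy code; that is tolerated below.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)'
)


def parse_line(line):
    """Parse one access.log line; returns a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # RESULT is e.g. TCP_MISS:DIRECT, TCP_DENIED:NONE or TCP_MISS:FIRSTUP_PARENT/10.0.0.2
    code, _, hier = rec["result"].partition(":")
    rec["result_code"] = code
    rec["hier"] = hier.split("/", 1)[0]
    return rec


def summarize(lines):
    """Return {method: Counter(hierarchy_code)} over all parseable lines."""
    per_method = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_method[rec["method"]][rec["hier"]] += 1
    return dict(per_method)


def find_direct_leaks(lines, methods=("CONNECT",)):
    """(client, url) pairs for requests of the given methods that went DIRECT, not via a parent."""
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in methods and rec["hier"] == "DIRECT":
            leaks.append((rec["client"], rec["url"]))
    return leaks


# Constructed sample in the "common" format (addresses from documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2012:16:03:07 +0200] "GET http://www.example.com/ HTTP/1.1" 200 16160 TCP_MISS:FIRSTUP_PARENT
192.0.2.10 - - [12/Jan/2012:16:03:09 +0200] "CONNECT www.example.com:443 HTTP/1.1" 200 4121 TCP_MISS:DIRECT
192.0.2.11 - - [12/Jan/2012:16:03:10 +0200] "GET http://www.example.org/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.0.2.11 - - [12/Jan/2012:16:03:12 +0200] "CONNECT www.example.org:443 HTTP/1.1" 200 7732 TCP_MISS:FIRSTUP_PARENT/10.0.0.2
not a log line
""".splitlines()

if __name__ == "__main__":
    for method, counts in summarize(SAMPLE_LOG).items():
        print(method, dict(counts))
    for client, url in find_direct_leaks(SAMPLE_LOG):
        print(f"CONNECT from {client} to {url} bypassed the parent")
```

Run it against a real file with `find_direct_leaks(open("/var/log/squid/access.log"))`; any CONNECT hits in the DIRECT bucket on proxy A show that the never_direct/cache_peer rules are not catching the tunnel requests.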
[squid-users] Re: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
Hi Muhammet,

Do you use Kerberos for Windows from MIT? The 'Network Identity Manager' is from there, isn't it? Which browser do you use?

Markus

"Muhammet Can" wrote in message news:canynonryeksbxpj8qq2ikyuoocia0bc2qr1rw8v0aqev6fc...@mail.gmail.com...

Thanks for your reply Amos,

I have downloaded negotiate_wrapper and set my squid config as Markus described here:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NTLM-Kerberos-Authentication-with-Windows-7-td3331448.html

Now I can connect to the web over Squid, but it seems like it still uses the old NTLM system; here are the new log files:

--> tail -f cache.log
2012/01/12 16:00:24| negotiate_wrapper: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
2012/01/12 16:00:24| negotiate_wrapper: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).
2012/01/12 16:00:24| negotiate_wrapper: received type 1 NTLM token
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088297
2012/01/12 16:00:24| negotiate_wrapper: Return 'TT '
2012/01/12 16:00:24| negotiate_wrapper: Got 'KK from squid (length: 615).
2012/01/12 16:00:24| negotiate_wrapper: Decode (decoded length: 458).
2012/01/12 16:00:24| negotiate_wrapper: received type 3 NTLM token
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(747)
  Got user=[test1] domain=[LABRISTEST] workstation=[DELL1-DESTEK] len1=24 len2=276
[2012/01/12 16:00:24, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088215
2012/01/12 16:00:24| negotiate_wrapper: Return 'AF = test1
***

--> tail -f access.log
192.168.0.147 - - [12/Jan/2012:16:03:06 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1773 TCP_DENIED:NONE
192.168.0.147 - test1 [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 200 16160 TCP_MISS:DIRECT
192.168.0.147 - test1 [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/csi? HTTP/1.1" 204 413 TCP_MISS:DIRECT
***

As you can see in access.log my client computer (test1) is connected. But if you look at cache.log you will see that it still gets an NTLM type 1 token instead of Kerberos:
"2012/01/12 16:00:24| negotiate_wrapper: received type 1 NTLM token"

I have also checked the credentials on the client side with 'Network Identity Manager'. When I try to get new credentials it gives this error:
"Could not obtain Kerberos v4 credentials"
But my client seems to have got Kerberos v5 credentials, since after trying this the time stamp renewed to 10 hours. (I'm not sure if the v4 situation can break anything.)

So, at this point, can you give me some information about 'what breaks the Kerberos so that it keeps falling back to NTLM', or at least where I should look for the debug and inspect what may affect the Kerberos auth.

Thanks again, and sorry for my English if it disturbs a lot.

On Thu, Jan 12, 2012 at 5:57 AM, Amos Jeffries wrote:
> On 12/01/2012 1:18 a.m., Muhammet Can wrote:
>> Hi all,
>>
>> I have been trying to get squid running with kerberos auth for a few
>> days but I'm in some trouble. The problem has been asked and replied
>> many times on both the squid-users list and on the web, I have read
>> them all, and tried to solve the problem. But still no luck.
>>
>> Here are some of my log files and tests.
>> (config files are prepared using the wiki;
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)
>>
>> --> tail -f cache.log
>> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
>> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).
>> 2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>
> As no doubt you have seen in those earlier posts type 1 is Negotiate/NTLM.
> The easiest solution is to use the negotiate_wrapper Marcus developed last
> year. That should get things working for the users while the details about
> why NTLM is being used get more of a look at.
>
>> --> tail -f access.log
>> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
>> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
>>
>> I have tested kerberos on the server side with;
>>
>> --> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administra...@labristest.com
>>
>> --> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab HTTP/test2008.labristest.com
>> Authenticated to Kerberos v5
>>
>> And, on the client side, I have used kerbt
[squid-users] CACHEMGR: log file entries
Dear all,

I am sorry to ask, but I am simply unable to get rid of the following type of log lines:

CACHEMGR: @127.0.0.1 requesting 'storedir'

They are polluting my cache.log. In my squid.conf I have:

acl manager proto cache_object
log_access deny manager all
http_access allow manager localhost
http_access deny manager all

Why do the log lines appear? And how do I stop them?

Thanks in advance
Benedikt
Re: [squid-users] How many proxies to run?
I have a single server doing this job. My scenario is much the same as mentioned above. I just want to know if I can make this server a Virtual Machine that will use shared hard disk / memory / cpu with other VMs.
[squid-users] Assertion failed error causing worker process to restart
Hi,

Running a squid 3.2 snapshot, starting up with -SYC, and seeing the following in cache.log:

2012/01/12 16:06:30 kid8| Beginning Validation Procedure
2012/01/12 16:06:30 kid8| UFSSwapDir::doubleCheck: MISSING SWAP FILE
2012/01/12 16:06:30 kid8| UFSSwapDir::dumpEntry: FILENO 0053D933
2012/01/12 16:06:30 kid8| UFSSwapDir::dumpEntry: PATH /cache1/8/13/D9/0053D933
2012/01/12 16:06:30 kid8| StoreEntry->key: F6A9FB4E20007D04
2012/01/12 16:06:30 kid8| StoreEntry->next: 0
2012/01/12 16:06:30 kid8| StoreEntry->mem_obj: 0
2012/01/12 16:06:30 kid8| StoreEntry->timestamp: 4294967296
2012/01/12 16:06:30 kid8| StoreEntry->lastref: 16243941
2012/01/12 16:06:30 kid8| StoreEntry->expires: 2259152797697
2012/01/12 16:06:30 kid8| StoreEntry->lastmod: 1326384112
2012/01/12 16:06:30 kid8| StoreEntry->swap_file_sz: 1326384117
2012/01/12 16:06:30 kid8| StoreEntry->refcount: 1908
2012/01/12 16:06:30 kid8| StoreEntry->flags: SPECIAL ,REVALIDATE,DELAY_SENDING,CACHABLE,FWD_HDR_WAIT,NEGCACHED,BAD_LENGTH
2012/01/12 16:06:30 kid8| StoreEntry->swap_dirn: 0
2012/01/12 16:06:30 kid8| StoreEntry->swap_filen: 5495091
2012/01/12 16:06:30 kid8| StoreEntry->lock_count: 0
2012/01/12 16:06:30 kid8| StoreEntry->mem_status: 0
2012/01/12 16:06:30 kid8| StoreEntry->ping_status: 0
2012/01/12 16:06:30 kid8| StoreEntry->store_status: 0
2012/01/12 16:06:30 kid8| StoreEntry->swap_status: 2
2012/01/12 16:06:30 kid8| Completed Validation Procedure
2012/01/12 16:06:30 kid8| Validated 1 Entries
2012/01/12 16:06:30 kid8| store_swap_size = 1295300.00 KB
2012/01/12 16:06:30 kid8| assertion failed: store_rebuild.cc:115: "store_errors == 0"
nothing read from stdin
nothing read from stdin

Need a config file?

Rgds
Alex

==
Time for another Macmillan Cancer Support event. This time it's the 12 day Escape to Africa challenge.
View route at http://maps.google.co.uk/maps/ms?ie=UTF8&hl=en&msa=0&msid=203779866436035016780.00049e867720273b73c39&z=8
Please sponsor me at http://www.justgiving.com/Alex-Sharaz
Re: [squid-users] Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
Thanks for your reply Amos,

I have downloaded negotiate_wrapper and set my squid config as Markus described here:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NTLM-Kerberos-Authentication-with-Windows-7-td3331448.html

Now I can connect to the web over Squid, but it seems like it still uses the old NTLM system; here are the new log files:

--> tail -f cache.log
2012/01/12 16:00:24| negotiate_wrapper: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
2012/01/12 16:00:24| negotiate_wrapper: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).
2012/01/12 16:00:24| negotiate_wrapper: received type 1 NTLM token
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088297
2012/01/12 16:00:24| negotiate_wrapper: Return 'TT '
2012/01/12 16:00:24| negotiate_wrapper: Got 'KK from squid (length: 615).
2012/01/12 16:00:24| negotiate_wrapper: Decode (decoded length: 458).
2012/01/12 16:00:24| negotiate_wrapper: received type 3 NTLM token
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(747)
  Got user=[test1] domain=[LABRISTEST] workstation=[DELL1-DESTEK] len1=24 len2=276
[2012/01/12 16:00:24, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2012/01/12 16:00:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088215
2012/01/12 16:00:24| negotiate_wrapper: Return 'AF = test1
***

--> tail -f access.log
192.168.0.147 - - [12/Jan/2012:16:03:06 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 407 1773 TCP_DENIED:NONE
192.168.0.147 - test1 [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/ HTTP/1.1" 200 16160 TCP_MISS:DIRECT
192.168.0.147 - test1 [12/Jan/2012:16:03:07 +0200] "GET http://www.google.com.tr/csi? HTTP/1.1" 204 413 TCP_MISS:DIRECT
***

As you can see in access.log my client computer (test1) is connected. But if you look at cache.log you will see that it still gets an NTLM type 1 token instead of Kerberos:
"2012/01/12 16:00:24| negotiate_wrapper: received type 1 NTLM token"

I have also checked the credentials on the client side with 'Network Identity Manager'. When I try to get new credentials it gives this error:
"Could not obtain Kerberos v4 credentials"
But my client seems to have got Kerberos v5 credentials, since after trying this the time stamp renewed to 10 hours. (I'm not sure if the v4 situation can break anything.)

So, at this point, can you give me some information about 'what breaks the Kerberos so that it keeps falling back to NTLM', or at least where I should look for the debug and inspect what may affect the Kerberos auth.

Thanks again, and sorry for my English if it disturbs a lot.

On Thu, Jan 12, 2012 at 5:57 AM, Amos Jeffries wrote:
> On 12/01/2012 1:18 a.m., Muhammet Can wrote:
>>
>> Hi all,
>>
>> I have been trying to get squid running with kerberos auth for a few
>> days but I'm in some trouble. The problem has been asked and replied
>> many times on both the squid-users list and on the web, I have read
>> them all, and tried to solve the problem. But still no luck.
>>
>> Here are some of my log files and tests.
>> (config files are prepared using the wiki;
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)
>>
>> --> tail -f cache.log
>> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABl4II4gAGAbEdDw==' from squid
>> (length: 59).
>> 2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded
>> length: 40).
>> 2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>
>
> As no doubt you have seen in those earlier posts type 1 is Negotiate/NTLM.
> The easiest solution is to use the negotiate_wrapper Marcus developed last
> year. That should get things working for the users while the details about
> why NTLM is being used get more of a look at.
>
>
>
>>
>> --> tail -f access.log
>> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
>> http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
>> 192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
>> http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
>>
>> I have tested kerberos on the server side with;
>>
>> --> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administra...@labristest.com
>>
>> --> kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab
>> HTTP/test2008.labristest.com
>> Authenticated to Kerberos v5
>>
>> And, on the client side, I have used kerbtray, it seems client has the
>> tickets.
>>
>> I have captured the packets with wireshark as suggested some of the
>> earlier
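The "received type 1 NTLM token" message in the logs above (and in Markus's reply quoting the same post) means the bytes the browser put after "Negotiate" were a raw NTLMSSP message rather than an SPNEGO/Kerberos blob. The following is an added example, not code from this thread nor from Squid's squid_kerb_auth or negotiate_wrapper helpers: it decodes such a token (bare base64, or a helper line like "YR <b64>") and reports whether it is raw NTLMSSP, an SPNEGO NegTokenInit and which mechanisms it lists, or a bare Kerberos token. That tells you from a single cache.log line whether the client never tried Kerberos at all, before you start chasing ticket problems. The sample tokens are constructed in the script; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers.

```python
"""Classify the token a client sent in Proxy-Authorization: Negotiate.

Added example, not code from the thread or from Squid's helpers. The helper
message "received type 1 NTLM token" means the bytes after "Negotiate" were a
raw NTLMSSP message rather than an SPNEGO/Kerberos blob; this decodes a bare
base64 token or a helper line such as "YR <b64>" and says which it is.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KNOWN_MECHS = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP",
               "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """DER OID contents -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _walk(buf, oids, octets):
    """Collect every OID and OCTET STRING in a DER blob, depth first."""
    pos = 0
    while pos < len(buf):
        try:
            tag, body, pos = _read_tlv(buf, pos)
        except IndexError:
            return                            # truncated token: stop rather than guess
        if tag == 0x06:
            oids.append(decode_oid(body))
        elif tag == 0x04:
            octets.append(body)               # mechToken lives in an OCTET STRING
        elif tag & 0x20:                      # constructed: SEQUENCE, [n], APPLICATION 0
            _walk(body, oids, octets)

def classify_token(token):
    """Describe a Negotiate token: kind, NTLM message type, offered mechs."""
    raw = base64.b64decode(token.split()[-1])   # accepts "YR <b64>" / "KK <b64>" too
    result = {"kind": "unknown", "ntlm_type": None, "mechs": [], "inner_ntlm": False}
    if raw.startswith(b"NTLMSSP\0"):          # raw NTLMSSP: the case the helper rejects
        result.update(kind="NTLMSSP", ntlm_type=int.from_bytes(raw[8:12], "little"),
                      inner_ntlm=True)
        return result
    oids, octets = [], []
    _walk(raw, oids, octets)
    if raw[:1] == b"\x60" and oids and oids[0] == SPNEGO_OID:
        result["kind"] = "SPNEGO"             # NegTokenInit: mechTypes + optimistic token
        result["mechs"] = [KNOWN_MECHS.get(o, o) for o in oids[1:]]
    elif raw[:1] == b"\x60" and oids and oids[0] in (KRB5_OID, MS_KRB5_OID):
        result["kind"] = "KRB5"               # bare Kerberos GSS-API token
    elif raw[:1] == b"\xa1":
        result["kind"] = "SPNEGO-resp"        # NegTokenResp from a later round trip
        result["mechs"] = [KNOWN_MECHS.get(o, o) for o in oids]
    result["inner_ntlm"] = any(o.startswith(b"NTLMSSP\0") for o in octets)
    return result

# --- constructed sample tokens (not captured traffic) ---
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """Dotted OID string -> DER OID contents (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_spnego_init(mech_oids, mech_token=b""):
    """NegTokenInit per RFC 4178: [0] mechTypes, optional [2] mechToken."""
    mech_types = _der(0x30, b"".join(_der(0x06, encode_oid(o)) for o in mech_oids))
    fields = _der(0xA0, mech_types) + (_der(0xA2, _der(0x04, mech_token)) if mech_token else b"")
    return _der(0x60, _der(0x06, encode_oid(SPNEGO_OID)) + _der(0xA0, _der(0x30, fields)))

# NTLMSSP NEGOTIATE (type 1): signature, type, flags, empty domain/workstation fields.
NTLM_TYPE1 = b"NTLMSSP\0" + (1).to_bytes(4, "little") + b"\x97\x82\x08\xe2" + b"\0" * 16
SAMPLES = {
    "raw ntlm": "YR " + base64.b64encode(NTLM_TYPE1).decode(),
    "spnego ntlm": base64.b64encode(build_spnego_init([NTLMSSP_OID], NTLM_TYPE1)).decode(),
    "spnego krb": base64.b64encode(build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID],
                                                     b"\x60\x02\x01\x00")).decode(),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(f"{name:12s} -> {classify_token(tok)}")
```

A "raw ntlm" result is the case the helpers log as "received type 1 NTLM token"; an SPNEGO result whose first mechanism is NTLMSSP means the browser did negotiate, but decided it had no usable Kerberos ticket for the proxy's service principal, which points at the client side (SPN, realm mapping, clock skew) rather than at the helper.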
[squid-users] Sharepoint SSL Error
Hello World. Noob here.

I have successfully set up squid as a reverse proxy for port 80, however my attempts to set up the same server to point to an https server on SharePoint have failed. All I get is the authentication box, and the following error message in cache.log:

fwdNegotiateSSL: Error negotiating SSL connection on FD 11: error::lib(0):func(0):reason(0) (5/-1/104)

The only caveat I have is that I am using an SSL cert that was assigned to another IP address; do you have to have matching SSL certs for this to work properly?

Here is my squid config:

visible_hostname squid.localhost
always_direct allow all
ssl_bump allow all
pipeline_prefetch off
http_port 80 defaultsite=1.2.3.60
https_port 443 cert=/usr/ssl/lol.cer key=/usr/ssl/llol2.server.pem connection-auth=on defaultsite=1.2.3.11
cache_peer 1.2.3.60 parent 80 0 no-query originserver no-digest login=PASS name=bi_iis
cache_peer 1.2.3.11 parent 443 0 connection-auth=on no-query originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER name=sharepoint
acl bi_server dst 1.2.3.60
acl sharepoint dst 1.2.3.11
acl lan1 src 1.2.3.0/32
acl lan2 src 1.2.3.0/32
acl vpn src 5.6.7.0/32
acl externalip src 2.3.4.0/32
cache_peer_access bi_iis allow bi_server
cache_peer_access bi_iis allow lan1
cache_peer_access bi_iis allow lan2
cache_peer_access bi_iis allow vpn
cache_peer_access bi_iis allow externalip
cache_peer_access bi_iis deny all
cache_peer_access sharepoint allow bi_server
cache_peer_access sharepoint allow lan1
cache_peer_access sharepoint allow lan2
cache_peer_access sharepoint allow vpn
cache_peer_access sharepoint allow externalip
cache_peer_access sharepoint deny all
http_access allow lan1
http_access allow lan2
http_access allow vpn
http_access allow externalip
#negative dns entry
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl POST method POST
never_direct allow CONNECT
never_direct allow POST
never_direct allow ALL
sslproxy_flags DONT_VERIFY_PEER
cache_mgr a...@lol.com
http_access allow manager localhost
http_access allow lan1
http_access allow lan2
http_access allow vpn
http_access allow externalip
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT
#http_access deny all

Any help is appreciated, thank you.

Dale J. Rodriguez
Re: [squid-users] Active Directory and user agents - complete ISA replacement
Hello

Super! Everything works fine including groups for basic, ntlm and negotiate.

Is it possible to have Digest authentication with Windows 2003 AD?

Add the following to your wiki page:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:29 PM, George Machitidze wrote:
> Never mind - my fault
>
> On Redhat winbind is running as root and the owner of the file is root:root;
> I've changed it to squid.
>
> Best regards,
> George Machitidze
>
> On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze wrote:
>> Here are the first issues:
>>
>> [root@proxy ~]# kdestroy
>>
>> [root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
>> -- init_password: Wiping the computer password structure
>> -- get_dc_host: Attempting to find a Domain Controller to use
>> -- get_dc_host: Found Domain Controller: TEST-admsdc02
>> -- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
>> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
>> -- reload: Reloading Kerberos Context
>> -- finalize_exec: SAM Account Name is: squid-k$
>> -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_password: Trying to authenticate for squid-k$ with password.
>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>> -- try_machine_password: Authentication with password failed
>> -- try_user_creds: Checking if default ticket cache has tickets...
>> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
>> -- try_user_creds: User ticket cache was not valid.
>> Error: could not find any credentials to authenticate with. Neither keytab,
>> default machine password, nor calling user's tickets worked. Try
>> "kinit"ing yourself some tickets with permission to create computer
>> objects, or pre-creating the computer object in AD and selecting
>> 'reset account'.
>> -- ~KRB5Context: Destroying Kerberos Context
>>
>> [root@proxy ~]# cat /etc/krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = TEST.GE
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  default_keytab_name = /etc/squid/HTTP.keytab
>>  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>
>> [realms]
>>  TEST.GE = {
>>   kdc = TEST-admsdc01.test.ge
>>   kdc = TEST-admsdc01.test.ge
>>   admin_server = TEST-admsdc01.test.ge
>>   default_domain = test.ge
>>  }
>>
>> [domain_realm]
>>  test.ge = TEST.GE
>>  .test.ge = TEST.GE
>>
>> [appdefaults]
>>  pam = {
>>   debug = true
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>>
>> Where can I find the reason?
>>
>> Best regards,
>> George Machitidze
>>
>> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze wrote:
>>> Hello James
>>>
>>> Great job! Thanks for the reply
>>>
>>> I will check and update with tests :)
>>>
>>> Best regards,
>>> George Machitidze
>>>
>>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson wrote:
>>>>> When I try to use the Opera browser I am getting an ugly message after
>>>>> entering credentials:
>>>>>
>>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>>> Error returned 'BH received type 1 NTLM token'
>>>>
>>>> Opera does not support Kerberos as far as I know. You will still
>>>> need to support NTLM. You will have issues with iTunes and possibly
>>>> various other apps that need NTLM support.
>>>>
>>>>> Is there any "universal", well tested configuration/manual that will
>>>>> make all clients work?
>>>>
>>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>>> and basic auth and was planning on updating the Squid Wiki also
>>>> sometime soon. You should be able to translate that to your RH.
>>>>
>>>> HTH.
>>>>
>>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Re: [squid-users] finding the bottleneck
2012/1/11 jeffrey j donovan:
>
> On Jan 10, 2012, at 7:45 AM, E.S. Rosenberg wrote:
>
>> Hi,
>> We run a setup where our users are passing through 0-2 proxies before
>> reaching the Internet:
>> - https 0
>> - http transparent 1 (soon also 2)
>> - http authenticated 2
>>
>> Lately we are experiencing some (extreme) slowness even though the
>> load on the line is only about half the available bandwidth, we know
>> that on the ISP side our traffic is also passing through all kinds of
>> proxies/filters etc.
>> I would like to somehow be able to see where the slowdowns are
>> happening to rule out that it's not our side at fault, but I don't
>> really know what tool/tools I could use to see what is going on here.
>>
>> We suspect that the slowness may be related to the ISP doing
>> Man-in-the-Middle on non-banking SSL traffic (as per request of
>> management), but I really want to rule our side out first
>>
>> Thanks,
>> Eli
>
>
> Hi eli, are you caching? or going direct.

Hi, sorry for the slow reply.
We are doing some caching; so far we have not optimized it, Calamaris reports our efficiency between 6-10% on different proxies...

Thanks,
Eliyahu - אליהו
Re: [squid-users] Active Directory and user agents - complete ISA replacement
Never mind - my fault

On Redhat winbind is running as root and the owner of the file is root:root; I've changed it to squid.

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze wrote:
> Here are the first issues:
>
> [root@proxy ~]# kdestroy
>
> [root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
> -- init_password: Wiping the computer password structure
> -- get_dc_host: Attempting to find a Domain Controller to use
> -- get_dc_host: Found Domain Controller: TEST-admsdc02
> -- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: squid-k$
> -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for squid-k$ with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
> -- try_user_creds: User ticket cache was not valid.
> Error: could not find any credentials to authenticate with. Neither keytab,
> default machine password, nor calling user's tickets worked. Try
> "kinit"ing yourself some tickets with permission to create computer
> objects, or pre-creating the computer object in AD and selecting
> 'reset account'.
> -- ~KRB5Context: Destroying Kerberos Context
>
> [root@proxy ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = TEST.GE
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_keytab_name = /etc/squid/HTTP.keytab
>  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
>  TEST.GE = {
>   kdc = TEST-admsdc01.test.ge
>   kdc = TEST-admsdc01.test.ge
>   admin_server = TEST-admsdc01.test.ge
>   default_domain = test.ge
>  }
>
> [domain_realm]
>  test.ge = TEST.GE
>  .test.ge = TEST.GE
>
> [appdefaults]
>  pam = {
>   debug = true
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> Where can I find the reason?
>
> Best regards,
> George Machitidze
>
> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze wrote:
>> Hello James
>>
>> Great job! Thanks for the reply
>>
>> I will check and update with tests :)
>>
>> Best regards,
>> George Machitidze
>>
>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson wrote:
>>>> When I try to use the Opera browser I am getting an ugly message after
>>>> entering credentials:
>>>>
>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>> Error returned 'BH received type 1 NTLM token'
>>>
>>> Opera does not support Kerberos as far as I know. You will still
>>> need to support NTLM. You will have issues with iTunes and possibly
>>> various other apps that need NTLM support.
>>>
>>>> Is there any "universal", well tested configuration/manual that will
>>>> make all clients work?
>>>
>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>> and basic auth and was planning on updating the Squid Wiki also
>>> sometime soon. You should be able to translate that to your RH.
>>>
>>> HTH.
>>>
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Re: [squid-users] Active Directory and user agents - complete ISA replacement
Here are the first issues:

[root@proxy ~]# kdestroy

[root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
-- init_password: Wiping the computer password structure
-- get_dc_host: Attempting to find a Domain Controller to use
-- get_dc_host: Found Domain Controller: TEST-admsdc02
-- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: squid-k$
-- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for squid-k$ with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
-- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try "kinit"ing yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
-- ~KRB5Context: Destroying Kerberos Context

[root@proxy ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.GE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 TEST.GE = {
  kdc = TEST-admsdc01.test.ge
  kdc = TEST-admsdc01.test.ge
  admin_server = TEST-admsdc01.test.ge
  default_domain = test.ge
 }

[domain_realm]
 test.ge = TEST.GE
 .test.ge = TEST.GE

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Where can I find the reason?

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze wrote:
> Hello James
>
> Great job! Thanks for the reply
>
> I will check and update with tests :)
>
> Best regards,
> George Machitidze
>
> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson wrote:
>>> When I try to use the Opera browser I am getting an ugly message after
>>> entering credentials:
>>>
>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>> Error returned 'BH received type 1 NTLM token'
>>
>> Opera does not support Kerberos as far as I know. You will still
>> need to support NTLM. You will have issues with iTunes and possibly
>> various other apps that need NTLM support.
>>
>>> Is there any "universal", well tested configuration/manual that will
>>> make all clients work?
>>
>> I just completed a guide based on Debian that supports Kerberos, NTLM
>> and basic auth and was planning on updating the Squid Wiki also
>> sometime soon. You should be able to translate that to your RH.
>>
>> HTH.
>>
>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
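The resolution George posts later in this thread was an ownership problem: /etc/squid/HTTP.keytab belonged to root:root while the helper ran as a different user. The following is an added example, not George's code nor msktutil's, that checks a keytab the way an operator would want before starting the helpers: the helper's user must be able to read it (as owner or via the group), nobody else should, and it must not be empty. The keytab holds the HTTP service's long-term keys, so "readable by others" is a finding in its own right, not only a usability issue. The keytab path and the user name on the command line are assumptions for your installation; the test helper creates a throwaway file with a constructed keytab header to exercise the checks offline.

```python
"""Audit ownership and permissions of the keytab a Squid Kerberos helper uses.

Added example, not from the thread: reports whether the helper's user can read
the keytab (as owner or via group), whether anyone else can, and whether the
file is empty. Path and user are whatever your installation uses.
"""
import os
import pwd
import stat
import sys
import tempfile


def check_keytab(path, uid, gid=None):
    """Return a list of findings; an empty list means the keytab is usable and private."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    # Can the helper's user read it, either as owner or through the group?
    if st.st_uid == uid:
        if not mode & stat.S_IRUSR:
            findings.append(f"{path}: owner uid {uid} has no read permission (mode {mode:04o})")
    elif gid is not None and st.st_gid == gid:
        if not mode & stat.S_IRGRP:
            findings.append(f"{path}: group gid {gid} has no read permission (mode {mode:04o})")
    else:
        findings.append(f"{path}: owned by uid {st.st_uid}/gid {st.st_gid}; "
                        f"helper uid {uid} can read it neither as owner nor via group")
    # Long-term keys: nobody else may read or write them, and the group must not write.
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"{path}: accessible to others (mode {mode:04o})")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {mode:04o})")
    if st.st_size == 0:
        findings.append(f"{path}: empty file, contains no keys")
    return findings


def audit_temp_keytab(mode):
    """Create a throwaway file with the given mode, owned by this process, and audit it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x05\x02")      # keytab v2 format header; constructed placeholder content
        path = f.name
    try:
        os.chmod(path, mode)
        return check_keytab(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: keytab_check.py /path/to/HTTP.keytab helper-user")
    pw = pwd.getpwnam(sys.argv[2])           # e.g. "squid", the helper's runtime user
    problems = check_keytab(sys.argv[1], pw.pw_uid, pw.pw_gid)
    print("\n".join(problems) if problems else "OK: keytab readable by the helper user only")
    sys.exit(1 if problems else 0)
```

Run as `python3 keytab_check.py /etc/squid/HTTP.keytab squid` on the proxy; a root:root 0644 keytab, the situation described above, produces both an "accessible to others" finding and an ownership finding, while root:squid 0640 passes.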
[squid-users] assertion failed: comm.cc:1255: "isOpen(fd)" when shutting down squid 3.2 snapshot
Hi,

Excerpt from cache.log when running /usr/local/squid/sbin/squid -k shutdown:

2012/01/12 10:45:59 kid7| Open FD READ/WRITE 82 apps.facebook.com:443
2012/01/12 10:45:59 kid7| Open FD READ/WRITE 83 apps.facebook.com:443
2012/01/12 10:45:59 kid7| Open FD READ/WRITE 84 http://s0.2mdn.net/2986074/PID_1802528_160x600.swf
2012/01/12 10:45:59 kid7| Squid Cache (Version 3.2.0.14-20111228-r11479): Exiting normally.
2012/01/12 10:45:59 kid7| assertion failed: comm.cc:1255: "isOpen(fd)"
FATAL: Received Segment Violation...dying.
2012/01/12 10:45:59 kid7| storeDirWriteCleanLogs: Starting...
nothing read from stdin
nothing read from stdin
nothing read from stdin
nothing read from stdin
nothing read from stdin

Rgds
Alex
Re: [squid-users] Performanceproblem Squid with one URL - strange behaviour ...
On Thu, Jan 12, 2012 at 12:53:18PM +1300, Amos Jeffries wrote:

Hi,

> So doing I/O to a disk log somehow speeds up TCP throughput? strange

definitely right ... but I'm not sure if this speeds up TCP throughput - but speeds up Squid ;-)

> This sounds a bit like the speed problems we see with very low traffic
> rates. When the I/O loops get very few requests through they end up
> pausing in 10ms time chunks each processing cycle to prevent CPU overload
> doing lots of processing on very small amounts of bytes.

hmm, speed problems should be no problem. I tested also the following:

- iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to-destination 212.112.181.17:80
- iptables -t nat -A POSTROUTING -p tcp -d 212.112.181.17 -j MASQUERADE

no changes in client so every browser url gets redirected to the mentioned website. Dirty, but what I found out was the same speed as a direct internet connection. So speed problems not given - btw: our internet access has a speed of 1G :-)

> This release is getting a bit old now and has a few I/O buffering bugs in
> it that may be related.
> Please try the 3.1.18 Debian package from Wheezy / testing repositories
> (may require some dependency updates as well).

installed testing release - no success :-(

> 145 connect() calls in 0.05 ms, all failing? does not seem right at
> all.

you're right, all calls were connect for IPv6-addresses. But we have these failed calls also with other sites. Testing deactivated IPv6 in OS was decided based on these connect-calls. Anyway the connect calls still used IPv6-addresses. But we have these connect fails with other websites too. So I don't think it's not the root cause.

> Given the time measure I don't think its related, but probably worth
> knowing and fixing. Did the section 5 trace show what was going on here?

hmm I didn't find anything helpful but there are lots of messages. I can provide the complete log if needed ...

> Add here:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

configured

> Eeek!
> nearly unlimited access to the whole Internet. Why?

only for test purposes :-) Therefore I used tcp/8081, our customer uses 8080 and this config has some more ACLs ... I stripped down the configuration to exclude configuration problems ...

Another really interesting result from another test. In my home environment I also have a Squid from Debian Squeeze. Running in a VZ but on a 32 Bit environment with nearly the same configuration - no problem! And only with a 12MBit internet access ... So should this be a 64bit-related problem? I can't believe ...

regards,
Andreas Schulz
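The exchange above turns on two questions about the strace data: are the failing connect() calls really all IPv6, and are they hard failures at all (a non-blocking connect() normally returns EINPROGRESS, which is not an error)? The following script, added here as an example and not part of the thread or of Squid, tallies connect() calls from an strace capture per address family and errno. The strace lines it ships with are constructed for the example (the 2001:db8::/32 addresses are documentation space; 212.112.181.17 is the address from the thread); point it at a real capture with the file argument.

```python
"""Triage connect() results from an strace capture of a Squid process.

Added example, not from the original thread. Answers: which address family
did the failing connect() calls use, and which of them were hard failures?
The SAMPLE_TRACE below is constructed for the example, not a real capture.
"""
import re
from collections import Counter

# strace prints the peer address differently for AF_INET and AF_INET6
# sockets; one regex covers both and tolerates an "[pid N] " prefix from -f.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=(?P<family>AF_INET6?), '
    r'(?:sin_port|sin6_port)=htons\((?P<port>\d+)\), '
    r'(?:sin_addr=inet_addr\("(?P<v4>[^"]+)"\)|inet_pton\(AF_INET6, "(?P<v6>[^"]+)", &sin6_addr\))'
    r'.*?\) = (?P<ret>-?\d+)(?: (?P<errno>E[A-Z]+))?'
)

# A non-blocking connect() returning EINPROGRESS is the normal path, not a
# failure; counting it as one is the usual mistake when reading these traces.
SOFT_ERRNOS = {"EINPROGRESS", "EALREADY"}

# Constructed sample (documentation addresses plus the thread's origin IP).
SAMPLE_TRACE = """\
connect(12, {sa_family=AF_INET6, sin6_port=htons(80), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
[pid  4321] connect(12, {sa_family=AF_INET6, sin6_port=htons(80), inet_pton(AF_INET6, "2001:db8::2", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
connect(13, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("212.112.181.17")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(14, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
"""


def parse_connect(line):
    """Return a dict for an AF_INET/AF_INET6 connect() line, else None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    errno = m.group("errno")
    return {
        "family": m.group("family"),
        "addr": m.group("v4") or m.group("v6"),
        "port": int(m.group("port")),
        "errno": errno,
        # Hard failure: returned -1 with an errno other than the soft ones.
        "failed": m.group("ret") == "-1" and errno not in SOFT_ERRNOS,
    }


def summarize(lines):
    """Count connect() calls per family and hard failures per (family, errno)."""
    calls = [c for c in map(parse_connect, lines) if c]
    per_family = Counter(c["family"] for c in calls)
    failures = Counter((c["family"], c["errno"]) for c in calls if c["failed"])
    return {"per_family": dict(per_family), "failures": dict(failures), "calls": calls}


def failures_are_ipv6_only(summary):
    """True when there are hard failures and every one of them is AF_INET6."""
    fails = summary["failures"]
    return bool(fails) and all(fam == "AF_INET6" for fam, _ in fails)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_TRACE.splitlines()
    s = summarize(lines)
    print("connect() calls per family:", s["per_family"])
    print("hard failures (family, errno):", s["failures"])
    print("all hard failures are IPv6:", failures_are_ipv6_only(s))
```

To capture real input, run strace against the running proxy with only the connect syscall traced, e.g. `strace -f -tt -e trace=connect -o squid.trace -p <squid pid>`, then feed `squid.trace` to the script. If the hard failures are IPv6-only, the next thing to verify is whether the OS actually has IPv6 disabled or merely lacks a route, because the connect() attempts show Squid is still being handed AAAA records.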
Re: [squid-users] Active Directory and user agents - complete ISA replacement
Hello James

Great job! Thanks for the reply.
I will check and update with tests :)

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 1:00 PM, James Robertson wrote:
>> When I try to use Opera browser I am getting ugly message after
>> entering credentials:
>>
>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>> Error returned 'BH received type 1 NTLM token'
>
> Opera does not support Kerberos as far as I know. You will still
> need to support NTLM. You will have issues with iTunes and possibly
> various other apps that need NTLM support.
>
>> Is there any "universal", well tested configuration/manual that will
>> make all clients work?
>
> I just completed a guide based on Debian that supports Kerberos, NTLM
> and basic auth and was planning on updating the Squid Wiki also
> sometime soon. You should be able to translate that to your RH.
>
> HTH.
>
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Re: [squid-users] Active Directory and user agents - complete ISA replacement
> When I try to use Opera browser I am getting ugly message after
> entering credentials:
>
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH received type 1 NTLM token'

Opera does not support Kerberos as far as I know. You will still need to support NTLM. You will have issues with iTunes and possibly various other apps that need NTLM support.

> Is there any "universal", well tested configuration/manual that will
> make all clients work?

I just completed a guide based on Debian that supports Kerberos, NTLM and basic auth and was planning on updating the Squid Wiki also sometime soon. You should be able to translate that to your RH.

HTH.

http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
[squid-users] Active Directory and user agents - complete ISA replacement
Hello

I am able to authenticate user agents via "Negotiate" with the following:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

I've configured binding with msktutil and with IE, Mozilla, some other apps everything works fine - there is no username/password popup, it's transparent. Before I did it with winbind, but was getting password popup windows.

When I try to use Opera browser I am getting an ugly message after entering credentials:

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

I've checked communication between proxy and browser via Wireshark and I see that Opera is negotiating with NTLMSSP, with string "Negotiate" with OS revision version (testing with Windows 7 clients).

My goal is to replace ISA with Group+pass AD authentication with Squid and have transparent proxying on IE and with other clients with popup windows :)

Is there any "universal", well tested configuration/manual that will make all clients work? If there is a need in a research - I can join.

Squid versions available: 2.7.x, 3.1.16, 3.2.0.14, custom-compiled RPM
OS: RHEL5

Thanks
Best regards,
George Machitidze
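The Wireshark check described in the post (is the client sending SPNEGO/Kerberos or raw NTLMSSP under the "Negotiate" scheme?) can be done on the base64 token alone. The script below is an added example, not part of the original post or of Squid: it splits a Proxy-Authorization header, decodes the token and classifies it by its leading bytes. NTLMSSP messages start with the literal signature "NTLMSSP\0" followed by a little-endian message type (1, 2 or 3); a GSS-API initial token is DER-tagged 0x60 and carries the mechanism OID (SPNEGO 1.3.6.1.5.5.2 or raw Kerberos 1.2.840.113554.1.2.2); a follow-up SPNEGO NegTokenResp is tagged 0xa1. A token classified as NTLMSSP cannot be served by a Kerberos-only negotiate helper, which is what the post's error reports. All sample tokens are constructed for the example; the fields past the NTLM message type are placeholders, not a real client's values.

```python
"""Classify the token in a Proxy-Authorization: Negotiate header.

Added example, not part of the original post or of Squid. Tells apart raw
NTLMSSP (what the post sees from Opera) from SPNEGO/Kerberos tokens, which
share the same "Negotiate" scheme on the wire. Sample tokens are constructed.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b06010505" "02")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201" "0202")        # 1.2.840.113554.1.2.2


def der_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(b64_token):
    """Return a short label for the mechanism the client actually sent."""
    token = base64.b64decode(b64_token)
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return "ntlmssp-truncated"
        msg_type = struct.unpack("<I", token[8:12])[0]   # 1=NEGOTIATE 2=CHALLENGE 3=AUTHENTICATE
        return "ntlmssp-type%d" % msg_type
    if token[:1] == b"\x60":                              # GSS-API InitialContextToken
        _, pos = der_length(token, 1)
        if token[pos:pos + len(SPNEGO_OID)] == SPNEGO_OID:
            return "spnego-init"
        if token[pos:pos + len(KRB5_OID)] == KRB5_OID:
            return "krb5-raw"
        return "gssapi-unknown-mech"
    if token[:1] == b"\xa1":                              # SPNEGO NegTokenResp
        return "spnego-resp"
    return "unknown"


def needs_ntlm_helper(kind):
    """A Kerberos-only negotiate helper cannot serve an NTLMSSP token."""
    return kind.startswith("ntlmssp")


def parse_proxy_authorization(header_line):
    """Split 'Proxy-Authorization: Negotiate <b64>' into (scheme, token)."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "proxy-authorization":
        raise ValueError("not a Proxy-Authorization header")
    scheme, _, token = value.strip().partition(" ")
    return scheme, token.strip()


def triage(header_line):
    """One-shot check: scheme on the wire, real mechanism, and helper needed."""
    scheme, token = parse_proxy_authorization(header_line)
    kind = classify_negotiate_token(token)
    return {"scheme": scheme, "kind": kind, "needs_ntlm": needs_ntlm_helper(kind)}


# ---- constructed samples (placeholders, not captured traffic) ----
def _ntlm_message(msg_type, flags=0xE2088297):
    # Signature, message type, flags; the remaining field descriptors are zero
    # placeholders, enough for classification but not a valid full message.
    return NTLMSSP_SIGNATURE + struct.pack("<II", msg_type, flags) + b"\x00" * 16


def _gss_initial(oid, inner):
    body = oid + inner
    return b"\x60" + bytes([len(body)]) + body        # short-form DER length


SAMPLE_NTLM_TYPE1 = base64.b64encode(_ntlm_message(1)).decode()
SAMPLE_NTLM_TYPE3 = base64.b64encode(_ntlm_message(3)).decode()
SAMPLE_SPNEGO = base64.b64encode(_gss_initial(SPNEGO_OID, b"\xa0\x02\x30\x00")).decode()
SAMPLE_KRB5 = base64.b64encode(_gss_initial(KRB5_OID, b"\x01\x00")).decode()  # TOK_ID AP-REQ
SAMPLE_SPNEGO_RESP = base64.b64encode(b"\xa1\x02\x30\x00").decode()
SAMPLE_HEADER = "Proxy-Authorization: Negotiate " + SAMPLE_NTLM_TYPE1

if __name__ == "__main__":
    for name, tok in [("opera-style", SAMPLE_NTLM_TYPE1), ("ie-style", SAMPLE_SPNEGO)]:
        kind = classify_negotiate_token(tok)
        print(name, "->", kind, "(needs NTLM helper)" if needs_ntlm_helper(kind) else "")
    print(triage(SAMPLE_HEADER))
```

Paste the base64 value from the browser's Proxy-Authorization header (Wireshark shows it under the HTTP request) into `classify_negotiate_token`; a result of ntlmssp-type1 confirms the client chose NTLM inside the Negotiate scheme, so a Kerberos-only helper will reject it and an NTLM-capable helper has to be configured alongside it.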
Re: [squid-users] Problem compiling Squid 3.1.18 on Ubuntu 10.04 LTS - store.cc
On 12/01/2012 8:04 p.m., Justin Lawler wrote:
> Hi,
> Any time line for the 3.1.19 release, or any beta releases :-)

Betas are every first weekend of the month unless something serious happens to shift it. So 3.2.0.15 beta in 3 weeks unless reality pops its head up and changes things.

3.1.19 is looking a bit spare on bug fixes, probably 4-6 weeks away at this rate.

http://wiki.squid-cache.org/ReleaseProcess

Amos
Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
Thanks Amos,

Currently, we use a VM (vmware) to host a RHEL with squid running. I changed the back-end site to just an IIS test web site which is hosted on the same IIS system, and it's just a png image file. And it seems to be working.

On the RHEL side, there are no limitations on outgoing traffic in the iptables rules.

Regards,
~Kimi

On 12/01/2012, Amos Jeffries wrote:
> On 12.01.2012 02:28, kimi ge wrote:
>> Hi Amos,
>>
>> Really appreciate your help.
>>
>> I did changes with your suggestion.
>>
>> Some debug logs are here:
>>
>> 2012/01/11 13:21:58.167| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
>> 2012/01/11 13:21:58.168| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
>> 2012/01/11 13:21:58.168| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
>> 2012/01/11 13:21:58.170| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
>> 2012/01/11 13:21:58.171| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
>>
> There you go. Squid unable to even connect to the IIS server using TCP.
>
> Bit strange that it should use 404 instead of 500 status. But that TCP connection failure is the problem.
>
>> My squid environment information:
>> RHEL6.0 64bit.
>> squid v 3.1.4
>
> A very outdated Squid release version, even for RHEL (which are on 3.1.8 or so now).
>
> * start with checking your firewall and packet routing configurations to ensure that Squid outgoing traffic is actually allowed and able to connect to IIS.
>
> * if that does not resolve the problem, please try a newer 3.1 release. You will likely have to self-build or use a non-RHEL RPM, there seem to be no recent packages for RHEL.
>
> Amos