[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-27 Thread Markus Moeller
I will try to get a 2008 R2 box, but it will take some time as I have only a 32bit system and R2 is 64bit. Markus "Paul Freeman" wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local... Hi. I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have

[squid-users] Re: Re: squid_ldap_group against nested groups/Ous

2010-10-29 Thread Markus Moeller
:41:48| squid_kerb_ldap: Users primary group matches SOCKS_ALLOW 2010/10/29 18:41:48| squid_kerb_ldap: Unbind ldap server 2010/10/29 18:41:48| squid_kerb_ldap: User markus is member of gr...@domain socks_al...@suse.home OK "Eugene M. Zheganin" wrote in message news:4cc662af.7

[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-30 Thread Markus Moeller
My tests show the same. RC4 works but AES 128/256 fail. It seems to be some incompatibility between MS and MIT/Heimdal Kerberos libraries introduced in R2 Markus "DmitrySh" wrote in message news:1288361044027-3019158.p...@n4.nabble.com... I solve the problem on Win7 (temporary) I set RC4

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-01 Thread Markus Moeller
Let me see if I can get a 8.0/7.x build. Does it compile AND work on 8.1 or do you still see the crash when reading the keytab ? Markus "Eugene M. Zheganin" wrote in message news:4ccd5f0e.9080...@zhegan.in... Hi. On 30.10.2010 00:14, Markus Moeller wrote: Hi, I have now a 64b

[squid-users] Re: Kerberos auth with Active Directory.

2010-11-02 Thread Markus Moeller
"Rolf Loudon" wrote in message news:ea4139a9-af4d-4e0d-8a05-c7b0c3ef4...@ses.tas.gov.au... hello Hi Rolf I am trying to setup kerberos auth against Active Directory - Windows 2000 - in squid, 2.7. This is primarily so that the username is captured in the access log. But also user based

[squid-users] Re: Kerberos auth with Active Directory.

2010-11-02 Thread Markus Moeller
Are you sure Safari supports proxy authentication with Negotiate or only Web authentication with Negotiate? Markus - Original Message - From: "Rolf Loudon" To: "Markus Moeller" Sent: Wednesday, November 03, 2010 5:07 AM Subject: [Partly solved] Re: [squid-user

[squid-users] Re: squid_kerb_ldap multiple groups and granular http_access rules

2010-11-04 Thread Markus Moeller
Will all 3 groups have the same rights ? Or do you want to block some users and others not. Markus "Roy Anciso" wrote in message news:aanlktikjgqwiztr3ubnk-kfg-thjxerg0jg7okr2m...@mail.gmail.com... Hello, I know with squid_kerb_ldap you can list multiple groups using a colon - group1:group2.

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-05 Thread Markus Moeller
ab ? Markus "Eugene M. Zheganin" wrote in message news:4ccd5f0e.9080...@zhegan.in... Hi. On 30.10.2010 00:14, Markus Moeller wrote: Hi, I have now a 64bit freebsd box and can not replicate the error. Also the compile error I got where only a symbol problem dup in support_grou

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-05 Thread Markus Moeller
x8017ef000) Is it possible that you have another kerberos package installed ? How does your ldd look ? I installed a standard freebsd 8.0 84 bit plus ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz for ldap with sasl support. Markus "

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-13 Thread Markus Moeller
ru... Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-14 Thread Markus Moeller
Here is a patch for the squid trunk. Markus "Amos Jeffries" wrote in message news:4cdf2628.2050...@treenet.co.nz... On 13/11/10 22:30, Eugene M. Zheganin wrote: Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-14 Thread Markus Moeller
.deps/support_resolv.Tpo .deps/support_resolv.Po Markus "Eugene M. Zheganin" wrote in message news:4cde5aaa.1070...@norma.perm.ru... Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0-

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd How did you create the entry and keytab ? Markus "Rob Asher" wrote in message news:4cfcf8e3.0172.003...@paragould.k12.ar.us... I've looked through some of the mai

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
- Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 "Markus Moeller" 12/08/10 2:39 PM >>> Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd How did you create the entry and keytab ? Markus

[squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"?

2010-12-09 Thread Markus Moeller
Hi Tom, What does klist -ekt squid.keytab show ? Does it have an entry for AES ? Did you use --enctypes 28 with msktutil as described here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab ? Markus "Tom Tux" wrote in message news:aanlktimuyh9msqcte5shmmoqd

[squid-users] Re: Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"?

2010-12-10 Thread Markus Moeller
'm not able to talk to squid with "rc4-hmac"? So the stronger wins? Thanks in advance. Tom 2010/12/9 Markus Moeller : Hi Tom, What does klist -ekt squid.keytab show ? Does it have an entry for AES ? Did you use --enctypes 28 with msktutil as described here http://wiki.squid-c

[squid-users] Re: Re: Kerberos authentication with MIT KDC

2010-12-10 Thread Markus Moeller
manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host. Thanks, Rob Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 "Marku

[squid-users] Re: Re: Re: Kerberos authentication with MIT KDC

2010-12-10 Thread Markus Moeller
------ Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 "Markus Moeller" 12/10/10 2:19 PM >>> Hi Rob, Before you used xst you must have created the principal with a command like add_principal or ank with either a -pw or -randkey option.

[squid-users] Re: Re: Re: Re: Kerberos authentication with MITKDC

2010-12-10 Thread Markus Moeller
ct 870-236-7744 x169 "Markus Moeller" 12/10/10 5:16 PM >>> Hi Rob, It looks like no password was set or the keytab does not contain the right key (password). Can you try to use add_principal with -randkey ? Markus "Rob Asher" wrote in message news:4d025e

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-14 Thread Markus Moeller
r Network Systems Technician Paragould School District 870-236-7744 x169 "Markus Moeller" 12/10/10 5:16 PM >>> Hi Rob, It looks like no password was set or the keytab does not contain the right key (password). Can you try to use add_principal with -randkey ? Markus "R

[squid-users] Re: Re: Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"?

2010-12-14 Thread Markus Moeller
actly, if it's msktutil's guilt. Tom 2010/12/10 Markus Moeller : Hi Tom, AES is a stronger encryption than RC4, why it is selected first by clients who support it (Windows 7,Vista, 2008, newer MIT/Heimdal versions on Unix). XP/Windows 2003 clients will continue to use RC4 as AES is

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-18 Thread Markus Moeller
nd the FF version is 3.6.12 I still get a prompt for new credentials and it still denies me even though the credentials are valid in network identity manager. Thanks, Rob Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 "Markus Mo

[squid-users] Re: Kerberos AD authentication suddenly stopped working

2010-12-22 Thread Markus Moeller
Is it possible that you run a samba daemon like winbindd ? If samba is fully configured it will emulate a Windows desktop/server and changes on a regular basis the machine password which is used for the Kerberos key. So if the machine password is changed the key in the keytab will be invalid.

[squid-users] Re: Help with Kerberos Configuration

2011-11-18 Thread Markus Moeller
Hi Bhavesh, "Bhavesh Patel" wrote in message news:1321458350063-4076779.p...@n4.nabble.com... Hi All, Was looking through the archives and kind of found some answers but I wanted to make sure. I had a few questions actually. 1) Looks like Squid supports Single Forest Multiple domain setu

[squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Markus Moeller
Did you try my negotiate wrapper ? It is part of squid 3.2, but right now only works with 3.1 ( I have an open bug for 3.2) Markus "Emmanuel Lacour" wrote in message news:20111209110446.gc11...@easter-eggs.com... On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote: As negoti

[squid-users] Re: Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Markus Moeller
e in message news:20111209203605.gf11...@easter-eggs.com... On Fri, Dec 09, 2011 at 06:31:07PM -0000, Markus Moeller wrote: Did you try my negotiate wrapper ? It is part of squid 3.2, but right now only works with 3.1 ( I have an open bug for 3.2) Can you give me hints on how to build it for 3.1 ?

[squid-users] Re: Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Markus Moeller
BTW you can also compile 3.2 and just copy the binary. It works as standalone helper. "Markus Moeller" wrote in message news:jbu0gi$d5d$1...@dough.gmane.org... Try my version on sourceforge https://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wra

[squid-users] Re: Re: Re: Kerberos auth and users in another AD domain

2011-12-12 Thread Markus Moeller
Hi Emmanuel, I did not do any performance testing, so I don't know. Markus "Emmanuel Lacour" wrote in message news:20111212164632.gd3...@easter-eggs.com... On Fri, Dec 09, 2011 at 10:04:56PM -, Markus Moeller wrote: BTW you can also compile 3.2 and just copy the bina

[squid-users] Re: Kerberos auth - Low performence

2011-12-12 Thread Markus Moeller
Hi Wladner, If you use MIT Kerberos you could try to disable the replay cache Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible in a 5 minute window) . If squid is under high load with Negotiate(Kerberos) proxy authentication requests the replay ca

[squid-users] Re: Re: Re: Re: Kerberos auth and users in another AD domain

2011-12-13 Thread Markus Moeller
Thank you :-) "Emmanuel Lacour" wrote in message news:4ee76014.5010...@easter-eggs.com... On 13/12/2011 00:15, Markus Moeller wrote: Hi Emmanuel, I did not do any performance testing, so I don't know. ok, I'll let you informed when I put this on production servers ;)

[squid-users] Re: Squid with Kerberos auth

2011-12-14 Thread Markus Moeller
"Amos Jeffries" wrote in message news:a33f8edad2f5caa9757fe142bb456...@treenet.co.nz... On Wed, 14 Dec 2011 13:22:38 -0200, Wladner Klimach wrote: Hello, i'm running squid with kerberos authentication. The problem is that it's running too slow. Looks like squid is negotiating with AD every UR

[squid-users] Re: Squid with Kerberos auth

2011-12-14 Thread Markus Moeller
"Wladner Klimach" wrote in message news:cap3mw_fjxekwugsusqpnowq096nya-a+17+gbtk2sa2jdwu...@mail.gmail.com... Hello, i'm running squid with kerberos authentication. The problem is that it's running too slow. Looks like squid is negotiating with AD every URL it tries to get. Anyone could point me

[squid-users] Re: Squid with Kerberos auth

2011-12-21 Thread Markus Moeller
Can you run an strace against the process ? Markus "Wladner Klimach" wrote in message news:cap3mw_eaz_v+qaqiz+vc1s0oyzawwes1-fdhtezeabfrq7a...@mail.gmail.com... Amos, so what could be causing so much load on cpu? When I run top i can see there's no swap and the squid_kerb_auth is the process

[squid-users] Re: Kerberos with LDAP authentication failover and iTunes auth problems

2011-12-23 Thread Markus Moeller
Hi Amos "Amos Jeffries" wrote in message news:4ef3e3b6.4060...@treenet.co.nz... On 23/12/2011 12:39 p.m., James Robertson wrote: We have successfully deployed a squid3 proxy in a Windows AD domain that authenticates users with the kerberos helper and uses LDAP queries to allow access based on

[squid-users] Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2011-12-28 Thread Markus Moeller
"Brett Lymn" wrote in message news:20111228062759.gb21...@baea.com.au... On Wed, Dec 28, 2011 at 05:23:55PM +1100, James Robertson wrote: Because I implemented Kerberos first I already had a machine account in Active Directory that was created by the msktutil utility. When I researched imple

[squid-users] Re: Squid with Kerberos auth

2011-12-29 Thread Markus Moeller
It was an selinux problem. Disabling selinux solved the issue. Markus "Markus Moeller" wrote in message news:jctlle$i63$1...@dough.gmane.org... Can you run an strace against the process ? Markus "Wladner Klimach" wrote in message news:cap3mw_eaz_v+qaqiz+vc1s0oyza

[squid-users] Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-05 Thread Markus Moeller
It could be because of the wrong use of msktutil. The -s option require HTTP/. msktutil --help shows: -s, --service Adds the service for the current host. The service is of the form /. If the hostname is omitted, assumes current hostname. Mar

[squid-users] Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-05 Thread Markus Moeller
lient not found in Kerberos database) "Markus Moeller" wrote in message news:je4600$4bd$1...@dough.gmane.org... It could be because of the wrong use of msktutil. The -s option require HTTP/. msktutil --help shows: -s, --service Adds the service for t

[squid-users] Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-05 Thread Markus Moeller
"James Robertson" wrote in message news:CAMALoy9d=kwHQAAfP8=1suhwnW8eq7Q=jr3aataujs25nx8...@mail.gmail.com... Looking at your email again. You say your hostname is 3msydproxy01.example.local including the domain. So it should have worked. I think the problem is that you don't use the -s HTTP

[squid-users] Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread Markus Moeller
"James Robertson" wrote in message news:0bd90128$e3187210$a9495630$@mesrobertson.com... This doesn't matter what does the next lines say ? -- try_machine_keytab_princ: Trying to authenticate for HTTP /3msydproxy01.example.local from local keytab... This should be successful. The kini

[squid-users] Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread Markus Moeller
Hi James, Here is my test against a 2003AD server using msktutil-0.4. The only change I did was to add -k to the update command. Regards Markus markus@opensuse11:/tmp> kinit administra...@win2003r2.home Password for administra...@win2003r2.home: markus@opensuse11:/tmp> ./create_squid + /h

[squid-users] Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread Markus Moeller
"James Robertson" wrote in message news:CAMALoy-QRRGSzN6sSU6J6UTmFkAmh7aGETRo=qcn0gjS2R=6...@mail.gmail.com... Now the update (which does not happen as msktutil determines it is not old enough to change): Thanks for the testing Markus. But what happens after you reset your squid-test-http

[squid-users] Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-06 Thread Markus Moeller
"James Robertson" wrote in message news:CAMALoy-QRRGSzN6sSU6J6UTmFkAmh7aGETRo=qcn0gjS2R=6...@mail.gmail.com... Now the update (which does not happen as msktutil determines it is not old enough to change): Thanks for the testing Markus. But what happens after you reset your squid-test-http

[squid-users] Re: Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-07 Thread Markus Moeller
Hi James, The issue you have might be related to: The has Windows Netbios limitations of 15 characters (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos ) 3MSYDPROXY01-HTTP is 17 characters long and 3MSYDPROXY01 is 12 characters long. Can you choose a shorter one an

[squid-users] Re: Re: Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

2012-01-07 Thread Markus Moeller
Hi James, Don't feel foolish I wrote the wiki ;-) Markus "James Robertson" wrote in message news:camaloy_mazhkptnqq0aaqgoha7vofbptsggf+ta+1c+wqkv...@mail.gmail.com... The has Windows Netbios limitations of 15 characters (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

[squid-users] Re: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

2012-01-12 Thread Markus Moeller
Hi Muhammet, Do you use Kerberos for Windows from MIT ? The 'Network Identity Manager' is from there isn't it ? Which Browser do you use ? Markus "Muhammet Can" wrote in message news:canynonryeksbxpj8qq2ikyuoocia0bc2qr1rw8v0aqev6fc...@mail.gmail.com... Thanks for your reply Amos, I hav

[squid-users] Re: Re: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

2012-01-13 Thread Markus Moeller
n; Network Security: LAN Manager Authentication Level which is undefined, I have some options for LM and NTLM, and NTLMv2 and some more, but there is nothing about Kerberos. Thanks again. On Fri, Jan 13, 2012 at 1:58 AM, Markus Moeller wrote: Hi Muhammet, Do you use Kerberos for Windows from MIT

[squid-users] Re: Does negotiate wrapper v1.0.1 support squid v3.2?

2012-02-26 Thread Markus Moeller
Hi Jiang, There is an open bug http://bugs.squid-cache.org/show_bug.cgi?id=3218 for squid 3.2. Regards Markus "Jiang Wen Dong" wrote in message news:5ec12e8343dab541ada70f9951a719ee3a9ce13...@exccr.td-tech.net... It seems negotiate wrapper v1.0.1 doesn’t work well with squid v3.2. Does n

[squid-users] Re: Kerberos: Problem for generate keytab file

2012-02-29 Thread Markus Moeller
Can you get a network capture with wireshark or tcpdump into a file for port 88 , 389 , 53 464 ? What version of AD do you use ? Is it 2003 or 2008 ? Regards Markus "Fran Márquez" wrote in message news:4f4d6884.6040...@chguadalquivir.es...

[squid-users] commBind: Cannot bind socket

2012-04-06 Thread Markus Moeller
When I try to start an external acl helper I get the following errors: 2012/04/06 19:03:27| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes 2012/04/06 19:03:27| commBind: Cannot bind socket FD 90 to [::1]: (99) Cannot assign requested address 2012/04/06 19:03:27| commBin

[squid-users] Re: commBind: Cannot bind socket

2012-04-06 Thread Markus Moeller
/arrow_up.png: (2) No such file or directory Markus "Jean-Philippe Menil" wrote in message news:4f7f5979.2050...@univ-nantes.fr... On 06/04/2012 20:17, Markus Moeller wrote: When I try to start an external acl helper I get the following errors: 2012/04/06 19:03:27| helperOpenServers: St

[squid-users] Re: commBind: Cannot bind socket

2012-04-06 Thread Markus Moeller
It looks like to be an ipv6 problem. I disabled ipv6 on my OpenSuse, but squid wants to bind on ::1 (ipv6 localhost) which fails. Is this a bug ? Markus "Markus Moeller" wrote in message news:jlnsae$iq$1...@dough.gmane.org... The file permissions are correct: ls -al /opt/squ

[squid-users] Re: Re: commBind: Cannot bind socket

2012-04-09 Thread Markus Moeller
But it should be possible to determine that automatically (e.g. if the bind on ::1 fails try ipv4) shouldn't it ? Thank you Markus "Amos Jeffries" wrote in message news:4f82cd96.8060...@treenet.co.nz... On 7/04/2012 12:08 p.m., Markus Moeller wrote: It looks like to be an

[squid-users] Re: Re: Re: commBind: Cannot bind socket

2012-04-10 Thread Markus Moeller
0 :::139 :::*LISTEN Markus "Amos Jeffries" wrote in message news:4f83b2d8.9050...@treenet.co.nz... On 10/04/2012 1:11 a.m., Markus Moeller wrote: But it should be possible to determine that automatically (e.g. if the bind on ::1 fails try i

[squid-users] Re: Re: Re: Re: commBind: Cannot bind socket

2012-04-10 Thread Markus Moeller
"Amos Jeffries" wrote in message news:4f841b87.3040...@treenet.co.nz... On 10/04/2012 10:21 p.m., Markus Moeller wrote: Hi Amos, These are my system settings: /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 Okay, that should be enough. networking restarted after cha

[squid-users] Re: Re: Re: Re: commBind: Cannot bind socket

2012-04-14 Thread Markus Moeller
" wrote in message news:4f841b87.3040...@treenet.co.nz... On 10/04/2012 10:21 p.m., Markus Moeller wrote: Hi Amos, These are my system settings: /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 Okay, that should be enough. networking restarted after changing that? ifconfig -a

[squid-users] Re: Kerberos with AD

2012-04-15 Thread Markus Moeller
Hi Simon, This looks like a client PC issue. Can you check with kerbtray that the client gets a TGS for HTTP/ ? If you can look at the traffic between the client and AD with wireshark you should see first an AS request from the client to AD on port 88 and when you the user opens IE and acce

[squid-users] Re: Re: Kerberos with AD

2012-04-16 Thread Markus Moeller
mind max length is 15 characters) Regards Markus "Brett Lymn" wrote in message news:20120416061457.gj...@baea.com.au... On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote: BTW I would not recommend using ktpass and a user account. ktpass uses DES as a default wh

[squid-users] Re: squid_kerb_auth High CPU load.

2012-04-18 Thread Markus Moeller
Are you sure /etc/sysconfig/squid is sourced by the squid startup script ? Markus "Simon Dwyer" wrote in message news:1334789097.2408.17.ca...@sdwyer.federalit.net... Hi all, I have got kerberos working and moved it to production but then the server started smashing its cpu. It seems that th

[squid-users] Re: Re: squid_kerb_auth High CPU load.

2012-04-18 Thread Markus Moeller
th process when used? Cheers, Simon On Thu, 2012-04-19 at 06:15 +0100, Markus Moeller wrote: Are you sure /etc/sysconfig/squid is sourced by the squid startup script ? Markus "Simon Dwyer" wrote in message news:1334789097.2408.17.ca...@sdwyer.federalit.net... > Hi all, > &g

[squid-users] Re: Re: Re: squid_kerb_auth High CPU load.

2012-04-19 Thread Markus Moeller
ast time i tried to run it this morning. > > I wont be able to try it again till tomorrow morning to see if it > modifies it > > Cheers, > > Simon > > On Thu, 2012-04-19 at 06:44 +0100, Markus Moeller wrote: > > Hi Simon, > > > > Unfortunately I do n

[squid-users] Re: Re: Re: Re: squid_kerb_auth High CPU load.

2012-04-20 Thread Markus Moeller
s_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 [realms] MULAWA.INTERNAL = { kdc = dc-hbt-01.mulawa.internal kdc = dc-hbt-02.mualwa.internal } [domain_realm] mulawa.internal = MULAWA.internal .mulawa.internal = MULAWA.internal On Thu, 2012-04-19 at 23:36 +0100, Markus Moeller wrote: How ma

[squid-users] Re: Re: Re: Re: squid_kerb_auth High CPU load.

2012-04-20 Thread Markus Moeller
Can you also send me the extract from cache.log for the same period ? Do you use the -d debug flag with squid_kerb_auth ? Markus "Markus Moeller" wrote in message news:jmrkhi$42v$1...@dough.gmane.org... Hi Simon, The config is standard and looks OK. Can you run strace (strac

[squid-users] Re: squid kerberos auth for multiple proxy servers

2012-04-25 Thread Markus Moeller
Hi Markus, The answers are: 1) Yes 2) The keytab contains the hostname of the squid server. So you would need multiple keytabs 3) The principal name will be based on a fixed part HTTP and the name you use in the Browser configuration. If you use in IE squid1.domain.com then you must hav

[squid-users] Re: squid_ldap_auth with SASL/GSSAPI

2012-06-15 Thread Markus Moeller
Hi Amos, http://squidkerbauth.sourceforge.net/ has only my helper squid_kerb_auth and squid_kerb_ldap which are both available in squid 3.2 as negotiate_kerberos_auth authentication helper and kerberos_ldap_group as external acl helper. So not exactly what was asked for I think. Markus

[squid-users] Re: Re: squid_ldap_auth with SASL/GSSAPI

2012-06-16 Thread Markus Moeller
"Павел Бычихин" wrote in message news:4fdc3921.9010...@hte.vl.net.ua... 15.06.2012 20:17, Markus Moeller wrote: Hi Amos, http://squidkerbauth.sourceforge.net/ has only my helper squid_kerb_auth and squid_kerb_ldap which are both available in squid 3.2 as negotiate_ker

[squid-users] Re: squid3.1, squid_kerb_auth and Negotiate GSSAPI errors

2012-06-20 Thread Markus Moeller
Hi Mark, Do you have the token you received as base64 encoded in the log or better in a wireshark capture ? This could help identifying if the un-encrypted elements in the token are correct. Markus "Mark Davies" wrote in message news:201206201520.52498.m...@ecs.vuw.ac.nz... Hi, we

[squid-users] Re: Squid Kerberos authentication error

2012-06-24 Thread Markus Moeller
Can you check that the squid user has read access to the Kerberos keytab ? Did you set the environment variable KRB5_KTNAME pointing to the Kerberos keytab in the startup script ? Markus "Navas" wrote in message news:000301cd51e5$7f9e64e0$7edb2ea0$@gmail.com... Hi, I am trying to setup squ

[squid-users] Re: Re: Squid Kerberos authentication error

2012-06-24 Thread Markus Moeller
com... One more thing I am using Samba, I could not use mskutil. Is there any issue with Kerberos and Samba. OS: Redhat EL6.2 squid-3.1 thanks, -Original Message----- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Sunday, June 24, 2012 2:59 PM To: squid-users@squid-cache.org Subjec

[squid-users] Re: Re: Re: Squid Kerberos authentication error

2012-06-25 Thread Markus Moeller
rb5.keytab Thanks, Br abusam -----Original Message- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Sunday, June 24, 2012 9:39 PM To: squid-users@squid-cache.org Subject: [squid-users] Re: Re: Squid Kerberos authentication error You can use samba to create the keytab, but you mus

[squid-users] Re: Re: Re: Squid Kerberos authentication error

2012-06-26 Thread Markus Moeller
windows XP. My active directory is in windows 2003 --Original Message-- From: Mohamed Navas To: 'Markus Moeller' To: squid-users@squid-cache.org Subject: RE: [squid-users] Re: Re: Squid Kerberos authentication error Sent: 26 Jun 2012 9:27 AM I could solve the issue by creati

[squid-users] Re: Re: Re: Re: Squid Kerberos authentication error

2012-06-26 Thread Markus Moeller
- From: "Markus Moeller" Date: Tue, 26 Jun 2012 21:16:54 To: Subject: [squid-users] Re: Re: Re: Squid Kerberos authentication error What is the proxy name you use in the IE configuration ? What are the other browsers / systems which work ? Markus wrote in message news:903157024-

[squid-users] Re: Squid authenticate in NTLMS not in KERBEROS

2012-07-02 Thread Markus Moeller
How does your configuration look like ? How did you create the keytab file ? Markus "Mohamed Navas" wrote in message news:CAJa81O71_pG63hu7XGW2om6EOBGTS8y-=xdbsrayazgcana...@mail.gmail.com... Hi, I have setup the squid authentication with windows 2003 Domain controller. But it's working wel

[squid-users] Re: Re: Squid authenticate in NTLMS not in KERBEROS

2012-07-03 Thread Markus Moeller
keep_alive on ### pure ntlm authentication auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ACCT.SYSNET.LOCAL auth_param ntlm children 10 auth_param ntlm keep_alive off acl auth proxy_auth REQUIRED On Tue, Jul 3, 2012 at 1:39 AM, Markus Moell

[squid-users] Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2012-07-30 Thread Markus Moeller
Hi Eugene, For squid_kerb_ldap to work with automatic ldap server detection you need to setup your DNS correctly. All SRV records must be hostnames (not IPs as in your cases some are). The hostname will be resolved in an IP and back into a hostname to eliminate CNAMEs. For the final ho

[squid-users] Character conversion between authentication and authorisation

2012-07-30 Thread Markus Moeller
How are special characters converted in squid ? For example my squid_kerb_auth would return müller for müller, but when using %LOGIN for the authorisation helper I get m%C3%BCller which I don't expect in squid_kerb_ldap. Are there functions in squid which convert strings into different chra

[squid-users] Re: Character conversion between authentication and authorisation

2012-07-31 Thread Markus Moeller
9c1b5cd694...@treenet.co.nz... On 31.07.2012 11:09, Markus Moeller wrote: How are special characters converted in squid ? For example my squid_kerb_auth would return müller for müller, but when using %LOGIN for the authorisation helper I get m%C3%BCller which I don't expect in squid_kerb_l

[squid-users] Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2012-08-01 Thread Markus Moeller
Hi Eugene, Are all 12 groups for the same control ? If so you can use -g Group1:Group2:Group3:. Markus "Eugene M. Zheganin" wrote in message news:5019446a.3060...@norma.perm.ru... Hi. One more question - is there any way to parametrize the group name, so it will be able not to p

[squid-users] Re: Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2012-08-02 Thread Markus Moeller
Hi Eugene, What do you suggest squid_kerb_ldap should do to make it simpler for you ? Markus "Eugene M. Zheganin" wrote in message news:501a1d2c.9060...@norma.perm.ru... Hi. On 01.08.2012 23:02, Markus Moeller wrote: Hi Eugene, Are all 12 groups for the same control ? If

[squid-users] Client IP association to squid helper.

2012-08-04 Thread Markus Moeller
What debug setting do I need to know which client connection is sent to which helper process ? Thank you Markus

[squid-users] Re: squid_kerb_auth High CPU load.

2012-08-04 Thread Markus Moeller
Hi Viorel, It is the first time I hear that x64 performs differently to x86. I have no idea how to debug such a situation. Markus "Viorel Robu" wrote in message news:loom.20120803t121805-...@post.gmane.org... Simon Dwyer simmyd.net> writes: Hi all, I have got kerberos working and m

[squid-users] Re: squid_kerb_auth High CPU load.

2012-08-06 Thread Markus Moeller
Hi Viorel, What you mean with a list of high load sites ? Are you saying that the performance depends on which sites you are accessing via squid ? Regards Markus "Viorel Robu" wrote in message news:loom.20120806t080838-...@post.gmane.org... Markus Moeller moeller.plus.c

[squid-users] Re: Re: Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2012-08-06 Thread Markus Moeller
Hi Eugene, How would a squid_group_ldap line look like ? From where would the group name come from ? I could try to add this feature. Thank you Markus "Eugene M. Zheganin" wrote in message news:501f74f7.2090...@norma.perm.ru... Hi. On 03.08.2012 04:02, Markus Moeller

[squid-users] Re: Re: Character conversion between authentication and authorisation

2012-08-08 Thread Markus Moeller
"Amos Jeffries" wrote in message news:61820e9d911d198441ff3778b6f10...@treenet.co.nz... On 01.08.2012 06:37, Markus Moeller wrote: Hi Amos, Does squid have an inverse function ? I need UTF-8 encoded strings for ldap matches and squid_kerb_auth gives me that (as far as I recall) . Would

[squid-users] Re: squid_kerb_auth High CPU load.

2012-08-10 Thread Markus Moeller
Good news. Thank you for sharing. Markus "Viorel Robu" wrote in message news:loom.20120810t112710-...@post.gmane.org... Hooray!!! I solved my problem with squid_kerb_auth!!! The problem was not in architecture, as I wrongly supposed. The problem is SELINUX, even in permissive mode it makes a

[squid-users] Re: squid_ldap_group (Group into Group)

2012-08-10 Thread Markus Moeller
Hi Rickifer, squid_kerb_ldap does not require squid_kerb_auth. You can use command line options for ldap and a default realm. ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ] [-N Netbios-Realm-List] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password] [-b Ldap-Bind-Path] [-l Lda

[squid-users] Re: squid_kerb_auth High CPU load.

2012-08-13 Thread Markus Moeller
You probably need to ask on a SELINUX mailing list. I don't see a reason why SELINUX behaves differently on x64 compared to x86. Markus "Viorel Robu" wrote in message news:loom.20120813t094910-...@post.gmane.org... Markus Moeller moeller.plus.com> writes: Good ne

[squid-users] Re: Negotiate on 3.2.1

2012-08-18 Thread Markus Moeller
Hi Paul, Does squid running user have read access to the keytab ? Did you use export KRB5_KTNAME to point to the keytab in the startup script ? What is the hostname of your squid host ? Did you get a minor code message ? Check also my page for some further hints http://wiki.squid-cache.org/

[squid-users] Re: Re: Negotiate on 3.2.1

2012-08-18 Thread Markus Moeller
s "Username@DOMAIN". Is there any way to alter the format of the returned username? Thanks again Paul On 18 August 2012 13:30, Markus Moeller wrote: Hi Paul, Does squid running user have read access to the keytab ? Did you use export KRB5_KTNAME to point to the keytab in the start

[squid-users] Re: Error with Squid proxy to Kerberos authentication

2012-08-20 Thread Markus Moeller
Hi Vaelenor, What does the logfile say when you run squid_kerb_auth with -d as an option ? Markus "Vaelenor" wrote in message news:1345467274306-4656269.p...@n4.nabble.com... Hiya, Thnx for the fast reply, and yes, I did give it permission... -- View this message in context: http://

[squid-users] Re: Help with Kerberos Configuration

2012-08-31 Thread Markus Moeller
You may need a third entry in the keytab for the VIP. IE will look for a HTTP/ ticket. Regards Markus "brendan" wrote in message news:1346159765625-4656345.p...@n4.nabble.com... i have two squid instances on two separate servers. each is configured with kerberos auth, and when i point at

[squid-users] Re: squid_kerb_auth for AD auth

2012-09-07 Thread Markus Moeller
Hi Sean, If you see NTLM tokens in squid_kerb_auth then either you have not created a keytab for squid or the client can not get a HTTP/ ticket from AD. Please capture traffic on port 88 for kerberos traffic on the client and 3128 for squid traffic. Markus "Sean Boran" wrote in message

[squid-users] Re: squid_kerb_auth for AD auth

2012-09-10 Thread Markus Moeller
Hi Sean, When I said client I meant the Windows client ( or do you have also Unix clients ?) On Windows you can install a tool called kerbtray which shows you the ticket you have. If you don't see any ticket for HTTP/ you need to use a capture tool like wireshark and look at the traffic on p

[squid-users] File Upload with curl - error 417 Expectation Failed

2012-10-30 Thread Markus Moeller
Hi, I try to upload a file with curl which works fine without squid. But when I try the upload with squid I get an error 417 Expectation Failed. I use squid 3.1.16. What does that mean ? Thank you Markus curl -v --proxy-negotiate --form file_upload=@test.txt --form do=test --form subdo=fi

[squid-users] Re: No Kerberos Auth

2012-10-31 Thread Markus Moeller
Hi Ralph, If you use NTLM and Kerberos make sure you do NOT use the same AD account for both. The samba daemon will change the password on a regular basis which will bring the keytab out of sync with the AD account. Your proxy will not need any kerberos cache (except if you use my squid_ker

[squid-users] Problem creating cache

2012-11-01 Thread Markus Moeller
I try to create the cache with squid 3.2.2 but without success. How can I debug this ? -X does not give anything useful. # /opt/squid-3.2/sbin/squid -z -F 2012/11/01 23:56:09| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1' 2012/11/01 23:56:09| WARNING: because of this '127.0.0.1' i

[squid-users] Re: Re: No Kerberos Auth

2012-11-01 Thread Markus Moeller
t- From: Jarosch, Ralph [mailto:ralph.jaro...@justiz.niedersachsen.de] Sent: Thursday, 1 November 2012 13:49 To: Jarosch, Ralph; Markus Moeller; squid-users@squid-cache.org Subject: AW: [squid-users] Re: No Kerberos Auth Hello Markus, I've found some answer from you in this thread http://squid

[squid-users] Re: Problem creating cache

2012-11-03 Thread Markus Moeller
I found my error. squid was looking into the wrong conf file. Markus "Markus Moeller" wrote in message news:k6v2q5$lmn$1...@ger.gmane.org... I try to create the cache with squid 3.2.2 but without success. How can I debug this ? -X does not give anything useful. # /opt/squid-3.2/

[squid-users] Fw: new msktutil release (v0.4.2)

2012-11-24 Thread Markus Moeller
- Original Message - From: "Ken Dreyer" Newsgroups: comp.protocols.kerberos To: Sent: Friday, November 23, 2012 7:57 PM Subject: new msktutil release (v0.4.2) I'm pleased to announce release 0.4.2 of msktutil. msktutil is a program for interoperability with Active Directory. It ca

[squid-users] Re: squid_kerb_ldap - Could not set LDAP_OPT_X_SASL_SECPROPS

2012-11-24 Thread Markus Moeller
Hi I assume you use openldap on your freebsd build. Can you try from the command line: # kinit -kt /usr/local/etc/HTTP.keytab HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL # ldapsearch -d 999 -H ldap://pollux.m-tisiz.local:389 -Y GSSAPI -O "maxssf=56" -b dc=M-TISIZ,dc=LOCAL -s sub "(samaccountn
