Can you capture the traffic on port 88 from the PC to AD after a clean boot
and when you access squid?
Markus
masterx81 wrote in message
news:1412360733691-4667648.p...@n4.nabble.com...
All solved!
It seems that Kerberos is ALWAYS not working only on a specific workstation.
If I use Kerberos
Hi Victor,
That sounds a bit strange. Can you capture with wireshark the traffic on
port 88 on the system which has squiduser in the cache (best after clearing
the cache with kerbtray first) when accessing squid and send it to me as a cap
file?
Markus
Victor Sudakov wrote in message
Hi Pedro,
How did you create your keytab? What does klist -ekt squid.keytab show (I
assume you use MIT Kerberos)?
Markus
Pedro Lobo pal...@gmail.com wrote in message
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,
I'm at my wit's end and in dire need of some squid
and XP/2003 machines are working just fine.
I've also checked the permissions on the keytab file and they haven't changed
since Saturday, so it's not that... ARGH
Craving ideas and solutions right now... Pilot users are less than satisfied ;)
Cheers,
Pedro
On 25 Oct 2014, at 14:13, Markus
in message
news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...
Hi Markus Moeller,
Hi Markus,
Yeah, I'm currently using that option and permissions are correct too.
On 27 Oct 2014 19:47, Markus Moeller wrote:
Hi Pedro,
Did you try the -s GSS_C_NO_NAME option?
Markus
Pedro
I thought it wasn't trivial, otherwise it would have been already done. ;-)
Thank you
Markus
Amos Jeffries wrote in message news:54a3416f.9060...@treenet.co.nz...
On 31/12/2014 7:59 a.m., Markus Moeller wrote:
Hi Amos,
On 30/12/2014 3:31
Amos Jeffries wrote in message news:54be3b5c.8040...@treenet.co.nz...
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to
between the two
helpers are and which one does fit my needs better. Any others?
Nothing I can pick out easily.
Do you know anything about the feature in
ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
earlier post?
I have a new method in my squid 3.4 patch which uses the Group
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to Kerberos
domain name” mappings provided by the -N option. As far as I can
tell,
=5manpath=FreeBSD+Ports+10.1-RELEASEarch=defaultformat=html
default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
Markus
Ludovit Koren wrote in message news:86h9usfpsk@gmail.com...
Markus Moeller hua...@moeller.plus.com writes:
Hi Ludovit,
Which Kerberos library
Type Principal Aliases
8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local@MDPT.LOCAL
Markus
Ludovit Koren wrote in message news:86d25i9plr@gmail.com...
Markus Moeller hua...@moeller.plus.com writes:
Hi Ludovit,
I haven't seen that error
Hi Ludovit,
I haven't seen that error before either, but when you test you should have
your own user credentials in the cache. You should use kinit
user@MDPT.LOCAL and then try the test again. Is the hostname correctly set
to squid1.mdpt.local? If not try
Amos Jeffries wrote in message news:54BE3B5C.8040800 at
treenet.co.nz...
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to
What does the config file look like?
Markus
Joao Paulo Monticelli Gaspar jaumsh...@gmail.com wrote in message
news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...
Hey people
I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID
integrate to a W2K8
Hi Joao,
OK now you use the authentication rule.
How did you create the keytab? Does the hostname match the keytab entry?
Can you run the helper with -d to get more debug?
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller
Oh pretty old bug.
Thank you
Markus
Amos Jeffries wrote in message news:54f26815.4020...@treenet.co.nz...
On 1/03/2015 4:55 a.m., Markus Moeller wrote:
Hi,
I wonder about the total size variables %<st and %>st for squid logs
# %<st Sent reply size including HTTP headers
# %>st Received
Which OS and Kerberos version do you have ? There might be some issue with the
cache used KEYRING:persistent:0:0
Markus
Olivier CALVANO o.calv...@gmail.com wrote in message
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
Hi
I request your help because i want use
.x86_64
krb5-libs-1.12.2-14.el7.x86_64
regards
olivier
2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:
Which OS and Kerberos version do you have ? There might be some issue with
the cache used KEYRING:persistent:0:0
Markus
Olivier CALVANO o.calv...@gmail.com wrote
is 130751472429170776
Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication
error
Error: set_password failed
-- ~KRB5Context: Destroying Kerberos Context
2015-05-03 13:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:
Did you compile msktutil or is it a package
Hi Louis,
When you have an offline PC do you use DHCP to give an IP ? If so can you
also provide the PC with a WINS server via DHCP ? If that is possible and you
run WINS you can authenticate the user with u...@domain.com when you get the
authentication popup. The WINS server will point
Hi Olivier,
Which Kerberos version do you use ? MIT or Heimdal ?
Markus
"Olivier CALVANO" wrote in message
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi
I test an AD authentication with Kerberos/NTLM
### negotiate kerberos and ntlm
Hi Olivier,
If I decode a token I see
/base64> hexdump -c base64_dec.out
000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201
010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002
020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004
, November 03, 2015 9:22 AM
To: Markus Moeller
Subject: Re: [squid-users] Squid with NTLM and Kerberos auth => a error
that's said that squid can by used with Windows AD ?
2015-11-02 22:46 GMT+01:00 Markus Moeller <hua...@moeller.plus.com>:
Hi Olivier,
If I decode a to
What happens if you adjust the system time to be in sync with the AD server ?
Markus
"Михаил" wrote in message
news:1462781444845...@web15m.yandex.ru...
Hi All!
Sometime I get a error message and squid stop:
2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator
Hi Enrico,
The Kerberos helper will authenticate only for now (there is now code to
get the group information, but it is not further processed). It does not do
anything to group membership like the winbind cache. Also keep in mind that
Kerberos caches the ticket for about 10 hours on the
Hi Paul,
negotiate_kerberos_auth is for Unix only.
Regards
Markus
"MORRIS Paul [Tuart College]" wrote in message
news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal...
Hi,
I am trying without success to use the "negotiate_kerberos_auth.exe" helper
and
Hi,
The issue appears if you use the same AD account for samba and the
kerberos keytab creation. As samba will reset the password of the AD
account and thereby invalidate the extracted keytab.
Markus
"Alex Samad" wrote in message
th winbind, I kinit with my personal admin account and
also do a net ads join -U .
the password on the doesn't / hasn't changed.
are you talking about the computer account password ?
if so, then I setup a different computer account for the squid
kerberos application !
On 9 December 2015 at 07:
What other output do you get when using -d (i.e. enable debug output)? It
may indicate the reason for your return message.
Markus
"Michael Pelletier" wrote in message
news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com...
Hello,
/hostname.domain@domain.org -d
Then you get debug output in your cache.log file.
Markus
"Markus Moeller" <hua...@moeller.plus.com> wrote in message
news:nikoqr$i2m$1...@ger.gmane.org...
What does the log say when you use the -d option with the helper
Markus
"Niles
Hi Markus,
When you say authentication does not work, do you mean Kerberos
authentication or Kerberos and NTLM ? Can you add a -d for debug to the
Kerberos authentication helper and provide the log file messages ?
Can you also provide the content of the keytab ?
Regards
Markus
"Markus
Hi,
Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM?
Can you get a wireshark capture on your client on port 88? You should
see some TGS-REQs in the capture and I assume also TGS-REPs with error
messages. Can you share these error messages?
Regards
KNOWN
User's PC belonging to EXTERNALS.COM are joined to EXTERNALS.COM
Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <hua...@moeller.plus.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,
Is your client
Hi Michael,
Yes, you should be able to set an environment variable KRB5RCACHEDIR in your
startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache
type.
Markus
"Michael Pelletier" wrote in message
have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.
My Linux distribution is CentOS 7
Regards,
Márcio
2016-08-28 15:24 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:
Hi Marcio,
The helper needs a Kerberos token as input. Please have a look at
test
---
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
Markus Moeller
Sent: Saturday, 27 August 2016 16:52
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_grou
Hi Silamael,
Can you perform a kinit u...@example.com ? Does the squid user have
read access to krb5.conf ?
Markus
"Silamael Darkomen" wrote in message
news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...
Hello,
I'm currently working on setting up our proxy to authenticate
Hi
Did you try the debug option -d for ext_kerberos_ldap_group_acl to get
some debug ? Maybe it gives some indication of the problem ?
Markus
"erdosain9" wrote in message
news:1474570767416-4679652.p...@n4.nabble.com...
So, I have a little more info.
This is the config
###Kerberos Auth
Hi Louis,
I lately made a change in how the SSL certificate verification is done. Did
you use the latest version from trunk? Also set the variable TLS_CACERTFILE
in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem). I do
not read any ldap.conf file for this yet.
Hi,
I would say they are bugs. The first “issue” is as you say more about
understanding the difference between UPN and SPN and how the tools use them.
The helper tries to “authenticate” squid to AD as a user with the found SPN
name, so the UPN must be the same as the SPN. There is no easy
Hi Marcio,
The helper needs a Kerberos token as input. Please have a look at
test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk
version. The squid hostname must match the entry in your keytab and you must
have done kinit to authenticate against a Kerberos server
Hi Rick,
The log indicates that your Browser sends an NTLM token, not a Kerberos
token. This can be easily seen from the first characters of the token
(TlRM). Check the Kerberos communication on the client (i.e. port 88). The
client should request a token for HTTP/ and receive it. If not
Hi,
When using the latest squid 4 release you can use %note{group} to get
the group information from the Negotiate Kerberos helper to transfer the PAC
group SIDs to the external ACL helper.
squid.conf
...
external_acl_type test_acl ipv4 %LOGIN %note{group}
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos
Can you capture the traffic on port 88? Heimdal has no helpful messages, so
seeing the real traffic may help identify the issue.
Kinit should create an AS req/rep
the test program creates a TGS req/rep
Example attached if it gets through.
Markus
"Panagiotis Bariamis"
Hi Jeroen,
Do you use Active Directory as ldap server ? My automated test says it is
not. I use this check to determine the group attribute check.
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group:
DEBUG: Search ldap server with bind path
Hi Amos,
Is there any reason that kerberos_sid_group is not included in the tar ?
Thank you
Markus
"Amos Jeffries" wrote in message
news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz...
The Squid HTTP Proxy team is very pleased to announce the
Hi Klaus,
Is the group you added a security group ? Only security groups are part
of the Kerberos ticket. Which authorisation helper do you use or is this
just based on the auth helper output ?
What do you see on the client ? e.g. in powershell run whoami /groups
Did you clear
Hi
Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The
kerberos client will try to request a ticket based on the used hostname. e.g.
if you configure in your browser the proxy name as ha-proxy.slb.example.com
then the client will look for a serviceprincipal of
Hi Klaus,
The negotiate_kerberos_auth helper is not intended to run on Windows.
How did you compile it ?
Markus
"Klaus Westkamp" wrote in message
news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net...
Hi,
I dug a little further (but I'm no expert in WinDBG):
Attaching to the
What does the cache log show?
Markus
"Alex Gutiérrez" wrote in message
news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu...
Hi community, recently I installed an old UBT 18.04 with squid 3. I use
Kerberos to authenticate my users.
Everything seems great, but all my users are able to
"Alex Rousskov" wrote in message
news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com...
On 10/9/21 9:06 AM, Markus Moeller wrote:
Hi,
I have now tested with the below config and I see my first request
works, but the second fails. So I am not sure if it is still a
con
I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...
On 10/8/21 8:02 PM, Markus Moeller wrote:
I try to set up a proxy chain, but don't get the setup right. I have one
sq
ISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
--
Thank you
Markus
"Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io...
I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec
"Alex Rousskov" wrote in message
news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com...
On 10/9/21 1:46 PM, Markus Moeller wrote:
I try to find a way for squid to "route" all Internet
domains to a default proxy and a subset of well defined domains to
I think you talk about a kdc proxy, which is for another case.
Regards
Markus
"Grant Taylor" wrote in message
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerb
GSS_C_NO_NAME option to select either key.
A second option is to add a second service principal name to the proxy2 AD
account and use -s GSS_C_NO_NAME.
Regards
Markus
"Amos Jeffries" wrote in message
news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz...
On 14/10/21 8:48 am, Mark
-551c1fe77...@spamtrap.tnetconsulting.net...
On 10/16/21 1:31 PM, Markus Moeller wrote:
I think you talk about a kdc proxy, which is for another case.
I don't think so. I'm not talking about using a proxy to access the KDC.
I'm talking about using a component of the following scenario:
1) C
Hi,
I try to set up a proxy chain, but don't get the setup right. I have one
squid with 2 parents. One with auth for domainA.com and one w/o auth for the
non local IPs (i.e. Internet).
With the below config I see domainA.com still going to the unauthenticated
parent proxy. Any hint why?
The problem lies more in the way Kerberos proxy authentication works.
The client uses the proxy name to create a ticket and in this case it would
be the name of the first proxy e.g. proxy1.internal. The first proxy will
pass it through to the authenticating proxy for authentication