Re: [squid-users] Kerberos auth not working

2014-10-03 Thread Markus Moeller
Can you capture the traffic on port 88 from the PC to AD after a clean boot and when you access squid ? Markus masterx81 wrote in message news:1412360733691-4667648.p...@n4.nabble.com... All solved! Seems that kerberos is ALWAYS not working only on a specific workstation. If I use kerberos

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Markus Moeller
Hi Victor, That sounds a bit strange. Can you capture with wireshark the traffic on port 88 on the system which has squiduser in the cache ( best after a clear the cache with kerbtray first) when accessing squid and send it to me as cap file ? Markus Victor Sudakov wrote in message

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-24 Thread Markus Moeller
Hi Pedro, How did you create your keytab ? What does klist -ekt squid.keytab show ( I assume you use MIT Kerberos) ? Markus Pedro Lobo pal...@gmail.com wrote in message news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com... Hi Squid Gurus, I'm at my wit's end and in dire need of some squid

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
and XP/2003 machines are working just fine. I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH Craving ideas and solutions right now... Pilot users are less than satisfied ;) Cheers, Pedro On 25 Oct 2014, at 14:13, Markus

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
in message news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone... Hi Markus Moeller, Hi Markus, Yeah, I'm currently using that option and permissions are correct too. On 27 Oct 2014 19:47, Markus Moeller wrote: Hi Pedro, Did you try the -s GSS_C_NO_NAME option ? Markus Pedro

Re: [squid-users] Proxy to proxy authentication

2014-12-30 Thread Markus Moeller
I thought it wasn't trivial, otherwise it would have been already done. ;-) Thank you Markus Amos Jeffries wrote in message news:54a3416f.9060...@treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 31/12/2014 7:59 a.m., Markus Moeller wrote: Hi Amos, On 30/12/2014 3:31

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller
Amos Jeffries wrote in message news:54be3b5c.8040...@treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the Netbios name to

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller
between the two helpers are and which one does fit my needs better. Any others? Nothing I can pick out easily. Do you know anything about the feature in ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an earlier post? I have a new method in my squid 3.4 patch which uses the Group

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-02-11 Thread Markus Moeller
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the Netbios name to Kerberos domain name” mappings provided by the -N option. As far as I can tell,

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-11 Thread Markus Moeller
=5manpath=FreeBSD+Ports+10.1-RELEASEarch=defaultformat=html default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes Markus Ludovit Koren wrote in message news:86h9usfpsk@gmail.com... Markus Moeller hua...@moeller.plus.com writes: Hi Ludovit, Which Kerberos library

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-10 Thread Markus Moeller
Type Principal Aliases 8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local@MDPT.LOCAL Markus Ludovit Koren wrote in message news:86d25i9plr@gmail.com... Markus Moeller hua...@moeller.plus.com writes: Hi Ludovit, I haven't seen that error

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-09 Thread Markus Moeller
Hi Ludovit, I haven't seen that error before either, but when you test you should have your own user credentials in the cache. You should use kinit user@MDPT.LOCAL and then try again the test. Is the hostname correctly set to squid1.mdpt.local ? If not try

Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-02-09 Thread Markus Moeller
Amos Jeffries wrote in message news:54BE3B5C.8040800 at treenet.co.nz... -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2015 11:31 p.m., Simon Stäheli wrote: Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the Netbios name to

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-18 Thread Markus Moeller
How does the config file look like ? Markus Joao Paulo Monticelli Gaspar jaumsh...@gmail.com wrote in message news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com... Hey people I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID integrate to a W2K8

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-19 Thread Markus Moeller
Hi Joao, OK now you use the authentication rule. How did you create the keytab ? Does the hostname match the keytab entry ? Can you run the helper with -d to get more debug ? Markus From: Joao Paulo Monticelli Gaspar Sent: Thursday, March 19, 2015 12:41 AM To: Markus Moeller

Re: [squid-users] Logging variable question

2015-03-01 Thread Markus Moeller
Oh pretty old bug. Thank you Markus Amos Jeffries wrote in message news:54f26815.4020...@treenet.co.nz... On 1/03/2015 4:55 a.m., Markus Moeller wrote: Hi, I wonder about the total size variables st and st for squid logs # st Sent reply size including HTTP headers # st Received

Re: [squid-users] Squid and Kerberos problems

2015-05-02 Thread Markus Moeller
Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0 Markus Olivier CALVANO o.calv...@gmail.com wrote in message news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com... Hi I request your help because i want use

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
.x86_64 krb5-libs-1.12.2-14.el7.x86_64 regards olivier 2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com: Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0 Markus Olivier CALVANO o.calv...@gmail.com wrote

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
is 130751472429170776 Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication error Error: set_password failed -- ~KRB5Context: Destroying Kerberos Context 2015-05-03 13:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com: Did you compile msktutil or is it a package

Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

2015-08-18 Thread Markus Moeller
Hi Louis, When you have an offline PC do you use DHCP to give an IP ? If so can you also provide the PC with a WINS server via DHCP ? If that is possible and you run WINS you can authenticate the user with u...@domain.com when you get the authentication popup. The WINS server will point

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier, Which Kerberos version do you use ? MIT or Heimdal ? Markus "Olivier CALVANO" wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com... Hi i test a authentification AD with Kerberos/Ntlm ### negotiate kerberos and ntlm

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier, If I decode a token I see /base64> hexdump -c base64_dec.out 000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201 010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002 020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004

Re: [squid-users] Squit with NTLM and Kerberos auth => a error

2015-11-05 Thread Markus Moeller
, November 03, 2015 9:22 AM To: Markus Moeller Subject: Re: [squid-users] Squit with NTLM and Kerberos auth => a error that's said that squid can by used with Windows AD ? 2015-11-02 22:46 GMT+01:00 Markus Moeller <hua...@moeller.plus.com>: Hi Olivier, If I decode a to

Re: [squid-users] Negotiateauthenticator processes are busy

2015-10-14 Thread Markus Moeller
What happens if you adjust the system time to be in sync with the AD server ? Markus "Михаил" wrote in message news:1462781444845...@web15m.yandex.ru... Hi All! Sometimes I get an error message and squid stops: 2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator

Re: [squid-users] Squid3 Kerberos Auth works but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does

2015-09-13 Thread Markus Moeller
Hi Enrico, The Kerberos helper will authenticate only for now ( There is a now code to get the group information, but it is not further processed). It does not do anything to group membership like the winbind cache. Also keep in mind Kerberos cache for about 10 hours the ticket on the

Re: [squid-users] squid 3.5.7 for Windows (from Diladele) and kerberos auth

2015-09-20 Thread Markus Moeller
Hi Paul, negotiate_kerberos_auth is for Unix only. Regards Markus "MORRIS Paul [Tuart College]" wrote in message news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal... Hi, I am trying without success to use the "negotiate_kerberos_auth.exe" helper and

Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller
Hi, The issue appears if you use the same AD account for samba and the kerberos keytab creation. As samba will reset the password of the AD account and thereby invalidate the extracted keytab. Markus "Alex Samad" wrote in message

Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller
th winbind, I kinit with my personal admin account and also do a net ads join -U . the password on the doesn't / hasn't changed. are you talking about the computer account password ? if so, then I setup a different computer account for the squid kerberos application ! On 9 December 2015 at 07:

Re: [squid-users] negotiate_wrapper: Return 'AF = * username

2015-11-21 Thread Markus Moeller
What other output do you get when using -d ( i.e. enable debug output) ? It may indicate the reason for your return message. Markus "Michael Pelletier" wrote in message news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com... Hello,

Re: [squid-users] missing negotiate_kerberos_auth on my squid

2016-05-31 Thread Markus Moeller
/hostname.domain@domain.org -d Then you get debug output in your cache.log file. Markus "Markus Moeller" <hua...@moeller.plus.com> wrote in message news:nikoqr$i2m$1...@ger.gmane.org... What does the log say when you use the -d option with the helper Markus "Niles

Re: [squid-users] Squid 3.3.8 -- Authentication Problems when using Alias Host Name

2016-02-21 Thread Markus Moeller
Hi Markus, When you say authentication does not work, do you mean Kerberos authentication or Kerberos and NTLM ? Can you add a -d for debug to the Kerberos authentication helper and provide the log file messages ? Can you also provide the content of the keytab ? Regards Markus "Markus

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-18 Thread Markus Moeller
Hi, Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ? Can you get a wireshark capture on your client on port 88 ? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ? Regards

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread Markus Moeller
KNOWN User's PC belonging to EXTERNALS.COM are joined to EXTERNALS.COM Best Regards. Sent: Saturday, March 19, 2016 at 12:28 AM From: "Markus Moeller" <hua...@moeller.plus.com> To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] NEGOTIATE Kerberos Auth Hi, Is your client

Re: [squid-users] Changing negotiate_kerberos_auth default location for rcache

2016-04-19 Thread Markus Moeller
Hi Michael, Yes you should be able to set a environment variable KRB5RCACHEDIR in your startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache type. Markus "Michael Pelletier" wrote in message

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-29 Thread Markus Moeller
have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it. My Linux distribution is CentOS 7 Regards, Márcio 2016-08-28 15:24 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>: Hi Marcio, The helper needs a Kerberos token as input. Please have a look at test

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )

2016-08-29 Thread Markus Moeller
--- Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens Markus Moeller Verzonden: zaterdag 27 augustus 2016 16:52 Aan: squid-users@lists.squid-cache.org Onderwerp: Re: [squid-users] ext_kerberos_ldap_grou

Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-16 Thread Markus Moeller
Hi Silamael, Can you perform a kinit u...@example.com ? Does the squid user have read access to krb5.conf ? Markus "Silamael Darkomen" wrote in message news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de... Hello, I'm currently working on setting up our proxy to authenticate

Re: [squid-users] SSO (kerberos)

2016-09-22 Thread Markus Moeller
Hi Did you try the debug option -d for ext_kerberos_ldap_group_acl to get some debug ? Maybe it gives some indication of the problem ? Markus "erdosain9" wrote in message news:1474570767416-4679652.p...@n4.nabble.com... So, i have a little more of info this is config ###Kerberos Auth

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-27 Thread Markus Moeller
Hi Louis, I made lately a change in how the SSL certificate verification is done. Did you use the latest version from trunk ? Also set the variable TLS_CACERTFILE in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do not read any ldap.conf file for this yet.

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )

2016-08-27 Thread Markus Moeller
Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-28 Thread Markus Moeller
Hi Marcio, The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab and you must have done kinit to authenticate against a Kerberos server

Re: [squid-users] AD / Kerberos Issues

2016-11-25 Thread Markus Moeller
Hi Rick, The log indicates that your Browser sent a NTLM token not a Kerberos token. This can be easily seen from the first characters of the token (TlRM). Check the Kerberos communication on the client ( i.e. port 88). The client should request a token for HTTP/ and receive it. If not

[squid-users] Simple ACL help for Kerberos authenticated sessions

2017-08-08 Thread Markus Moeller
Hi, When using the latest squid 4 release you can use %note{group} to get the group information from the Negotiate Kerberos helper to transfer the PAC group SIDs to the external ACL helper. squid.conf ... external_acl_type test_acl ipv4 %LOGIN %note{group}

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-12 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos

Re: [squid-users] Kerberos authentication on mobile phones

2018-05-11 Thread Markus Moeller
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you want also authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a Browser supporting Proxy-Negotiate. Markus "Amos

Re: [squid-users] Kerberos Heimdal Server Authentication

2018-05-11 Thread Markus Moeller
Can you capture the traffic on port 88 ? Heimdal has not helpful messages, so seeing the real traffic may help identifying the issue. Kinit should create an AS req/rep the test program creates a TGS req/rep Example attached if it gets through. Markus "Panagiotis Bariamis"

Re: [squid-users] kerberos authentication with kerberos groups

2018-02-24 Thread Markus Moeller
Hi Jeroen, Do you use Active Directory as ldap server ? My automated test says it is not. I use this check to determine the group attribute check. support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path

Re: [squid-users] [squid-announce] Squid-4.5 is available

2019-01-08 Thread Markus Moeller
Hi Amos, Is there any reason that kerberos_sid_group is not included in the tar ? Thank you Markus "Amos Jeffries" wrote in message news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz... The Squid HTTP Proxy team is very pleased to announce the

Re: [squid-users] squid kerberos auth, acl note group

2020-07-25 Thread Markus Moeller
Hi Klaus, Is the group you added a security group ? Only security groups are part of the Kerberos ticket. Which authorisation helper do you use or is this just based on the auth helper output ? What do you see on the client ? e.g. in powershell run whoami /groups Did you clear

Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-25 Thread Markus Moeller
Hi Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The kerberos client will try to request a ticket based on the used hostname. e.g. if you configure in your browser the proxy name as ha-proxy.slb.example.com then the client will look for a serviceprincipal of

Re: [squid-users] Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

2021-02-02 Thread Markus Moeller
Hi Klaus, The negotiate_kerberos_auth helper is not intended to run on Windows. How did you compile it ? Markus "Klaus Westkamp" wrote in message news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net... Hi, I dug a little further (but I'm no expert in WinDBG): Attaching to the

Re: [squid-users] problen whith authentication

2021-02-04 Thread Markus Moeller
What does the cache log show ? Markus "Alex Gutiérrez" wrote in message news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu... Hi community, recently I install an old UBT 18.04 with squid 3. I use to authenticate my users kerberos. Everything seems great, but all my users are able to

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
"Alex Rousskov" wrote in message news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com... On 10/9/21 9:06 AM, Markus Moeller wrote: Hi, I have now tested with the below config and I see my first request works, but the second fails. So I am not sure if it is still a con

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
I understand now better the concept. Thank you Markus "Alex Rousskov" wrote in message news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com... On 10/8/21 8:02 PM, Markus Moeller wrote: I try to setup a proxy chain, but don't get the setup right. I have one sq

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
ISS from clientproxy X-Cache-Lookup: MISS from clientproxy:3128 Connection: keep-alive -- Thank you Markus "Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io... I understand now better the concept. Thank you Markus "Alex Rousskov" wrote in message news:3dec

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
"Alex Rousskov" wrote in message news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com... On 10/9/21 1:46 PM, Markus Moeller wrote: i try to find a way how squid can "route" all Internet domains to a default proxy and a subset of well defined domains to

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
I think you talk about a kdc proxy, which is for another case. Regards Markus "Grant Taylor" wrote in message news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net... On 10/13/21 1:48 PM, Markus Moeller wrote: The problem lies more in the way how Kerb

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller
GSS_C_NO_NAME option to select either key. A second option is to add a second service principal name to the proxy2 AD account and use -s GSS_C_NO_NAME. Regards Markus "Amos Jeffries" wrote in message news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz... On 14/10/21 8:48 am, Mark

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Markus Moeller
-551c1fe77...@spamtrap.tnetconsulting.net... On 10/16/21 1:31 PM, Markus Moeller wrote: I think you talk about a kdc proxy, which is for another case. I don't think so. I'm not talking about using a proxy to access the KDC. I'm talking about using a component of the following scenario: 1) C

[squid-users] squid 5 and parent peers

2021-10-08 Thread Markus Moeller
Hi, I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet). With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why ?

Re: [squid-users] Kerberos authentication with multiple squids

2021-10-13 Thread Markus Moeller
The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication