[squid-users] squid 64bit compile

2010-05-11 Thread sameer khan

Hello people,

Is there a special way of compiling Squid for 64-bit? I don't see any configure options
for a 64-bit compile.
I have compiled it, but it seems it is possibly causing a kernel panic.

I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.

Any help will be much appreciated.

Thanks.


Re: [squid-users] squid 64bit compile

2010-05-11 Thread Kinkie
On Tue, May 11, 2010 at 11:47 AM, sameer khan khanza...@hotmail.com wrote:

 Hello people,


 Is there a special way of compiling Squid for 64-bit? I don't see any configure
 options for a 64-bit compile.
 I have compiled it, but it seems it is possibly causing a kernel panic.

 I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.

 Any help will be much appreciated.

Recent Squid versions should work out of the box on 64-bit platforms.


-- 
/kinkie


Re: [squid-users] squid 64bit compile

2010-05-11 Thread senthilkumaar2021

I am also using Squid 2.7.STABLE6 on 64-bit, but it is causing a kernel panic.

regards
senthil

sameer khan wrote:

Hello people,


Is there a special way of compiling Squid for 64-bit? I don't see any configure options for a 64-bit compile.
I have compiled it, but it seems it is possibly causing a kernel panic.

I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.

Any help will be much appreciated.

Thanks.

  




Re: [squid-users] squid 64bit compile

2010-05-11 Thread Kinkie
On Tue, May 11, 2010 at 12:54 PM, senthilkumaar2021
senthilkumaar2...@gmail.com wrote:
 I am also using Squid 2.7.STABLE6 on 64-bit, but it is causing a kernel panic.

Now THIS is weird.
NOTHING in squid should be able to cause a kernel panic.

What are you running it on?

-- 
/kinkie


RE: [squid-users] squid 64bit compile

2010-05-11 Thread sameer khan

Senthil, what kernel are you using? Is it causing a kernel panic after a certain
memory usage? (I'm guessing it happens after 3.5 GB of memory.)

Thanks for the reply.


 Date: Tue, 11 May 2010 16:24:03 +0530
 From: senthilkumaar2...@gmail.com
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] squid 64bit compile

 I am also using Squid 2.7.STABLE6 on 64-bit, but it is causing a kernel panic.

 regards
 senthil

 sameer khan wrote:
 Hello people,


 Is there a special way of compiling Squid for 64-bit? I don't see any configure
 options for a 64-bit compile.
 I have compiled it, but it seems it is possibly causing a kernel panic.

 I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.

 Any help will be much appreciated.

 Thanks.

Re: [squid-users] squid 64bit compile

2010-05-11 Thread senthilkumaar2021

Hi,

The operating system is 64-bit. I tried kernels 2.6.28.5 and 2.6.30.5. 
Squid runs fine from morning till evening, but during peak hours it 
causes a kernel panic. I actually don't know the reason why this happens; I tried 
all possible ways. Let me know your problem in detail so that it can 
help me in finding out my issue.


Regards
senthil

sameer khan wrote:

Senthil, what kernel are you using? Is it causing a kernel panic after a certain
memory usage? (I'm guessing it happens after 3.5 GB of memory.)

Thanks for the reply.


  

Date: Tue, 11 May 2010 16:24:03 +0530
From: senthilkumaar2...@gmail.com
To: squid-users@squid-cache.org
Subject: Re: [squid-users] squid 64bit compile

I am also using Squid 2.7.STABLE6 on 64-bit, but it is causing a kernel panic.

regards
senthil

sameer khan wrote:


Hello people,


Is there a special way of compiling Squid for 64-bit? I don't see any configure options
for a 64-bit compile.
I have compiled it, but it seems it is possibly causing a kernel panic.

I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.

Any help will be much appreciated.

Thanks.




Re: [squid-users] squid 64bit compile

2010-05-11 Thread Leonardo Rodrigues

On 11/05/2010 06:47, sameer khan wrote:


Is there a special way of compiling Squid for 64-bit? I don't see any configure options
for a 64-bit compile.
I have compiled it, but it seems it is possibly causing a kernel panic.

I'm using Squid 2.7.STABLE6, kernel 2.6.31.13, 64-bit Debian Lenny.


I'm using Squid 2.7 on SEVERAL 64-bit machines (running CentOS 5.3 
or 5.4) and have never experienced problems. It compiles fine out 
of the box and simply works.


Interesting: Squid is a completely user-space daemon, and 
should NEVER be able to DIRECTLY cause a kernel panic.


--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
gertru...@solutti.com.br
My SPAMTRAP, do not email it






Re: [squid-users] squid 64bit compile

2010-05-11 Thread Kinkie
On Tue, May 11, 2010 at 1:35 PM, senthilkumaar2021
senthilkumaar2...@gmail.com wrote:
 Thanks for the reply.

 I tried kernels 2.6.28.5 and 2.6.30.5, but with the same result.

 I was using Squid 2.7.STABLE6 with TPROXY in bridge mode. My network traffic
 is 100 MBps and the request rate around 400-450 req/sec. In the evening it causes
 a kernel panic.

 Part of the kernel panic message (this message was obtained with kernel 2.6.28.5):

 [a0152a4b] bnx2_poll_work+0xea0/0xfb9 [bnx2]
 [81029713] enqueue_task+0x50/0x5b
 [8104d2ab] getnstimeofday+0x53/0xb2
 [a0152f31] bnx2_poll+0xd1/0x1ae [bnx2]
 [8120724a] net_rx_action+0x9d/0x158
 [8103af44] __do_softirq+0x7a/0x13d
 [a0151b6e] bnx2_msi+0x40/0x47 [bnx2]
 [8100cf5c] call_softirq+0x1c/0x28
 [8100ddc0] do_softirq+0x2c/0x68
 [8103ae84] irq_exit+0x3f/0x85
 [8100e06f] do_IRQ+0x14a/0x16b
 [8100c216] ret_from_intr+0x0/0xa
 EOI 0 [81174711] acpi_idle_enter_bm+0x2a3/0x30e
 [81174707] acpi_idle_enter_bm+0x299/0x30e
 [8106bac3] rcu_needs_cpu+0x35/0x44
 [811e8269] cpuidle_idle_call+0x7f/0xbe
 [8100abd4] cpu_idle+0x4a/0x6d
 Code: 5e 5b 5d 31 c0 c3 41 55 41 54 55 53 48 89 fb 48 83 ec 68 4c 8b a7 98
 00 00
 00 4c 8b 6f 20 48 8b b7 d0 00 00 00 8b 8f bc 00 00 00 41 f6 44 24 18 01 74
 12
 8a 47 7d 83 e0 f8 83 c8 03 88 47 7d 41
 RIP  [a02c405f] br_nf_pre_routing_finish+0x25/0x2af [bridge]
 RSP 8155fb40
 CR2: 0018
 Kernel panic - not syncing: Fatal exception in interrupt
 Regards
 senthil

 Kinkie wrote:

 On Tue, May 11, 2010 at 12:54 PM, senthilkumaar2021
 senthilkumaar2...@gmail.com wrote:


 I am also using Squid 2.7.STABLE6 on 64-bit, but it is causing a kernel panic.


 Now THIS is weird.
 NOTHING in squid should be able to cause a kernel panic.

 What are you running it on?

Senthil, it seems that you're hitting a bug in the driver of your
network interface. Squid has nothing to do with it, but since it
causes lots of network traffic, it triggers the bug. If you try
googling for bnx2_poll you'll find quite a few reports of kernel
panics caused by that driver.

Suggestions include trying alternate drivers or alternate kernels in general.

(or trying with a different NIC, if possible)


-- 
/kinkie
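Kinkie's reading of the trace can be checked mechanically. What follows is an added example, not code from this thread or from the Squid project: a first-pass triage of an x86-64 oops that extracts the faulting RIP and its module, the modules on the call stack, the CR2 fault address and the execution context. The two heuristics are mine and are labelled in the comments: a fault address below one page is treated as a NULL-pointer dereference, and a fixed list of x86 IRQ/softirq entry symbols marks interrupt context. Run on the trace senthil posted (embedded below as it appears in the archive), it places the fault in the bridge netfilter code, reached from the bnx2 NAPI poll inside a softirq, with the CPU idle loop at the bottom of the stack: no user process, Squid included, is on the stack at all.

```python
"""Triage a Linux kernel oops/panic trace: which module faulted, in what
context, and whether the fault looks like a NULL-pointer dereference."""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# One stack line, e.g. "[<ffffffff81029713>] ? enqueue_task+0x50/0x5b [mod]".
# Angle brackets, the "?" (unreliable frame) and the module are optional, so
# the regex also accepts the trimmed copy pasted into the thread above.
FRAME_RE = re.compile(
    r"\[?<?(?P<addr>[0-9a-f]{8,16})>?\]\s+(?P<unsure>\?\s+)?"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[\w-]+)\])?"
)
RIP_RE = re.compile(r"\bRIP\b")
CR2_RE = re.compile(r"\bCR2:\s*([0-9a-f]+)")
PANIC_RE = re.compile(r"Kernel panic - not syncing: (.+)")

# Heuristic (mine): symbols that put an x86 CPU of that era in IRQ/softirq context.
IRQ_CONTEXT_SYMBOLS = {"do_IRQ", "irq_exit", "do_softirq", "__do_softirq",
                       "call_softirq", "net_rx_action"}


@dataclass
class Frame:
    addr: str
    symbol: str
    offset: int
    size: int
    module: Optional[str]  # None for a symbol in the core kernel image
    uncertain: bool


def _frame(m) -> Frame:
    return Frame(m["addr"], m["sym"], int(m["off"], 16), int(m["size"], 16),
                 m["mod"], bool(m["unsure"]))


def parse_oops(text: str):
    """Return (call frames, RIP frame, CR2 value, panic reason) from raw oops text."""
    frames, rip, cr2, reason = [], None, None, None
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            if RIP_RE.search(line):
                rip = _frame(m)  # the faulting instruction, not a call frame
            else:
                frames.append(_frame(m))
            continue
        m = CR2_RE.search(line)
        if m:
            cr2 = int(m.group(1), 16)
        m = PANIC_RE.search(line)
        if m:
            reason = m.group(1).strip()
    return frames, rip, cr2, reason


def triage(text: str) -> dict:
    frames, rip, cr2, reason = parse_oops(text)
    modules = {f.module for f in frames if f.module}
    if rip and rip.module:
        modules.add(rip.module)
    in_irq = any(f.symbol in IRQ_CONTEXT_SYMBOLS for f in frames)
    return {
        "rip": asdict(rip) if rip else None,
        "modules": sorted(modules),
        "frame_count": len(frames),
        # The last frame printed is the outermost caller; cpu_idle there means
        # no user process (Squid included) was running on this CPU at the time.
        "bottom_frame": frames[-1].symbol if frames else None,
        "in_interrupt": in_irq or (reason is not None and "interrupt" in reason),
        "cr2": cr2,
        # Heuristic (mine): a page fault on an address inside the first page is
        # almost always a field access through a NULL struct pointer.
        "likely_null_deref": cr2 is not None and cr2 < 0x1000,
        "panic_reason": reason,
    }


# The trace senthil posted in this thread, as it appears in the archive
# (kernel addresses truncated and the leading "[" of the first line lost).
OOPS_SAMPLE = """\
a0152a4b] bnx2_poll_work+0xea0/0xfb9 [bnx2]
[81029713] enqueue_task+0x50/0x5b
[8104d2ab] getnstimeofday+0x53/0xb2
[a0152f31] bnx2_poll+0xd1/0x1ae [bnx2]
[8120724a] net_rx_action+0x9d/0x158
[8103af44] __do_softirq+0x7a/0x13d
[a0151b6e] bnx2_msi+0x40/0x47 [bnx2]
[8100cf5c] call_softirq+0x1c/0x28
[8100ddc0] do_softirq+0x2c/0x68
[8103ae84] irq_exit+0x3f/0x85
[8100e06f] do_IRQ+0x14a/0x16b
[8100c216] ret_from_intr+0x0/0xa
EOI 0 [81174711] acpi_idle_enter_bm+0x2a3/0x30e
[81174707] acpi_idle_enter_bm+0x299/0x30e
[8106bac3] rcu_needs_cpu+0x35/0x44
[811e8269] cpuidle_idle_call+0x7f/0xbe
[8100abd4] cpu_idle+0x4a/0x6d
Code: 5e 5b 5d 31 c0 c3 41 55 41 54 55 53 48 89 fb 48 83 ec 68 4c 8b a7 98
RIP  [a02c405f] br_nf_pre_routing_finish+0x25/0x2af [bridge]
RSP 8155fb40
CR2: 0018
Kernel panic - not syncing: Fatal exception in interrupt
"""

if __name__ == "__main__":
    for key, value in triage(OOPS_SAMPLE).items():
        print(f"{key}: {value}")
```

The output for the posted trace names bridge as the faulting module, bnx2 and bridge as the only modules involved, interrupt context, and CR2 = 0x18; that is the same conclusion Kinkie reached by eye, and it is why swapping drivers or kernels, not rebuilding Squid, is the suggested next step.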


[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread lieven

Hello again,

This time, I got access to a PC in the AD domain.

When I monitor both UDP and TCP port 88, there is Kerberos communication 
to be seen, but it doesn't look right.

From the AD server to the client I see the following error:
krb5kdc_err_s_principal_unknown

It looks like this (only KRB5 and some TCP lines):
1. server -> client: KRB Error: krb5kdc_err_s_principal_unknown
2. client -> server: AS-REQ
3. server -> client: KRB Error: krb5kdc_err_preauth_required
4. client -> server: AS-REQ
5. server -> client: AS-REP
6. client -> server: AS-REQ
7. server -> client: KRB Error: krb5kdc_err_preauth_required
...{4-7} x7

This sequence, starting from 3, is repeated a few times, as many times as 
I had to enter credentials in the IE popup.


Here is a detail from the "principal unknown" error packet:
No.  Time      Source   Destination  Protocol  Info
6    0.009940  X.X.X.X  X.X.X.X      KRB5      KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst: Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248 (65248), Seq: 1, Ack: 1660, Len: 125

Kerberos KRB-ERROR
    Record Mark: 121 bytes
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2010-05-11 10:44:11 (UTC)
    susec: 313474
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: DOMAIN.LOCAL
    Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
        Name-type: Service and Instance (2)
        Name: HTTP
        Name: squid3-proxy.domain.local

On this client PC (it is Windows Vista) I have different Kerberos 
tickets (as per kerbtray):


DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local

The encryption types are for all tickets:
Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)

The client principal is use...@domain.local


I also traced DNS on UDP and TCP 53; this seems to work OK: it shows a 
lookup of the requested site and then a reply from the AD server (also 
DNS) with the IP of the site.
I don't see any lookup of the proxy server FQDN that is set as the 
connection proxy in the browser. (It is squid3-proxy.domain.local.)




Next, I tried to follow the requests on TCP port 3128 to the proxy server:

1) the client requests a web page from the proxy server on port 3128: GET 
http://www.google.be/ HTTP/1.1 (HTTP protocol)
2) the proxy sends back a 407: (HTTP) HTTP/1.0 407 Proxy Authentication 
Required (text/html)
3) the client responds with (HTTP) GET http://www.google.be/ HTTP/1.1, 
NTLMSSP_NEGOTIATE


Between each point there is some TCP SYN/ACK/FIN traffic, which I can 
post if needed.


The last two points are repeated a few times, where the proxy requests 
authentication, expecting Kerberos, and the client responds with NTLM 
for some reason.


In Firefox it is the same as in IE: proxy auth required, followed by an 
NTLMSSP_NEGOTIATE from the client.




Why I don't get Kerberos to work is a mystery to me, as it seems to work 
in the domain itself when computers authenticate to get access to shares 
etc.


Any clues welcome.

thanks,

Lieven

--

Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem

Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45

[squid-users] squid non-accel default website

2010-05-11 Thread Nils Hügelmann
Hi,

I have a non-accel, non-transparent Squid 3.1 running on port 80, and
when someone accesses the proxy directly (via http://hostname or
http://ip) I want the proxy to show an explanation website.

At the current state it shows an "Invalid URL ... while trying to
retrieve the URL: /" error on direct access, which prevents using URL
rewriters (and deny_info too?!). So how to do this?

Thanks

Nils


Re: [squid-users] squid non-accel default website

2010-05-11 Thread Lieven
I might be completely misunderstanding your request, but can't you just 
run an HTTP daemon like Apache on your proxy server that serves a page 
with explanations?


rgds,
Lieven

Nils Hügelmann wrote:

Hi,

I have a non-accel, non-transparent Squid 3.1 running on port 80, and
when someone accesses the proxy directly (via http://hostname or
http://ip) I want the proxy to show an explanation website.

At the current state it shows an "Invalid URL ... while trying to
retrieve the URL: /" error on direct access, which prevents using URL
rewriters (and deny_info too?!). So how to do this?

Thanks

Nils
  


[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread Markus Moeller

Hi Lieven,

The problem seems to be the krb5kdc_err_s_principal_unknown error. If you 
had taken the capture earlier you should have seen a TGS-REQ in Wireshark for 
HTTP/squid3-proxy.domain.local, and AD says it does not know anything about this 
principal.  Can you search AD to see if you have an entry with 
servicePrincipalName=HTTP/squid3-proxy.domain.local, using adsiedit.msc for 
example?


If you had got a successful reply it would have been a TGS-REP and kerbtray 
would show:

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
|_ HTTP/squid3-proxy.domain.local/domain.local


Regards
Markus


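The Negotiate header the browser sends tells you which mechanism it chose before squid_kerb_auth logs anything. The following is an added example (not code from this thread, from Squid or from squid_kerb_auth) that base64-decodes a Proxy-Authorization value, recognises bare NTLMSSP and SPNEGO NegTokenInit (RFC 4178), lists the mechTypes in the order the client offered them and reports any NTLMSSP message type it finds. The three sample headers are constructed here with a minimal DER encoder: a healthy SPNEGO token preferring Kerberos, the fallback shape this thread is seeing (SPNEGO whose only mechType is NTLMSSP, carrying a type 1 NEGOTIATE message) and a bare NTLM type 1. The "AP-REQ" inside the healthy sample is a placeholder; the classifier never parses the mechToken contents.

```python
"""Classify the token in a "Proxy-Authorization: Negotiate <base64>" header.
squid_kerb_auth only speaks Kerberos; a client without a ticket for the proxy's
HTTP/ SPN falls back to NTLM, either bare NTLMSSP or SPNEGO whose only mechType
is NTLMSSP, and that is what surfaces as a "type 1 NTLM token"."""
import base64
import struct

# DER-encoded OID contents (no tag/length) and their dotted forms.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_MECHS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
NTLM_MECH = "1.3.6.1.4.1.311.2.2.10"


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def walk(buf: bytes, oids: list, octets: list) -> None:
    """Collect OIDs and OCTET STRINGs, descending only into constructed types
    (tag bit 0x20), so the opaque mechToken bytes are never parsed as DER."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = der_read(buf, pos)
        if tag == 0x06:
            oids.append(oid_to_str(content))
        elif tag == 0x04:
            octets.append(content)
        elif tag & 0x20:
            walk(content, oids, octets)


def ntlm_message_type(blob: bytes):
    """1=NEGOTIATE, 2=CHALLENGE, 3=AUTHENTICATE, or None if not NTLMSSP."""
    if len(blob) >= 12 and blob.startswith(b"NTLMSSP\x00"):
        return struct.unpack_from("<I", blob, 8)[0]
    return None


def classify_negotiate_token(header_value: str) -> dict:
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64.strip() or "")
    result = {"scheme": scheme, "kind": "unknown", "mechs": [],
              "ntlm_type": ntlm_message_type(raw)}
    if result["ntlm_type"] is not None:
        result["kind"] = "ntlm-raw"            # NTLMSSP with no SPNEGO wrapper
        return result
    if not raw or raw[0] != 0x60:              # not a GSS-API InitialContextToken
        return result
    oids, octets = [], []
    try:
        walk(raw, oids, octets)
    except ValueError:
        result["kind"] = "malformed"
        return result
    if not oids or oids[0] != "1.3.6.1.5.5.2":
        result["kind"] = "gssapi-other"
        return result
    result["mechs"] = oids[1:]                 # mechTypes, preferred mechanism first
    for blob in octets:                        # mechToken belongs to the preferred mech
        if (t := ntlm_message_type(blob)) is not None:
            result["ntlm_type"] = t
    if result["mechs"] and result["mechs"][0] in KERBEROS_MECHS:
        result["kind"] = "spnego-kerberos"
    elif NTLM_MECH in result["mechs"] or result["ntlm_type"] is not None:
        result["kind"] = "spnego-ntlm"
    else:
        result["kind"] = "spnego-other"
    return result


def spnego_neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """SPNEGO NegTokenInit (RFC 4178) wrapped in a GSS InitialContextToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    neg_init = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_init))


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples. NTLM NEGOTIATE: signature, type 1, flags, empty domain/workstation.
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + bytes(16)
# Stand-in for a real Kerberos AP-REQ; the classifier never looks inside the mechToken.
FAKE_AP_REQ = der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + b"AP-REQ-PLACEHOLDER")
HEALTHY = negotiate_header(spnego_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_AP_REQ))
NTLM_FALLBACK = negotiate_header(spnego_neg_token_init([OID_NTLMSSP], NTLM_TYPE1))  # this thread
RAW_NTLM = negotiate_header(NTLM_TYPE1)
```

A client that holds a TGT but cannot get a ticket for HTTP/<proxy FQDN>, which is what KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN in the capture means, produces the second or third shape, so the thing to fix is the service principal on the KDC side, which is where Markus is pointing, rather than anything in squid.conf.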

Re: [squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread Lieven

That seems to clarify my problems. Thank you.

After the msktutil run, I saw that a new computer object had been made in 
the AD.
In adsiedit, I opened this squid3-proxy computer account and checked its 
servicePrincipalName.
There was only HTTP/domain.local, so I manually added 
HTTP/squid3-proxy.domain.local.
Then, after I did a new web request via the proxy server, I saw this 
HTTP/squid3-proxy.domain.local service principal in kerbtray.

Only, it still pops up with an authentication request, so I'm not there yet.

Anyway, tomorrow I'll have access to the local PC and a Wireshark trace 
will probably help me solve this further.


Thanks for all the effort already.

Cheers.
Lieven


Markus Moeller wrote:

Hi Lieven,

The problem seems to be the krb5kdc_err_s_principal_unknown error. If 
you had taken the capture earlier you should have seen a TGS-REQ in Wireshark 
for HTTP/squid3-proxy.domain.local, and AD says it does not know anything 
about this principal.  Can you search AD to see if you have an entry with 
servicePrincipalName=HTTP/squid3-proxy.domain.local, using adsiedit.msc 
for example?


If you had got a successful reply it would have been a TGS-REP and 
kerbtray would show:

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
|_ HTTP/squid3-proxy.domain.local/domain.local


Regards
Markus


[squid-users] Re: Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread Markus Moeller
Changing the name may not be enough. Delete the AD entry and the keytab and 
create a new entry with keytab.


Regards
Markus

Lieven lieve...@gmail.com wrote in message 
news:4be9c40a.1090...@gmail.com...

That seems to clarify my problems. Thank you.

After the msktutil run, I saw that a new computer object had been made in the 
AD.
In adsiedit, I opened this squid3-proxy computer account and checked its 
servicePrincipalName.
There was only HTTP/domain.local, so I manually added 
HTTP/squid3-proxy.domain.local.
Then, after I did a new web request via the proxy server, I saw this 
HTTP/squid3-proxy.domain.local service principal in kerbtray.

Only, it still pops up with an authentication request, so I'm not there yet.

Anyway, tomorrow I'll have access to the local PC and a Wireshark trace 
will probably help me solve this further.


Thanks for all the effort already.

Cheers.
Lieven


Markus Moeller wrote:

Hi Lieven,

The problem seems to be the krb5kdc_err_s_principal_unknown error. If you 
had taken the capture earlier you should have seen a TGS-REQ in Wireshark for 
HTTP/squid3-proxy.domain.local, and AD says it does not know anything about 
this principal.  Can you search AD to see if you have an entry with 
servicePrincipalName=HTTP/squid3-proxy.domain.local, using adsiedit.msc 
for example?


If you had got a successful reply it would have been a TGS-REP and 
kerbtray would show:

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local
|_ HTTP/squid3-proxy.domain.local/domain.local


Regards
Markus


[squid-users] ident authentication and follow_x_forwarded_for

2010-05-11 Thread Ben Miller
Greetings,

I am configuring a Squid/Dansguardian web proxy/content filter. The
flow of traffic looks like this:

Client -> Proxy:8080 (Dansguardian) -> 127.0.0.1:3128 (Squid running
on Proxy) -> Edge firewall

The relevant portions of squid.conf follow:

==
acl localnet src 10.0.0.0/8

# Authentication ACLs
# Allow ident lookups on internal clients
#ident_lookup_access allow localnet
ident_lookup_access allow localnet
ident_lookup_access deny all

# Allow clients with IDENT
acl ident_auth ident REQUIRED
# If they don't have ident login restrict access to authorized via ldap
acl ldap_auth proxy_auth REQUIRED

# Attempt ident, then LDAP/basic authentication. Note that Squid is
only listening on 127.0.0.1:3128, so the following lines are to
support acl_uses_indirect_client
http_access allow ip_authenticated
http_access allow ident_auth localnet
http_access allow ldap_auth localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
# -

# Allow Squid to see Dansguardian IP addresses
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# NETWORK OPTIONS
# -

# Listen only to Dansguardian
http_port 127.0.0.1:3128

==


I am attempting to configure Squid to authenticate with ident, but it
seems that the 'follow_x_forwarded_for allow localhost' is not being
honored by the ident authenticator. Is there any way to configure
Squid to send the ident queries to the originating client?

I have confirmed that follow_x_forwarded_for is functional for other
things (logging of client IP addresses, for example), and that ident
queries are being responded to by the clients. Squid is simply never
asking for ident and is skipping directly to LDAP/Basic
authentication.

Thanks in advance for any help you may provide,

Ben Miller

6 X 9 = 42


Re: [squid-users] ident authentication and follow_x_forwarded_for

2010-05-11 Thread Amos Jeffries

Ben Miller wrote:

Greetings,

I am configuring a Squid/Dansguardian web proxy/content filter. The
flow of traffic looks like this:

Client -> Proxy:8080 (Dansguardian) -> 127.0.0.1:3128 (Squid running
on Proxy) -> Edge firewall

The relevant portions of squid.conf follow:

==
acl localnet src 10.0.0.0/8

# Authentication ACLs
# Allow ident lookups on internal clients
#ident_lookup_access allow localnet
ident_lookup_access allow localnet
ident_lookup_access deny all

# Allow clients with IDENT
acl ident_auth ident REQUIRED
# If they don't have ident login restrict access to authorized via ldap
acl ldap_auth proxy_auth REQUIRED

# Attempt ident, then LDAP/basic authentication. Note that Squid is
only listening on 127.0.0.1:3128, so the following lines are to
support acl_uses_indirect_client
http_access allow ip_authenticated
http_access allow ident_auth localnet
http_access allow ldap_auth localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
# -

# Allow Squid to see Dansguardian IP addresses
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# NETWORK OPTIONS
# -

# Listen only to Dansguardian
http_port 127.0.0.1:3128

==


I am attempting to configure Squid to authenticate with ident, but it
seems that the 'follow_x_forwarded_for allow localhost' is not being
honored by the ident authenticator. Is there any way to configure
Squid to send the ident queries to the originating client?


The IDENT protocol kicks off as soon as the TCP connection is made, well 
before the HTTP headers exist.


Squid would need to be patched to do the IDENT lookup after header 
processing for XFF to be used in its ACLs.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3

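Amos's point follows from how RFC 1413 frames the question. The following is an added example (not code from this thread or from Squid) of the client side of ident: build the request for a given TCP connection, validate the reply against the port pair that was asked about, and, if wanted, do the round trip. The sample connection and replies are constructed. In Ben's setup the connection Squid accepts comes from Dansguardian on 127.0.0.1, so that is the only host the request can be addressed to and the only port pair it can name; the 10.0.0.0/8 address carried in X-Forwarded-For has no place in the request line, which is why an ident lookup done at accept time cannot use it.

```python
"""RFC 1413 (ident) as a proxy uses it: the query names a TCP port pair, so the
host asked is the TCP peer of the accepted connection. An address carried in
X-Forwarded-For cannot be substituted; the protocol has no field for it."""
import re
import socket

IDENT_PORT = 113
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# "<port-on-server> , <port-on-client> : USERID : <opsys>[,<charset>] : <user-id>"
# or "<port-on-server> , <port-on-client> : ERROR : <error-type>"
REPLY_RE = re.compile(
    r"^\s*(?P<sport>\d{1,5})\s*,\s*(?P<cport>\d{1,5})\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$")


def build_query(peer_ip: str, peer_port: int, local_port: int) -> tuple:
    """Ident request for the connection <peer_ip>:<peer_port> -> us:<local_port>.
    Returns (host to ask on port 113, request line). The first number is the
    port on the host being asked (our TCP peer), the second the port on our side."""
    for p in (peer_port, local_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
    return peer_ip, f"{peer_port} , {local_port}\r\n"


def parse_reply(line: str, peer_port: int, local_port: int) -> dict:
    """Validate and decode an ident reply to the query we sent."""
    line = line.rstrip("\r\n")
    if len(line) > 1000:
        raise ValueError("reply exceeds the 1000-octet limit in RFC 1413")
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError("malformed ident reply")
    if (int(m["sport"]), int(m["cport"])) != (peer_port, local_port):
        # A reply must echo our port pair; anything else answers a different
        # question and must not be attributed to this connection.
        raise ValueError("reply echoes a different port pair")
    if m["kind"] == "ERROR":
        err = m["rest"].upper()
        if err not in ERROR_TYPES and not err.startswith("X"):
            raise ValueError(f"unknown ident error type {m['rest']!r}")
        return {"ok": False, "error": err}
    opsys_cs, _, user = m["rest"].partition(":")
    opsys, _, charset = opsys_cs.strip().partition(",")
    if len(user.strip()) > 512:
        raise ValueError("user-id longer than 512 octets")
    return {"ok": True, "opsys": opsys.strip(),
            "charset": charset.strip() or "US-ASCII", "user": user.strip()}


def query_ident(peer_ip: str, peer_port: int, local_port: int, timeout: float = 5.0) -> dict:
    """Do the real round trip to the peer's ident server (not used by the samples)."""
    host, request = build_query(peer_ip, peer_port, local_port)
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_reply(data.decode("ascii", "replace"), peer_port, local_port)


# Constructed sample: the connection Squid accepts in the thread's setup comes
# from Dansguardian on the same host, so the query goes to 127.0.0.1 and the
# (constructed) reply names whatever user Dansguardian runs as, not the browser
# user behind the 10.0.0.0/8 address that X-Forwarded-For carries.
ACCEPTED_PEER = ("127.0.0.1", 41234)
LOCAL_PORT = 3128
SAMPLE_REPLY = "41234 , 3128 : USERID : UNIX : dansguardian\r\n"
SAMPLE_ERROR = "41234 , 3128 : ERROR : NO-USER\r\n"

if __name__ == "__main__":
    host, request = build_query(*ACCEPTED_PEER, LOCAL_PORT)
    print(f"ask {host}:{IDENT_PORT} -> {request!r}")
    print(parse_reply(SAMPLE_REPLY, ACCEPTED_PEER[1], LOCAL_PORT))
    print(parse_reply(SAMPLE_ERROR, ACCEPTED_PEER[1], LOCAL_PORT))
```

The port-pair check in parse_reply is the one piece worth keeping even in throwaway tooling: an ident answer that does not echo the pair you asked about is not an answer about your connection, and treating it as one lets a remote ident daemon assert whatever username it likes for a connection it never saw.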

[squid-users] Report of visited sites? (No filtering, just reporting)

2010-05-11 Thread Charles Bray
Hello,

I am sure this must be a common question... please excuse.

Does there exist a tool or example configuration that will enable me to log, 
and display in a nice HR-department-friendly format, the sites that users in 
our small office network are visiting?

We are already using OpenDNS for filtering, but we do need per-user (just IP 
address) reporting.  No need for actual content caching, either.

Any suggestions?

Thank you,
CB