Re: [squid-users] Re: Re: squid_kerb_ldap -> "Error while initialising credentials from keytab"

2010-07-01 Thread Tom Tux
Hi Markus

Is it necessary to renew the Kerberos ticket periodically? I've
defined a ticket_lifetime of 24h.

I've now the following output:
proxy-test-01:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: u...@xx.yy

Valid starting     Expires            Service principal
07/01/10 08:47:31  07/01/10 18:47:33  krbtgt/xx...@xx.yy
renew until 07/02/10 07:34:41


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Now, the ticket seems to be expired. But I'm still able to
authenticate. Why? What is the behavior if the Kerberos ticket is
expired? If I try to renew with "kinit -R", I get the following error:

proxy-test-01:~ # kinit -R
kinit(v5): Ticket expired while renewing credentials


Is this normal? How can I solve this behavior?
Thank you.
Regards,
Tom


2010/7/1 Markus Moeller :
> You could have used a tool like kerbtray or just lock and unlock the PC
> which would have refreshed the cache.
>
> Regards
> Markus
>
> "Tom Tux"  wrote in message
> news:aanlktiljgrnzru9wxivap0tj22onxaknjanbczlvs...@mail.gmail.com...
> Hi Markus
>
> This problem is solved now. I rebooted the client, which results in
> clearing the client-kerberos cache. Now I'm able to authenticate and I
> can use the squid_kerb_ldap-helper.
>
> Thanks a lot for your hints.
> Regards
> Tom
>
>
>
>
> 2010/7/1 Tom Tux :
>>
>> Hi Markus
>>
>> Thank you.
>> So, I made my kerberos-configuration from scratch. This will mean:
>> - Delete computer-account in AD
>> - Remove /etc/krb5.keytab
>> - Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.
>>
>> Then I created the account again with the following command:
>>
>> ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
>> /etc/krb5.keytab --computer-name proxy-test-01 --upn
>> HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose
>>
>> The computer-account was created successfully. In the msktutil-output,
>> I can see, that the KVNO is set to "2".
>>
>> On the Domain-Controller, I can also see, that the
>> "msDS-KeyVersionNumber" is also set to "2".
>>
>> But I'm not able to authenticate. I got the following squid-cache-error:
>> 2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH
>> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
>> may provide more information. Key version number for principal in key
>> table is incorrect'
>>
>> What's wrong here? I tried with "kinit" and "kinit -R" again -> no
>> success. How can I fix this problem?
>> Regards
>> Tom
>>
>>
>> 2010/6/30 Markus Moeller :
>>>
>>> Hi Tom
>>>
>>> squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
>>> The keytab contains basically the password for the "user" http/
>>> which
>>> maps in AD to the userprincipalname attribute. In your case
>>> squid_kerb_ldap
>>> tries to use host/proxy-test-01.xx...@xx.yy but does not find in AD an
>>> entry
>>> which has the userprincipalname attribute with that value and therefore
>>> can
>>> not check group memberships. msktutil has the option --upn which will set
>>> the AD attribute accordingly (see
>>> also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>>>
>>>
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
>>> host/proxy-test-01.xx...@xx.yy
>>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
>>> credentials
>>> from keytab : Client not found in Kerberos database
>>>
>>> Regards
>>> Markus
>>>
>>> "Tom Tux"  wrote in message
>>> news:aanlktilz_wefjeu1bmnpsgvnhahte6rjmr6bja-uu...@mail.gmail.com...

 Hi

 I'm trying to authenticate our clients with squid_kerb_ldap against
 our ad. There exists a global-group called "Internet". My squid.conf
 looks like this:

 auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
 auth_param negotiate children 10
 auth_param negotiate keep_alive on
 external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
 /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
 acl inetAccess external SQUID_KERB_LDAP
 http_access allow inetAccess


 My "klist -k" looks like this:
 proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal
 ---- --------------------------------------------------------------------------
 4 host/proxy-test-01.xx...@xx.yy
 4 host/proxy-test-01.xx...@xx.yy
 4 host/proxy-test-01.xx...@xx.yy
 4 host/proxy-test...@xx.yy
 4 host/proxy-test...@xx.yy
 4 host/proxy-test...@xx.yy
 4 proxy-test-...@xx.yy
 4 proxy-test-...@xx.yy
 4 proxy-test-...@xx.yy
 4 HTTP/proxy-test-01.xx...@xx.yy
 4 HTTP/proxy-test-01.xx...@xx.yy
 4 HTTP/proxy-test-01.xx...@xx.yy
 4 HTTP/proxy-test...@xx.yy
 4 HTTP/proxy-test...@xx.yy
 4 HTTP/proxy-test...@xx.yy
 5 proxy-test-...@xx.yy
 5 proxy-test-...@xx.yy
 5 proxy-test
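
An added illustration, not from the thread, of the ticket states Tom is asking about: MIT Kerberos renews a ticket only while it is still valid, so a ticket that is past its end time but still before its "renew until" time cannot be renewed with kinit -R, which is exactly the "Ticket expired while renewing credentials" result quoted above. The parser reads the same klist layout as Tom's output; the sample dump, principal and realm are constructed placeholders. Separately, squid_kerb_ldap obtains its own credentials from the keytab (the "Get principal name from keytab" lines further down this page show this), so the state of root's /tmp/krb5cc_0 cache is not what decides whether the helper can authenticate.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "klist" output quoted in this thread;
# the principal and realm are placeholders, not real values.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@XX.YY

Valid starting     Expires            Service principal
07/01/10 08:47:31  07/01/10 18:47:33  krbtgt/XX.YY@XX.YY
\trenew until 07/02/10 07:34:41
"""

TS_FMT = "%m/%d/%y %H:%M:%S"
TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"renew until ({TS})")


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "renew_until": None,
            })
            continue
        r = RENEW_RE.search(line)
        if r and tickets:  # the "renew until" line belongs to the preceding ticket
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), TS_FMT)
    return tickets


def ticket_state(ticket, now):
    """MIT Kerberos renews only a ticket that is still valid: once the end time
    has passed, "kinit -R" fails with "Ticket expired while renewing
    credentials" even when "renew until" still lies in the future."""
    renewable = ticket["renew_until"] is not None and now < ticket["renew_until"]
    if now < ticket["expires"]:
        return "valid, renewable" if renewable else "valid, not renewable"
    return "expired, too late to renew" if renewable else "expired, renew window closed"


def classify(text, now_str):
    """Map each service principal in a klist dump to its state at now_str
    (same mm/dd/yy HH:MM:SS format that klist prints)."""
    now = datetime.strptime(now_str, TS_FMT)
    return {t["service"]: ticket_state(t, now) for t in parse_klist(text)}
```

Run classify(SAMPLE_KLIST, "07/01/10 19:00:00") to see the state Tom's kinit -R hit: the TGT expired at 18:47:33 the same day, so although "renew until" is the next morning, the renew window is only usable before expiry.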

[squid-users] Squid 3.1.5 is available

2010-07-01 Thread Amos Jeffries

The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.5 release!


This release brings fixes for several bugs found in the previous release.

 Users seeing unexpected re-authentication challenges with NTLM and 
Kerberos are advised to check persistent_connection_after_error. This 
directive should have been changed to ON by default when NTLM connection 
pinning support was added. It makes persistent connections annoyingly 
fragile to unpredictable 4xx and 5xx responses.


 The max_filedescriptor config option has been ported from Squid-2.7 to 
further assist upgrades.


Other bugs resolved by this release:

 - Bug 2967: raw-IPv6 address URL with append_domain broken
 - Bug 2950: Responses with no Date, L-M or Expires can be cached
 - Bug 2943: ICAP tokens not logged when using multiple access
 - Bug 2937: Fails to detect all chunked encoding spelling cases
 - Bug 2903: does not send indirect X-Client-Ip in ICAP respmod
 - free memory corruption and off-by-one error when comparing SNMP OIDs


The release announcement for 3.1.4 seems to have disappeared, so here 
are the major fixes this package inherits from last month's release.


 - IPv6 fail-over to IPv4 fixed
 - LDAP helpers using version 3 LDAP by default
 - Memory handling fixes, particular impact for 64-bit systems.

see the ChangeLog for a more detailed list.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.1

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v3/3.1/
  ftp://ftp.squid-cache.org/pub/squid/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.dyn
  http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-users] Error Compiling Squid 3.1.4

2010-07-01 Thread Amos Jeffries

Babelo Gmvsdm wrote:

Hi,

I'm facing these error messages when I do a "make" to compile Squid 3.1.4:



Please send reports of compile errors to squid-dev where the people who 
can fix it reside.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


Re: [squid-users] Destination domain and regular expression

2010-07-01 Thread Amos Jeffries

Alberto Cappadonia wrote:

Hi all,

If I want to deny the access, for example, to google and I want that every
google web site (in any language) cannot be accessed, can I write an acl
like the following?

--
acl googleDomains dstdom_regex  -i .*\.google\..*

http_access deny googleDomains
--

or do I have to use another acl like url_regex?


For that use, yes, dstdom_regex is appropriate.

The .* at the start and end of the pattern can be removed.
Giving you:
  acl googleDomains dstdom_regex -i \.google\.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4
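
An added example, not from the thread, comparing the two patterns Amos discusses with Python's re module on constructed host names. Squid compiles dstdom_regex patterns with the system POSIX regex library and searches the destination host name unanchored, so re.search is the equivalent comparison here; all three patterns use only syntax common to both engines. The third pattern is an added variant and an assumption about intent: \.google\. does not match the bare apex name google.com, because there is no dot before it, so an operator who wants that case blocked as well needs the alternative shown.

```python
import re

# Constructed host names (not from the thread), chosen to show where the
# patterns agree and where they differ.
HOSTS = [
    "www.google.com",
    "mail.google.co.uk",
    "google.com",
    "www.googleapis.com",
    "notgoogle.example",
    "www.example.org",
]

# Alberto's pattern, Amos's simplification, and an added variant that also
# catches the bare apex domain (assumption: the apex should be blocked too).
ORIGINAL = r".*\.google\..*"
SIMPLIFIED = r"\.google\."
WITH_APEX = r"(^|\.)google\."


def matching_hosts(pattern, hosts=HOSTS):
    """dstdom_regex -i is an unanchored, case-insensitive search over the
    destination host name, so re.search with IGNORECASE is the equivalent."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in hosts if rx.search(h)]


def patterns_agree(a, b, hosts=HOSTS):
    """True when two patterns select exactly the same hosts."""
    return matching_hosts(a, hosts) == matching_hosts(b, hosts)
```

matching_hosts(ORIGINAL) and matching_hosts(SIMPLIFIED) return the same two hosts, which is why the leading and trailing .* add nothing; neither selects google.com or www.googleapis.com, and only WITH_APEX adds the apex name.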


[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-07-01 Thread Markus Moeller

Hi

1)  1.2.1a is just a minor patch version to 1.2.1.
2)  This happens only when you use the -d debug option
3)  You can use the options  -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL
4)  If they have different access needs then that is the only way. If they
have the same access right you can use -g
inetgrl...@mailserver.v.local:inetgrl...@mailserver.v.local:inetgrl...@mailserver.v.local

Regards
Markus

- Original Message - 
From: "GIGO ." 

To: "squidsuperuser2" ; "SquidHelp"

Sent: Thursday, July 01, 2010 11:31 AM
Subject: RE: [squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit
failed with rc=102)



Dear Markus,

Thank you so much for your help; I diagnosed the problem back to
KRB5_KTNAME not being exported properly through my startup script. For
completeness' sake and your analysis I have appended the cache.log at the
bottom.

Please, I have a few queries:


1. I am using squid_kerb_ldap version 1.2.1a as per your recommendation,
which is the latest, but does the "a" in 1.2.1(a) mean alpha? Can I use this
latest version in production or should I switch back to 1.2.1?




2. I have just figured out that squid_kerb_ldap gets all the groups for the
user in question even if the first group it finds matches. Is this the normal
behaviour?


3. Is there a way to bind to a specific or multiple (chosen) LDAP servers
rather than using DNS? (What is the syntax, and how?)


4. As I have different categories of users, I have defined the following
directives. Is it OK to do it this way? It does not look very neat to me, and
it looks like squid_kerb_ldap is being called redundantly.


-Portion of squid.conf-
auth_param negotiate program
/usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are.(if and only if
squid_kerb_ldap(authorization) is not used)
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_msgroup1 ttl=3600  negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_msgroup2 ttl=3600  negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600  negative_ttl=3600
%LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetgrl...@mailserver.v.local

acl msgroup1 external squid_kerb_ldap_msgroup1
acl msgroup2 external squid_kerb_ldap_msgroup2
acl msgroup3 external squid_kerb_ldap_msgroup3
http_access deny  msgroup2 msn
http_access deny  msgroup3 msn
http_access deny  msgroup2 ym
http_access deny  msgroup3 ym
###Most Restricted settings Exclusive for Normal users..###
http_access deny  msgroup3 Movies
http_access deny  msgroup3 downloads
http_access deny  msgroup3 torrentSeeds
http_access deny all




Re: [squid-users] empty basic/digest realm

2010-07-01 Thread Henrik Nordström
The normal digest ldap helper in plain text password mode expects just the plain 
text password in ldap, without realm.

If you store H(A1) value then it's always realm specific. And to my knowledge 
there is no basic auth helper capable of verifying to a H(A1) value but 
technically it can be done regardless of what realm were used in the H(A1).

If you use some other helper which expects realm:password or realm:H(A1) then 
it would most likely expect :H(A1) and not H(A1) if realm is empty.

Keep in mind that Digest A1 value is login:realm:password. And H is HEX MD5 
which makes H(A1) == HEX(MD5(login ":" realm ":" password))

So I still do not quite understand what you want to accomplish with an empty 
realm.

Regards
Henrik

- Original message -
> Sorry for my late reply, Henrik. I want to be able to use an empty
> realm because we use Digest Auth in conjunction with an LDAP backend.
> In this LDAP backend the admin can specifiy combinations of
> : or :. The empty realm would thus lead
> to either  or  standing by themselves. We want to
> support this latter case as well and the empty realm would make that a
> lot easier.
> 
> Regards,
> Khaled
> 
> 2010/6/22 Henrik Nordström :
> > Tue 2010-06-22 at 00:22 +0200, Khaled Blah wrote:
> > > That's not completely true. RFC 2617 states that the realm of either
> > > digest/basic auth is a quoted string but it doesn't say that this
> > > string has to be a minimum number of characters.
> > 
> > True, but is clearly not the intention that this should be empty.
> > 
> > I asked why you want to use an empty realm.
> > 
> > Regards
> > Henrik
> > 
> > 
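
A worked illustration, added here and not part of the thread or of any Squid helper, of the Digest definitions Henrik gives: H(A1) = HEX(MD5(login ":" realm ":" password)), the ":H(A1)" form a realm-prefixed backend would hold when the realm is empty, and why a stored H(A1) only verifies responses for the realm it was hashed with. The qop-less response computation follows RFC 2617; the login, password and nonce are constructed sample values.

```python
import hashlib


def H(data):
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode()).hexdigest()


def ha1(login, realm, password):
    """H(A1) with A1 = login ":" realm ":" password, as Henrik spells out."""
    return H(f"{login}:{realm}:{password}")


def stored_form(login, realm, password, style):
    """What a backend would hold for each storage style discussed above.
    'password'  - plain text password; realm-independent
    'ha1'       - bare H(A1); usable only for the realm it was hashed with
    'realm:ha1' - realm-prefixed H(A1); with an empty realm this is ':' + H(A1)
    """
    if style == "password":
        return password
    if style == "ha1":
        return ha1(login, realm, password)
    if style == "realm:ha1":
        return f"{realm}:{ha1(login, realm, password)}"
    raise ValueError(f"unknown storage style {style!r}")


def digest_response(login, realm, password, nonce, method, uri):
    """Client side, RFC 2617 without qop: response = H(H(A1) ":" nonce ":" H(A2))."""
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1(login, realm, password)}:{nonce}:{ha2}")


def verify(stored_ha1, stored_realm, realm, nonce, method, uri, response):
    """Server side with an H(A1) backend. The realm the client hashed with must
    equal the realm the stored H(A1) was built from, otherwise the hashes can
    never agree; that is why an H(A1) store is always realm-specific."""
    if realm != stored_realm:
        return False
    ha2 = H(f"{method}:{uri}")
    return H(f"{stored_ha1}:{nonce}:{ha2}") == response


# Constructed sample values (not from the thread).
LOGIN, PASSWORD, NONCE = "alice", "correct horse", "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def demo(realm):
    """Compute the stored forms and verify one response for a given realm."""
    response = digest_response(LOGIN, realm, PASSWORD, NONCE, "GET", "/")
    stored = ha1(LOGIN, realm, PASSWORD)
    return {
        "stored_ha1": stored,
        "stored_realm_ha1": stored_form(LOGIN, realm, PASSWORD, "realm:ha1"),
        "verifies_same_realm": verify(stored, realm, realm, NONCE, "GET", "/", response),
        "verifies_other_realm": verify(stored, realm, realm + "x", NONCE, "GET", "/", response),
    }
```

demo("") shows the empty-realm case: the realm-prefixed record starts with a bare ":", the H(A1) still verifies a response computed for the empty realm, and the same H(A1) is useless for any other realm, which is the point Henrik is making.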



[squid-users] Re: Authenticate domain user

2010-07-01 Thread Markus Moeller

What is your access config? Maybe you have a line which gives also
unauthenticated users access to hotmail.

BTW Do you want the workgroup users to have access after authentication ?  I
tested that it might work if you provide via dhcp a WINS server which has an
entry for the Kerberos domain.  Then users can use a domain
username/password from a workgroup PC.

Markus


"Nick Cairncross"  wrote in message 
news:7c792063a22dfb40a9387b1d11b012f660cbfef...@exmb01.uk.conde-nast.biz...

Hi All,


I use Kerberos authentication for my domain computers and users. All works 
well except for the following scenario: If a non-domain PC (i.e. workgroup) 
is pointed to squid (fqdn) I receive an unsatisfiable login prompt for my 
squid proxy. After three attempts with domain\username and password if I 
then click on the link displayed on the Access Denied squid error (e.g. 
www.Hotmail.com) I am able to browse the internet. Strange, no?


Cache.log show for the three fails

2010/06/30 15:03:56| squid_kerb_auth: Got 'YR 
TlRMTVNTUAABB4IIogAFASgKDw==' from squid 
(length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 
'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 
40).

2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user 
via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/06/30 15:03:56| squid_kerb_auth: Got 'YR 
TlRMTVNTUAABB4IIogAFASgKDw==' from squid 
(length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 
'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 
40).

2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user 
via Negotiate. Error returned 'BH received type 1 NTLM token'


And then shows my token & username etc as expected when I click on the 
'denied' web-link..


Any help would be greatly appreciated
N


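
An added example, not Squid's helper code, of the check behind the 'BH received type 1 NTLM token' lines quoted above: squid_kerb_auth expects a GSS-API token (DER, first byte 0x60, carrying the SPNEGO or Kerberos OID), and a workgroup PC that cannot obtain a Kerberos ticket sends a raw NTLMSSP message instead, which the helper cannot process. The classifier below distinguishes the two and reads the message type out of an NTLM blob. The sample NTLM NEGOTIATE message is constructed: its flag bytes (07 82 08 a2) and version bytes (05 01 28 0a ... 0f) are the ones visible in the token as quoted, everything else is made up; the SPNEGO stub and the cache.log excerpt are constructed too.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"            # 1.3.6.1.5.5.2
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # 1.2.840.113554.1.2.2


def classify_token(b64):
    """Classify the blob from 'Proxy-Authorization: Negotiate <b64>'.

    A GSS-API token starts with DER tag 0x60 and names its mechanism by OID;
    a raw NTLMSSP message means the client fell back to NTLM, which is the
    case squid_kerb_auth reports as 'received type 1 NTLM token'."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"ntlm-type{msg_type}-{NTLM_TYPES.get(msg_type, 'unknown')}"
    if raw[:1] == b"\x60":
        head = raw[:20]
        if OID_SPNEGO in head:
            return "spnego"
        if OID_KRB5 in head:
            return "kerberos"
        return "gssapi-other"
    return "unknown"


def build_ntlm_negotiate(flags=0xA2088207):
    """Constructed NTLM NEGOTIATE_MESSAGE (type 1), 40 bytes like the one the
    log reports: signature, type, flags, empty DomainName and Workstation
    fields (len, maxlen, offset) and the 8-byte Version block."""
    msg = NTLMSSP_SIG
    msg += struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", 0, 0, 0)      # DomainNameFields
    msg += struct.pack("<HHI", 0, 0, 0)      # WorkstationFields
    msg += struct.pack("<BBH", 5, 1, 2600)   # Version: major, minor, build
    msg += b"\x00\x00\x00\x0f"               # reserved + NTLMRevisionCurrent
    return msg


def build_spnego_stub():
    """Constructed minimal SPNEGO NegTokenInit header: enough to classify,
    not a complete token."""
    body = OID_SPNEGO + b"\xa0\x02\x30\x00"
    return b"\x60" + bytes([len(body)]) + body


def sample_tokens_b64():
    return {
        "ntlm": base64.b64encode(build_ntlm_negotiate()).decode(),
        "spnego": base64.b64encode(build_spnego_stub()).decode(),
    }


def cache_log_lines():
    """Constructed cache.log excerpt in the format quoted on this page."""
    t = sample_tokens_b64()
    return [
        f"2010/06/30 15:03:56| squid_kerb_auth: Decode '{t['ntlm']}' (decoded length: 40).",
        "2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token",
        f"2010/06/30 15:03:56| squid_kerb_auth: Decode '{t['spnego']}' (decoded length: 14).",
    ]


def classify_log(lines):
    """Classify every token that squid_kerb_auth logged as Decode '...'."""
    results = []
    for line in lines:
        if "squid_kerb_auth: Decode '" in line:
            b64 = line.split("Decode '", 1)[1].split("'", 1)[0]
            results.append(classify_token(b64))
    return results
```

classify_log(cache_log_lines()) labels the first token as an NTLM type 1 and the second as SPNEGO. Note that the token string as reproduced on this page decodes to 19 bytes rather than the 40 the log reports, so it has lost its zero-byte runs somewhere in transit; to classify a real token, copy it from cache.log directly.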




[squid-users] Re: Re: squid_kerb_ldap -> "Error while initialising credentials from keytab"

2010-07-01 Thread Markus Moeller
You could have used a tool like kerbtray or just lock and unlock the PC 
which would have refreshed the cache.


Regards
Markus

"Tom Tux"  wrote in message 
news:aanlktiljgrnzru9wxivap0tj22onxaknjanbczlvs...@mail.gmail.com...

Hi Markus

This problem is solved now. I rebooted the client, which results in
clearing the client-kerberos cache. Now I'm able to authenticate and I
can use the squid_kerb_ldap-helper.

Thanks a lot for your hints.
Regards
Tom




2010/7/1 Tom Tux :

Hi Markus

Thank you.
So, I made my kerberos-configuration from scratch. This will mean:
- Delete computer-account in AD
- Remove /etc/krb5.keytab
- Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.

Then I created the account again with the following command:

./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
/etc/krb5.keytab --computer-name proxy-test-01 --upn
HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose

The computer-account was created successfully. In the msktutil-output,
I can see, that the KVNO is set to "2".

On the Domain-Controller, I can also see, that the
"msDS-KeyVersionNumber" is also set to "2".

But I'm not able to authenticate. I got the following squid-cache-error:
2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information. Key version number for principal in key
table is incorrect'

What's wrong here? I tried with "kinit" and "kinit -R" again -> no
success. How can I fix this problem?
Regards
Tom


2010/6/30 Markus Moeller :

Hi Tom

squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
The keytab contains basically the password for the "user" http/ 
which
maps in AD to the userprincipalname attribute. In your case 
squid_kerb_ldap
tries to use host/proxy-test-01.xx...@xx.yy but does not find in AD an 
entry
which has the userprincipalname attribute with that value and therefore 
can

not check group memberships. msktutil has the option --upn which will set
the AD attribute accordingly (see
also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).


2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising 
credentials

from keytab : Client not found in Kerberos database

Regards
Markus

"Tom Tux"  wrote in message
news:aanlktilz_wefjeu1bmnpsgvnhahte6rjmr6bja-uu...@mail.gmail.com...


Hi

I'm trying to authenticate our clients with squid_kerb_ldap against
our ad. There exists a global-group called "Internet". My squid.conf
looks like this:

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess


My "klist -k" looks like this:
proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test...@xx.yy
4 host/proxy-test...@xx.yy
4 host/proxy-test...@xx.yy
4 proxy-test-...@xx.yy
4 proxy-test-...@xx.yy
4 proxy-test-...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test...@xx.yy
4 HTTP/proxy-test...@xx.yy
4 HTTP/proxy-test...@xx.yy
5 proxy-test-...@xx.yy
5 proxy-test-...@xx.yy
5 proxy-test-...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 host/proxy-test-01.xx...@xx.yy
5 host/proxy-test-01.xx...@xx.yy
5 host/proxy-test-01.xx...@xx.yy


Without squid_kerb_ldap, the internet-access is working fine. With the
helper, I got the following errors in the cache.log:
2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy
authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: gr...@domain
inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: gr...@domain
inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Found gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm nam
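
An added diagnostic, not part of squid_kerb_ldap or msktutil, for the two failure modes this thread runs through. "Key version number for principal in key table is incorrect" means the key version (kvno) that a service ticket was encrypted under is not present in the keytab: either the keytab is behind the account's msDS-KeyVersionNumber, or, as in Tom's case after recreating the computer account, clients still hold service tickets issued under the old key until their cache is cleared. The parser reads the "klist -k" layout quoted above and groups key versions per principal; the sample listing, host and realm are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "klist -k" listing quoted in the thread;
# host and realm are placeholders, not real values.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 host/proxy-test-01.xx.yy@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 host/proxy-test-01.xx.yy@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_keytab_listing(text):
    """Map each principal to the set of key versions the keytab holds for it.
    klist -k prints one line per (principal, kvno, enctype), which is why the
    same principal and kvno repeat once per encryption type."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def check_kvno(kvnos, principal, expected_kvno):
    """Compare the keytab with the version tickets are issued under.
    expected_kvno is the account's msDS-KeyVersionNumber in AD, or the kvno
    carried in a client's cached service ticket. gss_accept_sec_context()
    reports "Key version number for principal in key table is incorrect"
    whenever the ticket's kvno is absent from the keytab."""
    present = kvnos.get(principal, set())
    if not present:
        return "missing: principal not in keytab"
    if expected_kvno not in present:
        return f"mismatch: keytab has {sorted(present)}, expected {expected_kvno}"
    stale = sorted(v for v in present if v != expected_kvno)
    if stale:
        return f"ok, stale version(s) {stale} can be removed"
    return "ok"


def audit(text, principal, expected_kvno):
    """One-call form: listing text in, verdict string out."""
    return check_kvno(parse_keytab_listing(text), principal, expected_kvno)
```

audit(SAMPLE_KLIST_K, "HTTP/proxy-test-01.xx.yy@XX.YY", 5) reports the keytab as usable with a stale version 4 still present; asking for version 2 against the same listing reproduces the mismatch condition, which is what clients holding old tickets ran into after the account was recreated.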

[squid-users] Destination domain and regular expression

2010-07-01 Thread Alberto Cappadonia

Hi all,

If I want to deny the access, for example, to google and I want that every
google web site (in any language) cannot be accessed, can I write an acl
like the following?

--
acl googleDomains dstdom_regex  -i .*\.google\..*

http_access deny googleDomains
--

or do I have to use another acl like url_regex?

Thanks in advance
Regards
Alberto








Re: [squid-users] IE6 and Kerberos-Authentication doesn't work

2010-07-01 Thread Tom Tux
Hi Guido

OK, thank you for this answer.
I'm already using FireFox with W2K...and this works really fine.

Regards,
Tom

2010/7/1 Guido Serassio :
> Hi,
>
> Sorry, You cannot.
>
> IE6 supports Kerberos Auth only for Web server authentication, not for proxy 
> Authentication.
> Kerberos support for proxy authentication was first added in IE7, but you 
> cannot use it on Windows 2000 
>
> On Windows 2000 Firefox works fine with Kerberos proxy authentication, so you 
> could try it.
>
> Regards
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135               Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>
> -Original message-
> From: Tom Tux [mailto:tomtu...@gmail.com]
> Sent: Thursday, 1 July 2010 13:27
> To: squid-users
> Subject: [squid-users] IE6 and Kerberos-Authentication doesn't work
>
> Hi
>
> I've found several documents describing that IE6 SP1 doesn't support
> kerberos-authentication and other documents like
> http://support.microsoft.com/kb/299838 which describes a solution, how
> I can enable the kerberos-authentication in IE6.
>
> I've enabled it and rebooted the client, but I'm not able to
> authenticate with kerberos with IE6 & Windows2000.
>
> Any hints or is it definitely not possible to authenticate the W2K-IE6
> with kerberos?
> Thanks.
>
> Regards,
> Tom
>


Re: [squid-users] Log dns error

2010-07-01 Thread Amos Jeffries

Luis Daniel Lucio Quiroz wrote:

Hi

I wonder if there is a specific way to identify what sites have been logged by 
a DNS resolution error?




Meh. Just sent off the other reply and thought of ipcache.
The squid ipcache records all DNS for a period, it lists the NXDOMAIN 
lookups as "N" flagged entries with no IPs. Could also be usable within 
the fuzzy DNS caching period.

  squidclient mgr:ipcache

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


Re: [squid-users] Log dns error

2010-07-01 Thread Amos Jeffries

Luis Daniel Lucio Quiroz wrote:

Hi

I wonder if there is a specific way to identify what sites have been logged by 
a DNS resolution error?




Not easily in the current Squid. A logging upgrade is underway for the 
future release to record error pages sent.


Meanwhile your DNS server logs are probably the best place to look for 
resolution failures (assuming you log that stuff there, it's huge).


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


Re: [squid-users] empty basic/digest realm

2010-07-01 Thread Amos Jeffries

Khaled Blah wrote:

Sorry for my late reply, Henrik. I want to be able to use an empty
realm because we use Digest Auth in conjunction with an LDAP backend.
In this LDAP backend the admin can specifiy combinations of
: or :. The empty realm would thus lead
to either  or  standing by themselves. We want to
support this latter case as well and the empty realm would make that a
lot easier.

Regards,
Khaled


Unless I'm confused and mixing up my protocols ... the realm is used as 
salting value and HA(1) is compared to a hash sent by the user combining 
realm+user+password. Very hard for the user to generate a secure hash 
correctly when the realm salt is empty.


Amos



2010/6/22 Henrik Nordström :

Tue 2010-06-22 at 00:22 +0200, Khaled Blah wrote:

That's not completely true. RFC 2617 states that the realm of either
digest/basic auth is a quoted string but it doesn't say that this
string has to be a minimum number of characters.

True, but is clearly not the intention that this should be empty.

I asked why you want to use an empty realm.

Regards
Henrik





--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


[squid-users] Error Compiling Squid 3.1.4

2010-07-01 Thread Babelo Gmvsdm

Hi,

I'm facing these error messages when I do a "make" to compile Squid 3.1.4:

In file included from md5.c:34:
../md5.h:27: error: expected specifier-qualifier-list before ‘UINT4’
../md5.h:36: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
../md5.h:37: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
../md5.h:39: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
cc1: warnings being treated as errors
md5.c:64: error: ‘struct SquidMD5Context’ declared inside parameter list
md5.c:64: error: its scope is only this definition or declaration, which is 
probably not what you want
md5.c:64: error: no previous prototype for ‘SquidMD5Init’
md5.c: In function ‘SquidMD5Init’:
md5.c:66: error: dereferencing pointer to incomplete type
md5.c:67: error: dereferencing pointer to incomplete type
md5.c:68: error: dereferencing pointer to incomplete type
md5.c:69: error: dereferencing pointer to incomplete type
md5.c:71: error: dereferencing pointer to incomplete type
md5.c:72: error: dereferencing pointer to incomplete type
...
...

Thanks in advance for your help

Cheers 

Herc.
  

RE: [squid-users] Errors with sasl while compiling Squid 3.1.4

2010-07-01 Thread Babelo Gmvsdm

Good morning,

Amos, thanks for your answer.

Now I'm facing a new problem at the start of compiling:
 
 In file included from md5.c:34:
../md5.h:27: error: expected specifier-qualifier-list before ‘UINT4’
../md5.h:36: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
../md5.h:37: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
../md5.h:39: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before 
‘PROTO_LIST’
cc1: warnings being treated as errors
md5.c:64: error: ‘struct SquidMD5Context’ declared inside parameter list
md5.c:64: error: its scope is only this definition or declaration, which is 
probably not what you want
md5.c:64: error: no previous prototype for ‘SquidMD5Init’
md5.c: In function ‘SquidMD5Init’:
md5.c:66: error: dereferencing pointer to incomplete type
md5.c:67: error: dereferencing pointer to incomplete type
md5.c:68: error: dereferencing pointer to incomplete type
...
...

Thanks to those who can help me!
 

> From: hercul...@hotmail.com
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Errors with sasl while compiling Squid 3.1.4
> Date: Wed, 30 Jun 2010 19:05:17 +0200
>
> Found,
>
> Did not install C++, just everything is working well except that in
> the config.log the file ip_tproxy.h is not found.
> I did not find any package containing this file.
>
> If someone can help.
>
> Cheers
>
> Herc.
>
> 2010/6/30 Babelo Gmvsdm
>
>> Hi When I run ./configure to prepare compilation on Squid 3.1.4 I got these
>> errors:
>>
>> checking /usr/include/sasl.h usability... no
>> checking /usr/include/sasl.h presence... no
>> checking for /usr/include/sasl.h... no
>>
>> checking sasl.h usability... no
>> checking sasl.h presence... no
>> checking for sasl.h... no
>> configure: error: Neither SASL nor SASL2 found
>>
>>
>> Whereas /usr/include/sasl.h is present in the right directory
>>
>>
>> Please help
>>
>> Cheers
>>
>> Herc.
>>

[squid-users] R: [squid-users] IE6 and Kerberos-Authentication doesn't work

2010-07-01 Thread Guido Serassio
Hi,

Sorry, You cannot.

IE6 supports Kerberos Auth only for Web server authentication, not for proxy 
Authentication.
Kerberos support for proxy authentication was first added in IE7, but you 
cannot use it on Windows 2000 

On Windows 2000 Firefox works fine with Kerberos proxy authentication, so you 
could try it.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


-Original message-
From: Tom Tux [mailto:tomtu...@gmail.com] 
Sent: Thursday, 1 July 2010 13:27
To: squid-users
Subject: [squid-users] IE6 and Kerberos-Authentication doesn't work

Hi

I've found several documents describing that IE6 SP1 doesn't support
kerberos-authentication and other documents like
http://support.microsoft.com/kb/299838 which describes a solution, how
I can enable the kerberos-authentication in IE6.

I've enabled it and rebooted the client, but I'm not able to
authenticate with kerberos with IE6 & Windows2000.

Any hints or is it definitely not possible to authenticate the W2K-IE6
with kerberos?
Thanks.

Regards,
Tom


[squid-users] IE6 and Kerberos-Authentication doesn't work

2010-07-01 Thread Tom Tux
Hi

I've found several documents describing that IE6 SP1 doesn't support
kerberos-authentication and other documents like
http://support.microsoft.com/kb/299838 which describes a solution, how
I can enable the kerberos-authentication in IE6.

I've enabled it and rebooted the client, but I'm not able to
authenticate with kerberos with IE6 & Windows2000.

Any hints or is it definitely not possible to authenticate the W2K-IE6
with kerberos?
Thanks.

Regards,
Tom


Re: [squid-users] empty basic/digest realm

2010-07-01 Thread Khaled Blah
Sorry for my late reply, Henrik. I want to be able to use an empty
realm because we use Digest Auth in conjunction with an LDAP backend.
In this LDAP backend the admin can specifiy combinations of
: or :. The empty realm would thus lead
to either  or  standing by themselves. We want to
support this latter case as well and the empty realm would make that a
lot easier.

Regards,
Khaled

2010/6/22 Henrik Nordström :
> Tue 2010-06-22 at 00:22 +0200, Khaled Blah wrote:
>> That's not completely true. RFC 2617 states that the realm of either
>> digest/basic auth is a quoted string but it doesn't say that this
>> string has to be a minimum number of characters.
>
> True, but is clearly not the intention that this should be empty.
>
> I asked why you want to use an empty realm.
>
> Regards
> Henrik
>
>


Re: Re: [squid-users] Antwort: Re: [squid-users] Memory and CPU usage squid-3.1.4

2010-07-01 Thread Martin . Pichlmaier
Hello list,

I just wanted to post the results with valgrind.
Unfortunately the memcheck thread needs so much CPU that I could not
put a high load on the squid: at most about 5-10 req/s.

# ./squid -v
Squid Cache: Version 3.1.3
configure options:  '--prefix=/appl' '--localstate=/var' 
'--with-filedescriptors=16384' '--enable-storeio=aufs' 
'--enable-auth=ntlm,basic' '--enable-external-acl-helpers=wbinfo_group' 
'--enable-icap-client' --enable-ltdl-convenience

also recompiled and tried with:
# squid -v
Squid Cache: Version 3.1.3
configure options:  '--prefix=/appl' '--localstate=/var' 
'--with-filedescriptors=16384' '--enable-storeio=aufs' 
'--enable-auth=ntlm,basic' '--enable-external-acl-helpers=wbinfo_group' 
'--enable-icap-client' '--with-valgrind-debug' 'CFLAGS=-g -O2' 
--enable-ltdl-convenience

I ran valgrind repeatedly with: "valgrind --leak-check=yes -v squid -N &" 
and found:

==24141== 3,311,957 bytes in 3,784 blocks are definitely lost in loss 
record 26 of 27
==24141==at 0x4A05809: malloc (vg_replace_malloc.c:149)
==24141==by 0x5ABAA7: xmalloc (util.c:508)
==24141==by 0x5AA35A: rfc1035MessageUnpack (rfc1035.c:433)
==24141==by 0x4B15A7: idnsGrokReply(char const*, unsigned long) 
(dns_interna l.cc:939)
==24141==by 0x4B22F0: idnsRead(int, void*) (dns_internal.cc:1178)
==24141==by 0x4AC154: comm_select (comm_epoll.cc:308)
==24141==by 0x5455AC: CommSelectEngine::checkEvents(int) 
(comm.cc:2682)
==24141==by 0x4B712D: EventLoop::checkEngine(AsyncEngine*, bool) 
(EventLoop.cc:51)
==24141==by 0x4B7282: EventLoop::runOnce() (EventLoop.cc:125)
==24141==by 0x4B7377: EventLoop::run() (EventLoop.cc:95)
==24141==by 0x4FB36C: SquidMain(int, char**) (main.cc:1379)
==24141==by 0x4FB975: main (main.cc:1141)

I looked a bit in the source code but didn't really find what could cause 
this.

Sometimes DNS did not seem to lose mem but I found this instead:

==29780== 987,870 (987,046 direct, 824 indirect) bytes in 1,321 blocks are 
definitely lost in loss record 27 of 28
==29780==at 0x4A05809: malloc (vg_replace_malloc.c:149)
==29780==by 0x5ABAA7: xmalloc (util.c:508)
==29780==by 0x5ABBAB: xstrdup (util.c:756)
==29780==by 0x4B3E15: errorTryLoadText(char const*, char const*, bool) 
(errorpage.cc:313)
==29780==by 0x4B494F: ErrorState::BuildContent() (errorpage.cc:1007)
==29780==by 0x4B551D: ErrorState::BuildHttpReply() (errorpage.cc:881)
==29780==by 0x4B58E5: errorAppendEntry (errorpage.cc:432)
==29780==by 0x51D656: store_client::callback(long, bool) 
(store_client.cc:164)
==29780==by 0x51DA2F: store_client::scheduleMemRead() 
(store_client.cc:448)
==29780==by 0x51E567: storeClientCopy2(StoreEntry*, store_client*) 
(store_client.cc:331)
==29780==by 0x51E8D3: store_client::copy(StoreEntry*, StoreIOBuffer, 
void (*)(void*, StoreIOBuffer), void*) (store_client.cc:264)
==29780==by 0x4A0D0E: clientReplyContext::doGetMoreData() 
(client_side_reply.cc:1675)

When running valgrind with 3.0.STABLE 23 I did not find similar lost blocks,
only some KB lost when initializing, but 3.1 loses some KB as well at that
point.

I monitored a squid3.0.STABLE25 and squid 3.1.3/3.1.4 over a longer period and
found out that both need more memory over time but 3.0 eventually does not grow.
3.1 continues to grow until CPU rises to nearly 100%; then the memory consumption
seems to stop.

Does someone have an idea where the problem could be?


Martin
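Marcus' advice below is to look for the leaks that repeat rather than the one-off exit-time losses. This added example (not from the thread or from Squid) parses memcheck "definitely lost" records in the format posted above, skips the allocator wrappers (malloc, Squid's xmalloc/xstrdup) to find the first Squid call site, and totals the lost bytes per call site; the sample input is constructed from the thread's records plus one small extra DNS record.

```python
import re
from collections import defaultdict

# Constructed sample in valgrind memcheck's leak-record format: PIDs, counts and
# frames come from the thread, plus one small extra DNS record to show aggregation.
SAMPLE = """\
==24141== 3,311,957 bytes in 3,784 blocks are definitely lost in loss record 26 of 27
==24141==    at 0x4A05809: malloc (vg_replace_malloc.c:149)
==24141==    by 0x5ABAA7: xmalloc (util.c:508)
==24141==    by 0x5AA35A: rfc1035MessageUnpack (rfc1035.c:433)
==24141==
==24141== 512 bytes in 2 blocks are definitely lost in loss record 4 of 27
==24141==    at 0x4A05809: malloc (vg_replace_malloc.c:149)
==24141==    by 0x5AA35A: rfc1035MessageUnpack (rfc1035.c:433)
==29780== 987,870 (987,046 direct, 824 indirect) bytes in 1,321 blocks are definitely lost in loss record 27 of 28
==29780==    by 0x5ABBAB: xstrdup (util.c:756)
==29780==    by 0x4B3E15: errorTryLoadText(char const*, char const*, bool) (errorpage.cc:313)
"""
HEADER = re.compile(r"^==\d+== ([\d,]+) (?:\([^)]*\) )?bytes in ([\d,]+) blocks are definitely lost")
FRAME = re.compile(r"^==\d+==\s*(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
# Squid's xmalloc/xstrdup only wrap libc, so the leak belongs to their first caller.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "xmalloc", "xcalloc", "xstrdup"}

def parse_leaks(text):
    """Return [(lost_bytes, blocks, [frames])], one tuple per 'definitely lost' record."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = (int(m[1].replace(",", "")), int(m[2].replace(",", "")), [])
            records.append(cur)
        elif cur and (f := FRAME.match(line)):
            cur[2].append(f[1])
        else:
            cur = None  # blank "==PID==" line or another record kind ends the stack
    return records

def culprit(frames):
    """First frame below the allocator wrappers, minus the trailing (file:line)."""
    names = [f.rsplit(" (", 1)[0] for f in frames]
    return next((n for n in names if n not in ALLOC_WRAPPERS), "?")

def rank_leaks(text):
    """Total lost bytes/blocks per culprit, largest first, so repeated leaks stand out."""
    totals = defaultdict(lambda: [0, 0])
    for nbytes, nblocks, frames in parse_leaks(text):
        who = culprit(frames)
        totals[who][0] += nbytes
        totals[who][1] += nblocks
    return sorted(((k, b, n) for k, (b, n) in totals.items()), key=lambda r: -r[1])
```

Feeding it a whole valgrind log (e.g. `rank_leaks(open("valgrind.log").read())`) lists the call sites worth a bug report at the top; a site that appears once with a few hundred bytes is usually the normal exit-time loss Marcus mentions.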




Marcus Kool  wrote on 17.06.2010 16:15:09:

> Martin,
> 
> Valgrind is a memory leak detection tool.
> You need some developer skills to run it.
> 
> If you have a test environment with low load you may want
> to give it a try.
> - download the squid sources
> - run configure with CFLAGS="-g -O2"
> - run squid with valgrind
> - wait
> - kill squid with a TERM signal and look at the valgrind log file
> 
> Valgrind uses a lot of memory for its own administration and has
> a lot of CPU overhead, so reduce cache_mem to a small value like 32MB.
> 
> Most likely you will see many memory leaks because
> Squid does not free everything when it exits. This is normal.
> You need to look at repeated memory leaks, the leaks that
> occur often, and file a bug report.
> 
> Please do not post the whole valgrind output to this list.
> 
> Marcus
> 
> 
> 
> martin.pichlma...@continental-corporation.com wrote:
> > Hello,
> > 
> > I just wanted to report back the last tests:
> > 
> > After the memory cache is filled to 100% the squid (3.1.4 or 3.1.3)
> > still needs more memory over time when under load, about 1-2 GB a day.
> > memory_pool off did not change anything, the process size still rises.
> > The high CPU usage seems to start when rising over a certain size limit
> > but I am not sure about that.
> > Example memory consumption of squid-3.1.4:
> > from 8.0 GB (4pm) to 8.4 GB (7pm) to 8.5 GB (4am next day) to 9,4 GB 
> > (2pm).
> > At night there is low load on the squid, maybe 20-50 req/s.
> > 3.1.3 behaves th