[squid-users] using round-robin cache_peers and another cache_peer together
Dear all,

as described we like to use a round-robin environment with two cache_peers and a third cache_peer to which some domains should be directed. Squid version is Squid Cache (version 3.1.6)...

cache_peer config:

  cache_peer x.x.x.x parent 3128 0 round-robin no-query no-digest
  cache_peer y.y.y.y parent 3128 0 round-robin no-query no-digest

and in the acl section:

  acl POST_CONNECT method POST CONNECT
  cache_peer z.z.z.z parent 80 0 proxy-only
  acl POST_CONNECT method POST CONNECT
  cache_peer_domain z.z.z.z sample.com
  cache_peer_domain z.z.z.z sample1.com
  cache_peer_domain z.z.z.z sample2.com
  acl 1st dstdomain sample.com sample1.com sample2.com

If we are using this conf all redirects to sample.com are ignored. If we reconfigure the config to use only the x.x.x.x parent without round-robin, the redirects to sample.com via the z.z.z.z cache_peer are working.

Any ideas to solve it?

Many thanks and best regards

--
Renesas Electronics Europe GmbH
Ralf Golfels
Senior Engineer Information Systems
Network, Security Communication
Arcadiastr. 10
40472 Duesseldorf
Germany
Phone: +49 211 65 03-1478
Fax: +49 211 65 03-1509
mailto:ralf.golf...@renesas.com
http://www.renesas.eu
Re: [squid-users] using round-robin cache_peers and another cache_peer together
On 08/12/10 21:58, ralf.golf...@renesas.com wrote:
> [...]

Order is important. Either:

Place cache_peer z.z.z.z ... first.

OR configure explicit access controls:

  cache_peer_access x.x.x.x deny 1st
  cache_peer_access y.y.y.y deny 1st
  cache_peer_access z.z.z.z allow 1st

(the cache_peer_domain can then be removed)

z.z.z.z peer also appears to possibly be lacking the originserver flag.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
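A small checker for the ordering problem described in this reply, added here as an example and not Squid's own peer-selection code: it parses the cache_peer, cache_peer_domain, cache_peer_access and dstdomain acl lines and flags a domain-restricted parent that sits behind unrestricted (round-robin) parents without matching deny rules. The ORIGINAL and FIXED configurations are constructed from the thread's own placeholders (x.x.x.x, y.y.y.y, z.z.z.z, the acl named 1st).

```python
"""Checker for the peer-ordering problem in the thread: a domain-restricted parent
listed after unrestricted (round-robin) parents is never reached unless each earlier
parent explicitly denies that traffic.  Added example, not Squid's own selection code;
it encodes only the two remedies in the reply (restricted peer first, or deny rules)."""
from dataclasses import dataclass, field


@dataclass
class Peer:
    host: str
    name: str
    kind: str                                       # parent / sibling / multicast
    http_port: str
    options: list
    domains: set = field(default_factory=set)       # from cache_peer_domain
    allow_acls: list = field(default_factory=list)  # cache_peer_access allow
    deny_acls: list = field(default_factory=list)   # cache_peer_access deny


def parse_peers(conf):
    """Return (peers in config order, {acl name: set of dstdomain values})."""
    peers, acls, by_name = [], {}, {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()           # strip comments and blanks
        if not tok:
            continue
        if tok[0] == "cache_peer" and len(tok) >= 5:
            opts = tok[5:]
            name = next((o[5:] for o in opts if o.startswith("name=")), tok[1])
            peer = Peer(tok[1], name, tok[2], tok[3], opts)
            peers.append(peer)
            by_name[name] = by_name[tok[1]] = peer   # addressable by either
        elif tok[0] == "cache_peer_domain" and len(tok) >= 3 and tok[1] in by_name:
            # negated entries (!domain) exclude rather than restrict; skipped here
            by_name[tok[1]].domains.update(d for d in tok[2:] if d[0] != "!")
        elif tok[0] == "cache_peer_access" and len(tok) >= 4 and tok[1] in by_name:
            peer = by_name[tok[1]]
            (peer.allow_acls if tok[2] == "allow" else peer.deny_acls).extend(tok[3:])
        elif tok[0] == "acl" and len(tok) >= 4 and tok[2] == "dstdomain":
            acls.setdefault(tok[1], set()).update(tok[3:])
    return peers, acls


def acl_domains(acl_names, acls):
    """Union of the dstdomain values behind the named ACLs."""
    return set().union(*(acls.get(n, set()) for n in acl_names))


def check_order(conf):
    """One warning per unrestricted parent that precedes a domain-restricted
    parent without denying its domains; an empty list means the order is fine."""
    peers, acls = parse_peers(conf)
    parents = [p for p in peers if p.kind == "parent"]
    warnings = []
    for i, restricted in enumerate(parents):
        wanted = restricted.domains | acl_domains(restricted.allow_acls, acls)
        if not wanted:
            continue                                 # not domain-restricted
        for earlier in parents[:i]:
            if earlier.domains or earlier.allow_acls:
                continue                             # restricted itself
            missing = wanted - acl_domains(earlier.deny_acls, acls)
            if missing:
                warnings.append(
                    f"{earlier.name} is listed before {restricted.name} and does not "
                    f"deny {sorted(missing)}; those requests go to {earlier.name}. "
                    f"List {restricted.name} first or add "
                    f"'cache_peer_access {earlier.name} deny <dstdomain acl>'.")
    return warnings


# Constructed from the configuration in the original post (placeholders kept).
ORIGINAL = """
cache_peer x.x.x.x parent 3128 0 round-robin no-query no-digest
cache_peer y.y.y.y parent 3128 0 round-robin no-query no-digest
cache_peer z.z.z.z parent 80 0 proxy-only
cache_peer_domain z.z.z.z sample.com
cache_peer_domain z.z.z.z sample1.com
cache_peer_domain z.z.z.z sample2.com
acl 1st dstdomain sample.com sample1.com sample2.com
"""

# The reply's second remedy applied: explicit access controls, no cache_peer_domain.
FIXED = """
cache_peer x.x.x.x parent 3128 0 round-robin no-query no-digest
cache_peer y.y.y.y parent 3128 0 round-robin no-query no-digest
cache_peer z.z.z.z parent 80 0 proxy-only originserver
acl 1st dstdomain sample.com sample1.com sample2.com
cache_peer_access x.x.x.x deny 1st
cache_peer_access y.y.y.y deny 1st
cache_peer_access z.z.z.z allow 1st
"""
```

Running check_order(ORIGINAL) yields one warning for x.x.x.x and one for y.y.y.y; check_order(FIXED), or the original with z.z.z.z moved to the top, yields none.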
[squid-users] Cache gain measurement
Hi Friends,

Is there any tool or how to measure cache gain from squid...?

Thanks,
Benjo
[squid-users] squid service keeps restarting
Dear Squid users,

I am running Squid Cache: Version 3.1.8 on Fedora core 12, 8 GB RAM, Intel xeon quad core 2.4 GHz processor.

my HTTP requests:
  client_http.requests = 245.456913/sec
  client_http.hits = 75.313005/sec

File descriptor usage for squid:
  Maximum number of file descriptors:   32768
  Largest file desc currently in use:    8097
  Number of file desc currently in use:  7108
  Files queued for open:                   46
  Available number of file descriptors: 25614
  Reserved number of file descriptors:    100
  Store Disk files open:                  126

cache_mem 3 GB

The problem I'm facing is that the squid service keeps restarting every 3 hours. Can anyone suggest why it's happening?

Thanks in advance.
Re: [squid-users] Kerberos authentication with MIT KDC
> Rolf Loudon r...@ses.tas.gov.au 12/06/10 7:46 PM
> Hello
>
> I've done this but against AD. As far as I can see the squid helpers squid_kerb_auth and squidkerb_ldap are not AD specific and implement pure kerberos authentication. The former comes with squid 2.7 but getting the latest and compiling provides a few extra features. (like the -r switch which I like).
>
> You will need these helpers and you will need to create a service principal.
>
> http://squidkerbauth.sourceforge.net/ is where the files are. Markus Moeller is the author of these helpers and is very helpful - and is active on this list.
>
> I found this helpful http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
>
> regards
> rolf.

Thanks Rolf,

I'd already downloaded the latest squidkerbauth 1.0.7 from sourceforge and compiled it. Mostly just to test with squid_kerb_auth_test since it wasn't included in the binary package for CentOS I used. Squid was compiled with all the required helpers though I believe:

Squid Cache: Version 2.7.STABLE9
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-digest-auth-helpers=password' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' '--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie'

I've actually loosely followed the link you provided for Klaubert's guide setting this up. Also referenced the guide on the wiki here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

The one thread in the mailing list archives closest to what I'm trying to do was this one: http://www.squid-cache.org/mail-archive/squid-users/201009/0405.html

I've added a HTTP service principal to the KDC on the mac server but nothing else. Hopefully I exported the keytab and copied it to the squid server correctly since I couldn't find any documentation specific for that. I'm sure I've missed a step somewhere here or there that was implied or I've hosed something making changes along the way. I'm at a loss now as to what to look for or change.

Best Regards,
Rob

Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

--
This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean.
[squid-users] Re: Kerberos authentication with MIT KDC
Hi Rob,

It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd

How did you create the entry and keytab ?

Markus

Rob Asher ras...@paragould.k12.ar.us wrote in message news:4cfcf8e3.0172.003...@paragould.k12.ar.us...
> I've looked through some of the mailing list archives and can't find anything specific on kerberos authentication to a MIT KDC for windows clients. Everything I've found mentions AD. What I'd like, if possible, is to have single sign on capabilities between OS X server's Open Directory, squid 2.7stable9 on CentOS 5.5, and Windows XP clients. With pGina and kerberos for windows installed on the XP clients, I successfully get a ticket from the OD server. What I'm having problems with is getting firefox or IE to use the ticket for negotiation with the squid server.
>
> I'm guessing that I've missed setting up a principal correctly, copied the keytab incorrectly, or possibly a DNS issue but I'm not familiar enough with kerberos to know what's wrong. Packet captures for kerberos return a KRB-ERROR like this after the TGS_REQ when opening a browser session with FF:
>
>   Kerberos KRB-ERROR
>     Pvno: 5
>     MSG Type: KRB-ERROR (30)
>     ctime: 2010-12-03 21:05:34 (UTC)
>     stime: 2010-12-03 21:05:26 (UTC)
>     susec: 714271
>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>     Client Realm: XSERVE.PARAGOULD.PSD
>     Client Name (Principal): HTTP/proxyserver.paragould.psd
>       Name-type: Principal (1)
>       Name: HTTP
>       Name: proxyserver.paragould.psd
>     Realm: XSERVE.PARAGOULD.PSD
>     Server Name (Unknown): krbtgt/xserve.paragould.psd
>       Name-type: Unknown (0)
>       Name: krbtgt
>       Name: xserve.paragould.psd
>     e-text: UNKNOWN_SERVER
>
> If anyone has any ideas or what to look for, I'd appreciate any help. If this isn't enough information from the capture to make an educated guess as to where I need to look further, I have the entire sequence I could post as well.
>
> Thanks,
> Rob
>
> Rob Asher
> Network Systems Technician
> Paragould School District
> 870-236-7744 x169
Re: [squid-users] Cache gain measurement
On Wed, 8 Dec 2010 18:33:19 +0530, benjamin fernandis benjo11...@gmail.com wrote:
> Hi Friends,
>
> Is there any tool or how to measure cache gain from squid...?

Yes, but... please define cache gain. speed? bandwidth? other?

Most of the log analysis tools provide a measure of speed and bandwidth in some form or another. IIRC it's called cache gain by Calamaris, savings by others. The Squid internal cachemgr calls these measures the Hit Ratio.

Amos
Re: [squid-users] squid service keeps restarting
On Wed, 8 Dec 2010 15:41:49 +0200, Ananth wrote:
> [...]

Check cache.log. Squid dumps out a failure reason when the worker dies. Look for FATAL and a few lines beforehand just before the Starting Squid lines.

If all you can find is Squid exiting normally then it is caused by someone or something sending Squid a shutdown/restart message.

Amos
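The triage this reply describes, as an added example (not Squid code, and the sample log is constructed in Squid 3.1 cache.log style rather than taken from the poster's system): it finds each "Starting Squid" line, classifies the previous instance's end from the lines before it (a FATAL message versus "Exiting normally"), and measures the spacing between starts, which for a "every 3 hours" pattern is worth comparing against scheduled jobs.

```python
"""Triage for the restart loop in the thread, following the reply: locate each
'Starting Squid' line in cache.log and classify the previous instance's end from
the lines before it (a FATAL message, or 'Exiting normally', which points at an
external shutdown/restart).  Added example, not Squid code; the log below is
constructed in Squid 3.1 cache.log style and is not from the poster's system."""
import re
from dataclasses import dataclass
from datetime import datetime

STAMP = "%Y/%m/%d %H:%M:%S"
START_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| Starting Squid Cache")
FATAL_RE = re.compile(r"\| FATAL: (.*)$")
NORMAL_RE = re.compile(r"\| Squid Cache \(Version [^)]*\): Exiting normally")


@dataclass
class Restart:
    when: str       # timestamp of the 'Starting Squid' line
    reason: str     # why the previous instance stopped, as far as the log says
    context: list   # the last few lines before the start, for the human reader


def triage(log_text, context_lines=4):
    """One Restart per 'Starting Squid' line, oldest first."""
    lines = log_text.splitlines()
    restarts, prev_start = [], -1
    for idx, line in enumerate(lines):
        m = START_RE.match(line)
        if not m:
            continue
        segment = lines[prev_start + 1:idx]        # everything since the last start
        reason = "no exit message found (first start, or log truncated)"
        for old in reversed(segment):              # the nearest explanation wins
            fatal = FATAL_RE.search(old)
            if fatal:
                reason = "FATAL: " + fatal.group(1)
                break
            if NORMAL_RE.search(old):
                reason = "exited normally: something sent Squid a shutdown/restart"
                break
        restarts.append(Restart(m.group(1), reason, segment[-context_lines:]))
        prev_start = idx
    return restarts


def intervals_hours(restarts):
    """Hours between consecutive starts; a steady value such as ~3.0 suggests a
    scheduled external action (cron, log rotation) rather than a crash."""
    stamps = [datetime.strptime(r.when, STAMP) for r in restarts]
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(stamps, stamps[1:])]


# Constructed sample in cache.log format: one crash, then one externally
# requested shutdown, each followed by a fresh start.
SAMPLE_LOG = """\
2010/12/08 12:00:01| Starting Squid Cache version 3.1.8 for x86_64-redhat-linux-gnu...
2010/12/08 12:00:01| Process ID 4242
2010/12/08 12:00:02| Accepting  HTTP connections at [::]:3128, FD 14.
2010/12/08 15:01:55| WARNING! Your cache is running out of filedescriptors
2010/12/08 15:01:58| FATAL: Received Segment Violation...dying.
2010/12/08 15:01:58| Squid Cache (Version 3.1.8): Terminated abnormally.
2010/12/08 15:02:03| Starting Squid Cache version 3.1.8 for x86_64-redhat-linux-gnu...
2010/12/08 15:02:03| Process ID 4311
2010/12/08 18:02:00| Preparing for shutdown after 123456 requests
2010/12/08 18:02:01| Shutting down...
2010/12/08 18:02:31| Squid Cache (Version 3.1.8): Exiting normally.
2010/12/08 18:02:33| Starting Squid Cache version 3.1.8 for x86_64-redhat-linux-gnu...
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for r in found:
        print(r.when, "-", r.reason)
    print("hours between starts:", intervals_hours(found))
```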
[squid-users] Re: Kerberos authentication with MIT KDC
Hi Markus,

I created the service principal with kadmin on the apple server. The actual command was kadmin.local -q add_principal HTTP/proxyserver.paragould.psd. I used kadmin also to export the keytab. Here's exactly what I did:

xserve:~ root# kadmin.local
Authenticating as principal root/ad...@xserve.paragould.psd with password.
kadmin.local: xst -k proxyserver.keytab HTTP/proxyserver.paragould@xserve.paragould.psd
Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
kadmin.local: q

xserve:~ root# klist -k proxyserver.keytab
Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------
   5 HTTP/proxyserver.paragould@xserve.paragould.psd
   5 HTTP/proxyserver.paragould@xserve.paragould.psd
   5 HTTP/proxyserver.paragould@xserve.paragould.psd
   5 HTTP/proxyserver.paragould@xserve.paragould.psd

xserve:~ root# kadmin.local -q list_principals | grep -i http
HTTP/proxyserver.paragould@xserve.paragould.psd
HTTP/xserve.paragould@xserve.paragould.psd
http/xserve.paragould@xserve.paragould.psd

That last command to list the http principals confused me and I'm not familiar with kerberos at all really. Is it showing there are http service principals for both proxyserver.paragould.psd and xserve.paragould.psd or does the KDC automatically add a http service principal for itself too?

In this case, xserve.paragould.psd is the KDC server running on OS X Server 10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS 5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host proxyserver.paragould.psd and made sure the squid user had read access to it.

Running kinit squidserver and giving its password works I think. klist after that shows:

[r...@proxyserver squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squidser...@xserve.paragould.psd

Valid starting     Expires            Service principal
12/08/10 15:38:42  12/09/10 01:38:42  krbtgt/xserve.paragould@xserve.paragould.psd
        renew until 12/09/10 15:38:42

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I'm sure I've missed something or messed something up but I'm at a loss as to what it is or where to even start looking. Thanks for any help!

Regards,
Rob

Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

Markus Moeller hua...@moeller.plus.com 12/08/10 2:39 PM
> [...]
[squid-users] Re: Kerberos authentication with MIT KDC
Hi Rob,

What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc server ? Do you get a password prompt ?

Markus

Rob Asher ras...@paragould.k12.ar.us wrote in message news:4cffadf6.0172.003...@paragould.k12.ar.us...
> [...]
[squid-users] do I have peering configured correctly?
I'm not convinced I have peering configured correctly. Here is my environment:

These are internal specialized squid servers for serving internal web sites/deliverables. The main squid server at corporate is intended to accelerate a few sites. At corporate, we have 4 squid servers fronted by haproxy to load balance them. We have ACL's setup so that by default everything goes to the download web servers, but a few specific url's get proxied to some other servers. What I'm unsure about is whether the ACL's are preventing the cache_peer squid1-4 directives from being actually used...

http_port 80 defaultsite=squid
http_port 8081 defaultsite=squid
icp_port 3130

cache_peer download1 parent 80 0 no-query originserver name=download1 round-robin connect-fail-limit=1
cache_peer download2 parent 80 0 no-query originserver name=download2 round-robin connect-fail-limit=1
cache_peer download3 parent 80 0 no-query originserver name=download3 round-robin connect-fail-limit=1
cache_peer maven-repo parent 8081 0 no-query originserver name=mavenrepo
cache_peer foo parent 80 0 no-query originserver name=foo
cache_peer squid1 sibling 80 3130 proxy-only name=squid1
cache_peer squid2 sibling 80 3130 proxy-only name=squid2
cache_peer squid3 sibling 80 3130 proxy-only name=squid3
cache_peer squid4 sibling 80 3130 proxy-only name=squid4

http_access allow all

acl mavenpath urlpath_regex ^/artifactory
acl mavenpath urlpath_regex ^/nexus
acl mavenport myport 8081
acl foopath urlpath_regex ^/foo-packages

cache_peer_access download1 deny mavenport
cache_peer_access download2 deny mavenport
cache_peer_access download3 deny mavenport
cache_peer_access download1 deny mavenpath
cache_peer_access download2 deny mavenpath
cache_peer_access download3 deny mavenpath
cache_peer_access download1 deny foopath
cache_peer_access download2 deny foopath
cache_peer_access download3 deny foopath

# Only allow mavenpath and maven port to go to maven
cache_peer_access mavenrepo allow mavenpath
cache_peer_access mavenrepo allow mavenport
cache_peer_access mavenrepo deny all

# Only allow foopath to go to foo
cache_peer_access foo allow foopath
cache_peer_access foo deny all

We have another setup for remote sites that have their own squid server. Currently these point to the download servers at corporate, but I'd also like them to peer with the four squid servers configured as above. This is what I currently have:

http_port 3128 defaultsite=squid
http_port 80 defaultsite=squid
http_port 8081 defaultsite=squid

# download is actually a round robin dns for download1,2,3
cache_peer download parent 80 0 no-query originserver name=download
cache_peer maven-repo parent 8081 0 no-query originserver name=mavenrepo

visible_hostname squid

cache_peer squid1 sibling 80 3130 name=squid1
cache_peer squid2 sibling 80 3130 name=squid2
cache_peer squid3 sibling 80 3130 name=squid3
cache_peer squid4 sibling 80 3130 name=squid4

acl all src 0.0.0.0/0.0.0.0
http_access allow all

acl maven urlpath_regex ^/artifactory ^/nexus
acl mavenport myport 8081

cache_peer_access download deny maven
cache_peer_access download deny mavenport
cache_peer_access mavenrepo allow maven
cache_peer_access mavenrepo allow mavenport
cache_peer_access mavenrepo deny all

What I'm concerned about is that when I tested a remote server I couldn't find evidence of it peering with the corporate squid server to pull a file -- and I'm wondering if my ACL's are somehow preventing the sibling peer relationship from being used for 'download'.

The corporate server is running 3.1.9 and the remotes are running 2.6.STABLE6.
Re: [squid-users] Re: Kerberos authentication with MIT KDC
Markus,

I do get a password prompt although I don't remember setting a password for it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for HTTP/proxyserver.paragould@xserve.paragould.psd:
Kerberos Login Failed: Password incorrect

In Open Directory, I just added a new machine (what I assumed was a host principal) named proxyserver but adding a machine via OD's workgroup manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob

Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

Markus Moeller hua...@moeller.plus.com 12/08/10 5:44 PM
> [...]
[squid-users] hiding WAN IP from whatismyip.com ?
I was told that this is all I need to get this to work. I'm using the latest version of squid 3.1.9

My browser proxy setting is set to localhost 3128

I also installed this proxy on the same client machine I use to surf the web. I don't think it matters

Any advice is welcome.

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access All deny all
[squid-users] kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type rc4-hmac?
Hi

We moved our W2K3 domain controllers to W2K8 DC's. The active-directory operational mode is still 2003. We're using kerberos authentication against the active-directory. Nightly, msktutil --auto-update runs on the squid proxy. One day, this updated the computer account and added the new msDS-SupportedEncryptionTypes = 28.

One morning, nobody could be authenticated against the active-directory. In the cache.log, I saw the following error:

authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Encryption type not permitted'

So, I added the aes256-cts-hmac-sha1-96 encryption type in the /etc/krb5.conf file. Now, everything is working fine. On the computer object in the active-directory, I see a value of 28 on the attribute msDS-SupportedEncryptionTypes (updated through msktutil).

When I trace the kerberos traffic between the proxy and the new w2k8 domain controller, I still see the old encryption type rc4-hmac being used. Why is the new encryption type aes not used? Why is the old one still used? Before I updated the krb5.conf with the aes part, nobody was able to authenticate. And now, squid still talks with the old one?

Any hints for this behaviour?

Thanks a lot.
Tom
[squid-users] Re: squid cache not updating?
Any ideas? Do I have to rebuild the cache? Really not sure what to do on this one. Unsure whether the cache is being updated or it has stopped using the cache, etc.

--------------------------------------------------
From: J Webster webster_j...@hotmail.com
Sent: Friday, December 03, 2010 8:03 AM
To: squid-users@squid-cache.org
Subject: squid cache not updating?

> I have my cache mounted on a drive at /var/spool/squid. The other day I tried to mount a new folder also on the same drive, which is apparently not the best thing to do. Since then, I am not sure if my squid cache is updating or not. It seems to be stuck at 35Gb use and 16% capacity. Is there any way to check if the cache is updating?