Re: [squid-users] kudus
Thanks Amos and Markus, who were at the forefront in helping me with many squid issues. Of course thanks to all the people who reply and spend their time answering others' queries.

--Original Message--
From: woody
To: squid-users@squid-cache.org
Subject: [squid-users] kudus
Sent: Aug 30, 2012 01:28

I've been watching this list for a while, and I'd like to just take a moment to give Amos Jeffries a huge pat on the back. I've been involved with the administration of a mailing list, and it is a huge job. Amos obviously spends much time dealing with the list and squid, and probably gets little enough thanks for it. He handles a lot of crap with consummate skill. He is a huge asset to the open source community, and squid in particular. So THANKS!, Amos. You get a gold star.

-Sent via Blackberry
Re: [squid-users] take out something from squidguard.conf without restarting squid
After you make a change to the config of SG, run squid -k reconfigure. If you make changes to the dest urls list or domain list then you have to recreate the .db files.

--Original Message--
From: J Webster
To: squid-users@squid-cache.org
Subject: [squid-users] take out something from squidguard.conf without restarting squid
Sent: Aug 11, 2012 12:05

If I want to remove one of the dest restrictions from squidguard, how can I do this without restarting squid?

-Sent via Blackberry
Re: [squid-users] squidguard not blocking
Your SG process is stopping, so after you start SG do a ps aux | grep squidGuard and check whether the SG process is running.

-Sent via Blackberry

-Original Message-
From: J Webster
Date: Sat, 11 Aug 2012 09:29:32
To:
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squidguard not blocking

#
# CONFIG FILE FOR SQUIDGUARD
#

#dbhome /usr/local/squidGuard/db
#logdir /usr/local/squidGuard/logs
dbhome /var/lib/squidguard
logdir /var/log/squidguard

dest porn {
        domainlist porn/domains
        urllist porn/urls
}

dest aggressive {
        domainlist aggressive/domains
        urllist aggressive/urls
}

dest hacking {
        domainlist hacking/domains
        urllist hacking/urls
}

dest religion {
        domainlist religion/domains
        urllist religion/urls
}

dest spyware {
        domainlist spyware/domains
        urllist spyware/urls
}

dest violence {
        domainlist violence/domains
        urllist violence/urls
}

dest weapons {
        domainlist weapons/domains
        urllist weapons/urls
}

acl {
        default {
                pass !porn !aggressive !hacking !religion !spyware !violence !weapons !in-addr all
                redirect http://www.mysite.co.uk/blockaccess.php
        }
}

[root ~]# service squid restart
Stopping squid: [ OK ]
Starting squid: . [ OK ]
[root squidguard]# date
Sat Aug 11 08:27:00 BST 2012
[root squidguard]# tail -f squidGuard.log
2012-08-10 17:26:39 [28522] loading dbfile /var/lib/squidguard/violence/domains.db
2012-08-10 17:26:39 [28522] init urllist /var/lib/squidguard/violence/urls
2012-08-10 17:26:39 [28522] loading dbfile /var/lib/squidguard/violence/urls.db
2012-08-10 17:26:39 [28522] init domainlist /var/lib/squidguard/weapons/domains
2012-08-10 17:26:39 [28522] loading dbfile /var/lib/squidguard/weapons/domains.db
2012-08-10 17:26:39 [28522] init urllist /var/lib/squidguard/weapons/urls
2012-08-10 17:26:39 [28522] loading dbfile /var/lib/squidguard/weapons/urls.db
2012-08-10 17:26:39 [28522] squidGuard 1.3 started (1344615999.035)
2012-08-10 17:26:39 [28522] squidGuard ready for requests (1344615999.039)
2012-08-10 17:26:39 [28522] squidGuard stopped (1344615999.040)

On 10/08/12 23:49, Go Wow wrote:
> Is squidguard log config in squidguard.conf file? If not config the log and
> watch the log whether the traffic is hitting SG or not. I feel there some
> config issue in SG.
>
> Let us see your config files and client IP or username.
> -Sent via Blackberry
>
>
Re: [squid-users] squidguard not blocking
Is squidguard log config in the squidguard.conf file? If not, config the log and watch the log to see whether the traffic is hitting SG or not. I feel there is some config issue in SG.

Let us see your config files and client IP or username.

-Sent via Blackberry

-Original Message-
From: J Webster
Date: Fri, 10 Aug 2012 23:21:54
To: gow...@gmail.com
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squidguard not blocking

it is, I get the server IP address when browsing and log is full of HIT MISS lines etc

On 10 Aug 2012, at 22:30, "Go Wow" wrote:

> Check access.log and verify whether the traffic is passing through squid from
> the client machine.
>
> -Sent via Blackberry
>
> -Original Message-
> From: J Webster
> Date: Fri, 10 Aug 2012 20:34:31
> To:
> Subject: [squid-users] squidguard not blocking
> squidguard correctly blocks when I run from the command line:
> [root squidguard]# echo "http://www.porn.com/ - - GET" | squidGuard -c
> /etc/squid/squidguard.conf -d
> 2012-08-10 17:45:22 [28923] New setting: dbhome: /var/lib/squidguard
> 2012-08-10 17:45:22 [28923] New setting: logdir: /var/log/squidguard
> 2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/porn/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/porn/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/porn/urls
> 2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/porn/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/aggressive/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/aggressive/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/aggressive/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/aggressive/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/hacking/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/hacking/domains.db
> 2012-08-10 17:45:22 [28923] init urllist
> /var/lib/squidguard/hacking/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/hacking/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/religion/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/religion/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/religion/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/religion/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/spyware/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/spyware/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/spyware/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/spyware/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/violence/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/violence/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/violence/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/violence/urls.db
> 2012-08-10 17:45:22 [28923] init domainlist
> /var/lib/squidguard/weapons/domains
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/weapons/domains.db
> 2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/weapons/urls
> 2012-08-10 17:45:22 [28923] loading dbfile
> /var/lib/squidguard/weapons/urls.db
> 2012-08-10 17:45:22 [28923] squidGuard 1.3 started (1344617122.190)
> 2012-08-10 17:45:22 [28923] squidGuard ready for requests (1344617122.193)
> 2012-08-10 17:45:22 [28923] source not found
> 2012-08-10 17:45:22 [28923] no ACL matching source, using default
> http://localhost/block.html -/- - GET
> 2012-08-10 17:45:22 [28923] squidGuard stopped (1344617122.193)
>
> Does the url rewriter need to be further up the squid.conf?
> It is right at the end of the conf file at the moment:
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Re: [squid-users] squidguard not blocking
Check access.log and verify whether the traffic is passing through squid from the client machine.

-Sent via Blackberry

-Original Message-
From: J Webster
Date: Fri, 10 Aug 2012 20:34:31
To:
Subject: [squid-users] squidguard not blocking

squidguard correctly blocks when I run from the command line:

[root squidguard]# echo "http://www.porn.com/ - - GET" | squidGuard -c /etc/squid/squidguard.conf -d
2012-08-10 17:45:22 [28923] New setting: dbhome: /var/lib/squidguard
2012-08-10 17:45:22 [28923] New setting: logdir: /var/log/squidguard
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/porn/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/porn/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/porn/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/porn/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/aggressive/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/aggressive/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/aggressive/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/aggressive/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/hacking/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/hacking/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/hacking/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/hacking/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/religion/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/religion/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/religion/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/religion/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/spyware/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/spyware/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/spyware/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/spyware/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/violence/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/violence/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/violence/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/violence/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/weapons/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/weapons/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/weapons/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/weapons/urls.db
2012-08-10 17:45:22 [28923] squidGuard 1.3 started (1344617122.190)
2012-08-10 17:45:22 [28923] squidGuard ready for requests (1344617122.193)
2012-08-10 17:45:22 [28923] source not found
2012-08-10 17:45:22 [28923] no ACL matching source, using default
http://localhost/block.html -/- - GET
2012-08-10 17:45:22 [28923] squidGuard stopped (1344617122.193)

Does the url rewriter need to be further up the squid.conf?
It is right at the end of the conf file at the moment:
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
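The thread tests squidGuard by piping a request line into it by hand, and an earlier reply in this digest notes that editing a domain or URL list means rebuilding the .db files before `squid -k reconfigure`. The following is an added example (not squidGuard's or Squid's own code) that models both: it parses a squidGuard.conf in the syntax posted above, lists the compiled .db files the dest blocks depend on, and answers a url_rewrite request line the way the old helper protocol expects (the redirect URL on a line of its own to block, an empty line to pass the request unchanged). The conf text, the category list contents and the request lines are constructed for this example; URL-list matching is a plain prefix match, a simplification of what squidGuard does.

```python
"""Added example: a toy model of the squidGuard decision tested by hand above."""
import re
from urllib.parse import urlsplit

# Constructed conf in the shape of the one posted in the thread.
CONF_TEXT = """
dbhome /var/lib/squidguard
logdir /var/log/squidguard
dest porn { domainlist porn/domains urllist porn/urls }
dest hacking{ domainlist hacking/domains urllist hacking/urls }
dest weapons{ domainlist weapons/domains urllist weapons/urls }
acl {
    default {
        pass !porn !hacking !weapons !in-addr all
        redirect http://www.mysite.co.uk/blockaccess.php
    }
}
"""

# Constructed list contents, keyed by the path named in the conf
# (normally these live in the compiled .db files under dbhome).
LISTS = {
    "porn/domains": {"adult-site.example"},
    "hacking/domains": {"exploit-kit.example"},
    "hacking/urls": {"forum.example/hacking"},
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def tokenize(text):
    """Words of the conf with braces as their own tokens; # comments dropped."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        tokens.extend(line.replace("{", " { ").replace("}", " } ").split())
    return tokens


def _block(toks, i):
    """Tokens inside the brace block opening at toks[i], and the index after it."""
    depth, j = 1, i + 1
    while depth:
        depth += {"{": 1, "}": -1}.get(toks[j], 0)
        j += 1
    return toks[i + 1:j - 1], j


def _parse_acl(inner):
    spec, k = {"pass": [], "redirect": None}, 0
    while k < len(inner):
        if inner[k] == "pass":
            k += 1
            while k < len(inner) and inner[k] not in ("redirect", "pass"):
                spec["pass"].append(inner[k])
                k += 1
        elif inner[k] == "redirect":
            spec["redirect"], k = inner[k + 1], k + 2
        else:
            k += 1
    return spec


def parse_conf(text):
    """Return {'dbhome', 'logdir', 'dest': {name: {listtype: path}}, 'acl': {name: spec}}."""
    toks, conf, i = tokenize(text), {"dest": {}, "acl": {}}, 0
    while i < len(toks):
        if toks[i] in ("dbhome", "logdir"):
            conf[toks[i]], i = toks[i + 1], i + 2
        elif toks[i] == "dest":
            name = toks[i + 1]
            body, i = _block(toks, i + 2)
            conf["dest"][name] = dict(zip(body[0::2], body[1::2]))
        elif toks[i] == "acl":
            body, i = _block(toks, i + 1)
            k = 0
            while k < len(body):
                inner, k2 = _block(body, k + 1)
                conf["acl"][body[k]] = _parse_acl(inner)
                k = k2
        else:
            i += 1
    return conf


def db_files(conf):
    """The compiled lists squidGuard -C all produces from the conf: rebuild
    these after editing a list, then squid -k reconfigure restarts the helpers."""
    return sorted(f"{conf['dbhome']}/{path}.db"
                  for lists in conf["dest"].values() for path in lists.values())


def in_dest(conf, lists, name, host, path):
    """Domain lists match the host and every subdomain; URL lists are a prefix
    match on host+path (simplified)."""
    dest = conf["dest"].get(name, {})
    labels = host.split(".")
    domains = lists.get(dest.get("domainlist"), set())
    if any(".".join(labels[i:]) in domains for i in range(len(labels))):
        return True
    return any((host + path).startswith(u) for u in lists.get(dest.get("urllist"), set()))


def decide(conf, lists, request_line):
    """Helper reply for one 'URL client/fqdn ident method' line: the redirect
    URL when blocked, '' (an empty line) to pass the request unchanged."""
    parts = urlsplit(request_line.split()[0])
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    acl = conf["acl"]["default"]  # no source ACLs modelled: "using default"
    for item in acl["pass"]:
        if item == "all":
            return ""
        negated, name = item.startswith("!"), item.lstrip("!")
        hit = bool(IPV4.match(host)) if name == "in-addr" else in_dest(conf, lists, name, host, path)
        if hit:
            return acl["redirect"] if negated else ""
    return acl["redirect"]  # pass list exhausted without an allow: blocked


if __name__ == "__main__":
    import sys
    conf = parse_conf(CONF_TEXT)
    for line in sys.stdin:  # the same stdin/stdout exchange Squid has with the helper
        sys.stdout.write(decide(conf, LISTS, line) + "\n")
        sys.stdout.flush()
```

Run it the same way the thread runs squidGuard, `echo "http://host/path - - GET" | python3 model.py`, and compare: squidGuard itself echoes the remaining fields after the redirect URL, as the `http://localhost/block.html -/- - GET` line in the log above shows, while this model prints only the URL. The `db_files` list is the set of files that must be newer than their source lists before reconfiguring, which is the rebuild step the earlier reply refers to.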
Re: [squid-users] Memory issues
I forgot to mention the other day, I searched for the latest version's rpm and couldn't find it. Do you know of any location which provides rpms for centos 5.4?

On 28 June 2011 14:42, Amos Jeffries wrote:
> On 28/06/11 22:31, Go Wow wrote:
>>
>> Look at these graphs which shows swap being used.
>>
>> Memory usage --> http://img.myph.us/Cr8.jpg
>> CPU usage --> http://img.myph.us/PgM.jpg
>>
>> The squid box is serving only 12 users now, the plan is to implement
>> this for 150 users and maybe more in future. I dont want it to break
>> in middle.
>
> Like I said at the beginning. You _might_ have been hitting one or more of
> the 8 memory leaks and pseudo-leaks we fixed in 3.1.8, 3.1.9, and 3.1.10.
>
> Please confirm whether 3.1.11 or later still show these types of graphs.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.9 and 3.1.12.3
>
Re: [squid-users] Memory issues
Look at these graphs which show swap being used.

Memory usage --> http://img.myph.us/Cr8.jpg
CPU usage --> http://img.myph.us/PgM.jpg

The squid box is serving only 12 users now; the plan is to implement this for 150 users and maybe more in future. I don't want it to break in the middle.

On 28 June 2011 14:14, Jenny Lee wrote:
>
> Subject: Re: [squid-users] Memory issues
>>
>> free -m
>> total used free shared buffers cached
>> Mem: 3722 3011 710 0 305 1352
>> -/+ buffers/cache: 1353 2369
>> Swap: 2047 21 2025
>>
>> Do I genuinely require to increase the memory of this system?
>>
>
>
> No. It looks good.
>
> I don't understand where you came up with the idea that you have memory
> issues.
>
> Jenny
>
Re: [squid-users] Memory issues
free -m
             total       used       free     shared    buffers     cached
Mem:          3722       3011        710          0        305       1352
-/+ buffers/cache:       1353       2369
Swap:         2047         21       2025

Do I genuinely need to increase the memory of this system?

On 28 June 2011 13:19, Jenny Lee wrote:
>
>> Good Lord!!!
>>
>> The amount of free RAM in my system keeps decreasing, What happens
>> when it RAM reaches to zero? Is it that it remove old object and free
>> up space?
>
> It is probably being used by buffer and cache.
>
> free -m
>
> should show you how much available memory and cache there is.
>
> Jenny
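Jenny's reply hinges on reading the `-/+ buffers/cache` row rather than the headline `used` figure. As an added example (not part of the thread), the script below parses `free -m` output laid out as the tool prints it, using the figures posted above as its constructed input, and separates the page cache and buffers, which the kernel reclaims on demand, from the memory applications actually hold.

```python
"""Added example: reading `free -m` the way the reply above suggests."""

# Constructed copy of the figures posted in the thread, in free's own layout.
FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:          3722       3011        710          0        305       1352
-/+ buffers/cache:       1353       2369
Swap:         2047         21       2025
"""


def parse_free(text):
    """Map each labelled row ('Mem', '-/+ buffers/cache', 'Swap') to its integers."""
    rows = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        if sep:  # the header row has no colon and is skipped
            rows[label.strip()] = [int(x) for x in rest.split()]
    return rows


def summarize(text):
    rows = parse_free(text)
    total, used, free, shared, buffers, cached = rows["Mem"]
    swap_total, swap_used, swap_free = rows["Swap"]
    app_used = used - buffers - cached   # what processes really hold
    available = free + buffers + cached  # what a new allocation could get
    return {
        "total_mb": total,
        "app_used_mb": app_used,
        "reclaimable_mb": buffers + cached,
        "available_mb": available,
        "available_pct": round(100 * available / total, 1),
        "swap_used_pct": round(100 * swap_used / swap_total, 1),
        # free rounds every column from kB separately, so its own -/+ row
        # can differ from the recomputed figure by 1 MB.
        "matches_free_line": abs(app_used - rows["-/+ buffers/cache"][0]) <= 1,
    }


def report(text):
    s = summarize(text)
    return (f"applications hold {s['app_used_mb']} MB of {s['total_mb']} MB; "
            f"{s['reclaimable_mb']} MB is page cache/buffers the kernel can drop; "
            f"{s['available_mb']} MB ({s['available_pct']}%) is available; "
            f"swap is {s['swap_used_pct']}% used")


if __name__ == "__main__":
    print(report(FREE_OUTPUT))
```

On the posted figures roughly 1.35 GB of 3.7 GB is held by processes and about 2.4 GB could still be handed out, which is why the reply says the box looks fine. For a live box, feed the script the output of `free -m` instead of the constructed string.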
Re: [squid-users] Memory issues
Good Lord!!!

The amount of free RAM in my system keeps decreasing. What happens when RAM reaches zero? Does it remove old objects and free up space?

On 28 June 2011 11:45, Amos Jeffries wrote:
> On 28/06/11 19:12, Go Wow wrote:
>>
>> That's good to hear.
>>
>> ps aux | wc -l shows me 165
>>
>> ps aux | grep squid |wc -l shows me 46
>> ps aux | grep httpd |wc -l shows me 10
>> ps aux | grep perl |wc -l shows me 7
>>
>> What are these rest 100 processes used for, below is the extract of my
>> ps aux command.
>>
>> http://pastebin.com/0ZVDAL0S
>>
>> Thanks for your feedback.
>>
>
> The rest are pieces of the operating system.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.9 and 3.1.12.3
>
Re: [squid-users] Memory issues
That's good to hear.

ps aux | wc -l shows me 165

ps aux | grep squid |wc -l shows me 46
ps aux | grep httpd |wc -l shows me 10
ps aux | grep perl |wc -l shows me 7

What are the remaining 100 processes used for? Below is the extract of my ps aux command.

http://pastebin.com/0ZVDAL0S

Thanks for your feedback.

On 28 June 2011 09:11, Amos Jeffries wrote:
> On 27/06/11 21:02, Go Wow wrote:
>>
>> Pls find below the link to excel file containing memory info from
>> squid cache manager.
>>
>> https://www.yousendit.com/download/MFo3c0w5bTh0TW14dnc9PQ
>>
>
> Shows Squid using 4MB of RAM.
>
>
>> Now my squid.conf looks like this, is this okay?
>>
>
> Looks fine now.
>
>
>>>
>>> Are you sure it is Squid consuming that memory? Its possibly another
>>> application.
>>> If you are sure it is Squid please upgrade to a later version. There
>>> were
>>> some memory overuse issues fixed between 3.1.8 and 3.1.11.
>>>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.9 and 3.1.12.3
>
Re: [squid-users] Memory issues
Any info for me regarding my last post? On 27 June 2011 13:02, Go Wow wrote: > Pls find below the link to excel file containing memory info from > squid cache manager. > > https://www.yousendit.com/download/MFo3c0w5bTh0TW14dnc9PQ > > Now my squid.conf looks like this, is this okay? > > auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s > GSS_C_NO_NAME > auth_param negotiate children 10 > auth_param negotiate keep_alive on > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp > auth_param ntlm children 8 > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic > auth_param basic credentialsttl 4 hour > auth_param basic casesensitive off > auth_param basic children 7 > auth_param basic realm DOMAIN > authenticate_cache_garbage_interval 10 seconds > authenticate_ttl 0 seconds > acl ad-auth proxy_auth REQUIRED > acl manager proto cache_object > acl localhost src 127.0.0.1/32 > acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 > acl allow_localnet dst 192.168.100.0/24 192.168.18.0/24 > acl allow_localdomain dstdomain .domain.com > acl local_net_dst dst 192.168.127.0/24 > acl local_net_src src 192.168.137.0/24 > acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085 > acl Unsafe_Ports port 1863 > acl Unsafe_Ports port 5222 > acl SSL_ports port 443 > acl Safe_ports port 80 53 443 3268 88 5060 5061 5062 5075 5076 5077 > 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000 > # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > http_access allow manager localhost > http_access deny manager > http_access deny Unsafe_Ports > http_access deny !Safe_ports > http_access deny CONNECT 
!SSL_ports > http_access allow localhost > http_access allow allow_localnet > http_access allow allow_localdomain > http_access allow ad-auth > http_access deny all > http_port 3128 > hierarchy_stoplist cgi-bin ? > cache_dir aufs /var/squid/cache 128 16 256 > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > redirect_program /usr/local/bin/squidGuard -c > /usr/local/squidGuard/squidGuard.conf > redirect_children 15 > icp_access deny all > htcp_access deny all > cache_mem 128 MB > access_log /var/log/squid/access.log squid > icp_port 3130 > pipeline_prefetch off > cache_mgr m...@domain.com > cachemgr_passwd password all > #delay_pools 2 > #delay_class 1 4 > #delay_class 2 4 > #delay_access 1 allow local_net_src > #delay_access 2 allow local_net_dst > #delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200 > #delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1 > #delay_initial_bucket_level 75 > httpd_suppress_version_string on > forwarded_for off > hosts_file /etc/hosts > cache_replacement_policy heap LFUDA > cache_swap_low 90 > cache_swap_high 95 > maximum_object_size_in_memory 50 KB > memory_pools off > maximum_object_size 50 MB > quick_abort_min 0 KB > quick_abort_max 0 KB > log_icp_queries off > client_db off > buffered_logs on > half_closed_clients off > > On 26 June 2011 16:19, Amos Jeffries wrote: >> On 26/06/11 21:24, Go Wow wrote: >>> >>> Hi, >>> >>> I'm using squid 3.1.8 on centos 5.4 with 3.8GB RAM and Dual Core >>> Processor. My swap is been used and 50% of RAM is used by cache& >>> buffers. Below link has one week's memory& CPU utilization >>> information in form of graph. >>> >>> Memory usage --> http://img.myph.us/Cr8.jpg >>> CPU usage --> http://img.myph.us/PgM.jpg >>> >>> I'm worried as to why the usage of swap is coming into picture, >>> logically if Swap is used then I need to increase the RAM but this >>> machine is serving only 12 users. 
>>> >>> My squid.conf is here >>> >>> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s >>> GSS_C_NO_NAME >>> auth_param negotiate children 10 >>> auth_param negotiate keep_alive on >>> auth_param ntlm program /usr/bin/ntlm_auth >>> --helper-protocol=squid-2.5-ntlmssp >>> auth_param ntlm children
Re: [squid-users] Memory issues
Pls find below the link to the excel file containing memory info from squid cache manager.

https://www.yousendit.com/download/MFo3c0w5bTh0TW14dnc9PQ

Now my squid.conf looks like this, is this okay?

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 8
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 4 hour
auth_param basic casesensitive off
auth_param basic children 7
auth_param basic realm DOMAIN
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl ad-auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl allow_localnet dst 192.168.100.0/24 192.168.18.0/24
acl allow_localdomain dstdomain .domain.com
acl local_net_dst dst 192.168.127.0/24
acl local_net_src src 192.168.137.0/24
acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
acl Unsafe_Ports port 1863
acl Unsafe_Ports port 5222
acl SSL_ports port 443
acl Safe_ports port 80 53 443 3268 88 5060 5061 5062 5075 5076 5077 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny Unsafe_Ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allow_localnet
http_access allow allow_localdomain
http_access allow ad-auth
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/squid/cache 128 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 15
icp_access deny all
htcp_access deny all
cache_mem 128 MB
access_log /var/log/squid/access.log squid
icp_port 3130
pipeline_prefetch off
cache_mgr m...@domain.com
cachemgr_passwd password all
#delay_pools 2
#delay_class 1 4
#delay_class 2 4
#delay_access 1 allow local_net_src
#delay_access 2 allow local_net_dst
#delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
#delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
#delay_initial_bucket_level 75
httpd_suppress_version_string on
forwarded_for off
hosts_file /etc/hosts
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 50 KB
memory_pools off
maximum_object_size 50 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

On 26 June 2011 16:19, Amos Jeffries wrote:
> On 26/06/11 21:24, Go Wow wrote:
>>
>> Hi,
>>
>> I'm using squid 3.1.8 on centos 5.4 with 3.8GB RAM and Dual Core
>> Processor. My swap is been used and 50% of RAM is used by cache&
>> buffers. Below link has one week's memory& CPU utilization
>> information in form of graph.
>>
>> Memory usage --> http://img.myph.us/Cr8.jpg
>> CPU usage --> http://img.myph.us/PgM.jpg
>>
>> I'm worried as to why the usage of swap is coming into picture,
>> logically if Swap is used then I need to increase the RAM but this
>> machine is serving only 12 users.
>>
>> My squid.conf is here
>>
>> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s
>> GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 8
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic credentialsttl 4 hour
>> auth_param basic casesensitive off
>> auth_param basic children 7
>> auth_param basic realm DOMAINNAME
>> authenticate_cache_garbage_interval 10 seconds
>> authenticate_ttl 0 seconds
>> acl ad-auth proxy_auth REQUIRED
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>> acl allow_localnet dst 192.168.110.0/24 192.168.188.0/24
>> acl allow_localdomain dstdomain .domain.com
>> acl local_net
[squid-users] Memory issues
Hi,

I'm using squid 3.1.8 on centos 5.4 with 3.8GB RAM and a Dual Core Processor. My swap is being used and 50% of RAM is used by cache & buffers. The links below have one week's memory & CPU utilization information in the form of graphs.

Memory usage --> http://img.myph.us/Cr8.jpg
CPU usage --> http://img.myph.us/PgM.jpg

I'm worried as to why the usage of swap is coming into the picture; logically if swap is used then I need to increase the RAM, but this machine is serving only 12 users.

My squid.conf is here

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 8
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 4 hour
auth_param basic casesensitive off
auth_param basic children 7
auth_param basic realm DOMAINNAME
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl ad-auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl allow_localnet dst 192.168.110.0/24 192.168.188.0/24
acl allow_localdomain dstdomain .domain.com
acl local_net_dst dst 192.168.117.0/24
acl local_net_src src 192.168.117.0/24
acl Unsafe_Ports port 5050 843 5100 5101 5000-5010 9085
acl Unsafe_Ports port 1863
acl Unsafe_Ports port 5222
acl SSL_ports port 443
acl Safe_ports port 80 53 3268 88 5060 5061 5062 5075 5076 5077 50636 587 50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost allow_localnet allow_localdomain
http_access allow manager localhost
http_access allow ad-auth
http_access deny manager
http_access deny Unsafe_Ports !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 15
icp_access deny all
htcp_access deny all
http_port 3128
cache_mem 128 MB
cache_dir aufs /var/squid/cache 128 16 256
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
pipeline_prefetch off
#delay_pools 2
#delay_class 1 4
#delay_class 2 4
#delay_access 1 allow local_net_src
#delay_access 2 allow local_net_dst
#delay_parameters 1 -1/-1 -1/-1 -1/-1 51200/51200
#delay_parameters 2 -1/-1 -1/-1 -1/-1 -1/-1
#delay_initial_bucket_level 75
httpd_suppress_version_string on
forwarded_for off
hosts_file /etc/hosts
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 50 KB
memory_pools off
maximum_object_size 50 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

I had delay pools but I later disabled them as well.
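The http_access block in this first squid.conf puts `allow ad-auth` ahead of the port and CONNECT denies, and its first line requires `localhost`, `allow_localnet` and `allow_localdomain` to all hold at once; the reworked config posted later in the thread puts the denies first and gives each allow its own line. As an added example (not Squid's code), the script below models Squid's documented http_access semantics, ACLs on one line ANDed, first matching line wins, and the opposite of the last line's action as the fallback, and evaluates constructed requests under both rule orders. The ACL definitions follow the reworked config (`localhost` is modelled as a single address, and the destination address Squid would resolve itself is passed in as a field); the request values are constructed.

```python
"""Added example: first-match evaluation of Squid http_access lines, comparing
the two rule orders from the thread."""
import ipaddress


def ports(spec):
    """Expand 'a b-c d' into a set of port numbers."""
    out = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


SAFE_PORTS = ports("80 53 443 3268 88 5060 5061 5062 5075 5076 5077 50636 587 "
                   "50389 58941 110 995 993 143 389 636 119 25 465 135 102 3000 "
                   "21 70 210 1025-65535 280 488 591 777")
UNSAFE_PORTS = ports("5050 843 5100 5101 5000-5010 9085 1863 5222")
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "192.168.18.0/24")]

# acl name -> predicate on a request dict (src, host, dst, port, method, user, proto)
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "allow_localnet": lambda r: any(ipaddress.ip_address(r["dst"]) in n for n in LOCALNET),
    "allow_localdomain": lambda r: r["host"] == "domain.com" or r["host"].endswith(".domain.com"),
    "Unsafe_Ports": lambda r: r["port"] in UNSAFE_PORTS,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "ad-auth": lambda r: r["user"] is not None,  # proxy_auth REQUIRED: any authenticated user
    "all": lambda r: True,
}

ORIGINAL_RULES = [  # http_access order from the first squid.conf in the thread
    "allow localhost allow_localnet allow_localdomain",
    "allow manager localhost",
    "allow ad-auth",
    "deny manager",
    "deny Unsafe_Ports !Safe_ports",
    "deny CONNECT !SSL_ports",
    "deny all",
]
REVISED_RULES = [  # http_access order from the reworked squid.conf
    "allow manager localhost",
    "deny manager",
    "deny Unsafe_Ports",
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow localhost",
    "allow allow_localnet",
    "allow allow_localdomain",
    "allow ad-auth",
    "deny all",
]


def http_access(rules, req):
    """ACLs on one line are ANDed; the first line whose ACLs all match decides;
    if no line matches, the opposite of the last line's action applies."""
    action = "allow"
    for line in rules:
        action, *names = line.split()
        # a '!name' term matches when the ACL does not; a plain term when it does
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if action == "allow" else "allow"


def request(src, host, dst, port, method="GET", user=None, proto="http"):
    return dict(src=src, host=host, dst=dst, port=port, method=method, user=user, proto=proto)


def compare(req):
    """(decision under the original order, decision under the reworked order)."""
    return http_access(ORIGINAL_RULES, req), http_access(REVISED_RULES, req)


if __name__ == "__main__":
    im = request("192.168.117.5", "im.example", "203.0.113.10", 1863, user="alice")
    print("authenticated user to port 1863:", compare(im))
```

Three constructed requests show where the order matters: an authenticated user reaching an `Unsafe_Ports` port (1863) is allowed by the first order, because `allow ad-auth` is reached before any deny, and denied by the second; a CONNECT from an authenticated user to a non-443 port is likewise allowed only by the first; and an unauthenticated LAN client reaching an intranet host is denied by the first order, because its combined allow line also demands `localhost`, and allowed by the second through `allow allow_localnet`.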
Re: [squid-users] proxy single sign-on
I thought squid with kerberos works like SSO, isn't it?

On 4 May 2011 11:48, Amos Jeffries wrote:
> On 04/05/11 19:31, patrick.oesch...@bluewin.ch wrote:
>>
>> proxy (basic) authorization works well for the moment - so far so good...
>> i had a look at one of the commercial
>> products recently and they do some kind of single sign-on for their proxy
>> service
>> - the user will logon for the first
>> time with username/password
>> - a flash cookie (LSO - local stored object) will be set in the users
>> broswer with no
>> expiration time
>> - further authorizations (after browser was closed / machine restarted)
>> will be granted based on this
>> flash cookie
>>
>> i am in no way a squid/auth/flash guru...
>> has anyone tried a similar approach on squid?
>
> BlueCoat? (they seems to like this style of login).
>
>> it seems that
>> flash can be used to set various headers in the browser (if flash plugin
>> installed...)
>> so lets say the authentication
>> succeeds and flash will set the 'proxy-auth' header
>> ...will this header then be used in all subsequent browser
>> requests?
>
> Interesting question. Try it?
>
>>
>> a bit flash centric i know - pardon me ;D
>> /pat
>
> Not at all. We dearly need somebody with the will to try and see good
> proxy-auth methods documented for Flash, Java libraries, and quite a few
> other applications as well.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Re: [squid-users] Re: Re: Re: Re: Help me configure Kerberos Authentication
Hi Markus,

Thanks for your reply. Is it safe to use negotiate wrapper with squid 3.1.8? I didn't add delegation to that system; I have just given full permissions to the admin user and that computer. Does it matter?

Regards

On 2 May 2011 17:56, Markus Moeller wrote:
> Hi Go,
>
> There is no need to use delegation and you must not enable delegation as it
> creates a risk that your squid system can create tickets for other users
> (e.g. impersonate another user).
>
> Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
> setup correctly it is the preferred option for the client, but if Kerberos
> fails for some reason the client will fall back to NTLM and replies to an
> Negotiate authentication request with a NTLM token. To deal with this
> situation I created the negotiate wrapper which sends Kerberos tokens to the
> kerberos authentication handler and NTLM token to the NTLM authentication
> handler. Unfortunately there are applications like IM clients which use
> proxies, but only support NTLM (not Negotiate). To cater for this case squid
> has to offer NTLM too. So you need:
>
> negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate
> Kerberos/NTLM
>
> and
>
> ntlm_auth for pure NTLM
>
> Squid trunk (3.2) has still a problem with the negotiate_wrapper and NTLM. I
> haven't found the reason yet.
>
> Markus
>
>
> "Go Wow" wrote in message
> news:BANLkTi=ikahhul8tuoght4qn08ckcdz...@mail.gmail.com...
> I changed my approach a lil bit and swicthed to centos from ubuntu hehe.
>
> I installed centos and configured kerberos/squid as mentioned in
> squid-cache kerberos guide, I used msktutil to create the keytab file.
> On the windows server I checked the machine, it was listed as a
> workstation I went on to properties and selected delegation tab and
> tried to allow delagation of kerberos but it didnt work. So I right
> clicked on the computer name and clicked on properties >> security and
> given full permission to Administrator and then gave full permission
> to same computer name.
>
> Now im able to authenticate users and use squid to browse.
>
> I will be monitoring squid for next couple of days and see if it gives
> that log entries of libntlmssp.
>
> How safe is it to use negotiate_wrapper in production? What is the
> difference between using negogiate_wrapper and a 2nd auth param
> statement for ntlm in squid.conf
>
>
> Regards
>
> On 2 May 2011 09:20, Go Wow wrote:
>>
>> I will check that and inform you. But how did you troubleshoot that
>> the entry is missing from AD?
>>
>> On 1 May 2011 14:51, Markus Moeller wrote:
>>>
>>> It looks like you do not have an entry in AD. Can you search AD for
>>> entries
>>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" wrote in message
>>> news:banlktinuivd8yfnnx+gp6azxd0rhztk...@mail.gmail.com...
>>> On 1 May 2011 00:00, Markus Moeller wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>>
>>> Yes I used --enctypes 28
>>>
>>>>
>>>> what does klist -e show and what does
>>>> kinit
>>>> kvno HTTP/proxyserver.orangegroup.com
>>>>
>>>> show ( being your userid ) ?
>>>
>>> Here is the complete output
>>>
>>> root@proxyserver:/home/owner# whoami
>>> root
>>> root@proxyserver:/home/owner# klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root@proxyserver:/home/owner# klist -e
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root@proxyserver:/home/owner# kinit Administrator
>>> Password for administra...@orangegroup.com:
>>> root@proxyserver:/home/owner# klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: administra...@orangegroup.com
>>>
>>> Valid starting Expires Service principal
>>> 05/01/11 09:36:33 05/01/11 19:36:38
>>> krbtgt/orangegroup@orangegroup.com
>>> renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
>>> HMAC/md5,ArcFour with HMAC/md5
>>> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>>> kvno: Server not found in Kerberos database while getting credentials
>>> for http/proxyserver.orangegroup@orangegroup.com
>>> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>>> kvno: Server
Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication
I changed my approach a lil bit and switched to centos from ubuntu hehe.

I installed centos and configured kerberos/squid as mentioned in squid-cache kerberos guide, I used msktutil to create the keytab file. On the windows server I checked the machine, it was listed as a workstation I went on to properties and selected delegation tab and tried to allow delegation of kerberos but it didn't work. So I right clicked on the computer name and clicked on properties >> security and given full permission to Administrator and then gave full permission to same computer name.

Now I'm able to authenticate users and use squid to browse.

I will be monitoring squid for next couple of days and see if it gives that log entries of libntlmssp.

How safe is it to use negotiate_wrapper in production? What is the difference between using negotiate_wrapper and a 2nd auth param statement for ntlm in squid.conf

Regards

On 2 May 2011 09:20, Go Wow wrote:
> I will check that and inform you. But how did you troubleshoot that
> the entry is missing from AD?
>
> On 1 May 2011 14:51, Markus Moeller wrote:
>> It looks like you do not have an entry in AD. Can you search AD for entries
>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>
>> Markus
>>
>>
>> "Go Wow" wrote in message
>> news:banlktinuivd8yfnnx+gp6azxd0rhztk...@mail.gmail.com...
>> On 1 May 2011 00:00, Markus Moeller wrote:
>>>
>>> Hi Go,
>>>
>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>
>> Yes I used --enctypes 28
>>
>>>
>>> what does klist -e show and what does
>>> kinit
>>> kvno HTTP/proxyserver.orangegroup.com
>>>
>>> show ( being your userid ) ?
>>
>> Here is the complete output
>>
>> root@proxyserver:/home/owner# whoami
>> root
>> root@proxyserver:/home/owner# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root@proxyserver:/home/owner# klist -e
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root@proxyserver:/home/owner# kinit Administrator
>> Password for administra...@orangegroup.com:
>> root@proxyserver:/home/owner# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administra...@orangegroup.com
>>
>> Valid starting     Expires            Service principal
>> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/orangegroup@orangegroup.com
>>         renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5
>> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for http/proxyserver.orangegroup@orangegroup.com
>> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for HTTP/proxyserver.orangegroup@orangegroup.com
>>
>>> When you purge tickets (with kerbtray) , start wireshark with a filter on
>>> port 88 and access a webpage via the proxy do you see any errors in
>>> wireshark ? Can you send me the capture ?
>>
>> I will email you the port 88 capture in a sec.
>>
>> Thanks for your help.
>>
>>> Markus
>>>
>>>
>>> "Go Wow" wrote in message
>>> news:banlktinski+d9qe6nxrfglxjjkad2gn...@mail.gmail.com...
>>> I tried with msktutil version 0.4 but same thing is happening.
>>>
>>> I followed your guide, firstly with samba/winbind, I created the
>>> keytab and configure negotiate parameters in squid.conf but when I
>>> open browser pointing to squid3 as proxy server (with fqdn not IP) it
>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>
>>> Then I tried msktutil. The command I used is same as I mentioned below.
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>> ad01.orangegroup.com --verbose
>>>
>>> The output of the command gives me one error saying but creates the keytab
>>> file
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>>
>>> I have kerbtray installed on client system and I can see my domains
>>> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
>>> server which uses the sa
Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication
I will check that and inform you. But how did you troubleshoot that the entry is missing from AD?

On 1 May 2011 14:51, Markus Moeller wrote:
> It looks like you do not have an entry in AD. Can you search AD for entries
> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>
> Markus
>
>
> "Go Wow" wrote in message
> news:banlktinuivd8yfnnx+gp6azxd0rhztk...@mail.gmail.com...
> On 1 May 2011 00:00, Markus Moeller wrote:
>>
>> Hi Go,
>>
>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>
> Yes I used --enctypes 28
>
>>
>> what does klist -e show and what does
>> kinit
>> kvno HTTP/proxyserver.orangegroup.com
>>
>> show ( being your userid ) ?
>
> Here is the complete output
>
> root@proxyserver:/home/owner# whoami
> root
> root@proxyserver:/home/owner# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root@proxyserver:/home/owner# klist -e
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root@proxyserver:/home/owner# kinit Administrator
> Password for administra...@orangegroup.com:
> root@proxyserver:/home/owner# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@orangegroup.com
>
> Valid starting     Expires            Service principal
> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/orangegroup@orangegroup.com
>         renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5
> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials
> for http/proxyserver.orangegroup@orangegroup.com
> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials
> for HTTP/proxyserver.orangegroup@orangegroup.com
>
>> When you purge tickets (with kerbtray) , start wireshark with a filter on
>> port 88 and access a webpage via the proxy do you see any errors in
>> wireshark ? Can you send me the capture ?
>
> I will email you the port 88 capture in a sec.
>
> Thanks for your help.
>
>> Markus
>>
>>
>> "Go Wow" wrote in message
>> news:banlktinski+d9qe6nxrfglxjjkad2gn...@mail.gmail.com...
>> I tried with msktutil version 0.4 but same thing is happening.
>>
>> I followed your guide, firstly with samba/winbind, I created the
>> keytab and configure negotiate parameters in squid.conf but when I
>> open browser pointing to squid3 as proxy server (with fqdn not IP) it
>> prompts for username/password. This system is Windows 7 64 Bit.
>>
>> Then I tried msktutil. The command I used is same as I mentioned below.
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> The output of the command gives me one error saying but creates the keytab
>> file
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>
>> I have kerbtray installed on client system and I can see my domains
>> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
>> server which uses the same method to authenticate and I'm able to login
>> to it without entering username/password. I tried with purging tickets
>> but no change.
>>
>> Regards
>>
>>
>> On 30 April 2011 16:17, Markus Moeller wrote:
>>>
>>> Hi Go,
>>>
>>> Can you describe in detail what you did ( e.g. exact msktutil command).
>>> BTW I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
>>> which you should try in the case you use an older version.
>>>
>>> It looks to me that your client is not able to get the Kerberos ticket
>>> from AD, which is why the client falls back to NTLM and the negotiate
>>> wrapper now deals with this case.
>>>
>>> To find out why the client does not get the ticket you can run wireshark
>>> and look for traffic on port 88.
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" wrote in message
>>> news:banlktinqnrms5t2tq7frn+-noezsmy5...@mail.gmail.com...
>>> When I run msktutil I get this line in the output.
>>>
>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>
>>> I did k
Re: [squid-users] Re: Re: Help me configure Kerberos Authentication
On 1 May 2011 00:00, Markus Moeller wrote:
> Hi Go,
>
> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?

Yes I used --enctypes 28

>
> what does klist -e show and what does
> kinit
> kvno HTTP/proxyserver.orangegroup.com
>
> show ( being your userid ) ?

Here is the complete output

root@proxyserver:/home/owner# whoami
root
root@proxyserver:/home/owner# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# kinit Administrator
Password for administra...@orangegroup.com:
root@proxyserver:/home/owner# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@orangegroup.com

Valid starting     Expires            Service principal
05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/orangegroup@orangegroup.com
        renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5
root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup@orangegroup.com
root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for HTTP/proxyserver.orangegroup@orangegroup.com

> When you purge tickets (with kerbtray) , start wireshark with a filter on
> port 88 and access a webpage via the proxy do you see any errors in
> wireshark ? Can you send me the capture ?

I will email you the port 88 capture in a sec.

Thanks for your help.

> Markus
>
>
> "Go Wow" wrote in message
> news:banlktinski+d9qe6nxrfglxjjkad2gn...@mail.gmail.com...
> I tried with msktutil version 0.4 but same thing is happening.
>
> I followed your guide, firstly with samba/winbind, I created the
> keytab and configure negotiate parameters in squid.conf but when I
> open browser pointing to squid3 as proxy server (with fqdn not IP) it
> prompts for username/password. This system is Windows 7 64 Bit.
>
> Then I tried msktutil. The command I used is same as I mentioned below.
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
> ad01.orangegroup.com --verbose
>
> The output of the command gives me one error saying but creates the keytab
> file
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>
> I have kerbtray installed on client system and I can see my domains
> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
> server which uses the same method to authenticate and I'm able to login
> to it without entering username/password. I tried with purging tickets
> but no change.
>
> Regards
>
>
> On 30 April 2011 16:17, Markus Moeller wrote:
>>
>> Hi Go,
>>
>> Can you describe in detail what you did ( e.g. exact msktutil command).
>> BTW I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
>> which you should try in the case you use an older version.
>>
>> It looks to me that your client is not able to get the Kerberos ticket
>> from AD, which is why the client falls back to NTLM and the negotiate
>> wrapper now deals with this case.
>>
>> To find out why the client does not get the ticket you can run wireshark
>> and look for traffic on port 88.
>>
>> Markus
>>
>>
>> "Go Wow" wrote in message
>> news:banlktinqnrms5t2tq7frn+-noezsmy5...@mail.gmail.com...
>> When I run msktutil I get this line in the output.
>>
>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>
>> I did kinit before issuing msktutil and it ran successfully. I can see
>> tickets when I issue klist.
>>
>>
>>
>> On 30 April 2011 10:43, Go Wow wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>> kerberos authentication guide on squid-cache and many other guides, I
>>> always end up with these logs in my cache.log. My client browser keeps
>>> prompting for username/password. Even a valid set of credentials are
>>> not accepted.
>>>
>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error
Re: [squid-users] Re: Help me configure Kerberos Authentication
I tried with msktutil version 0.4 but same thing is happening.

I followed your guide, firstly with samba/winbind, I created the keytab and configure negotiate parameters in squid.conf but when I open browser pointing to squid3 as proxy server (with fqdn not IP) it prompts for username/password. This system is Windows 7 64 Bit.

Then I tried msktutil. The command I used is same as I mentioned below.

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

The output of the command gives me one error saying but creates the keytab file
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I have kerbtray installed on client system and I can see my domains krtgt/domain.com listed. As a matter of fact I'm using sharepoint server which uses the same method to authenticate and I'm able to login to it without entering username/password. I tried with purging tickets but no change.

Regards

On 30 April 2011 16:17, Markus Moeller wrote:
> Hi Go,
>
> Can you describe in detail what you did ( e.g. exact msktutil command). BTW
> I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
> which you should try in the case you use an older version.
>
> It looks to me that your client is not able to get the Kerberos ticket from
> AD, which is why the client falls back to NTLM and the negotiate wrapper
> now deals with this case.
>
> To find out why the client does not get the ticket you can run wireshark
> and look for traffic on port 88.
>
> Markus
>
>
> "Go Wow" wrote in message
> news:banlktinqnrms5t2tq7frn+-noezsmy5...@mail.gmail.com...
> When I run msktutil I get this line in the output.
>
> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>
> I did kinit before issuing msktutil and it ran successfully. I can see
> tickets when I issue klist.
>
>
>
> On 30 April 2011 10:43, Go Wow wrote:
>>
>> Hi,
>>
>> I'm trying to configure Kerberos Authentication for squid. I'm
>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>> kerberos authentication guide on squid-cache and many other guides, I
>> always end up with these logs in my cache.log. My client browser keeps
>> prompting for username/password. Even a valid set of credentials are
>> not accepted.
>>
>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>
>>
>> I want to check and make sure my keytab entries are good. How do I do
>> that? My client System can list the tickets for client principal.
>>
>> Please have a look at my krb5.conf & keytab file here
>> http://pastebin.com/vTBr3r5D
>>
>> I'm using this command to create the keytab file.
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> All the domains are resolving properly to IPs.
>>
>> Thanks for your help.
>>
>
>
>
Re: [squid-users] Re: Help me configure Kerberos Authentication
Amos,

Even now I get these entries in my cache.log

[2011/04/30 14:55:08, 1] libsmb/ntlmssp.c:335(ntlmssp_update)
  got NTLMSSP command 3, expected 1
2011/04/30 14:55:08| negotiate_wrapper: Return 'NA = NT_STATUS_INVALID_PARAMETER

The whole point for me to move from ntlm to kerberos was to get rid of these messages.

On 30 April 2011 14:13, Amos Jeffries wrote:
> On 30/04/11 21:58, Go Wow wrote:
>>
>> Thanks Amos.
>>
>> If I use negotiate_wrapper then I'm able to access websites using
>> squid (yes I don't get prompt for credentials) but I get many of these
>> messages in cache.log
>>
>> 2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
>> 2011/04/30 13:56:33| negotiate_wrapper: Got 'KK [base64 token omitted]' from squid (length: 659).
>> 2011/04/30 13:56:33| negotiate_wrapper: Decode '[base64 token omitted]' (decoded length: 492).
>> 2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
>> 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
>> '
>> 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
>> '
>> 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
>> '
>> 2011/04/30 13:56:39| negotiate_wrapper: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
>> 2011/04/30 13:56:39| negotiate_wrapper: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
>> 2011/04/30 13:56:39| negotiate_wrapper: received type 1 NTLM token
>> 2011/04/30 13:56:39| negotiate_wrapper: Return 'TT [base64 token omitted]
>> '
>> 2011/04/30 13:56:39| negotiate_wrapper: Got 'KK [base64 token omitted]' from squid (length: 659).
>> 2011/04/30 13:56:39| negotiate_wrapper: Decode '[base64 token omitted]' (decoded length: 492).
>> 2011/04/30 13:56:39| negotiate_wrapper: received type 3 NTLM token
>> 2011/04/30 13:56:39| negotiate_wrapper: Return 'AF = tim.panei
>>
>>
>> Is this something of worry in long term?
>
> That is a success message. But very verbose.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.12
>   Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Re: [squid-users] Re: Help me configure Kerberos Authentication
Thanks Amos.

If I use negotiate_wrapper then I'm able to access websites using squid (yes I don't get prompt for credentials) but I get many of these messages in cache.log

2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:33| negotiate_wrapper: Got 'KK [base64 token omitted]' from squid (length: 659).
2011/04/30 13:56:33| negotiate_wrapper: Decode '[base64 token omitted]' (decoded length: 492).
2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:39| negotiate_wrapper: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
2011/04/30 13:56:39| negotiate_wrapper: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
2011/04/30 13:56:39| negotiate_wrapper: received type 1 NTLM token
2011/04/30 13:56:39| negotiate_wrapper: Return 'TT [base64 token omitted]
'
2011/04/30 13:56:39| negotiate_wrapper: Got 'KK [base64 token omitted]' from squid (length: 659).
2011/04/30 13:56:39| negotiate_wrapper: Decode '[base64 token omitted]' (decoded length: 492).
2011/04/30 13:56:39| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:39| negotiate_wrapper: Return 'AF = tim.panei

Is this something of worry in long term?

On 30 April 2011 13:45, Go Wow wrote:
> Amos, Do you know where the problem is? Should I move back to squid
> 2.7, will that help?
>
> If I configure my squid to use ntlm auth I get so many NTLM Type 3
> token messages in cache.log. The same config works good on IE6. When I
> test this with firefox 3.6+ or IE8 it keeps prompting the username.
>
> On 30 April 2011 13:30, Amos Jeffries wrote:
>> On 30/04/11 20:13, Go Wow wrote:
>>>
>>> When I run msktutil I get this line in the output.
>>>
>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos dat
Re: [squid-users] Re: Help me configure Kerberos Authentication
Amos,

Do you know where the problem is? Should I move back to squid 2.7, will that help?

If I configure my squid to use ntlm auth I get so many NTLM Type 3 token messages in cache.log. The same config works good on IE6. When I test this with firefox 3.6+ or IE8 it keeps prompting the username.

On 30 April 2011 13:30, Amos Jeffries wrote:
> On 30/04/11 20:13, Go Wow wrote:
>>
>> When I run msktutil I get this line in the output.
>>
>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>
>> I did kinit before issuing msktutil and it ran successfully. I can see
>> tickets when I issue klist.
>>
>
> Tickets, klist and keytabs do not matter in this case; Kerberos is not
> involved.
>
>>
>>
>> On 30 April 2011 10:43, Go Wow wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>> kerberos authentication guide on squid-cache and many other guides, I
>>> always end up with these logs in my cache.log. My client browser keeps
>>> prompting for username/password. Even a valid set of credentials are
>>> not accepted.
>>>
>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>> token
>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>> token'
>
> "type 1 NTLM" aka NTLM authentication protocol.
>
> The Kerberos helpers for Squid only validate type 3 (Kerberos).
>
> Markus has developed a negotiate_wrapper helper which can split the
> Negotiate auth protocol into Negotiate/Kerberos and Negotiate/NTLM
> validation. That may be of some help, though there are bugs in the Squid end
> which prevent it working sometimes.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.12
>   Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
[squid-users] Re: Help me configure Kerberos Authentication
When I run msktutil I get this line in the output.

krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I did kinit before issuing msktutil and it ran successfully. I can see tickets when I issue klist.

On 30 April 2011 10:43, Go Wow wrote:
> Hi,
>
> I'm trying to configure Kerberos Authentication for squid. I'm
> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
> kerberos authentication guide on squid-cache and many other guides, I
> always end up with these logs in my cache.log. My client browser keeps
> prompting for username/password. Even a valid set of credentials are
> not accepted.
>
> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>
>
> I want to check and make sure my keytab entries are good. How do I do
> that? My client System can list the tickets for client principal.
>
> Please have a look at my krb5.conf & keytab file here
> http://pastebin.com/vTBr3r5D
>
> I'm using this command to create the keytab file.
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
> ad01.orangegroup.com --verbose
>
> All the domains are resolving properly to IPs.
>
> Thanks for your help.
>
[squid-users] Help me configure Kerberos Authentication
Hi,

I'm trying to configure Kerberos Authentication for squid. I'm running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the kerberos authentication guide on squid-cache and many other guides, I always end up with these logs in my cache.log. My client browser keeps prompting for username/password. Even a valid set of credentials are not accepted.

2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbAdDw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbAdDw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

I want to check and make sure my keytab entries are good. How do I do that? My client System can list the tickets for client principal.

Please have a look at my krb5.conf & keytab file here http://pastebin.com/vTBr3r5D

I'm using this command to create the keytab file.

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

All the domains are resolving properly to IPs.

Thanks for your help.
Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"
Thanks. I have set my ntlm auth children to 50, basic auth children to 30 and squidGuard children to 30. As I see my CPU usage is under 0.09 and RAM is 1.2GB free outta 4GB.

I also set these directives in squid.conf

  logformat agentTokens %{Proxy-Authentication}>h "%{User-Agent}>h"
  acl failedAuth http_status 407
  access_log /var/log/squid3/access.log squid
  access_log /var/log/squid3/access.log agentTokens failedAuth

but I don't see any user-agent info in cache.log (I know I'm doing something wrong here, pls correct me)

Cheers

On 19 April 2011 17:26, Amos Jeffries wrote:
> On 20/04/11 01:20, Go Wow wrote:
>> I'm completely noob in this. How do I set the below setting?
>>
>> Ensure that persistent connections are ON to clients (default in 3.1). That will have the biggest impact.
>
> In 3.0 and older:
> client_persistent_connections on
>
> In 3.1 ensure that the directive is not set anywhere in squid.conf.
>
>> On 19 April 2011 17:17, Amos Jeffries wrote:
>>> On 20/04/11 01:04, Go Wow wrote:
>>>> I have seen the increasing the number of auth children decreases the error in cache.log. What is the optimal amount of children that we should use, supposing squid is serving 500 users.
>>>>
>>>> I will try your suggestions and inform you.
>>>
>>> Hmm, that sounds like it may actually be NTLM, but failing some other way.
>>>
>>> Number of auth children has a max of 256 connections to the DC. Each child will consume one.
>>> If you have much RAM used by Squid there are also sometimes limits to how many children it can spawn/fork before you get out-of-memory problems.
>>>
>>> Ensure that persistent connections are ON to clients (default in 3.1). That will have the biggest impact.
>>>
>>>> Regards
>>>>
>>>> On 19 April 2011 16:50, Amos Jeffries wrote:
>>>>> On 19/04/11 23:54, Go Wow wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I meant 3.1.11
>>>>>>
>>>>>> How do I check which user-agent is giving this issue? As I told 70% people use IE here (different versions) some use IE 8, IE 7 and IE 6. 20-25% use firefox 3.6 or firefox 4 and rest use google chrome.
>>>>>
>>>>> It may be in your logs as a client which gets a lot of NTLM denials.
>>>>>
>>>>> If not, adding a log to record which agents are failing is easy:
>>>>>
>>>>> logformat agentTokens %{Proxy-Authentication}>h "%{User-Agent}>h"
>>>>>
>>>>> (mind the wrap that is one line)
>>>>>
>>>>> acl failedAuth http_status 407
>>>>> access_log /some/file.log agentTokens failedAuth
>>>>>
>>>>> This logs the auth tokens and user-agents sending them. One of the tokens should appear in cache.log next to the error message.
>>>>>
>>>>>> Can you please point me to some doc to use that negotiate wrapper. I tried squid_kerb_auth and failed miserably and I'm not planning to go near it until my squid is stable.
>>>>>>
>>>>>> I have made a GPO for all users to use NTLM as preferred auth method, let's see if that makes a difference. I did it by adding "LmCompatibilityLevel" to "1" in registry.
>>>>>
>>>>> "1" is not a good value for that. Probably "4" is what you need. "5" if possible.
>>>>>
>>>>> see this for what each level apparently means:
>>>>> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>>>>>
>>>>> It seems to be an old article, so things may have changed a little. I'm not sure how Kerberos integrates with those for example in IE 7/8.
>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> On 19 April 2011 14:08, Amos Jeffries wrote:
>>>>>>> On 19/04/11 20:09, Go Wow wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>>>>>>>
>>>>>>> You mean 3.1.1? we are only up to 3.2 series so far.
>>>>>>>
>>>>>>>> have these entries at random times. I know that the client is sending a kerberos reply instead of NTLM auth. I want to know whether something can be done about this or not.
>>>>>>>>
>>>>>>>> libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1
>>>>>>>>
>>>>>>>> I tried moving to Kerberos but it didn't work for me. My client environment is IE 8, Chrome and Firefox 3.6 or 4
>>>>>>>
>>>>>>> For the record which User-Agent is broken and sending Kerberos when offered NTLM? and are you offering Negotiate?
>>>>>>>
>>>>>>> The new negotiate_wrapper helper from Markus Moeller may help. We have tested it of use in "auth_param negotiate", but I'm not sure of the effect if it's used in "auth_param ntlm".
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"
I'm completely noob in this. How do I set the below setting?

  Ensure that persistent connections are ON to clients (default in 3.1). That will have the biggest impact.

On 19 April 2011 17:17, Amos Jeffries wrote:
> On 20/04/11 01:04, Go Wow wrote:
>> I have seen the increasing the number of auth children decreases the error in cache.log. What is the optimal amount of children that we should use, supposing squid is serving 500 users.
>>
>> I will try your suggestions and inform you.
>
> Hmm, that sounds like it may actually be NTLM, but failing some other way.
>
> Number of auth children has a max of 256 connections to the DC. Each child will consume one.
> If you have much RAM used by Squid there are also sometimes limits to how many children it can spawn/fork before you get out-of-memory problems.
>
> Ensure that persistent connections are ON to clients (default in 3.1). That will have the biggest impact.
>
>> Regards
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"
I have seen the increasing the number of auth children decreases the error in cache.log. What is the optimal amount of children that we should use, supposing squid is serving 500 users.

I will try your suggestions and inform you.

Regards

On 19 April 2011 16:50, Amos Jeffries wrote:
> On 19/04/11 23:54, Go Wow wrote:
>> Hi,
>>
>> I meant 3.1.11
>>
>> How do I check which user-agent is giving this issue? As I told 70% people use IE here (different versions) some use IE 8, IE 7 and IE 6. 20-25% use firefox 3.6 or firefox 4 and rest use google chrome.
>
> It may be in your logs as a client which gets a lot of NTLM denials.
>
> If not, adding a log to record which agents are failing is easy:
>
> logformat agentTokens %{Proxy-Authentication}>h "%{User-Agent}>h"
>
> (mind the wrap that is one line)
>
> acl failedAuth http_status 407
> access_log /some/file.log agentTokens failedAuth
>
> This logs the auth tokens and user-agents sending them. One of the tokens should appear in cache.log next to the error message.
>
>> Can you please point me to some doc to use that negotiate wrapper. I tried squid_kerb_auth and failed miserably and I'm not planning to go near it until my squid is stable.
>>
>> I have made a GPO for all users to use NTLM as preferred auth method, let's see if that makes a difference. I did it by adding "LmCompatibilityLevel" to "1" in registry.
>
> "1" is not a good value for that. Probably "4" is what you need. "5" if possible.
>
> see this for what each level apparently means:
> http://technet.microsoft.com/en-nz/magazine/2006.08.securitywatch%28en-us%29.aspx
>
> It seems to be an old article, so things may have changed a little. I'm not sure how Kerberos integrates with those for example in IE 7/8.
>
>> Cheers
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.7 and 3.1.12.1
Re: [squid-users] The Famous "NTLMSSP command 3, expected 1"
Hi,

I meant 3.1.11

How do I check which user-agent is giving this issue? As I told 70% people use IE here (different versions) some use IE 8, IE 7 and IE 6. 20-25% use firefox 3.6 or firefox 4 and rest use google chrome.

Can you please point me to some doc to use that negotiate wrapper. I tried squid_kerb_auth and failed miserably and I'm not planning to go near it until my squid is stable.

I have made a GPO for all users to use NTLM as preferred auth method, let's see if that makes a difference. I did it by adding "LmCompatibilityLevel" to "1" in registry.

Cheers

On 19 April 2011 14:08, Amos Jeffries wrote:
> On 19/04/11 20:09, Go Wow wrote:
>> Hi,
>>
>> I use NTLM to authenticate my AD users with Squid 3.11. My cache logs
>
> You mean 3.1.1? we are only up to 3.2 series so far.
>
>> have these entries at random times. I know that the client is sending a kerberos reply instead of NTLM auth. I want to know whether something can be done about this or not.
>>
>> libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1
>>
>> I tried moving to Kerberos but it didn't work for me. My client environment is IE 8, Chrome and Firefox 3.6 or 4
>
> For the record which User-Agent is broken and sending Kerberos when offered NTLM? and are you offering Negotiate?
>
> The new negotiate_wrapper helper from Markus Moeller may help. We have tested it of use in "auth_param negotiate", but I'm not sure of the effect if it's used in "auth_param ntlm".
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.7
[squid-users] The Famous "NTLMSSP command 3, expected 1"
Hi,

I use NTLM to authenticate my AD users with Squid 3.11. My cache logs have these entries at random times. I know that the client is sending a kerberos reply instead of NTLM auth. I want to know whether something can be done about this or not.

  libsmb/ntlmssp.c:335(ntlmssp_update) got NTLMSSP command 3, expected 1

I tried moving to Kerberos but it didn't work for me. My client environment is IE 8, Chrome and Firefox 3.6 or 4
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
All my problems seem to be getting resolved. NTLM_AUTH still doesn't bypass my sharepoint server. I made use of a PAC file to bypass it. Here is the copy of it:

  function FindProxyForURL(url, host) {
    if (shExpMatch(url, "*Sharepointserver*") ||
        shExpMatch(url, "*mylocaldomain*") ||
        shExpMatch(url, "*intranet*") ||
        shExpMatch(url, "*192.168.*"))
      return "DIRECT";
    else
      return "PROXY 192.168.10.95:3128";
  }

I made it in one line without wrapping. Replace "Sharepointserver" with your "sharepoint server name" and "mylocaldomain" with your "local domain name", which should be something like mycompany.com

Regards

On 22 March 2011 10:34, Go Wow wrote:
> Below is the complete log. This is for one request to the sharepoint from squid, at the end it pops for username/pass
>
> 1300775478.267 1 192.168.50.123 TCP_DENIED/407 4268 GET http://sharepoint/ - NONE/- text/html
> 1300775478.277 2 192.168.50.123 TCP_DENIED/407 4598 GET http://sharepoint/ - NONE/- text/html
> 1300775478.289 8 192.168.50.123 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html
> 1300775478.311 1 192.168.50.123 TCP_DENIED/407 4360 GET http://sharepoint/ - NONE/- text/html
> 1300775478.318 2 192.168.50.123 TCP_DENIED/407 4690 GET http://sharepoint/ - NONE/- text/html
> 1300775478.329 7 192.168.50.123 TCP_MISS/401 1050 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html
> 1300775478.344 1 192.168.50.123 TCP_DENIED/407 5014 GET http://sharepoint/ - NONE/- text/html
> 1300775478.351 2 192.168.50.123 TCP_DENIED/407 5344 GET http://sharepoint/ - NONE/- text/html
> 1300775478.362 7 192.168.50.123 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html
>
> On 21 March 2011 09:59, Amos Jeffries wrote:
>> On 21/03/11 18:16, Go Wow wrote:
>>> Sharepoint is integrated with NTLM, normally it doesn't ask for username and password. Also if we enter username and password when the pop up comes then it's not accepting. Why does it allow some users and block others? Just to mention I changed my squid3 config to add NTLM support with 2 auth_param basic and NTLM. Is this the cause of problem??
>>
>> That change might make a browser bug visible. I have not seen any other cases of it though.
>> The proxy login and the server login are completely separate in HTTP and Squid. The browser *should* be considering each to be separate and sending the right ones.
>>
>> Browser only sends credentials when they have to. First nothing, which squid 407 challenges. Then just the proxy ones which the server 401 challenges. Then both, which works.
>>
>> So what you see in the logs would be:
>> TCP_MISS/407 1729 GET http://spserver/ - NONE/-
>> TCP_MISS/401 1729 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html
>> TCP_MISS/200 4567 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html
>> ...
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.11
>> Beta testers wanted for 3.2.0.5
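Added here as an illustration of the two log patterns Amos describes, the client collecting many NTLM (407) denials in the NTLMSSP thread and the repeated 407/407/401 loop above versus the healthy 407, 401, 200 sequence. This is example code, not from the thread or from Squid; the log lines are constructed in the shape of the excerpt above with made-up 192.0.2.x addresses and names.

```python
"""Parse Squid native access.log lines and report (a) which clients collect
many TCP_DENIED/407 proxy-auth challenges and (b) clients that cycle
407 -> 401 repeatedly without ever reaching a 2xx (the SharePoint loop)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Entry(NamedTuple):
    ts: float      # request start time, epoch seconds
    client: str    # client IP
    action: str    # TCP_DENIED, TCP_MISS, ...
    status: int    # HTTP status code
    method: str
    url: str
    user: str      # '-' when no proxy credentials were supplied


def parse_line(line: str) -> Entry:
    """Squid native format:
    time elapsed client action/status bytes method URL user hierarchy/peer type
    """
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a Squid native log line: %r" % line)
    action, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], action, int(status), f[5], f[6], f[7])


def denials_per_client(lines: Iterable[str]) -> Counter:
    """Count 407 challenges per client IP; a client far above the rest is the
    one whose user agent keeps failing proxy authentication."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e.status == 407:
            counts[e.client] += 1
    return counts


def auth_loops(lines: Iterable[str], min_rounds: int = 2) -> Dict[Tuple[str, str], int]:
    """Per (client, URL), count rounds of '407 then 401' that never reach a 2xx.
    One round is normal (proxy creds, then origin creds); several rounds with
    no 2xx mean the browser keeps re-sending credentials the origin rejects."""
    per_key: Dict[Tuple[str, str], List[Entry]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        per_key[(e.client, e.url)].append(e)
    loops: Dict[Tuple[str, str], int] = {}
    for key, entries in per_key.items():
        entries.sort(key=lambda e: e.ts)
        rounds, challenged = 0, False
        for e in entries:
            if e.status == 407:
                challenged = True
            elif e.status == 401 and challenged:
                rounds += 1
                challenged = False
            elif 200 <= e.status < 300:
                rounds, challenged = 0, False   # sequence completed: not a loop
        if rounds >= min_rounds:
            loops[key] = rounds
    return loops


# Constructed sample in the shape of the thread's log excerpt (addresses and
# user names are made up). Client .10 loops three times; client .20 is healthy.
SAMPLE_LOG = r"""
1300775478.267 1 192.0.2.10 TCP_DENIED/407 4268 GET http://sharepoint/ - NONE/- text/html
1300775478.277 2 192.0.2.10 TCP_DENIED/407 4598 GET http://sharepoint/ - NONE/- text/html
1300775478.289 8 192.0.2.10 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.0.2.64 text/html
1300775478.311 1 192.0.2.10 TCP_DENIED/407 4360 GET http://sharepoint/ - NONE/- text/html
1300775478.318 2 192.0.2.10 TCP_DENIED/407 4690 GET http://sharepoint/ - NONE/- text/html
1300775478.329 7 192.0.2.10 TCP_MISS/401 1050 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.0.2.64 text/html
1300775478.344 1 192.0.2.10 TCP_DENIED/407 5014 GET http://sharepoint/ - NONE/- text/html
1300775478.351 2 192.0.2.10 TCP_DENIED/407 5344 GET http://sharepoint/ - NONE/- text/html
1300775478.362 7 192.0.2.10 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.0.2.64 text/html
1300775480.100 1 192.0.2.20 TCP_DENIED/407 4268 GET http://sharepoint/ - NONE/- text/html
1300775480.120 6 192.0.2.20 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\jane.doe DIRECT/192.0.2.64 text/html
1300775480.140 9 192.0.2.20 TCP_MISS/200 4567 GET http://sharepoint/ DOMAIN\jane.doe DIRECT/192.0.2.64 text/html
""".strip().splitlines()

if __name__ == "__main__":
    print("407s per client:", dict(denials_per_client(SAMPLE_LOG)))
    print("auth loops:", auth_loops(SAMPLE_LOG))
```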
Re: [squid-users] SquidGuard - Ldap doesnt filter users
I got this working with help of Mat. This link has the patch, all you need to do is apply it and recompile squidguard.

http://www.shalla.de/mailman/private/squidguard/2010-December/001896.html

Thanks for help people.

2011/3/23 Jorge Armando Medina:
> On 03/21/2011 01:17 PM, Go Wow wrote:
>> Hi,
>>
>> I have a setup of squid3 with ntlm auth and I use squidGuard 1.5 to filter my web traffic. I know this is not a right place to post it, I guess squidguard dev team is busy enhancing the product. Looking for help from you guys.
>>
>> My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. Below is my squidguard config.
>>
>> dbhome /usr/local/squidGuard/db
>> logdir /usr/local/squidGuard/log
>> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
>> ldapbindpass secretpass
>> ldapcachetime 300
>> ldapprotover 3
>>
>> src Allowed_Top_Mgmt {
>> ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
>> }
>>
>> dest ads {
>> domainlist ads/domains
>> urllist ads/urls
>> redirect http://192.168.100.195/blocked.html
>> }
>> acl {
>> Allowed-Top-Mgmt {
>> pass !ads all
>> redirect http://192.168.100.195/blocked.html
>> }
>> default {
>> pass none
>> redirect http://192.168.100.195/blocked.html
>> }
>> }
>>
>> My squidguard logs have these messages.
>>
>> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
>> [30393] Added LDAP source: domain%5cpeter.hank
>> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>>
>> peter.hank user is unable to access anything or any other user from other group is not able to access anything. Peter.hank is a member of the above defined group, I have cross checked it.
>
> I think the problem is with the filter, squid is passing the user as domain\username which is not recognized by squidguard as a valid user, you need to apply the patch suggested by Mathieu Parent, search the squidguard list archive for the topic:
> [Squidguard] Fwd: Stripping NT domain name or Kerberos Realm from user name
>
> For more info ask in the squidguard mailing list.
>
> Best regards.
>
>> Please do give me some ways to test ldapuser. Some pointers would even work.
>>
>> Thanks
>
> --
> Jorge Armando Medina
> Computación Gráfica de México
> Web: http://www.e-compugraf.com
> Tel: 55 51 40 72, Ext: 124
> Email: jmed...@e-compugraf.com
> GPG Key: 1024D/28E40632 2007-07-26
> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
Re: [squid-users] Re: SquidGuard - Ldap doesnt filter users
Thanks for your help. We cannot do anything on squid side to fix this, like while passing the username to squidguard, we strip the " domain\ " part and pass only username.

On 23 March 2011 15:42, Amos Jeffries wrote:
> On 23/03/11 22:25, Go Wow wrote:
>> Hi,
>>
>> I have observed that squid3 when used with ntlm, passes the AD username to squidguard in the below format
>>
>> DOMAIN%5cUSERNAME
>>
>> %5c represents " \ ". How do we overcome this, because squidguard is trying to find username with the above format and of course it's failing.
>
> Yes, usernames are URL-encoded to avoid binary and other reserved characters like escape-\ which people seem to like putting in there.
>
> You need to contact the squidGuard people.
>
> Amos
>
>> Any workaround for this. I tried adding winbind separator = \ in smb.conf but still no luck,
>>
>> On 21 March 2011 23:17, Go Wow wrote:
>>> Hi,
>>>
>>> I have a setup of squid3 with ntlm auth and I use squidGuard 1.5 to filter my web traffic. I know this is not a right place to post it, I guess squidguard dev team is busy enhancing the product. Looking for help from you guys.
>>>
>>> My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. Below is my squidguard config.
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
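Added example of the user-name handling this thread turns on: Squid hands helpers a URL-encoded name (DOMAIN%5cUSERNAME), the decoded backslash then lands unescaped in squidGuard's LDAP filter and produces the "Bad search filter" error, and Jorge's suggested fix is to strip the domain. This is illustration code, not the squidGuard patch from the thread; the FILTER_TEMPLATE and the helper line format ("URL client_ip/fqdn user method ...", as in Squid 3.1's url_rewrite_program interface) are assumptions.

```python
"""Decode the user field as Squid passes it, strip the NT domain or Kerberos
realm, and RFC 4515-escape it before substituting for %s in an LDAP filter."""
from urllib.parse import quote, unquote

# Assumed: the memberOf clause of the thread's ldapusersearch URL, already
# URL-decoded the way squidGuard would apply it.
FILTER_TEMPLATE = ("(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users,"
                   "ou=Group Accounts,dc=domain,dc=com))")

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def decode_helper_user(ident: str) -> str:
    """Squid URL-encodes the user name before passing it to helpers, so
    'domain%5cpeter.hank' is really 'domain\\peter.hank'."""
    return unquote(ident)


def strip_nt_domain(user: str) -> str:
    """Drop a leading 'DOMAIN\\' (NTLM) or trailing '@REALM' (Kerberos) so the
    bare sAMAccountName is what gets searched for."""
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.rsplit("@", 1)[0]
    return user


def ldap_filter_escape(value: str) -> str:
    """Escape a value destined for an LDAP search filter. Without this the
    backslash from 'domain\\peter.hank' yields the thread's 'Bad search filter',
    and a '*' or ')' supplied by a client would change the filter's meaning."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(ident: str, strip_domain: bool = True) -> str:
    """Decode, optionally strip the domain, escape, then substitute for %s."""
    user = decode_helper_user(ident)
    if strip_domain:
        user = strip_nt_domain(user)
    return FILTER_TEMPLATE.replace("%s", ldap_filter_escape(user), 1)


def rewrite_helper_line(line: str) -> str:
    """Rewrite one request line on its way from Squid to squidGuard so the
    user field carries only the account name (re-encoded for the helper
    protocol, which is a no-op for a plain account name). Assumed format:
    'URL client_ip/fqdn user method [extra ...]'."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 4:
        raise ValueError("unexpected helper line: %r" % line)
    if fields[2] != "-":   # '-' means the request carried no credentials
        bare = strip_nt_domain(decode_helper_user(fields[2]))
        fields[2] = quote(bare, safe="")
    return " ".join(fields)


if __name__ == "__main__":
    print(build_filter("domain%5cpeter.hank"))
    print(build_filter("domain%5cpeter.hank", strip_domain=False))
    print(rewrite_helper_line("http://www.example.com/ 192.0.2.10/- domain%5cpeter.hank GET"))
```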
[squid-users] Re: SquidGuard - Ldap doesnt filter users
Hi,

I have observed that squid3 when used with ntlm, passes the AD username to squidguard in the below format

  DOMAIN%5cUSERNAME

%5c represents " \ ". How do we overcome this, because squidguard is trying to find username with the above format and of course it's failing.

Any workaround for this. I tried adding winbind separator = \ in smb.conf but still no luck,

On 21 March 2011 23:17, Go Wow wrote:
> Hi,
>
> I have a setup of squid3 with ntlm auth and I use squidGuard 1.5 to filter my web traffic. I know this is not a right place to post it, I guess squidguard dev team is busy enhancing the product. Looking for help from you guys.
>
> My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. Below is my squidguard config.
>
> dbhome /usr/local/squidGuard/db
> logdir /usr/local/squidGuard/log
> ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
> ldapbindpass secretpass
> ldapcachetime 300
> ldapprotover 3
>
> src Allowed_Top_Mgmt {
> ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
> }
>
> dest ads {
> domainlist ads/domains
> urllist ads/urls
> redirect http://192.168.100.195/blocked.html
> }
> acl {
> Allowed-Top-Mgmt {
> pass !ads all
> redirect http://192.168.100.195/blocked.html
> }
> default {
> pass none
> redirect http://192.168.100.195/blocked.html
> }
> }
>
> My squidguard logs have these messages.
>
> [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
> [30393] Added LDAP source: domain%5cpeter.hank
> [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank
>
> peter.hank user is unable to access anything or any other user from other group is not able to access anything. Peter.hank is a member of the above defined group, I have cross checked it.
>
> Please do give me some ways to test ldapuser. Some pointers would even work.
>
> Thanks
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Below is the complete log. This is for one request to the sharepoint from squid, at the end it pops for username/pass

  1300775478.267 1 192.168.50.123 TCP_DENIED/407 4268 GET http://sharepoint/ - NONE/- text/html
  1300775478.277 2 192.168.50.123 TCP_DENIED/407 4598 GET http://sharepoint/ - NONE/- text/html
  1300775478.289 8 192.168.50.123 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html
  1300775478.311 1 192.168.50.123 TCP_DENIED/407 4360 GET http://sharepoint/ - NONE/- text/html
  1300775478.318 2 192.168.50.123 TCP_DENIED/407 4690 GET http://sharepoint/ - NONE/- text/html
  1300775478.329 7 192.168.50.123 TCP_MISS/401 1050 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html
  1300775478.344 1 192.168.50.123 TCP_DENIED/407 5014 GET http://sharepoint/ - NONE/- text/html
  1300775478.351 2 192.168.50.123 TCP_DENIED/407 5344 GET http://sharepoint/ - NONE/- text/html
  1300775478.362 7 192.168.50.123 TCP_MISS/401 1729 GET http://sharepoint/ DOMAIN\james.watson DIRECT/192.168.100.64 text/html

On 21 March 2011 09:59, Amos Jeffries wrote:
> On 21/03/11 18:16, Go Wow wrote:
>> Sharepoint is integrated with NTLM, normally it doesn't ask for username and password. Also if we enter username and password when the pop up comes then it's not accepting. Why does it allow some users and block others? Just to mention I changed my squid3 config to add NTLM support with 2 auth_param basic and NTLM. Is this the cause of problem??
>
> That change might make a browser bug visible. I have not seen any other cases of it though.
> The proxy login and the server login are completely separate in HTTP and Squid. The browser *should* be considering each to be separate and sending the right ones.
>
> Browser only sends credentials when they have to. First nothing, which squid 407 challenges. Then just the proxy ones which the server 401 challenges. Then both, which works.
>
> So what you see in the logs would be:
> TCP_MISS/407 1729 GET http://spserver/ - NONE/-
> TCP_MISS/401 1729 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html
> TCP_MISS/200 4567 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html
> ...
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
[squid-users] SquidGuard - Ldap doesnt filter users
Hi,

I have a setup of squid3 with ntlm auth and I use squidGuard 1.5 to filter my web traffic. I know this is not a right place to post it, I guess squidguard dev team is busy enhancing the product. Looking for help from you guys.

My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. Below is my squidguard config.

  dbhome /usr/local/squidGuard/db
  logdir /usr/local/squidGuard/log
  ldapbinddn "cn=Ldap,cn=Users,dc=domain,dc=com"
  ldapbindpass secretpass
  ldapcachetime 300
  ldapprotover 3

  src Allowed_Top_Mgmt {
    ldapusersearch "ldap://host.domain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Allowed_Full_Proxy_Users%2cou=Group%20Accounts%2cdc=domain%2cdc=com))"
  }

  dest ads {
    domainlist ads/domains
    urllist ads/urls
    redirect http://192.168.100.195/blocked.html
  }
  acl {
    Allowed-Top-Mgmt {
      pass !ads all
      redirect http://192.168.100.195/blocked.html
    }
    default {
      pass none
      redirect http://192.168.100.195/blocked.html
    }
  }

My squidguard logs have these messages.

  [30393] (squidGuard): ldap_search_ext_s failed: Bad search filter (params: dc=domain,dc=com, 2, (&(sAMAccountName=domain\peter.hank)(memberOf=cn=Allowed_Full_Proxy_Users,ou=Group Accounts,dc=domain,dc=com)), sAMAccountName)
  [30393] Added LDAP source: domain%5cpeter.hank
  [30393] DEBUG: sgFindUser called with: domain%5cpeter.hank

peter.hank user is unable to access anything or any other user from other group is not able to access anything. Peter.hank is a member of the above defined group, I have cross checked it.

Please do give me some ways to test ldapuser. Some pointers would even work.

Thanks
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Sharepoint is integrated with NTLM, normally it doesn't ask for username and password. Also if we enter username and password when the pop up comes then it's not accepting. Why does it allow some users and block others? Just to mention I changed my squid3 config to add NTLM support with 2 auth_param basic and NTLM. Is this the cause of problem??

Regards

On 21 March 2011 05:26, Amos Jeffries wrote:
> On Sun, 20 Mar 2011 12:51:07 +0400, Go Wow wrote:
>> Sharepoint sometimes pops up a credentials box and sometimes it doesn't. Sometimes it pops up credential
>>
>> Access log has this entry
>>
>> TCP_MISS/401 1729 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html
>>
>> Regards
>
> It is up to the user's software to manage whether new credentials are needed.
>
> The above shows that proxy login credentials have been passed to Squid (DOMAIN-NAME\User.Name).
> However the credentials needed to login to the website at the other end are missing (401). Squid has little or nothing to do with website credentials.
>
> Amos
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Sharepoint sometimes pops up a credentials box and sometimes it doesn't. Sometimes it pops up credential

Access log has this entry

  TCP_MISS/401 1729 GET http://spserver/ DOMAIN-NAME\User.Name DIRECT/192.168.50.124 text/html

Regards

On 17 March 2011 16:22, Go Wow wrote:
> Upgrading to 3.1.10 worked for me.
>
> Thank You Everyone For Help
>
> On 17 March 2011 01:50, Amos Jeffries wrote:
>> On Wed, 16 Mar 2011 19:29:28 +0400, Go Wow wrote:
>>> squid3 -v shows all options with which my squid3 was compiled. Can I use these same options like in copy and paste for new ./configure ??
>>>
>>> Regards
>>
>> I have a Ubuntu back-port of the Debian packages available at
>> https://launchpad.net/~yadi/+archive/ppa
>>
>> Amos
>>
>>> On 16 March 2011 18:57, Go Wow wrote:
>>>> Do you know of .deb package of 3.1.11. I'm using Ubuntu 10.04.
>>>>
>>>> Regards
>>>>
>>>> On 16 March 2011 18:10, Amos Jeffries wrote:
>>>>> On 17/03/11 02:41, Go Wow wrote:
>>>>>> Squid 3 Stable 19
>>>>>
>>>>> So a 3.0 series release. It will not work with relayed NTLM credentials.
>>>>>
>>>>> You need to upgrade to 3.1 before further testing is worth doing.
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>> Current Stable Squid 2.7.STABLE9 or 3.1.11
>>>>> Beta testers wanted for 3.2.0.5
Re: [squid-users] Re: Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
Winbind works properly, my bad I was issuing sudo wbinfo -a where it should have been sudo wbinfo -a domain\\username

Thanks for help.

Regards

On 18 March 2011 19:22, Go Wow wrote:
> After issuing the command gpasswd -a proxy winbindd_priv
>
> wbinfo -a returns success for challenge/response but not for plain text. No error given
>
> sudo wbinfo -a this.user
> Enter this.user's password:
> plaintext password authentication failed
> Could not authenticate user this.user with plaintext password
> Enter this.user's password:
> challenge/response password authentication succeeded
>
> No error info in winbind log as well.
>
> Regards
>
> On 18 March 2011 17:14, Go Wow wrote:
>> Thanks Amos.
>>
>> I was going to try with cache_effective_user setting in squid.conf but I will try this config first.
>>
>> Will update you guys.
>>
>> Regards
>>
>> On 18 March 2011 17:06, Amos Jeffries wrote:
>>> On 19/03/11 00:15, Go Wow wrote:
>>>> There is a script in /etc/init.d/winbind I tried editing it but still no luck. I check /etc/init.d/smbd but there is no mentioning about winbind.
>>>>
>>>> On 18 March 2011 15:02, Alex Crow wrote:
>>>>> On 18/03/11 10:47, Go Wow wrote:
>>>>>> Just to kill my curiosity and resolve the issue I added proxy and root user to winbindd_priv group as well. But still damn winbind won't start.
>>>>>>
>>>>>> Regards
>>>>>
>>>>> Check /etc/init.d/winbind (or /etc/init.d/samba if you don't have separate scripts for winbind) to make sure it does not set permissions on the directory.
>>>>>
>>>>> Some distributions seem to do this, I think it might even be in upstream Samba. Just comment it out if it's doing it - it seems a stupid thing to put in an init script to me.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Alex
>>>
>>> The correct configuration is detailed here:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>>>
>>> One major gotcha:
>>> RHEL and a few other OS patch a hard-coded value for this directive. So that removing it from config still fails. In that case a full re-build without the distro patch is required.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE9 or 3.1.11
>>> Beta testers wanted for 3.2.0.5
Re: [squid-users] Re: Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
After issuing the command gpasswd -a proxy winbindd_priv, wbinfo -a returns success for challenge/response but not for plain text. No error given.

sudo wbinfo -a this.user
Enter this.user's password:
plaintext password authentication failed
Could not authenticate user this.user with plaintext password
Enter this.user's password:
challenge/response password authentication succeeded

No error info in the winbind log either.

Regards

On 18 March 2011 17:14, Go Wow wrote:
> Thanks Amos.
>
> I was going to try with the cache_effective_user setting in squid.conf but
> I will try this config first.
>
> Will update you guys.
>
> Regards
>
> On 18 March 2011 17:06, Amos Jeffries wrote:
>> On 19/03/11 00:15, Go Wow wrote:
>>>
>>> There is a script in /etc/init.d/winbind; I tried editing it but still
>>> no luck. I checked /etc/init.d/smbd but there is no mention of
>>> winbind.
>>>
>>> On 18 March 2011 15:02, Alex Crow wrote:
>>>>
>>>> On 18/03/11 10:47, Go Wow wrote:
>>>>>
>>>>> Just to kill my curiosity and resolve the issue I added the proxy and root
>>>>> users to the winbindd_priv group as well. But still, damn, winbind won't
>>>>> start.
>>>>>
>>>>> Regards
>>>>
>>>> Check /etc/init.d/winbind (or /etc/init.d/samba if you don't have
>>>> separate scripts for winbind) to make sure it does not set permissions on the
>>>> directory.
>>>>
>>>> Some distributions seem to do this, I think it might even be in upstream
>>>> Samba. Just comment it out if it's doing it - it seems a stupid thing to
>>>> put in an init script to me.
>>>>
>>>> Cheers
>>>>
>>>> Alex
>>>>
>>
>> The correct configuration is detailed here:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>>
>> One major gotcha:
>> RHEL and a few other OSes patch a hard-coded value for this directive, so
>> that removing it from the config still fails. In that case a full re-build
>> without the distro patch is required.
>>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>>   Beta testers wanted for 3.2.0.5
>>
>
Re: [squid-users] Re: Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
Thanks Amos.

I was going to try with the cache_effective_user setting in squid.conf but I will try this config first.

Will update you guys.

Regards

On 18 March 2011 17:06, Amos Jeffries wrote:
> On 19/03/11 00:15, Go Wow wrote:
>>
>> There is a script in /etc/init.d/winbind; I tried editing it but still
>> no luck. I checked /etc/init.d/smbd but there is no mention of
>> winbind.
>>
>> On 18 March 2011 15:02, Alex Crow wrote:
>>>
>>> On 18/03/11 10:47, Go Wow wrote:
>>>>
>>>> Just to kill my curiosity and resolve the issue I added the proxy and root
>>>> users to the winbindd_priv group as well. But still, damn, winbind won't
>>>> start.
>>>>
>>>> Regards
>>>
>>> Check /etc/init.d/winbind (or /etc/init.d/samba if you don't have
>>> separate scripts for winbind) to make sure it does not set permissions on the
>>> directory.
>>>
>>> Some distributions seem to do this, I think it might even be in upstream
>>> Samba. Just comment it out if it's doing it - it seems a stupid thing to
>>> put in an init script to me.
>>>
>>> Cheers
>>>
>>> Alex
>>>
>
> The correct configuration is detailed here:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>
> One major gotcha:
> RHEL and a few other OSes patch a hard-coded value for this directive, so
> that removing it from the config still fails. In that case a full re-build
> without the distro patch is required.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>   Beta testers wanted for 3.2.0.5
>
Re: [squid-users] Re: Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
There is a script in /etc/init.d/winbind; I tried editing it but still no luck. I checked /etc/init.d/smbd but there is no mention of winbind.

On 18 March 2011 15:02, Alex Crow wrote:
> On 18/03/11 10:47, Go Wow wrote:
>>
>> Just to kill my curiosity and resolve the issue I added the proxy and root
>> users to the winbindd_priv group as well. But still, damn, winbind won't
>> start.
>>
>> Regards
>
> Check /etc/init.d/winbind (or /etc/init.d/samba if you don't have separate
> scripts for winbind) to make sure it does not set permissions on the
> directory.
>
> Some distributions seem to do this, I think it might even be in upstream
> Samba. Just comment it out if it's doing it - it seems a stupid thing to put
> in an init script to me.
>
> Cheers
>
> Alex
>
[squid-users] Re: Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
Just to kill my curiosity and resolve the issue I added the proxy and root users to the winbindd_priv group as well. But still, damn, winbind won't start.

Regards

On 18 March 2011 14:45, Go Wow wrote:
> Hi,
>
> I'm trying squid 3.1.10 with ntlm and kerberos. The kinit and klist
> steps work well, even net join is working. The problem I'm facing is
> when trying to start the winbind service and using wbinfo. The
> service never starts, giving the error message
>
> lib/util_sock.c:1771(create_pipe_sock) invalid permissions on socket
> directory /var/run/samba/winbindd_privileged
> winbindd/winbindd.c:1412(main) winbindd_setup_listeners() failed
>
> Right now the ownership of /var/run/samba/winbindd_privileged is set
> to proxy:winbindd_priv with permissions of 0777 (for testing only),
> still the service doesn't start. I made the change of permissions
> in the service script also, /etc/init.d/winbind. I'm using
> Ubuntu 10.04 (lucid).
>
> On a side note, after editing the winbind service script, when I run
> this command "sudo update-rc.d winbind start 21 2 3 4 5 ." I get a
> warning saying
>
> update-rc.d: warning: winbind stop runlevel arguments (none) do not
> match LSB Default-Stop values (0 1 6)
>
> System start/stop links for /etc/init.d/winbind already exist.
>
> Is there a known solution for this issue?
>
> Regards
>
[squid-users] Squid 3.1 and winbind 3.4.7 permissions issue on winbindd_privileged
Hi,

I'm trying squid 3.1.10 with ntlm and kerberos. The kinit and klist steps work well, even net join is working. The problem I'm facing is when trying to start the winbind service and using wbinfo. The service never starts, giving the error message

lib/util_sock.c:1771(create_pipe_sock) invalid permissions on socket directory /var/run/samba/winbindd_privileged
winbindd/winbindd.c:1412(main) winbindd_setup_listeners() failed

Right now the ownership of /var/run/samba/winbindd_privileged is set to proxy:winbindd_priv with permissions of 0777 (for testing only), still the service doesn't start. I made the change of permissions in the service script also, /etc/init.d/winbind. I'm using Ubuntu 10.04 (lucid).

On a side note, after editing the winbind service script, when I run this command "sudo update-rc.d winbind start 21 2 3 4 5 ." I get a warning saying

update-rc.d: warning: winbind stop runlevel arguments (none) do not match LSB Default-Stop values (0 1 6)

System start/stop links for /etc/init.d/winbind already exist.

Is there a known solution for this issue?

Regards
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Upgrading to 3.1.10 worked for me. Thank you everyone for the help.

On 17 March 2011 01:50, Amos Jeffries wrote:
> On Wed, 16 Mar 2011 19:29:28 +0400, Go Wow wrote:
>>
>> squid3 -v shows all the options with which my squid3 was compiled. Can
>> I use these same options, copied and pasted, for the new ./configure?
>>
>> Regards
>>
>
> I have a Ubuntu back-port of the Debian packages available at
> https://launchpad.net/~yadi/+archive/ppa
>
> Amos
>
>> On 16 March 2011 18:57, Go Wow wrote:
>>>
>>> Do you know of a .deb package of 3.1.11? I'm using Ubuntu 10.04.
>>>
>>> Regards
>>>
>>> On 16 March 2011 18:10, Amos Jeffries wrote:
>>>>
>>>> On 17/03/11 02:41, Go Wow wrote:
>>>>>
>>>>> Squid 3 Stable 19
>>>>>
>>>>
>>>> So a 3.0 series release. It will not work with relayed NTLM credentials.
>>>>
>>>> You need to upgrade to 3.1 before further testing is worth doing.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>>>>   Beta testers wanted for 3.2.0.5
>>>>
>>>
>
>
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Thanks guys. Tomorrow I will try that PAC file solution; if it doesn't work then I will start planning the upgrade.

Another query I had, although unrelated to Sharepoint. I'm using squidGuard for filtering; if an external webpage is not displayed properly, is the issue with squidGuard or with squid? (I guess squidGuard.) What happens is that for 2 users who belong to the same group and have the same level of restrictions, for one user the webpage loads fully, displaying all images, frames, css etc., but for the other user images are blocked with a red cross mark and there are no frames etc.; it displays only text with hyperlinks. I checked the access log; both users have a TCP_IMS_HIT entry for that particular website. Wondering what could be wrong.

I will update you about this Sharepoint thing.

Regards

2011/3/16 Jorge Armando Medina :
> On 03/16/2011 05:43 AM, Go Wow wrote:
>> Hi,
>>
>> I have squid 3 with AD integrated, using squidGuard for filtering the
>> traffic. When I try to access the sharepoint portal it gives me the error
>>
>> "401 - Unauthorized: Access is denied due to invalid credentials".
>>
>> Our sharepoint is also integrated with AD and without the proxy it doesn't
>> pop up or require any credentials. We can access it directly.
>>
>> How do I allow Sharepoint access for my users? Is there any specific
>> config that I need to add?
> For these situations, I prefer to use WPAD and exclude local networks and
> dns domains in the PAC file, so you access your SP portal directly.
>
> http://tuxjm.net/docs/Manual_de_Instalacion_de_Servidor_Proxy_Web_con_Ubuntu_Server_y_Squid/html-multiples/ch06s05.html#id390356
>
> I have some instructions in Spanish; probably you can use the examples.
> There is info for creating your own PAC file, how to configure apache to
> host it and how to configure dns and/or dhcp to offer wpad to proxy
> clients.
>
> Best regards.
>
>> My access log has this entry when trying to access sharepoint
>>
>> TCP_MISS/401 1640 GET
>> http://spserver.domain.com:3000/Pages/Default12.aspx harry.potter
>> DIRECT/192.168.10.64 text/html
>>
>> I changed the fqdn above.
>>
>> Regards
>
> --
> Jorge Armando Medina
> Computación Gráfica de México
> Web: http://www.e-compugraf.com
> Tel: 55 51 40 72, Ext: 124
> Email: jmed...@e-compugraf.com
> GPG Key: 1024D/28E40632 2007-07-26
> GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
>
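Since this thread reads the native access.log by hand, here is a small parser for that format, added as an example and not code from Squid or from anyone on the list. It counts 401 responses per user and origin, which is what a SharePoint NTLM/Negotiate handshake that does not survive the proxy looks like from Squid's side (the 3.0 behaviour Amos describes). The sample lines are constructed from the shape of the entry quoted above; the timestamps, client addresses, the intranet.example host and the second user are made up.

```python
#!/usr/bin/env python3
"""Spot authentication loops in Squid's native access.log (added example).

Native log fields: timestamp elapsed client code/status bytes method URL
ident hierarchy/peer type. A client that keeps receiving 401 from the
same origin through the proxy is the symptom in this thread: the server
asks for NTLM/Negotiate, and a proxy that does not pin the connection
never lets the handshake complete.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample lines shaped like the entry quoted in the thread.
SAMPLE_LOG = """\
1300261234.123     45 192.168.10.20 TCP_MISS/401 1640 GET http://spserver.domain.com:3000/Pages/Default12.aspx harry.potter DIRECT/192.168.10.64 text/html
1300261235.456     12 192.168.10.20 TCP_MISS/401 1640 GET http://spserver.domain.com:3000/Pages/Default12.aspx harry.potter DIRECT/192.168.10.64 text/html
1300261236.789     30 192.168.10.20 TCP_MISS/401 1640 GET http://spserver.domain.com:3000/Pages/Default12.aspx harry.potter DIRECT/192.168.10.64 text/html
1300261237.001    230 192.168.10.21 TCP_MISS/200 5120 GET http://intranet.example/ ron.weasley DIRECT/192.0.2.10 text/html
1300261238.010      8 192.168.10.21 TCP_IMS_HIT/304 300 GET http://intranet.example/logo.png ron.weasley NONE/- image/png
1300261239.020     50 192.168.10.22 TCP_MISS/401 1640 GET http://intranet.example/secure/ ron.weasley DIRECT/192.0.2.10 text/html
"""


def parse_native_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) != 10 or "/" not in parts[3]:
        return None
    code, status = parts[3].split("/", 1)
    return {
        "time": parts[0], "elapsed": parts[1], "client": parts[2],
        "code": code, "status": status, "bytes": parts[4],
        "method": parts[5], "url": parts[6], "user": parts[7],
        "hierarchy": parts[8], "type": parts[9],
    }


def origin_of(url: str) -> str:
    """host[:port] of the request URL, e.g. spserver.domain.com:3000."""
    return urlsplit(url).netloc


def count_401s(log_text: str) -> Counter:
    """Count 401 responses per (user, origin) pair."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec and rec["status"] == "401":
            hits[(rec["user"], origin_of(rec["url"]))] += 1
    return hits


def auth_loops(log_text: str, threshold: int = 2) -> List[Tuple[str, str, int]]:
    """(user, origin, count) for pairs that hit 401 at least `threshold` times."""
    return sorted((u, o, n) for (u, o), n in count_401s(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for user, origin, n in auth_loops(SAMPLE_LOG):
        print(f"{user} got {n} x 401 from {origin}: check that the proxy "
              f"pins NTLM/Negotiate connections (Squid 3.1 or later)")
```

The same parsed records can be grouped by URL and user to compare the two users in the squidGuard question above object by object (images, frames, css), rather than only by the page's own TCP_IMS_HIT entry.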
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
squid3 -v shows all the options with which my squid3 was compiled. Can I use these same options, copied and pasted, for the new ./configure?

Regards

On 16 March 2011 18:57, Go Wow wrote:
> Do you know of a .deb package of 3.1.11? I'm using Ubuntu 10.04.
>
> Regards
>
> On 16 March 2011 18:10, Amos Jeffries wrote:
>> On 17/03/11 02:41, Go Wow wrote:
>>>
>>> Squid 3 Stable 19
>>>
>>
>> So a 3.0 series release. It will not work with relayed NTLM credentials.
>>
>> You need to upgrade to 3.1 before further testing is worth doing.
>>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>>   Beta testers wanted for 3.2.0.5
>>
>
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Do you know of a .deb package of 3.1.11? I'm using Ubuntu 10.04.

Regards

On 16 March 2011 18:10, Amos Jeffries wrote:
> On 17/03/11 02:41, Go Wow wrote:
>>
>> Squid 3 Stable 19
>>
>
> So a 3.0 series release. It will not work with relayed NTLM credentials.
>
> You need to upgrade to 3.1 before further testing is worth doing.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>   Beta testers wanted for 3.2.0.5
>
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Sorry, I updated it here http://tinypaste.com/8fe75

On 16 March 2011 18:05, Go Wow wrote:
> I tried without squidGuard and it didn't work. I get the same 401 error.
>
> You can access my squid.conf from here http://tinypaste.com/963e3
>
> Thanks
>
> Regards
>
> On 16 March 2011 17:41, Go Wow wrote:
>> Squid 3 Stable 19
>>
>> squidGuard 1.5
>>
>> I will try without squidGuard when users leave.
>>
>> On 16 March 2011 16:17, Amos Jeffries wrote:
>>> On 17/03/11 00:43, Go Wow wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have squid 3 with AD integrated, using squidGuard for filtering the
>>>> traffic. When I try to access the sharepoint portal it gives me the error
>>>>
>>>> "401 - Unauthorized: Access is denied due to invalid credentials".
>>>>
>>>> Our sharepoint is also integrated with AD and without the proxy it doesn't
>>>> pop up or require any credentials. We can access it directly.
>>>>
>>>> How do I allow Sharepoint access for my users? Is there any specific
>>>> config that I need to add?
>>>
>>> Tried it without squidGuard?
>>> What version of squidGuard?
>>> What version of Squid?
>>>
>>> Squid pays little or no attention to server credentials.
>>> squid-3.0 pays no attention at all and NTLM/Negotiate do not work through it.
>>> squid-3.1 and later pay just enough attention to detect the NTLM or
>>> Negotiate/Kerberos tag and turn on pinning/connection-auth to prevent the
>>> connection having natural HTTP efficiency things done to it.
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>>>   Beta testers wanted for 3.2.0.5
>>>
>>
>
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
I tried without squidGuard and it didn't work. I get the same 401 error.

You can access my squid.conf from here http://tinypaste.com/963e3

Thanks

Regards

On 16 March 2011 17:41, Go Wow wrote:
> Squid 3 Stable 19
>
> squidGuard 1.5
>
> I will try without squidGuard when users leave.
>
> On 16 March 2011 16:17, Amos Jeffries wrote:
>> On 17/03/11 00:43, Go Wow wrote:
>>>
>>> Hi,
>>>
>>> I have squid 3 with AD integrated, using squidGuard for filtering the
>>> traffic. When I try to access the sharepoint portal it gives me the error
>>>
>>> "401 - Unauthorized: Access is denied due to invalid credentials".
>>>
>>> Our sharepoint is also integrated with AD and without the proxy it doesn't
>>> pop up or require any credentials. We can access it directly.
>>>
>>> How do I allow Sharepoint access for my users? Is there any specific
>>> config that I need to add?
>>
>> Tried it without squidGuard?
>> What version of squidGuard?
>> What version of Squid?
>>
>> Squid pays little or no attention to server credentials.
>> squid-3.0 pays no attention at all and NTLM/Negotiate do not work through it.
>> squid-3.1 and later pay just enough attention to detect the NTLM or
>> Negotiate/Kerberos tag and turn on pinning/connection-auth to prevent the
>> connection having natural HTTP efficiency things done to it.
>>
>> Amos
>> --
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>>   Beta testers wanted for 3.2.0.5
>>
>
Re: [squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Squid 3 Stable 19

squidGuard 1.5

I will try without squidGuard when users leave.

On 16 March 2011 16:17, Amos Jeffries wrote:
> On 17/03/11 00:43, Go Wow wrote:
>>
>> Hi,
>>
>> I have squid 3 with AD integrated, using squidGuard for filtering the
>> traffic. When I try to access the sharepoint portal it gives me the error
>>
>> "401 - Unauthorized: Access is denied due to invalid credentials".
>>
>> Our sharepoint is also integrated with AD and without the proxy it doesn't
>> pop up or require any credentials. We can access it directly.
>>
>> How do I allow Sharepoint access for my users? Is there any specific
>> config that I need to add?
>
> Tried it without squidGuard?
> What version of squidGuard?
> What version of Squid?
>
> Squid pays little or no attention to server credentials.
> squid-3.0 pays no attention at all and NTLM/Negotiate do not work through it.
> squid-3.1 and later pay just enough attention to detect the NTLM or
> Negotiate/Kerberos tag and turn on pinning/connection-auth to prevent the
> connection having natural HTTP efficiency things done to it.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>   Beta testers wanted for 3.2.0.5
>
[squid-users] Squid 3 with AD Integration has Sharepoint Access problem!!
Hi,

I have squid 3 with AD integrated, using squidGuard for filtering the traffic. When I try to access the sharepoint portal it gives me the error

"401 - Unauthorized: Access is denied due to invalid credentials".

Our sharepoint is also integrated with AD and without the proxy it doesn't pop up or require any credentials. We can access it directly.

How do I allow Sharepoint access for my users? Is there any specific config that I need to add?

My access log has this entry when trying to access sharepoint

TCP_MISS/401 1640 GET http://spserver.domain.com:3000/Pages/Default12.aspx harry.potter DIRECT/192.168.10.64 text/html

I changed the fqdn above.

Regards
Re: [squid-users] Dual Level Authentication
Thanks for the reply. I think I will have to consider PAM.

Regards

On 8 March 2011 11:06, Amos Jeffries wrote:
> On 08/03/11 18:42, Go Wow wrote:
>>
>> Hi All,
>>
>> I have implemented AD authentication with squid3. I would like to
>> add another level of authentication which should be local to the unix box,
>> something like ncsa. When AD authentication fails then it should
>> switch to the other authentication, and if that fails too then deny the
>> packet.
>>
>> In squid, when I define
>>
>> auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
>> auth_param basic program /usr/lib/squid_ldap_auth ...
>>
>> the bottom line is configured by initiating the helper programs and
>> the top line is ignored. If I interchange the above lines then again
>> the bottom program is initiated and the top one is ignored.
>
> Yes. You can only define each authentication type once.
>
> Squid just hands every Basic auth header it gets over to a helper to get a
> yes/no answer for use in ACLs. It is up to that helper and the backend
> authentication system it uses to do anything like failover, checking multiple
> sources etc.
>
>>
>> Can someone guide me on how to create the dual level authentication?
>>
>
> * Use two different types of authentication, ordered by your preference.
> Then hope that the browser agrees with that preference because all you are
> doing is offering auth types. The client browser chooses which one is used.
>
> * Use an authentication backend which supports checking credentials against
> multiple sources, i.e. PAM or similar.
>
> * Write your own wrapper script to receive data from Squid and test both
> data sources, passing the overall result back to Squid.
>
>> I read the multiple services authentication FAQ on
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources
>> but couldn't understand it fully. I understood myacl.pl is used for
>> authentication but how do I define username and password for users
>> using this method?
>
> This example is about enforcing strict controls over which background
> authentication mechanism is used for any given client IP.
>
> You *could* use it, however for trying both systems with failover it is
> simpler and more efficient to write an authenticator that does it. That
> example is only needed because the IP is not sent to basic auth in some
> squid versions.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.11
>   Beta testers wanted for 3.2.0.5
>
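The third option Amos lists above, a wrapper that tries both sources and hands one result back to Squid, as an added example; this is not a helper shipped with Squid and not code from anyone on the list. It assumes the basic helper line protocol as Squid 3.x speaks it: one "username password" request per line on stdin, both fields URL-encoded, and one "OK" or "ERR" reply per request on stdout, with auth_param basic concurrency left unset so there is no channel-id prefix. The install path /usr/local/bin/chain_auth.py is hypothetical; the two helper command lines in the comment are the ones from the question, with the LDAP arguments still elided.

```python
#!/usr/bin/env python3
"""Failover wrapper for Squid basic authentication (added example).

Squid sends a basic auth helper "<username> <password>\n" per request,
both fields URL-encoded, and reads back one "OK" or "ERR" line per
request (assumes auth_param basic concurrency is not set). This wrapper
tries a list of backends in order and answers OK for the first one that
accepts; a backend that fails or crashes is treated as ERR for that
request and the next one is tried. Hypothetical script, not part of Squid.
"""
import shlex
import subprocess
import sys
import urllib.parse
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

Backend = Callable[[str, str], bool]


def parse_request(line: str) -> Optional[Tuple[str, str]]:
    """Split one request line into (user, password); None for blank lines.

    Split on the first space before decoding, because an encoded password
    may itself contain %20.
    """
    line = line.rstrip("\r\n")
    if not line:
        return None
    user, _, password = line.partition(" ")
    return urllib.parse.unquote(user), urllib.parse.unquote(password)


def chain_auth(user: str, password: str, backends: Sequence[Backend]) -> bool:
    """Accept if any backend accepts, in order; an exception counts as ERR."""
    for check in backends:
        try:
            if check(user, password):
                return True
        except Exception:
            continue  # a broken backend must fall through, never grant access
    return False


def answer_lines(lines: Iterable[str], backends: Sequence[Backend]) -> List[str]:
    """Map request lines to the OK/ERR replies Squid expects, in order."""
    replies = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        replies.append("OK" if chain_auth(req[0], req[1], backends) else "ERR")
    return replies


def table_backend(table: Dict[str, str]) -> Backend:
    """In-memory backend for testing (constructed, not a real credential store)."""
    return lambda user, password: table.get(user) == password


class HelperProcess:
    """Drive an external Squid basic helper (e.g. ncsa_auth) as one backend."""

    def __init__(self, argv: Sequence[str]):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def __call__(self, user: str, password: str) -> bool:
        # Re-encode so the child helper sees the same wire format Squid uses.
        self.proc.stdin.write(f"{urllib.parse.quote(user, safe='')} "
                              f"{urllib.parse.quote(password, safe='')}\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().startswith("OK")


def main() -> None:
    # Each argv element is one backend command line, tried in the given order:
    #   auth_param basic program /usr/local/bin/chain_auth.py \
    #       "/usr/lib/squid_ldap_auth ..." "/usr/lib/ncsa_auth /etc/squid3/passwd"
    backends = [HelperProcess(shlex.split(arg)) for arg in sys.argv[1:]]
    for line in sys.stdin:
        for reply in answer_lines([line], backends):
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Putting the AD helper first and ncsa_auth second gives the order asked for in the question; because every request that AD rejects is then retried against the local file, keep that file small and its passwords strong, since it doubles the credential surface for every username.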
[squid-users] Dual Level Authentication
Hi All,

I have implemented AD authentication with squid3. I would like to add another level of authentication which should be local to the unix box, something like ncsa. When AD authentication fails then it should switch to the other authentication, and if that fails too then deny the packet.

In squid, when I define

auth_param basic program /usr/lib/ncsa_auth /etc/squid3/passwd
auth_param basic program /usr/lib/squid_ldap_auth ...

the bottom line is configured by initiating the helper programs and the top line is ignored. If I interchange the above lines then again the bottom program is initiated and the top one is ignored.

Can someone guide me on how to create the dual level authentication?

I read the multiple services authentication FAQ on http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources but couldn't understand it fully. I understood myacl.pl is used for authentication but how do I define username and password for users using this method?

Regards
Re: [squid-users] Squid Blocking non-listed websites
So what, according to you, should be my edited squid.conf? And thanks for those great inputs.
Re: [squid-users] Squid Blocking non-listed websites
I sent out an email with my squid.conf; I want to know whether it was received or not because I just got an email from support saying that my email had some words which are not allowed, so the email was blocked and not delivered.
Re: [squid-users] Squid Blocking non-listed websites
What's the command to get only the configuration lines from squid.conf, leaving out the comment lines? If I get it I will post my config file.
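One way to do it, added here as an example rather than a reply from the list: the usual one-liner is grep -vE '^[[:space:]]*(#|$)' /etc/squid/squid.conf, and the script below does the same in Python, dropping blank lines and lines whose first non-blank character is "#" while keeping indented directives. The default path is an assumption about where the 2.6 package put the file, and the sample configuration is constructed.

```python
#!/usr/bin/env python3
"""Print only the active directives of a squid.conf (added example).

Squid ignores blank lines and lines whose first non-blank character is
'#'; everything else is a directive. Shell equivalent:
    grep -vE '^[[:space:]]*(#|$)' /etc/squid/squid.conf
"""
import sys
from typing import List

DEFAULT_CONF = "/etc/squid/squid.conf"  # assumed location; adjust for your build

# Constructed sample, not a real configuration file.
SAMPLE_CONF = """\
# WELCOME TO SQUID 2.6
http_port 3128

#  TAG: acl
acl all src 0.0.0.0/0.0.0.0
   # indented comment, still a comment
acl blocked dstdomain "/etc/squid/blocked.txt"
http_access deny blocked
"""


def effective_config_lines(text: str) -> List[str]:
    """Return the directive lines with comments and blank lines removed."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF
    with open(path, encoding="utf-8", errors="replace") as fh:
        print("\n".join(effective_config_lines(fh.read())))
```

Posting the stripped output rather than the whole file also keeps any passwords or internal hostnames you might have left in comments out of the list archive.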
[squid-users] Squid Blocking non-listed websites
Hey, my squid is 2.6 and it is blocking some of the websites that are not listed in my block list; an example is rpm.pbone.net. Does anyone know why it is happening, or can give me some pointers to check why it's happening?
Re: [squid-users] Squid Pre-Requisites
I want to install it on Debian. My Debian installation currently holds only a limited set of packages and if I add unwanted packages then my Debian may go down, so I want to make squid work as a transparent proxy. Yes, I'm experimenting with this.
[squid-users] Squid Pre-Requisites
What is the prerequisite software in order to have squid installed on a machine?