Re: [squid-users] Errors with sasl while compiling Squid 3.1.4
I had this same issue and could .. ehrm guess (sorry) from the logs that I was missing g++.
After apt-getting g++, everything went smooth.

thanks for pointing to the solution.

cheers!
Lieven

Henrik Nordström wrote:
> On Wed 2010-06-30 at 14:25 +0200, Babelo Gmvsdm wrote:
>> Hi
>>
>> When I run ./configure to prepare compilation on Squid 3.1.4 I got these errors:
>>
>> checking /usr/include/sasl.h usability... no
>> checking /usr/include/sasl.h presence... no
>> checking for /usr/include/sasl.h... no
>> checking sasl.h usability... no
>> checking sasl.h presence... no
>> checking for sasl.h... no
>> configure: error: Neither SASL nor SASL2 found
>>
>> Whereas /usr/include/sasl.h is present in the right directory
>
> Check config.log for more information.
>
> Regards
> Henrik
Re: [squid-users] Re: Re: squid_kerb_auth received type 1 NTLM token
Dear Markus,

You have to be recommended for your patience!!

Turns out that my keytab file was wrong all along due to a stupid mistake from my side. (as to be expected :-/)
I did have the principal for the realm but not for the proxy server itself.
Thus the HTTP-keytab was recreated with the msktutil, this time with correct principal information.

Now it works fine, I can see the clients authenticating in the cache.log

bottomline: my bad knowledge about kerberos made me look for the wrong reasons.

thank you very much for your help.

Cheers !
Lieven

Markus Moeller wrote:
> Changing the name may not be enough. Delete the AD entry and the keytab and create a new entry with keytab.
>
> Regards
> Markus
>
> Lieven lieve...@gmail.com wrote in message news:4be9c40a.1090...@gmail.com...
>> That seems to clarify my problems. thank you.
>>
>> After the msktutil, I saw that a new computer object had been made in the AD.
>> In adsiedit, I opened this squid3-proxy computeraccount and checked its principalname service.
>> There was only HTTP/domain.local so I manually added HTTP/squid3-proxy.domain.local.
>>
>> Then after I did a new webrequest via the proxyserver, I saw this HTTP/squid3-proxy.domain.local service principal in kerbtray.
>>
>> Only, it still pops up with a authentication request so I'm not yet there.
>> Anyway, tomorrow I'll have access to the local pc and a wireshark trace will probably help me solve this further.
>>
>> thanks for all the effort already.
>>
>> cheers.
>> Lieven
>>
>> Markus Moeller wrote:
>>> Hi Lieven,
>>>
>>> The problem seems to be the krb5kdc_err_s_principal_unknown error. If you took the capture earlier you should have seen a TGS REQ in wireshark for HTTP/squid3-proxy.domain.local and AD says it does not know anything about this principal. Can you search AD if you have an entry with serviceprincipalname=HTTP/squid3-proxy.domain.local using adsiedit.msc for example ?
>>>
>>> If you would have got a successful reply it would be a TGS REP and kerbtray would show
>>>
>>> DOMAIN.LOCAL
>>> |_ cifs/adserver1.domain.local
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ krbtgt/DOMAIN.LOCAL
>>> |_ LDAP/adserver1.domin.local/domain.local
>>> |_ ProtectedStorage/adserver1.domain.local
>>> |_ HTTP/asquid3-proxy.domain.local/domain.local
>>>
>>> Regards
>>> Markus
>>>
>>> lieven lie...@ba.be wrote in message news:4be94d3c.6040...@ba.be...
>>>> Hello again,
>>>>
>>>> This time, I got access to a pc in the AD domain.
>>>> When I monitor for both udp and tcp port 88, there is krb communication to be seen but it doesn't look right.
>>>> From AD server to client I see the following error: krb5kdc_err_s_principal_unknown
>>>>
>>>> It looks like this: (only krb5 and some tcp lines)
>>>>
>>>> 1. server - client: Krb Error: krb5kdc_err_s_principal_unknown
>>>> 2. client - server: AS-REQ
>>>> 3. server - client: KRB Error: krb5kdc_err_preauth_required
>>>> 4. client - server: AS-REQ
>>>> 5. server - client: AS-REP
>>>> 6. client - server: AS-REQ
>>>> 7. server - client: KRB Error: krb5kdc_err_preauth_required
>>>> ...{4-7} X7
>>>>
>>>> this sequence, starting from 3 is repeated a few times, as many times as I had to enter credentials in IE popup.
>>>>
>>>> Here is a detail from the error packet principal unknown:
>>>>
>>>> No. Time Source Destination Protocol Info
>>>> 6 0.009940 X.X.X.X X.X.X.X KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>>>
>>>> Frame 6 (179 bytes on wire, 179 bytes captured)
>>>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst: Dell_48:f3:90 (00:24:e8:48:f3:90)
>>>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>>>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248 (65248), Seq: 1, Ack: 1660, Len: 125
>>>> Kerberos KRB-ERROR
>>>>     Record Mark: 121 bytes
>>>>     Pvno: 5
>>>>     MSG Type: KRB-ERROR (30)
>>>>     stime: 2010-05-11 10:44:11 (UTC)
>>>>     susec: 313474
>>>>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>>>>     Realm: DOMAIN.LOCAL
>>>>     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>>>>         Name-type: Service and Instance (2)
>>>>         Name: HTTP
>>>>         Name: squid3-proxy.domain.local
>>>>
>>>> On this client pc, it is a windows vista, I have different kerberos tickets: (as per kerbtray)
>>>>
>>>> DOMAIN.LOCAL
>>>> |_ cifs/adserver1.domain.local
>>>> |_ krbtgt/DOMAIN.LOCAL
>>>> |_ krbtgt/DOMAIN.LOCAL
>>>> |_ LDAP/adserver1.domin.local/domain.local
>>>> |_ ProtectedStorage/adserver1.domain.local
>>>>
>>>> The encryption types are for all tickets: Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)
>>>> The client principal is use...@domain.local
>>>>
>>>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a lookup of the requested site and then a reply from the adserver (also dns) with the ip of the site.
>>>> I don't see any lookup of the proxy-server fqdn that is put as the connection proxy setting in the browser. (it is squid3-proxy.domain.local)
>>>>
>>>> Next, I tried to follow the requests on port 3128 tcp to the proxyserver:
>>>>
>>>> 1) the client requests a webpage to the proxyserver on port 3128: GET http://www.google.be/ HTTP/1.1 (http protocol)
>>>> 2) proxy sends back a 407: (http) HTTP/1.0 407 Proxy Authentication Requied
Re: [squid-users] Report of visited sites? (No filtering, just reporting)
did you try sarg?
It checks the squid logs and creates overviews of the visited sites per ip.

Marcello Romani wrote:
> Charles Bray wrote:
>> Hello,
>>
>> I am sure this must be a common question... please excuse.
>>
>> Does there exist a tool or example configuration that will enable me to log, and display in a nice HR department friendly format, the sites that users in our small office network are visiting?
>>
>> We are already using OpenDNS for filtering, but we do need per-user (just ip address) reporting. No need for actual content caching, either.
>>
>> Any suggestions?
>>
>> Thank you,
>> CB
>
> This is a good starting point:
> http://www.squid-cache.org/Scripts/
[squid-users] Re: squid_kerb_auth received type 1 NTLM token
Hello again,

This time, I got access to a pc in the AD domain.
When I monitor for both udp and tcp port 88, there is krb communication to be seen but it doesn't look right.
From AD server to client I see the following error: krb5kdc_err_s_principal_unknown

It looks like this: (only krb5 and some tcp lines)

1. server - client: Krb Error: krb5kdc_err_s_principal_unknown
2. client - server: AS-REQ
3. server - client: KRB Error: krb5kdc_err_preauth_required
4. client - server: AS-REQ
5. server - client: AS-REP
6. client - server: AS-REQ
7. server - client: KRB Error: krb5kdc_err_preauth_required
...{4-7} X7

this sequence, starting from 3 is repeated a few times, as many times as I had to enter credentials in IE popup.

Here is a detail from the error packet principal unknown:

No. Time Source Destination Protocol Info
6 0.009940 X.X.X.X X.X.X.X KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst: Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248 (65248), Seq: 1, Ack: 1660, Len: 125
Kerberos KRB-ERROR
    Record Mark: 121 bytes
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2010-05-11 10:44:11 (UTC)
    susec: 313474
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: DOMAIN.LOCAL
    Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
        Name-type: Service and Instance (2)
        Name: HTTP
        Name: squid3-proxy.domain.local

On this client pc, it is a windows vista, I have different kerberos tickets: (as per kerbtray)

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local

The encryption types are for all tickets: Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)
The client principal is use...@domain.local

I also traced DNS on udp and tcp 53, this seems to work ok; it shows a lookup of the requested site and then a reply from the adserver (also dns) with the ip of the site.
I don't see any lookup of the proxy-server fqdn that is put as the connection proxy setting in the browser. (it is squid3-proxy.domain.local)

Next, I tried to follow the requests on port 3128 tcp to the proxyserver:

1) the client requests a webpage to the proxyserver on port 3128: GET http://www.google.be/ HTTP/1.1 (http protocol)
2) proxy sends back a 407: (http) HTTP/1.0 407 Proxy Authentication Requied (text/html)
3) client responds with (http) GET http://www.google.be/ HTTP/1.1 , NTLMSSP_NEGOTIATE

Between each point there is some tcp syn/ack/fin traffic which I can post if needed.
The last 2 points are repeated a few times where the proxy requests authentication, expecting kerberos and the client responding with ntlm for some reason.

In Firefox, It is the same as IE, proxy auth required followed by an ntlmssp_negotiate from the client.

Why I don't get kerberos to work is a mystery to me as it seems to work in the domain itself when computers authenticate to get access to shares etc...

Any clues welcome.

thanks,
Lieven

--
Please Visit us at V-ICT-OR shopt IT
25 May 2010 - De Montil - Affligem
Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45
Re: [squid-users] squid non-accel default website
I might be completely misunderstanding your request but can't you just run a http daemon like apache on your proxyserver that serves a page with explanations?

rgds,
Lieven

Nils Hügelmann wrote:
> Hi,
>
> i have a non-accel non-transparent squid 3.1 running on port 80, and when someone accesses the proxy directly (via http://hostname or http://ip) i want the proxy to show an explanation website.
>
> At the current state, it shows an invalid URL ... while trying to retrieve the URL: / error on direct access, which prevents using url rewriters(and deny_info too?!)
>
> so how to do this?...
>
> Thanks
> Nils
Re: [squid-users] Re: squid_kerb_auth received type 1 NTLM token
That seems to clarify my problems. thank you.

After the msktutil, I saw that a new computer object had been made in the AD.
In adsiedit, I opened this squid3-proxy computeraccount and checked its principalname service.
There was only HTTP/domain.local so I manually added HTTP/squid3-proxy.domain.local.

Then after I did a new webrequest via the proxyserver, I saw this HTTP/squid3-proxy.domain.local service principal in kerbtray.

Only, it still pops up with a authentication request so I'm not yet there.
Anyway, tomorrow I'll have access to the local pc and a wireshark trace will probably help me solve this further.

thanks for all the effort already.

cheers.
Lieven

Markus Moeller wrote:
> Hi Lieven,
>
> The problem seems to be the krb5kdc_err_s_principal_unknown error. If you took the capture earlier you should have seen a TGS REQ in wireshark for HTTP/squid3-proxy.domain.local and AD says it does not know anything about this principal. Can you search AD if you have an entry with serviceprincipalname=HTTP/squid3-proxy.domain.local using adsiedit.msc for example ?
>
> If you would have got a successful reply it would be a TGS REP and kerbtray would show
>
> DOMAIN.LOCAL
> |_ cifs/adserver1.domain.local
> |_ krbtgt/DOMAIN.LOCAL
> |_ krbtgt/DOMAIN.LOCAL
> |_ LDAP/adserver1.domin.local/domain.local
> |_ ProtectedStorage/adserver1.domain.local
> |_ HTTP/asquid3-proxy.domain.local/domain.local
>
> Regards
> Markus
>
> lieven lie...@ba.be wrote in message news:4be94d3c.6040...@ba.be...
>> Hello again,
>>
>> This time, I got access to a pc in the AD domain.
>> When I monitor for both udp and tcp port 88, there is krb communication to be seen but it doesn't look right.
>> From AD server to client I see the following error: krb5kdc_err_s_principal_unknown
>>
>> It looks like this: (only krb5 and some tcp lines)
>>
>> 1. server - client: Krb Error: krb5kdc_err_s_principal_unknown
>> 2. client - server: AS-REQ
>> 3. server - client: KRB Error: krb5kdc_err_preauth_required
>> 4. client - server: AS-REQ
>> 5. server - client: AS-REP
>> 6. client - server: AS-REQ
>> 7. server - client: KRB Error: krb5kdc_err_preauth_required
>> ...{4-7} X7
>>
>> this sequence, starting from 3 is repeated a few times, as many times as I had to enter credentials in IE popup.
>>
>> Here is a detail from the error packet principal unknown:
>>
>> No. Time Source Destination Protocol Info
>> 6 0.009940 X.X.X.X X.X.X.X KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>>
>> Frame 6 (179 bytes on wire, 179 bytes captured)
>> Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst: Dell_48:f3:90 (00:24:e8:48:f3:90)
>> Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
>> Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248 (65248), Seq: 1, Ack: 1660, Len: 125
>> Kerberos KRB-ERROR
>>     Record Mark: 121 bytes
>>     Pvno: 5
>>     MSG Type: KRB-ERROR (30)
>>     stime: 2010-05-11 10:44:11 (UTC)
>>     susec: 313474
>>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>>     Realm: DOMAIN.LOCAL
>>     Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
>>         Name-type: Service and Instance (2)
>>         Name: HTTP
>>         Name: squid3-proxy.domain.local
>>
>> On this client pc, it is a windows vista, I have different kerberos tickets: (as per kerbtray)
>>
>> DOMAIN.LOCAL
>> |_ cifs/adserver1.domain.local
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ krbtgt/DOMAIN.LOCAL
>> |_ LDAP/adserver1.domin.local/domain.local
>> |_ ProtectedStorage/adserver1.domain.local
>>
>> The encryption types are for all tickets: Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type)
>> The client principal is use...@domain.local
>>
>> I also traced DNS on udp and tcp 53, this seems to work ok; it shows a lookup of the requested site and then a reply from the adserver (also dns) with the ip of the site.
>> I don't see any lookup of the proxy-server fqdn that is put as the connection proxy setting in the browser. (it is squid3-proxy.domain.local)
>>
>> Next, I tried to follow the requests on port 3128 tcp to the proxyserver:
>>
>> 1) the client requests a webpage to the proxyserver on port 3128: GET http://www.google.be/ HTTP/1.1 (http protocol)
>> 2) proxy sends back a 407: (http) HTTP/1.0 407 Proxy Authentication Requied (text/html)
>> 3) client responds with (http) GET http://www.google.be/ HTTP/1.1 , NTLMSSP_NEGOTIATE
>>
>> Between each point there is some tcp syn/ack/fin traffic which I can post if needed.
>> The last 2 points are repeated a few times where the proxy requests authentication, expecting kerberos and the client responding with ntlm for some reason.
>>
>> In Firefox, It is the same as IE, proxy auth required followed by an ntlmssp_negotiate from the client.
>>
>> Why I don't get kerberos to work is a mystery to me as it seems to work in the domain itself when computers authenticate to get access to shares etc...
>>
>> Any clues welcome.
>>
>> thanks,
>> Lieven
[squid-users] Re: squid_kerb_auth received type 1 NTLM token
Hello Markus,

Sorry for my slow reaction.

1) I did a klist on the squid server and got this ticket:

squid3-proxy:/var/log/squid-3.1.3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.local

Valid starting     Expires            Service principal
05/09/10 14:35:00  05/10/10 00:34:04  krbtgt/domain.lo...@domain.local
        renew until 05/10/10 14:35:00

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Do I have to renew this ticket from the server everyday?
I thought that I only needed this ticket once to get my squid server into the AD domain with the msktutil?

2) I installed the kerbtray tool from the windows 2003 tools on my xp pc.
My xp pc is connected via a windows vpn for this test, I logon with my domain credentials, connecting to vpn works fine.
As soon as I try to connect to a site via the squid3-proxy server, I get one ticket in kerbtray.
This is the only ticket I have in the list:

krbtgt/DOMAIN.LOCAL
for the client principal: b...@domain.local
the service name is: krbtgt/domain.lo...@domain.local
target name is: krbtgt/dom...@domain.local
flags: forwardable, renewable, preauthenticated, initial
encryption types: ticket encryption time: etype 18 and key encryption type: etype 0

regarding DNS, I doublechecked and A and PTR lookup are ok from the client.

3) When I open a site in my firefox browser on the client where I put the fqdn name as proxyserver, I see following in the cache.log on squid:

2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:03| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/05/09 14:59:04| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:04| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

4) It seems that winpcap 4.1 which I installed on my client is not able to scan the ppp interface which I use to connect to the windows vpn.
I will send a dump from that traffic as soon as I have access to a pc at the location. (non vpn)

How do I add a dump from wireshark?
I got a tcpdump on the squid server which I opened in wireshark and then I exported it as a plaintext file (all captured traffic, 49 packets) but it's quite large. (about 917 lines)

Thanks for your help.

kind regards,
Lieven
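
The helper warning in the log above comes down to what the client put in the Negotiate token. As an added example (not part of the original post, and not the squid_kerb_auth source), this script reads helper debug lines in the cache.log format shown above and reports whether each token is raw NTLMSSP, SPNEGO or Kerberos; the sample tokens and log lines are constructed for illustration.

```python
import base64
import re
import struct
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2

# Helper debug line as it appears in the cache.log excerpt above
# (YR = initial request, KK = continuation in the Squid helper protocol).
HELPER_LINE = re.compile(r"squid_kerb_auth: DEBUG: Got '(?:YR|KK) (\S+)' from squid")


def gss_mech_oid(raw):
    """Return the mechanism OID of a GSS-API InitialContextToken, or None."""
    if len(raw) < 2 or raw[0] != 0x60:        # 0x60 = ASN.1 [APPLICATION 0]
        return None
    pos = 2
    if raw[1] & 0x80:                         # long-form DER length
        pos += raw[1] & 0x7F
    if len(raw) < pos + 2 or raw[pos] != 0x06:
        return None
    oid_len = raw[pos + 1]
    oid = raw[pos + 2:pos + 2 + oid_len]
    return oid if len(oid) == oid_len else None


def classify_token(b64_token):
    """Classify one base64 Negotiate token by its leading bytes."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIG):
        if len(raw) < 12:
            return "ntlm-truncated"
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # 1, 2 or 3
        return "ntlm-type-%d" % msg_type
    oid = gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        return "spnego"      # mechanism list inside is not inspected here
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def summarize(log_lines):
    """Count token kinds seen in helper debug lines; other lines are skipped."""
    counts = Counter()
    for line in log_lines:
        match = HELPER_LINE.search(line)
        if match:
            counts[classify_token(match.group(1))] += 1
    return dict(counts)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (not taken from the thread).
SAMPLE_NTLM_TYPE1 = _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0xA2088207) + bytes(16))
SAMPLE_SPNEGO = _b64(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00")

# Constructed log lines in the same layout as the excerpt above.
SAMPLE_LOG = [
    "2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: %d)."
    % (SAMPLE_NTLM_TYPE1, len(SAMPLE_NTLM_TYPE1) + 3),
    "2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token",
    "2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: %d)."
    % (SAMPLE_NTLM_TYPE1, len(SAMPLE_NTLM_TYPE1) + 3),
    "2010/05/09 15:10:12| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: %d)."
    % (SAMPLE_SPNEGO, len(SAMPLE_SPNEGO) + 3),
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE_LOG).items()):
        print("%-14s %d" % (kind, count))
```

A steady count of `ntlm-type-1` from a client means it never obtained a service ticket for the proxy and fell back to NTLM, which a Kerberos-only helper rejects.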
Re: [squid-users] make squid-3.1.1
Hi,

this problem is solved, completely something on my side as expected:
It seems that my first try to download and compile the cvs of squid_kerb_auth had compromised the make with squid3.1.1. Even after make clean.

I installed a fresh debian lenny and this time compiling squid with the helpers worked fine.

thank you,
Lieven

Henrik Nordström wrote:
> On Wed 2010-04-28 at 18:46 +0200, lieven wrote:
>> squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
>> ../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
>> base64.o:(.rodata+0x0): first defined here
>
> Try this:
>
> echo > helpers/negotiate_auth/squid_kerb_auth/base64.c
>
> Appears that file is duplicate and colliding with the same from within the main parts of the Squid source tree.
>
> Regards
> Henrik
[squid-users] squid_kerb_auth received type 1 NTLM token
Dear list,

I have currently a problem where it seems that my clients, webbrowsers firefox 3.5 and IE8 only seem to return NTLM tokens as authentication instead of kerberos.

This is the error in the cache log from squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
...

squid has been configured like this:

./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/opt/squid-3.1.3

make and make install went fine.
the squid box is a cleanly installed debian lenny i386.

Squid itself seems to run fine, I can browse through it.
Then my goal to use kerberos authentication fails with the error above.

in my krb5.conf I have the following info in my realm:

kdc = xxx.xxx.xxx.xxx
admin_server = xxx.xxx.xxx.xxx

these are the libdefaults:

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/HTTP.keytab
ticket_lifetime = 24h

the /etc/HTTP.keytab file is like this:

-rw-r- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab

squid is running as user squid

First I got a kerberos ticket with: kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a windows 2008 dc and I used msktutil like this:

msktutil -c -b CN=COMPUTERS -s HTTP/domain.local -h domain.local -k /etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28

The squid config file is quite basic. (only relevant parts here - I think)

auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED

DNS seems to work alright, the AD server is used for dns and has a working A and PTR record for the squid3-proxy.domain.local server because the A and PTR lookups return the correct results when run from the server and from the clients.

Is there anybody out there who can help me troubleshoot this problem?

I found tutorials where the keytab file is created on the windows server but that's not necessary if I use the msktutil, right?

thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven
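
The thread later resolves this as a keytab that held an HTTP principal for the realm name but none for the proxy host that clients have in their browser settings. A check for that mismatch, as an added example (not from the original posts): it parses MIT-style `klist -k` listing text and looks for the principal a client would request, and both keytab listings below are constructed for illustration.

```python
import re

# One data row of MIT-style `klist -k` output: "<KVNO> <principal>@<REALM>".
# Header, separator and "Keytab name:" lines do not match and are ignored.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -k` style text."""
    found = set()
    for line in klist_output.splitlines():
        match = KLIST_ROW.match(line)
        if match:
            found.add(match.group(2))
    return found


def expected_spn(proxy_fqdn, realm, service="HTTP"):
    """SPN a browser requests for the proxy name it was configured with."""
    host = proxy_fqdn.strip().rstrip(".").lower()
    return "%s/%s@%s" % (service, host, realm.upper())


def check_keytab(klist_output, proxy_fqdn, realm):
    """Report whether the keytab can decrypt tickets issued for the proxy."""
    want = expected_spn(proxy_fqdn, realm)
    have = keytab_principals(klist_output)
    if want in have:
        return {"status": "ok", "expected": want, "candidates": []}
    # Keytab lookups are exact, so a case difference also fails.
    near = sorted(p for p in have if p.lower() == want.lower())
    if near:
        return {"status": "case-mismatch", "expected": want, "candidates": near}
    http_entries = sorted(p for p in have if p.upper().startswith("HTTP/"))
    return {"status": "missing", "expected": want, "candidates": http_entries}


# Constructed listing: HTTP principal exists only for the realm name.
KEYTAB_REALM_ONLY = """\
Keytab name: FILE:/etc/HTTP.keytab
KVNO Principal
---- --------------------------------------------------
   2 squid3-proxy$@DOMAIN.LOCAL
   2 HTTP/domain.local@DOMAIN.LOCAL
"""

# Constructed listing: HTTP principal for the proxy host is present.
KEYTAB_WITH_HOST = """\
Keytab name: FILE:/etc/HTTP.keytab
KVNO Principal
---- --------------------------------------------------
   3 squid3-proxy$@DOMAIN.LOCAL
   3 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL
"""

if __name__ == "__main__":
    for name, listing in (("realm-only", KEYTAB_REALM_ONLY),
                          ("with-host", KEYTAB_WITH_HOST)):
        result = check_keytab(listing, "squid3-proxy.domain.local", "domain.local")
        print(name, result["status"], result["expected"], result["candidates"])
```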
Re: [squid-users] make squid-3.1.1
Thank you Henrik.

I just tried your suggestion and emptied the base64.c file.
It did solve one problem but a new one arises.

I took following actions:

make clean
./configure
make

and now it stops like this:

gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
squid_kerb_auth.o: In function `main':
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:374: undefined reference to `ska_base64_decode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:379: undefined reference to `ska_base64_decode'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:429: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode'
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

Maybe I can just compile the squid_kerb_auth helper and install the rest of squid3 with apt-get.
I already tried downloading the squid_kerb_auth from the cvs (sourceforge project) but couldn't get it to configure.
Here, when I go into the squid_kerb_auth folder, at least the configure works.

Sorry if this sounds gibberish, I'm not a programmer.

thanks for your help.
Lieven

Henrik Nordström wrote:
> On Wed 2010-04-28 at 18:46 +0200, lieven wrote:
>> squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
>> ../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
>> base64.o:(.rodata+0x0): first defined here
>
> Try this:
>
> echo > helpers/negotiate_auth/squid_kerb_auth/base64.c
>
> Appears that file is duplicate and colliding with the same from within the main parts of the Squid source tree.
>
> Regards
> Henrik
Re: [squid-users] make squid-3.1.1
Hi Nick,

Thank you very much for your reply.

I found the following page:
http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg535930.html

Next, I apt-get installed the following packets:
libldap2-dev, libpam0g-dev, sharutils, dpatch (= 2.0.9), po-debconf, libdb-dev, libgssglue-dev, libkrb5-dev
except for libkrb5-dev because I have heimdal-dev (Maybe I should switch to MIT version?)

Anyways, after a

*) make clean
*) ./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/usr/local/sbin/squid-3.0
*) make

- I get the same problem. It just stops the same way as before.

Then I tried an apt-get install squid3, this works fine but I do not have the much-wanted squid_kerb_auth because it is not included in the standard squid configure options.

thanks for your help though.

kind regards,
Lieven

Nick Cairncross wrote:
> Dependencies perhaps - krb5, cyrus-sasl, gss etc?
>
> -Original Message-
> From: lieven [mailto:lie...@ba.be]
> Sent: 28 April 2010 17:47
> To: squid-users@squid-cache.org
> Subject: [squid-users] make squid-3.1.1
>
> Dear list and people therein,
>
> I'm currently trying to compile (make) the squid 3.1.1 which I just downloaded from the squid-cache site.
> The OS is Debian Lenny 64bit. build-essentials was installed.
> ./configure works fine, I get a make file.
> Then I run make, it goes along for some time and then stops. (logging included below)
>
> If anybody can point me in the good direction to solve this, thank you very much.
>
> ...
> gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
> ../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
> base64.o:(.rodata+0x0): first defined here
> collect2: ld returned 1 exit status
> make[5]: *** [squid_kerb_auth] Error 1
> make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
> make[4]: *** [all-recursive] Error 1
> make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
> make[3]: *** [all] Error 2
> make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
> make: *** [all-recursive] Error 1
>
> kind regards,
> Lieven
[squid-users] make squid-3.1.1
Dear list and people therein,

I'm currently trying to compile (make) the squid 3.1.1 which I just downloaded from the squid-cache site.
The OS is Debian Lenny 64bit. build-essentials was installed.
./configure works fine, I get a make file.
Then I run make, it goes along for some time and then stops. (logging included below)

If anybody can point me in the good direction to solve this, thank you very much.

...
gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
base64.o:(.rodata+0x0): first defined here
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

kind regards,
Lieven
Re: [squid-users] ntlm auth, unauthorized users without popup window
Horváth Szabolcs [EMAIL PROTECTED] writes:

> Hi!
>
> I've successfully configured squid to use ntlm authentication.
> If the authenticated users go through the proxy, the web page will be loaded.
> In the opposite side, if any unauthorized users want to browse, popup window appears (username, password). I know is the default behaviour.
>
> Is there any chance to not to popup authentication window in this case?
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-298725999-1398125-441284377-12796
> auth_param ntlm children 100
> auth_param ntlm max_challenge_reuses 100
> auth_param ntlm max_challenge_lifetime 5 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-298725999-1398125-441284377-12796
> auth_param basic children 100
> auth_param basic realm Kerem adja meg felhasznalonevet es jelszavat
> auth_param basic credentialsttl 1 hours
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow AuthorizedUsers
> http_access deny all

Perhaps by removing the basic authenticator?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Re: [squid-users] Squid content filter
Guillaume [EMAIL PROTECTED] writes:

> I would like to know if there is a plugin for squid or an parameter in squid.conf to have the ability to filter word that are forbidden...
> Ex: sex, porn, etc...
> I'm on squid NT.
> thanks for your replies.

http://dansguardian.org/
Re: [squid-users] How can I allow hosts to access web through squid without restarting?
Riaz Uddin [EMAIL PROTECTED] writes:

> Dear,
>
> I'm using squid as my proxy server in my network and allowing hosts to access web by setting my proxy server in browser. Without the setting people aren't allowed to access web. I'm very beginner in using squid. To allow host to access web I do two steps and steps are:
>
> 1. Write lines in squid.conf:
>
> acl usr1 src 172.16.0.5
> http_access allow usr1
> has more.
>
> 2. After writing the above lines, I restart the squid service.

No need to restart squid. Use

squid -k parse

to check your squid.conf for errors and when this works use

squid -k reconfigure

to start using it. Connections in progress will not be disturbed by this.
Re: [squid-users] How to bypass authentication for some URLs?
Tan, Kian Tiong [EMAIL PROTECTED] writes:

Hi, does anyone know how to access certain URLs without going through authentication (like msntauth)? I use the following:

    acl surf dstdomain www.google.com
    always_direct allow surf

But it doesn't work. Is there any other method?

always_direct does something entirely different. Use

    http_access allow surf

before the http_access line that requires authentication.
Re: [squid-users] HOw to use max_user_ip
Li Wei [EMAIL PROTECTED] writes:

The option max_user_ip is a new function with Squid 2.5. From its description, it seems very useful. However, I have failed in using it. Is there any advice for me about how to use it?

    acl multiple max_user_ip -s 1
    http_access deny multiple

will stop people using a userid on 2 machines simultaneously.
Re: [squid-users] Still Fail to Authenticate
Aqil [EMAIL PROTECTED] writes:

Here is the content of my file1:

    user1:Q9jp0EYusm5eo

Is there someone out there who wants to kindly try for me (with the ncsa authentication scheme)? :)

Seems fine to me.

    http-proxy-intern:/tmp# cat test.auth
    user1:Q9jp0EYusm5eo
    http-proxy-intern:/tmp# /usr/lib/squid/ncsa_auth ./test.auth
    user1 password4user1
    OK
Re: [squid-users] I have an ACL blocking access but i want webmail
Frank Chibesakunda [EMAIL PROTECTED] writes:

My current acl rule is:

    acl center_user 192.168.10.2-192.168.10.110
    acl browse time 08:30-15:30
    http_access deny center_user
    http_access deny center_user browsetime

This is redundant. The above matches center_user AND browsetime but center_user is already rejected in the line above.

I am saying the above works, but I want to allow my webmail to be accessed during the time my users have been blocked, i.e. my webmail address is http://mail.zen.co.zm, how do I allow it to be accessed?

    acl webmail dst mail.zen.co.zm
    http_access allow webmail
    http_access deny center_user
    http_access deny browsetime
    http_access allow all

--
I do not want people to be agreeable, as it saves me the trouble of liking them.
Jane Austen
Re: [squid-users] squid works but the url,ip,words block not :(
kelly kloen [EMAIL PROTECTED] writes:

My squid proxy works now on a redhat 9.0. I have this in my squid.conf:

    acl leerling src 212.178.168.0/255.255.254.0
    acl block url_regex -i /var/log/squid/block/block.txt
    acl ip dst /var/log/squid/block/ip.txt
    acl url dstdomain /var/log/squid/block/url.txt
    # And finally deny all other access to this proxy
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access allow leerling
    http_access deny block
    http_access deny ip
    http_access deny url
    http_access deny all

And the files in /var/log/squid/block now have root/root access. And in the block.txt is the word porno, so it needs to block every url with porno in it. But when I look on the local machine I can still access porno.nl. How can I see if it uses the files?

dstdomain matches the exact domain. Perhaps you want dstdom_regex? Also, since allow localhost comes before deny {block,ip,url}, both localhost and the student network are allowed to access all sites. This is probably what you meant:

    http_access deny block
    http_access deny ip
    http_access deny url
    http_access allow localhost
    http_access allow leerling
    http_access deny all
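An added illustration of the ordering point made in the reply above (not part of the original message, and not Squid's own code): a simplified Python model of http_access first-match evaluation, run over the thread's rules before and after reordering. The ACL table, the sample request and all function names are constructed for this example, and the ip and url ACLs are left out for brevity.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed ACL table mirroring the thread (the ip and url ACLs are omitted).
ACLS = {
    "localhost": lambda r: ip_address(r["src"]) == ip_address("127.0.0.1"),
    "leerling": lambda r: ip_address(r["src"]) in ip_network("212.178.168.0/255.255.254.0"),
    "block": lambda r: re.search("porno", r["url"], re.I) is not None,
    "all": lambda r: True,
}

ORIGINAL = """
http_access allow localhost
http_access allow leerling
http_access deny block
http_access deny all
"""
REORDERED = """
http_access deny block
http_access allow localhost
http_access allow leerling
http_access deny all
"""

def parse_rules(text):
    """Turn 'http_access allow a !b' lines into (action, [acl names]) tuples."""
    rules = []
    for line in text.strip().splitlines():
        directive, action, *names = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((action, names))
    return rules

def acl_matches(name, request):
    hit = ACLS[name.lstrip("!")](request)
    return not hit if name.startswith("!") else hit

def decide(rules, request):
    """Return (action, rule number): the first rule whose ACLs ALL match wins."""
    for number, (action, names) in enumerate(rules, 1):
        if all(acl_matches(n, request) for n in names):
            return action, number
    # Nothing matched: the default is the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

STUDENT = {"src": "212.178.169.20", "url": "http://www.porno.nl/"}  # constructed

def compare(request):
    return decide(parse_rules(ORIGINAL), request), decide(parse_rules(REORDERED), request)
```

Calling compare(STUDENT) returns the decision under each ordering together with the number of the rule that made it, which is the quickest way to see which line a request actually hits.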
Re: [squid-users] How to do? authentication and ip-range
Sander Winkel [EMAIL PROTECTED] writes:

I want to give access only to computers from a specified ip-range, and the users at that ip-range must be validated with radius authentication. The radius authentication works well, but I don't know how to define that only the specified IP-range has access to the server. Oh yes, I know that it could be done as specified below:

    acl clients src 192.168.0.0/255.255.255.0
    http_access allow clients

But when I put this before:

    http_access allow password

all the users within that range have access to the cache without authentication. I think it's not so difficult to get this to work, but I don't see the solution at the moment. I hope you can help me.

acl's can be combined so you do

    http_access allow clients password

--
There is only one war, and it's not the rich against the poor, the blacks against the whites, the Federation against the Borg, or the Democrats versus the Republicans. It's those of us who aren't complete idiots against those of us who are.
[squid-users] authenticate_ip_ttl logging
In recent versions of squid, the authenticate_ip_ttl mechanism has been changed with the max_user_ip acl. Previous versions of squid logged multiple ip address use with the user name which was handy to force password changes of compromised userids. Is there a way to get this logging back?
Re: [squid-users] authenticate_ip_ttl logging
Henrik Nordstrom [EMAIL PROTECTED] writes:

Not easily, but as a quick fix adding a log statement to the acl processing of max_user_ip might suffice. However, you might then be somewhat flooded with messages if the users persist in trying to get access.

Yes, that would work. As another quick and dirty trick, logging to syslog with its own severity and letting syslog consolidate the identical lines would solve the flood objection.
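Added example, not from the thread and not Squid code: one way to recover the "user name seen from multiple addresses" view discussed above from access.log after the fact, without patching the max_user_ip ACL. It assumes the native log layout with the authenticated user name in the eighth field and a chronologically ordered log; the sample lines, the 300-second window and the function names are constructed.

```python
from collections import defaultdict

# Constructed sample lines in the native access.log layout (assumed field order:
# time elapsed client code/status bytes method URL user hierarchy/peer type).
SAMPLE_LOG = """\
1060000000.100    120 192.168.0.10 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1060000030.200     80 192.168.0.10 TCP_MISS/200 2048 GET http://example.com/a alice DIRECT/192.0.2.10 text/html
1060000045.300     95 192.168.0.77 TCP_MISS/200 1024 GET http://example.org/ alice DIRECT/192.0.2.20 text/html
1060000050.000     60 192.168.0.11 TCP_HIT/200 900 GET http://example.com/ bob NONE/- text/html
1060004000.000     70 192.168.0.12 TCP_MISS/200 700 GET http://example.net/ bob DIRECT/192.0.2.30 text/html
1060004010.000     10 192.168.0.13 TCP_DENIED/407 1500 GET http://example.net/ - NONE/- text/html
"""

def parse_line(line):
    """Return (timestamp, client_ip, user), or None for malformed or anonymous entries."""
    fields = line.split()
    if len(fields) < 10 or fields[7] == "-":
        return None
    try:
        return float(fields[0]), fields[2], fields[7]
    except ValueError:
        return None

def shared_logins(log_text, window=300.0):
    """Map user -> sorted client IPs when the user is seen from 2+ IPs within `window` seconds."""
    last_seen = defaultdict(dict)   # user -> {ip: timestamp of latest request}
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        last_seen[user][ip] = ts
        # Addresses this user has been active from inside the sliding window.
        active = {addr for addr, seen in last_seen[user].items() if ts - seen <= window}
        if len(active) > 1:
            flagged[user] |= active
    return {user: sorted(ips) for user, ips in flagged.items()}
```

Because each flagged user is reported once with the set of addresses involved, repeated attempts do not produce the flood of identical messages raised as an objection in the thread.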
Re: [squid-users] Access Denied on an URL with a port
Cliff Barnes [EMAIL PROTECTED] writes:

I guess it's because of the :85, but I don't know... please help me!

Add port 85 to the Safe_ports acl in squid.conf.

--
Never argue with a fool in public. People might not see the difference.