Re: [squid-users] squid_kerb_auth Backup-Auth server?
Thanks for the response. I will try it. But as Markus mentioned before, authentication doesn't need any configured KDCs because it looks into AD. It didn't help for me, maybe caused by the one kdc entry in the realm section you mentioned below. I hope I find time to test both scenarios.

Regards
Andrew

On Friday, 2 October 2009 22:26:19, andrew wrote:
> Mrvka Andreas wrote:
>> Hi list,
>>
>> does anybody know if there is any chance to define a backup kerberos authentication server? Do I have to set anything in krb5.conf to support more than one AD server? If I want to reboot the kerberos server, squid should still be able to authenticate. Are there any hints?
>>
>> Regards
>> Andrew
>
> Try several kdc lines in the /etc/krb5.conf file. Like this:
>
>     [realms]
>     DOMAIN.BLA = {
>         kdc = kerbserver1.domain.bla
>         kdc = kerbserver2.domain.bla
>     }
>
> HTH,
> Andrew
[squid-users] squid_kerb_auth Backup-Auth server?
Hi list,

does anybody know if there is any chance to define a backup kerberos authentication server? Do I have to set anything in krb5.conf to support more than one AD server? If I want to reboot the kerberos server, squid should still be able to authenticate. Are there any hints?

Regards
Andrew
Re: [squid-users] Re: Re: Re: Re: squid_kerb_auth.... Key Version number?
Hello Markus,

I thought there would be more changes in the wiki than what you have written. You write about either using msktutil or net ads... but not both. In fact, after installation of squid I did it the way via msktutil, but ntlm authentication didn't work afterwards. Maybe it was because of the client cache I misunderstood.

If you say my installation will run into misbehaviours of my keys (msktutil and net ads at the same time) then I will try to
- delete the kerberos key on the windows client
- use either msktutil or net ads

Maybe I can share my experience again.

Thanks a lot
Andrew

On Sunday, 27 September 2009 22:30:18, Markus Moeller wrote:
> Andrew,
>
> I added more details to the wiki for cases where Samba is used too. I hope this helps.
>
> Regards
> Markus
>
> Mrvka Andreas <m...@tuv.at> wrote in message news:200909250845.48301@tuv.at...
>> Agreed. So if I read your mail correctly you want to say:
>> - net ads join uses _computer-name_ to identify the authentication scheme
>> - msktutil (kerberos) only watches the _service_ (http, cifs, ...)
>>
>> The HowTo should look like:
>> 1. use net ads join to talk via computer-name with AD
>> 2. use msktutil _with a non-existent computer-name_ so that the associated HOST/non-existenthostname can not correlate with net ads join
>>
>> Only the servicePrincipal HTTP/fqdn is important for squid/kerberos.
>>
>> Have I understood you in the right way? And will it work to use a non-existent hostname, or will msktutil fail? :-)
>>
>> The best way would be - the client sends an NTLM token and squid_kerb_auth does the rest. :-)
>>
>> Thanks for support. I can imagine lots of other squid-users use net ads join and want to implement kerberos too.
>>
>> Regards
>> Andrew
>>
>> On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
>>> Henrik Nordstrom <hen...@henriknordstrom.net> wrote in message news:1253822657.5592.1.ca...@localhost.localdomain...
>>>> Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
>>>>> You are right - I have to use NTLM too because there are many IE 6 around. But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind). How should I configure a browser setting then? I want to set only one proxy server.
>>>>
>>>> Hmm.. I then suspect the HTTP ticket will get mismatched again in some time when the computer account is renewed by Samba.
>>>
>>> I think so too. Let me try to explain. Each entry in AD has a key associated with it. For a user account the key is based on the user password and for a computer it is based on a random password. As you may have seen, each entry in AD also has a serviceprincipalname attribute. This attribute is used to associate a Kerberos principal with a key. You will see a computer account usually has HOST/shorthostname and host/fqdn serviceprincipal names, and HTTP/fqdn if IIS is installed and cifs/fqdn for fileshares.
>>>
>>> net ads join creates an entry in AD with a random password with CN=hostname. If you use msktutil with --computer-name hostname the same AD entry will be used, and since both commands will set a random password you will get conflicts. For Kerberos the computer name doesn't matter (only the serviceprincipalname attribute is important), which is why you should use msktutil with any computer name (e.g. shorthostname-http) to avoid the conflict. Additionally msktutil sets the userprincipalname when you use --upn. The userprincipalname is used to authenticate a principal (user or other, e.g. HTTP/fqdn) via kinit. So if you use msktutil as described, kinit -kt keytab HTTP/fqdn will authenticate HTTP/fqdn with the key (= encrypted random password) stored in the keytab.
>>>
>>>> If that's the case then I also guess you should be able to automatically renew the HTTP ticket using the Samba keytab however. But Kerberos is not my main field of expertise..
>>>>
>>>> Regards
>>>> Henrik
>>>
>>> Regards
>>> Markus
Re: [squid-users] Re: Re: Re: squid_kerb_auth.... Key Version number?
Agreed. So if I read your mail correctly you want to say:
- net ads join uses _computer-name_ to identify the authentication scheme
- msktutil (kerberos) only watches the _service_ (http, cifs, ...)

The HowTo should look like:
1. use net ads join to talk via computer-name with AD
2. use msktutil _with a non-existent computer-name_ so that the associated HOST/non-existenthostname can not correlate with net ads join

Only the servicePrincipal HTTP/fqdn is important for squid/kerberos.

Have I understood you in the right way? And will it work to use a non-existent hostname, or will msktutil fail? :-)

The best way would be - the client sends an NTLM token and squid_kerb_auth does the rest. :-)

Thanks for support. I can imagine lots of other squid-users use net ads join and want to implement kerberos too.

Regards
Andrew

On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
> Henrik Nordstrom <hen...@henriknordstrom.net> wrote in message news:1253822657.5592.1.ca...@localhost.localdomain...
>> Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
>>> You are right - I have to use NTLM too because there are many IE 6 around. But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind). How should I configure a browser setting then? I want to set only one proxy server.
>>
>> Hmm.. I then suspect the HTTP ticket will get mismatched again in some time when the computer account is renewed by Samba.
>
> I think so too. Let me try to explain. Each entry in AD has a key associated with it. For a user account the key is based on the user password and for a computer it is based on a random password. As you may have seen, each entry in AD also has a serviceprincipalname attribute. This attribute is used to associate a Kerberos principal with a key. You will see a computer account usually has HOST/shorthostname and host/fqdn serviceprincipal names, and HTTP/fqdn if IIS is installed and cifs/fqdn for fileshares.
>
> net ads join creates an entry in AD with a random password with CN=hostname. If you use msktutil with --computer-name hostname the same AD entry will be used, and since both commands will set a random password you will get conflicts. For Kerberos the computer name doesn't matter (only the serviceprincipalname attribute is important), which is why you should use msktutil with any computer name (e.g. shorthostname-http) to avoid the conflict. Additionally msktutil sets the userprincipalname when you use --upn. The userprincipalname is used to authenticate a principal (user or other, e.g. HTTP/fqdn) via kinit. So if you use msktutil as described, kinit -kt keytab HTTP/fqdn will authenticate HTTP/fqdn with the key (= encrypted random password) stored in the keytab.
>
>> If that's the case then I also guess you should be able to automatically renew the HTTP ticket using the Samba keytab however. But Kerberos is not my main field of expertise..
>>
>> Regards
>> Henrik
>
> Regards
> Markus
Re: [squid-users] Re: Re: squid_kerb_auth.... Key Version number?
Hi,

On Wednesday, 23 September 2009 23:45:17, Markus Moeller wrote:
> Mrvka Andreas <m...@tuv.at> wrote in message news:200909230856.14501@tuv.at...
>> Well, what do you mean with clearing cache on the Windows client? Do you mean the AD Server Win2k8 or a normal Windows browser cache?
>
> Windows XP Kerberos cache. When you authenticate on XP (or other Windows systems) against AD you cache a ticket for about 8 hours. This ticket is used to get a so called TGS for the service HTTP/fqdn from AD. Once requested from AD the TGS is also cached for 8 hours. This means if you change the entry in AD during the 8 hours, the Windows XP client won't know and will still use the previously cached TGS with the key from the old AD entry.

So I thought in the wrong direction concerning the key mismatch. I thought of AD and squid as the client - maybe it should be stated in your wiki?

> If the keytab has been created with msktutil in the way I described in the wiki then the kinit must work, otherwise the key in the keytab does not match the entry in AD.

Now that everything works as expected I won't try kinit HTTP/fqdn again :-)

>> I tested with klist, ktab, kvno and looked to have the versions coherent, and after using kinit I had to do a net ads join again because the wbinfo -t check
>
> You must make sure that the AD entries don't have the same name (e.g. the computername in msktutil can not be the same as the one net ads join uses !!) BTW net ads join is not needed for Kerberos, but I guess you want to handle NTLM too

You are right - I have to use NTLM too because there are many IE 6 around. But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind). How should I configure a browser setting then? I want to set only one proxy server.

>> Well, in fact it works after a long way.
>
> I can only guess that you did use the same name as this would explain a change in the kvno.

Yes, so I do.

Bye and thanks for the support.
Andrew
Re: [squid-users] Re: squid_kerb_auth.... Key Version number?
Hi Markus,

thank you for your response. It seems that I've solved it for myself with very long trying. I would have done your debugging questions if I had read your answer sooner.

Well, what do you mean with clearing cache on the Windows client? Do you mean the AD Server Win2k8 or a normal Windows browser cache? I haven't read anywhere that the client cache has something to do with it... (but maybe - because on one domain the auth worked and at the other domain not)

Your kinit line never worked for me, as far as I can remember. Only kinit administrator did.

I tested with klist, ktab, kvno and looked to have the versions coherent, and after using kinit I had to do a net ads join again because the wbinfo -t check failed afterwards, and this changes the version of the host principal ticket sometimes... It was really trial and error with destroying the computer account, using kdestroy on squid and doing ktpass or msktutil again...

But in the end, where kvno and klist say that they have the same version - it seemed that I just had to wait until the message "key version incorrect" disappeared from cache.log. Maybe the client cache is really important.

Regards
Andrew

On Tuesday, 22 September 2009 22:33:48, Markus Moeller wrote:
> Can you send me the cache.log entries ?
> Can you do a kinit -kt /etc/squid/HTTP.keytab HTTP/f...@domain ?
> Can you capture with wireshark the traffic on port 88 on the kdc when doing kinit ?
> Did you clear the cache on the Windows client using the Windows klist or kerbtray from the resource kit ?
>
> Regards
> Markus
>
> Mrvka Andreas <m...@tuv.at> wrote in message news:200909221022.00697@tuv.at...
>> Hi again,
>>
>> now I created the HTTP.keytab file on the Win2k8 server and actually the apps klist -ke and kvno say the key versions are VALID, but squid is of the opinion that they differ.
>>
>>     # klist -ke
>>     Keytab name: FILE:/etc/squid/HTTP.keytab
>>     KVNO Principal
>>     ---- --------------------------------------------------------------------------
>>        5 HTTP/f...@domain (DES cbc mode with CRC-32)
>>        5 HTTP/f...@domain (DES cbc mode with RSA-MD5)
>>        5 HTTP/f...@domain (ArcFour with HMAC/md5)
>>        5 HTTP/f...@domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>        5 HTTP/f...@domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>
>>     # kvno -k /etc/squid/HTTP.keytab HTTP/f...@domain
>>     HTTP/f...@domain: kvno = 5, keytab entry valid
>>
>> From where does squid get his wrong impression?
>>
>> My squid.conf:
>>
>>     auth_param negotiate program squid_kerb_auth -d -s HTTP/f...@domain
>>
>> Maybe I can support anyone by my detailed described errors. :-)
>>
>> Regards
>> Andrew
>>
>> On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
>>> Hello,
>>>
>>> on the next day, I also get my Key Version number problem on the same domain. What is the best way to keep the versions in sync? I already erased the computer account and did msktutil again. I believe that for a short time the versions were correct (said klist and kvno) but during tests with squid they differed.!? I only use one KDC Win2k8 (configured in krb5.conf). Does anybody have a clue?
>>>
>>> Thanks
>>> Andrew
>>>
>>> On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
>>>> Hi list,
>>>>
>>>> does anybody know what to do against different key version numbers using squid_kerb_auth? I created HTTP.keytab from the msktutil and it works great. In fact in this domain where squid lives the internet explorers have no problem using squid_kerb_auth. On other domains I get
>>>>
>>>>     Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect
>>>>
>>>> Via klist -ke and kvno HTTP/fqdn I am able to compare these keys and they differ. kinit -R doesn't work...:
>>>>
>>>>     KDC can't fulfill requested option while renewing credentials
>>>>
>>>> Can anybody shine me a light?
>>>>
>>>> Thank you very much.
>>>> Andrew
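The klist/kvno comparison this thread keeps coming back to, as an added example (not code from the thread, from squid_kerb_auth or from MIT Kerberos): it parses the text of `klist -ke` and `kvno -k` and reports whether the keytab agrees with the KDC, holds mixed key versions (the msktutil plus net ads join conflict Markus describes), or lacks the principal entirely (the "Key table entry not found" failure in the Linux-works-but-squid-won't thread further down the page). Hostname, realm and the embedded sample outputs are constructed; the comments show which real commands supply the input in production.

```sh
#!/bin/sh
# Added example, not from the thread. Compares the key version numbers (KVNO)
# a keytab holds for the HTTP service principal with the version the KDC
# reports, using the text of `klist -ke` and `kvno -k`. Sample outputs are
# constructed below so the script runs without a KDC; in production use
#   KLIST_OUT=$(klist -ke /etc/squid/HTTP.keytab)
#   KVNO_OUT=$(kvno -k /etc/squid/HTTP.keytab "$PRINCIPAL")   # needs a TGT (kinit first)
# Hostname and realm are hypothetical.

PRINCIPAL='HTTP/squidproxy.example.com@EXAMPLE.COM'

# Constructed `klist -ke` output modelled on the listing in the thread: one
# key version, several encryption types.
KLIST_OK='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/squidproxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 HTTP/squidproxy.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/squidproxy.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)'

# The same keytab after a second tool (the net ads join / msktutil conflict
# from the thread) re-keyed the account and appended entries with a new KVNO.
KLIST_MIXED="$KLIST_OK
   6 HTTP/squidproxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)"

# Constructed `kvno -k` output: the version the KDC currently issues tickets with.
KVNO_5='HTTP/squidproxy.example.com@EXAMPLE.COM: kvno = 5, keytab entry valid'
KVNO_6='HTTP/squidproxy.example.com@EXAMPLE.COM: kvno = 6'

# keytab_kvnos KLIST_TEXT PRINCIPAL
# Prints the distinct KVNOs the keytab holds for PRINCIPAL, one per line,
# ascending. Header and separator lines are skipped because $1 is not numeric.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# kdc_kvno KVNO_TEXT
# Extracts the number from "principal: kvno = N[, keytab entry valid]".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno KLIST_TEXT KVNO_TEXT PRINCIPAL
# Exit status: 0 keytab and KDC agree on a single KVNO
#              1 keytab holds several KVNOs for the principal (mixed keytab)
#              2 keytab has one KVNO but the KDC is at another (stale keytab; squid
#                logs "Key version number for principal in key table is incorrect")
#              3 principal absent from the keytab (squid logs "Key table entry not found")
check_kvno() {
    versions=$(keytab_kvnos "$1" "$3")
    current=$(kdc_kvno "$2")
    if [ -z "$versions" ]; then
        echo "no entry for $3 in keytab" >&2
        return 3
    fi
    count=$(printf '%s\n' "$versions" | awk 'END { print NR }')
    if [ "$count" -gt 1 ]; then
        echo "keytab holds several KVNOs for $3: $(echo $versions)" >&2
        return 1
    fi
    if [ "$versions" != "$current" ]; then
        echo "keytab KVNO $versions but KDC reports KVNO $current for $3" >&2
        return 2
    fi
    return 0
}

# Stand-alone demonstration over the constructed samples.
check_kvno "$KLIST_OK" "$KVNO_5" "$PRINCIPAL" && echo "in sync at KVNO $(kdc_kvno "$KVNO_5")"
check_kvno "$KLIST_OK" "$KVNO_6" "$PRINCIPAL" || echo "exit $?: re-create the keytab with msktutil"
check_kvno "$KLIST_MIXED" "$KVNO_6" "$PRINCIPAL" || echo "exit $?: one tool must own the AD account"
```

A keytab that passes this check can still produce the "incorrect" message for a while after a re-key, because, as Markus explains above, Windows clients keep a TGS cached under the old key for up to 8 hours. In that case the keytab is right and the message clears once the client caches expire or are purged.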
Re: [squid-users] squid_kerb_auth.... Key Version number?
Hello,

on the next day, I also get my Key Version number problem on the same domain. What is the best way to keep the versions in sync? I already erased the computer account and did msktutil again. I believe that for a short time the versions were correct (said klist and kvno) but during tests with squid they differed.!? I only use one KDC Win2k8 (configured in krb5.conf). Does anybody have a clue?

Thanks
Andrew

On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
> Hi list,
>
> does anybody know what to do against different key version numbers using squid_kerb_auth? I created HTTP.keytab from the msktutil and it works great. In fact in this domain where squid lives the internet explorers have no problem using squid_kerb_auth. On other domains I get
>
>     Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect
>
> Via klist -ke and kvno HTTP/fqdn I am able to compare these keys and they differ. kinit -R doesn't work...:
>
>     KDC can't fulfill requested option while renewing credentials
>
> Can anybody shine me a light?
>
> Thank you very much.
> Andrew
Re: [squid-users] squid_kerb_auth.... Key Version number?
Hi again,

now I created the HTTP.keytab file on the Win2k8 server and actually the apps klist -ke and kvno say the key versions are VALID, but squid is of the opinion that they differ.

    # klist -ke
    Keytab name: FILE:/etc/squid/HTTP.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       5 HTTP/f...@domain (DES cbc mode with CRC-32)
       5 HTTP/f...@domain (DES cbc mode with RSA-MD5)
       5 HTTP/f...@domain (ArcFour with HMAC/md5)
       5 HTTP/f...@domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)
       5 HTTP/f...@domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)

    # kvno -k /etc/squid/HTTP.keytab HTTP/f...@domain
    HTTP/f...@domain: kvno = 5, keytab entry valid

From where does squid get his wrong impression?

My squid.conf:

    auth_param negotiate program squid_kerb_auth -d -s HTTP/f...@domain

Maybe I can support anyone by my detailed described errors. :-)

Regards
Andrew

On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
> Hello,
>
> on the next day, I also get my Key Version number problem on the same domain. What is the best way to keep the versions in sync? I already erased the computer account and did msktutil again. I believe that for a short time the versions were correct (said klist and kvno) but during tests with squid they differed.!? I only use one KDC Win2k8 (configured in krb5.conf). Does anybody have a clue?
>
> Thanks
> Andrew
>
> On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
>> Hi list,
>>
>> does anybody know what to do against different key version numbers using squid_kerb_auth? I created HTTP.keytab from the msktutil and it works great. In fact in this domain where squid lives the internet explorers have no problem using squid_kerb_auth. On other domains I get
>>
>>     Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect
>>
>> Via klist -ke and kvno HTTP/fqdn I am able to compare these keys and they differ. kinit -R doesn't work...:
>>
>>     KDC can't fulfill requested option while renewing credentials
>>
>> Can anybody shine me a light?
>>
>> Thank you very much.
>> Andrew
[squid-users] squid_kerb_auth.... Key Version number?
Hi list,

does anybody know what to do against different key version numbers using squid_kerb_auth? I created HTTP.keytab from the msktutil and it works great. In fact in this domain where squid lives the internet explorers have no problem using squid_kerb_auth. On other domains I get

    Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect

Via klist -ke and kvno HTTP/fqdn I am able to compare these keys and they differ. kinit -R doesn't work...:

    KDC can't fulfill requested option while renewing credentials

Can anybody shine me a light?

Thank you very much.
Andrew
Re: [squid-users] Re: squid_kerb_auth and Windows 2008
On Wednesday, 2 September 2009 23:35:32, Markus Moeller wrote:
> I found the problem. msktutil has a bug when using a computername with uppercase letters.

I never mind using uppercase letters :-)) But I've tested it once with the computer name squid-HTTP and it worked as well. The short name proxy was my error; after using squidproxy it helped.

> Regards
> Markus
Re: [squid-users] Re: Re: kerberos (AD) authentication - squid_kerb_auth
Hi,

On Thursday, 27 August 2009 08:40:53, Jeremy Monnet wrote:
> Would you have any clue to what the problem may be ? Should I try with the MIT libs instead ?

I use MIT libs... FYI

> Thanks for your help !
> Jeremy

Andrew
Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth
hi,

if you have made it through the wiki[...]/Kerberos guide then you are close to the goal. it seems that your problem is only a configuration error on the client side. since with squid_kerb_auth it is a MUST to configure the fqdn name of squid in the IE settings. at my place IE 7, IE 8 and FF 3.5 work great with squid_kerb_auth.

regards
Andrew

On Wednesday, 26 August 2009 00:35:01, Jeremy Monnet wrote:
> On Tue, Aug 25, 2009 at 11:23 PM, Markus Moeller <hua...@moeller.plus.com> wrote:
>>> I am trying to authenticate users through kerberos on a windows 2003 server AD. Basically, I followed the klaubert tutorial [1], part on Negotiate/kerberos authentication.
>>
>> See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Of course I forgot this one, but I used it also.
>
>>> reason attempted to use NTLM. , does this mean the web browser/gssapi or stuff on the client side is the problem ? Is there anything to do on the windows client machine to send just a standard kerberos ticket ?
>>
>> Possibly. It is important that the proxy you have configured is the fqdn and that your web Browser supports negotiate proxy authentication (e.g IE 7 or Firefox)
>
> Trying on windows 7 with IE 8 and FF 3.5.
>
>>> And, last but not least, it seems we can start squid_kerb_auth from the command line in standalone (well, that's the way it works with squid), is there a way to use it to debug the situation ?
>>
>> Yes. Just start it on the command line and input "YR token" where token is a base64 encoded token. There is a small test program squid_kerb_auth_test.c at http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_auth/ which you can run as follows:
>>
>>     kinit u...@domain
>>     ./squid_kerb_auth_test <proxy fqdn> 200 | ./squid_kerb_auth -d -s HTTP/<proxy fqdn>
>>
>> This will create 200 authentication requests for testing.
>
> That will help me a lot ! Thank you very much for your answers ! I'll post comments as soon as it works (or I get new questions).
>
> Regards,
> Jeremy
Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth
hm... i can tell you what I did. first I tried ktpass too, as you describe. But nevertheless, to use exactly the same as in the wiki, I finally used msktutil to proceed. I run a SLES 11 Server and had to download the SLES 11 SDK iso to compile msktutil successfully.

My way was:
- configure /etc/krb5.conf correctly (realm, ad-server, etc.)
- join the AD domain with a user with permissions
- kinit thisadu...@mydomain.com
- ./msktutil -c -s HTTP/squidproxy.mydomain.com -h squidproxy.mydomain.com -k /usr/local/squid-3.1/etc/HTTP.keytab --computer-name squidproxy --upn HTTP/squidproxy.mydomain.com --server DC.mydomain.com --verbose --delegation --description "Proxy Server"
- configure squid.conf to use auth_param negotiate path_to_squidkerbauth (no parameters!!)

And it worked. I never used squid_kerb_auth_test as I didn't know how to use it :-)

Bye
Andrew

On Wednesday, 26 August 2009 12:28:15, you wrote:
> On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas <m...@tuv.at> wrote:
>> hi, if you have made it through the wiki[...]/Kerberos guide then you are close to the goal.
>
> I hope so anyway :-)
>
>> it seems that your problem is only a configuration error on the client side.
>
> I am not so sure anymore. I tried to use the squid_kerb_auth_test utility, but it still gives me errors on the tokens (see below for listings). I may add that I compiled both squid3.0 and squid_kerb_auth 1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the squid_kerb_auth 1.0.5 package and the squid3.0 package. I get errors in both cases (though not the same, but that may simply be that one is older). I am using a windows server 2003 R2 corporate with SP2, in case there may be an issue with a SP or something.
>
> Last thing I can think of is the way I created the keytab (but kerberos seems to like it this way) :
>
>     ktpass -out squidproxy.krb5.keytab -pass Password1 -princ HTTP/squidproxy.ad.simia...@ad.simia.fr -mapuser host_squid -ptype KRB5_NT_SRV_HST -crypto DES-CBC-MD5
>
> (could have used RC4-HMAC, but I had problems before when I put in place unix authentication on AD/kerberos).
>
>> since with squid_kerb_auth it is a MUST to configure the fqdn name of squid in the IE settings.
>
> I did it this way ... :-/
>
>> at my place IE 7, IE 8 and FF 3.5 work great with squid_kerb_auth.
>
> Hope I can make it work also.
>
> Thanks,
> Jeremy
>
> Squid_kerb_auth_test :
>
>     squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
>     squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit j...@ad.simia.fr
>     j...@ad.simia.fr's Password:
>     squidproxy:~/squid/squid_kerb_auth-1.0.5# /root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s HTTP/squidproxy.ad.simia.fr
>     2009/08/26 12:17:10| squid_kerb_auth: Got 'Token: [base64 token omitted]' from squid (length: 1699).
>     2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. unknown mech-code 0 for mech unknown
>     NA gss_accept_sec_context() failed: A token was invalid. unknown mech-code 0 for mech unknown
>
> ## squid log trying from windows box : ##
>
>     2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request was NULL!
>     2009/08/26 12:23:30.633| authenticateAuthenticate:
Re: [squid-users] Re: Linux using kerberos works but squid won't
Hi Markus,

yes I set it up as you described.

Andrew

On Monday, 24 August 2009 21:53:49, Markus Moeller wrote:
> Did you set the environment variable KRB5_KTNAME to your HTTP.keytab location, otherwise the default /etc/krb5.keytab will be used ?
>
> Markus
>
> Mrvka Andreas <m...@tuv.at> wrote in message news:200908241355.23393@tuv.at...
>> Hi list,
>>
>> I want to use this brilliant software squid, but do you know what I am missing?
>>
>> I have working AD authentication on my SLES11 system:
>> - kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
>> - login via ssh works with pam_krb5
>> - joining to my domain also worked like a charm
>>
>> At this stage I believe I've set up krb5.conf correctly.
>>
>> So I compiled Squid 3.1.0.13.
>> configure options: '--prefix=/usr/local/squid-3.1' '--enable-auth=basic,ntlm,negotiate' '--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm no_check' '--enable-negotiate-auth-helpers=squid_kerb_auth' --with-squid=/install/squid-3.1.0.13 --enable-ltdl-convenience
>>
>> Next I inserted these lines into squid.conf:
>>
>>     auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
>>     auth_param negotiate children 15
>>     auth_param negotiate keep_alive on
>>
>> Starting squid again worked fine, so I didn't get any error at boot time and -- ps -ef -- shows me
>>
>>     squid    28944 27915  0 12:51 pts/0    00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
>>     squid    28945 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>>     squid    28946 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>>
>> On my windows PC I configured the proxy using manual setting to the FQDN of squid. The result is - in cache.log I find
>>
>>     2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby ... [...] from squid (length: 1987).
>>     2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...] (decoded length: 1488)
>>     2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
>>     2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
>>
>> I created my HTTP.keytab as it was described somewhere. Logged on the windows DC - used ktpass and mapped the service principal to a windows user. After that I copied this file to the linux squid.
>>
>> I also tried to configure in squid.conf to use squid_kerb_auth -s HTTP/squid.fqdn@realm But this didn't work either.
>>
>> I think there is something small missing but I can't figure it out. Please can anybody help me?
>>
>> I hope my detailed explanation will help others too to configure their systems.
>>
>> With best regards
>> Andrew
Re: [squid-users] (solved) Linux using kerberos works but squid won't
Hi again,

I've found my error myself. Using this howto from Guido: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos works great at my site (with defining my environment hosts, users and pass)!

My caveat for not working was: _I used a too short name for the principal or hostname_ !!!

First I tried the hostname squid-HTTP as Guido described in his example and this worked. Then I wanted to use my hostname: squid.domain.com and this raised an error. After being completely confused I wrote the hostname like squidproxy.domain.com without any expectation of success - but I got convinced. Squid authentication against Active Directory on Windows 2008 DCs works now!

This must be a bug or something else on the new domain controller because the same 'msktutil' command worked on AD 2003.

I hope I could help some other people and maybe you can insert this caveat in your Wiki.

Andrew

On Monday, 24 August 2009 13:55:23, Mrvka Andreas wrote:
> Hi list,
>
> I want to use this brilliant software squid, but do you know what I am missing?
>
> I have working AD authentication on my SLES11 system:
> - kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
> - login via ssh works with pam_krb5
> - joining to my domain also worked like a charm
>
> At this stage I believe I've set up krb5.conf correctly.
>
> So I compiled Squid 3.1.0.13.
> configure options: '--prefix=/usr/local/squid-3.1' '--enable-auth=basic,ntlm,negotiate' '--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm no_check' '--enable-negotiate-auth-helpers=squid_kerb_auth' --with-squid=/install/squid-3.1.0.13 --enable-ltdl-convenience
>
> Next I inserted these lines into squid.conf:
>
>     auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
>     auth_param negotiate children 15
>     auth_param negotiate keep_alive on
>
> Starting squid again worked fine, so I didn't get any error at boot time and -- ps -ef -- shows me
>
>     squid    28944 27915  0 12:51 pts/0    00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
>     squid    28945 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>     squid    28946 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
>
> On my windows PC I configured the proxy using manual setting to the FQDN of squid. The result is - in cache.log I find
>
>     2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby ... [...] from squid (length: 1987).
>     2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...] (decoded length: 1488)
>     2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
>     2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
>
> I created my HTTP.keytab as it was described somewhere. Logged on the windows DC - used ktpass and mapped the service principal to a windows user. After that I copied this file to the linux squid.
>
> I also tried to configure in squid.conf to use squid_kerb_auth -s HTTP/squid.fqdn@realm But this didn't work either.
>
> I think there is something small missing but I can't figure it out. Please can anybody help me?
>
> I hope my detailed explanation will help others too to configure their systems.
>
> With best regards
> Andrew
[squid-users] Linux using kerberos works but squid won't
Hi list,

I want to use this brilliant software squid, but do you know what I'm missing?

I have working AD authentication on my SLES11 system:
- kinit -k -t HTTP.keytab HTTP/squid.fqdn.com works
- login via ssh works with pam_krb5
- joining my domain also worked like a charm

At this stage I believe I've set up krb5.conf correctly. So I compiled Squid 3.1.0.13.

configure options: '--prefix=/usr/local/squid-3.1' '--enable-auth=basic,ntlm,negotiate' '--enable-basic-auth-helpers=SMB getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm no_check' '--enable-negotiate-auth-helpers=squid_kerb_auth' --with-squid=/install/squid-3.1.0.13 --enable-ltdl-convenience

Next I inserted these lines into squid.conf:

auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com
auth_param negotiate children 15
auth_param negotiate keep_alive on

Starting squid again worked fine, so I didn't get any error at boot time, and -- ps -ef -- shows me:

squid    28944 27915  0 12:51 pts/0    00:00:00 ./squid -N -d 20 -f ../etc/squid.conf
squid    28945 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com
squid    28946 28944  0 12:51 ?        00:00:00 (squid_kerb_auth) -d 99 -s HTTP/squid.fqdn.com

On my Windows PC I configured the proxy using manual settings to the FQDN of squid. The result is - in cache.log I find:

2009/08/24 12:58:13| squid_kerb_auth: Got 'YR YIIFzAYGKwYBBQUCoIIFwDCCBby ... [...] from squid (length: 1987).
2009/08/24 12:58:13| squid_kerb_auth: Decode 'YIIFzAYGKwYBBQ [...] (decoded length: 1488)
2009/08/24 13:21:19| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
2009/08/24 13:21:19| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'

I created my HTTP.keytab as it was described somewhere: logged on to the Windows DC, used ktpass and mapped the service principal to a Windows user. After that I copied this file to the Linux squid.

I also tried to configure squid.conf to use squid_kerb_auth -s HTTP/squid.fqdn@realm, but this didn't work either.

I think there is something small missing but I can't figure it out. Please can anybody help me? I hope my detailed explanation will help others too to configure their systems.

With best regards
Andrew
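The "Key table entry not found" failure quoted in the post above means gss_accept_sec_context() looked for the principal named with -s and did not find it in the keytab the helper reads; the usual causes are a keytab created for a different host name (short name instead of FQDN), a realm or letter-case mismatch, or a keytab copied from the wrong machine. The following is an added example, not code from the thread or from Squid: a small POSIX shell check that compares the -s principal on the auth_param line against a `klist -kt` listing before Squid is started. The squid.conf line, the keytab listings and the EXAMPLE.COM realm inside the script are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the principal squid_kerb_auth
# is started with (-s HTTP/host[@REALM]) is present in the keytab it will read.
# A missing entry is exactly what gss_accept_sec_context() reports as
# "Key table entry not found". All inputs below are constructed samples.

# Print the value following -s in an "auth_param negotiate program ..." line.
spn_from_conf() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
    }'
}

# Exit 0 if the klist -kt listing ($1) contains principal $2, else 1.
# $2 may be given with or without @REALM; when the realm is given it must
# match too. Comparison is case-sensitive because Kerberos principals are:
# "http/host" is a different key from "HTTP/host".
keytab_has_principal() {
    spn=${2%%@*}
    realm=""
    case $2 in *@*) realm=${2#*@} ;; esac
    printf '%s\n' "$1" | awk -v spn="$spn" -v realm="$realm" '
        # MIT klist -kt rows look like: "KVNO MM/DD/YY HH:MM:SS principal@REALM"
        NF >= 4 && $4 ~ /@/ {
            split($4, p, "@")
            if (p[1] == spn && (realm == "" || p[2] == realm)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Diagnose one squid.conf line ($2) against one keytab listing ($1).
# Returns 0 when the principal is present, 1 when missing, 2 on a bad line.
check_squid_keytab() {
    principal=$(spn_from_conf "$2")
    if [ -z "$principal" ]; then
        echo "no -s principal found in: $2"
        return 2
    fi
    if keytab_has_principal "$1" "$principal"; then
        echo "OK: $principal is in the keytab"
        return 0
    fi
    echo "MISSING: $principal is not in the keytab; principals present:"
    printf '%s\n' "$1" | awk 'NF >= 4 && $4 ~ /@/ { print "  " $4 }' | sort -u
    return 1
}

# Constructed samples: the realm, KVNO and timestamps are placeholders.
SAMPLE_CONF='auth_param negotiate program squid_kerb_auth -d 99 -s HTTP/squid.fqdn.com'
SAMPLE_KLIST_OK='Keytab name: FILE:HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 08/24/09 12:00:00 HTTP/squid.fqdn.com@EXAMPLE.COM
   3 08/24/09 12:00:00 HTTP/squid.fqdn.com@EXAMPLE.COM'
# A keytab built for the short host name only: the FQDN lookup must fail.
SAMPLE_KLIST_SHORT='Keytab name: FILE:HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 08/24/09 12:00:00 HTTP/squid@EXAMPLE.COM'

# Run both samples; the verdict is printed, the exit status is what a
# start-up script would act on.
for listing in "$SAMPLE_KLIST_OK" "$SAMPLE_KLIST_SHORT"; do
    check_squid_keytab "$listing" "$SAMPLE_CONF" || echo "(exit status $?)"
done
```

On a real system replace the sample listing with `klist -kt /path/to/HTTP.keytab` output and the sample line with the one from squid.conf; the check only confirms that an entry with the right name exists, so a key version or password mismatch between the keytab and the account in AD still has to be tested with `kinit -k -t HTTP.keytab HTTP/squid.fqdn.com` as the poster did.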
Re: [squid-users] disable ntlm_auth for java
hi,

nice to see someone who has the same error with the same site :-)

just add the following 2 lines for every site you don't want to authenticate (windowsupdate.com for example):

acl netbanking dstdomain netbanking.at
http_access allow netbanking

that's all.

cheers
Andrew

On Thursday, 28 September 2006 14:02, Hitzler, Siegfried (Exchange) wrote:
> Hello,
>
> We authenticate our users over ntlm_auth. The problem is if they load a Java applet which is implemented on a secure site (www.netbanking.at), Java pops up a window and forces the users to enter their username, password and domain to load the applet. Is there a way to disable authentication for Java applets or for some sites?
>
> Same shit on the Windows Update site. The site is searching for needed updates when suddenly an error appears.
>
> The authentication lines in squid.conf look something like this:
>
> auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/PDC
> auth_param ntlm children 10
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> Would be really great if somebody can help me out of this problem!
>
> Thanks and best regards
> Siegfried
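Squid evaluates http_access rules top to bottom, so the two lines in the reply above only bypass authentication if they sit before the first http_access rule that references a proxy_auth acl; placed after it, the 407 challenge is sent first and the bypass never matches. A second detail worth checking is that a dstdomain value without a leading dot matches that exact host only, so it does not cover www.netbanking.at. The following is an added example, not from the thread or from Squid: a small shell lint that checks both points on a squid.conf. The configurations inside are constructed samples and the acl names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Squid evaluates http_access rules in
# order, so an "http_access allow <site>" bypass only works when it comes
# BEFORE the first http_access rule that references a proxy_auth acl
# (the rule that triggers the 407 challenge). This lint checks that order
# and also flags dstdomain values without a leading dot, which match one
# host name only. The configurations below are constructed samples.

# $1: squid.conf text, $2: name of the bypass acl.
# Exit 0 if the bypass precedes every auth-triggering rule, 1 otherwise.
check_bypass_order() {
    printf '%s\n' "$1" | awk -v acl="$2" '
        # Remember acl names of type proxy_auth.
        $1 == "acl" && $3 == "proxy_auth" { is_auth[$2] = 1 }
        # Warn about dstdomain entries that match only an exact host.
        $1 == "acl" && $2 == acl && $3 == "dstdomain" {
            for (i = 4; i <= NF; i++)
                if ($i !~ /^\./)
                    print "note: dstdomain " $i " matches that host only; use ." $i " for subdomains too"
        }
        $1 == "http_access" {
            # First rule naming a proxy_auth acl (possibly negated with !).
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)
                if ((name in is_auth) && !first_auth) first_auth = NR
            }
            if ($2 == "allow" && $3 == acl && !bypass) bypass = NR
        }
        END {
            if (!bypass) { print "no http_access allow " acl " rule found"; exit 1 }
            if (!first_auth) { print "no http_access rule uses a proxy_auth acl"; exit 1 }
            if (bypass < first_auth) {
                print "OK: bypass (line " bypass ") precedes the auth rule (line " first_auth ")"
                exit 0
            }
            print "WRONG ORDER: auth rule (line " first_auth ") runs before the bypass (line " bypass ")"
            exit 1
        }'
}

# Bypass listed before the authentication rule: requests to the banking
# site are allowed without a 407 challenge.
SAMPLE_GOOD='acl netbanking dstdomain .netbanking.at
acl authenticated proxy_auth REQUIRED
http_access allow netbanking
http_access deny !authenticated
http_access allow authenticated
http_access deny all'

# Same rules with the bypass placed after the auth rule: the challenge
# still fires, and the dstdomain value lacks the leading dot.
SAMPLE_BAD='acl netbanking dstdomain netbanking.at
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow netbanking
http_access allow authenticated
http_access deny all'

for cfg in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    check_bypass_order "$cfg" netbanking || echo "(exit status $?)"
done
```

Everything matched by the bypass acl is served without any user name in access.log, so keep such entries to exact dstdomain values rather than broad patterns and review the list when a site no longer needs it.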
Re: [squid-users] problem with 2 proxies in same network
Hi Mark, hi list.

On Monday, 16.01.2006, 22:59 +0100, Mark Elsen wrote:
> You may need :
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE12-SMB_BadFetch
>
> M.

this workaround, compiling squid again without --enable-ntlm-fail, didn't work for me. i still got authentication windows on the other proxy. i can't test it deeper, 'cause browsing through the internet will become unusable.

cheers
andrew
Re: [squid-users] problem with 2 proxies in same network
On Wednesday, 18.01.2006, 10:38 +0100, Mark Elsen wrote:
> > this workaround, compiling squid again without --enable-ntlm-fail, didn't work for me. i still got authentication windows on the other proxy. i can't test it deeper, 'cause browsing through the internet will become unusable.
>
> That was not the workaround which I suggested. I said that when using this flag, you may need the stable-12 patch I pointed you to.
>
> M.

oh, ok. i thought either I patch my running installation or I can recompile without this option, as the webpage describes.

mhh, I'll give it one more try.

thanks,
andrew
[squid-users] problem with 2 proxies in same network
hi list,

i have two proxies on the same network/domain (one is a clone of the other); their names are proxy1 and proxy2. I wanted to update one proxy from version 2.5-STABLE10 to STABLE12. After this update the network authentication via ntlm_auth doesn't work anymore. so i tried to create a domain account for proxy2 again. But after this proxy1 stopped authenticating! I was confused that my change had an influence on proxy1 ???

Please can anybody tell me what went wrong? 'cause after creating the old proxy1 domain account again, this correlation went away.

btw: what is the perfect setting for ntlm authentication for about 300 people?

my config script:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp /etc/samba/smb.conf
auth_param ntlm children 20
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 10 minutes
authenticate_ttl 2 minutes
authenticate_ip_ttl 20 seconds

proxy and domain controller are connected via gigabit.

thanks in advance!

cheers,
andrew
AW: [squid-users] problem with 2 proxies in same network
Hi Mark, hi list.

Squid -v on squid-STABLE12 should be a clone of squid-STABLE10. Just that i recompiled it with the same properties as you can see now. Just after turning off this STABLE12 machine our network relieves harmless again. But anyway - i want to stay on actual security-prevention.

My output of 'squid -v':

Squid Cache: Version 2.5.STABLE12
configure options: --with-dl --enable-snmp --enable-carp --enable-useragent-log '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' --enable-digest-auth-helpers=password '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' --enable-ntlm-fail-open --enable-referer-log --enable-arp-acl --enable-htcp --enable-underscores --enable-stacktraces --enable-delay-pools --enable-ssl --enable-cache-digests --enable-poll --enable-x-accelerator-vary

Cheers
andrew

-----Original Message-----
From: Mark Elsen [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 January 2006 18:19
To: Mrvka Andreas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] problem with 2 proxies in same network

> hi list,
> i have two proxies on the same network/domain (one is a clone of the other); their names are proxy1 and proxy2. I wanted to update one proxy from version 2.5-STABLE10 to STABLE12. After this update the network authentication via ntlm_auth doesn't work anymore.

In the STABLE12 case, what is the output of:

% squid -v

M.
AW: [squid-users] problem with 2 proxies in same network
-----Original Message-----
From: Mark Elsen [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 January 2006 22:59
To: Mrvka Andreas
Cc: Squid-Users
Subject: Re: [squid-users] problem with 2 proxies in same network

> You may need :
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE12-SMB_BadFetch
>
> M.

So, you say after recompiling squid without '--enable-ntlm-fail-open' these 2 proxies can co-exist again?

I will give it a try. Thanks for that.

Cheers
Andrew
[squid-users] owa access
hi list,

i know there are many writings about outlook web access and how to configure it with a transparent proxy. but i still have problems :-(

I configured my proxy like this:

http_port 80
httpd_accel_host internalmailserver
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header off

I can connect from outside and get my basic authentication from my internalmailserver. But then i will be forwarded directly to my internalmailserver and never via my published proxy name. In fact, the connection to internalmailserver is denied.

Please can you also give me a hint how to change my config to use SSL? (how to create an ssl certificate)

Thanks,
Andrew
AW: [squid-users] owa access
Hi,

Mhh.. We don't use squid via ssl nor OWA with ssl. (i think debugging is simpler without that)

In /etc/hosts there is a correct naming of the server, but it doesn't work. I can get to the login window but not further.

SSL activation on squid i don't know either how to manage :-(

Thanks for the response.

Cheers,
Andrew

Jason Whiteaker wrote on Monday, 25 July 2005 15:10:
> Hi Andrew,
>
> I wish I had better news, as I too have tried to get OWA to work with Squid. The final answer is that I was able to get OWA to work with Squid, however, you'll find that the spell checker is broken. It appears to be because of non-RFC compliance by OWA (big surprise there, eh?) :-) The issue stems from apparent HTTP chunking issues, and from what I've seen, a future release of Squid may address this. For now, we can access OWA via Squid (HTTPS - Squid - HTTP - OWA), but the spell checker function is broken. This may not be a big deal to your user base, but it's an issue here. See this Microsoft article: http://support.microsoft.com/default.aspx?scid=kb;en-us;307347
>
> I think your current issue is that you'll need a filter on OWA so that it will not send HTTPS back as part of the HTTP header info, that is, it sounds like you're having the issue I ran into - OWA doesn't know that it's behind a proxy, so when it responds, it responds with HTTPS in the header info and your client establishes the connection to the OWA server that bypasses the proxy.
>
> Your Squid config seems OK. Be sure to create a host entry for your mailserver in /etc/hosts that points to the real (internal) IP of the OWA server.
>
> Good luck!
> -Jason
>
> -----Original Message-----
> From: Mrvka Andreas [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 25, 2005 2:08 AM
> To: Squid-Users
> Subject: [squid-users] owa access
>
> hi list,
>
> i know there are many writings about outlook web access and how to configure it with a transparent proxy. but i still have problems :-(
>
> I configured my proxy like this:
>
> http_port 80
> httpd_accel_host internalmailserver
> httpd_accel_port 80
> httpd_accel_single_host on
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header off
>
> I can connect from outside and get my basic authentication from my internalmailserver. But then i will be forwarded directly to my internalmailserver and never via my published proxy name. In fact, the connection to internalmailserver is denied.
>
> Please can you also give me a hint how to change my config to use SSL? (how to create an ssl certificate)
>
> Thanks,
> Andrew
[squid-users] authentication on websites with java problems
Hi list,

We have squid 2.5STABLE10 running very fine. We authenticate via ntlm_auth to MS AD. Everything works fine as expected _except_ webpages with java plugins.

If Sun's JRE wants to authenticate to fetch some class files from the internet, i don't see any username in the log. With Sun's version 1.3.1 it worked, and from this version up to 1.5.x it refuses to authenticate. It just pops up an authentication window:

Text: proxy, ntlm
Input fields: user, pass, domain

Does someone have any ideas? Can I guide the Java JRE to use basic auth? Maybe this works better?

Kind regards,
Andrew
Re: [squid-users] suse 9.1 preinstalled squid3
On Wednesday, 25 August 2004 21:44, Henrik Nordstrom wrote:
> [...]
> As an official standpoint from the Squid developers, PRE releases are not supported on the squid-users mailing list, only STABLE releases (this to limit the confusion due to configuration syntax changes).
>
> In addition any user using a PRE release should be prepared to dig into the application with a debugger and apply patches, as there are expected to be many nasty bugs waiting to be discovered (and too many already known in Squid-3 at the moment).

okay, your message was clear. i will try to configure the squid3 pre version for a short time and if i fail i return back to 2.5 stable.

> Regards
> Henrik

thanks
andrew
[squid-users] suse 9.1 preinstalled squid3
hi list,

i have suse linux 9.1 where squid3 is precompiled, but i don't get it running authenticating my users with active directory.

here my squid.conf:
[...]
auth_param basic program /usr/sbin/squid_ldap_auth -p 389 -u cn -R -b dc=subdomain,dc=domain,dc=com -D cn=administrator,cn=users,dc=subdomain,dc=domain,dc=com -w password -f cn=%s -h PDC

and:
auth_param ntlm program /usr/sbin/ntlm_auth -b DOMAIN/PDC DOMAIN/BDC

for testing i use:

echo user pass | /usr/sbin/ntlm_auth -d DOMAIN\\PDC
ntlm-auth[6099](ntlm_auth.c:188): Adding domain-controller DOMAIN\\PDC
ntlm-auth[6099](ntlm_auth.c:461): options processed OK
ntlm-auth[6099](ntlm_auth.c:285): managing request
ntlm-auth[6099](ntlm_auth.c:291): ntlm authenticator. Got 'user pass' from Squid
ntlm-auth[6099](ntlm_auth.c:441): sending 'BH Helper detected protocol error' to squid
BH Helper detected protocol error
fgets() failed! dying. errno=0 (Success)

what can i do?

regards
andrew
Re: [squid-users] suse 9.1 preinstalled squid3
i found out authentication via squid_ldap_auth works without using auth_param ntlm.

i also found in this mailing list that i cannot simply test ntlm with the script i wrote in my mail at the bottom.

furthermore, if i browse with MS IE then i get an entry in the log with user NONE and nothing more... the webpage also loads and loads and it seems to me that the two pcs are talking together, as i can see in ethereal.

for your info, i see in /var/log/messages the following:

Aug 25 14:17:41 proxy2 -- MARK --
Aug 25 14:26:42 proxy2 squid[9438]: assertion failed: ntlm/auth_ntlm.cc:962: authenticateRequestRefCount(conn->auth_user_request) == 1
Aug 25 14:26:42 proxy2 squid[9330]: Squid Parent: child process 9438 exited due to signal 6
Aug 25 14:26:45 proxy2 squid[9330]: Squid Parent: child process 9472 started
Aug 25 14:26:45 proxy2 squid[9472]: Starting Squid Cache version 3.0-PRE3 for i686-pc-linux-gnu...
Aug 25 14:26:45 proxy2 squid[9472]: Process ID 9472

please help,
andrew

On Wednesday, 25 August 2004 12:38, Mrvka Andreas wrote:
> hi list,
> [...]
> auth_param ntlm program /usr/sbin/ntlm_auth -b DOMAIN/PDC DOMAIN/BDC
>
> for testing i use:
>
> echo user pass | /usr/sbin/ntlm_auth -d DOMAIN\\PDC
> ntlm-auth[6099](ntlm_auth.c:188): Adding domain-controller DOMAIN\\PDC
> ntlm-auth[6099](ntlm_auth.c:461): options processed OK
> ntlm-auth[6099](ntlm_auth.c:285): managing request
> ntlm-auth[6099](ntlm_auth.c:291): ntlm authenticator. Got 'user pass' from Squid
> ntlm-auth[6099](ntlm_auth.c:441): sending 'BH Helper detected protocol error' to squid
> BH Helper detected protocol error
> fgets() failed! dying. errno=0 (Success)
>
> what can i do?
>
> regards
> andrew
[squid-users] Customize LogFormat patch not work
Hi guys,

i use awstats and wanted to analyse squid 2.5-Stable5. i heard to use a patch for a customizable logformat. but after patching and recompiling nothing changed.

parseConfigFile: line 26 unrecognized: 'LogFormat combined %a %ui %un [%{%d/%b/%Y:%H:%M:%S +}tl] %rm %ru HTTP/%rv %Hs %st %{Referer}h %{User-Agent}h %Ss:%S'

what i did:

# cd /install/squid2.5-STABLE5
# patch -p1 customizable-logformat.patch
# ./configure --prefix=/usr/local/squid2 --bindir=/usr/local/squid2/bin --enable-icmp --enable-kill-parent-hack --enable-default-err-language=German '--enable-err-languages=German English' '--enable-auth=basic ntlm' '--enable-basic-auth-helpers=SMB multi-domain-NTLM winbind MSNT' '--enable-ntlm-auth-helpers=SMB winbind no_check' --enable-ntlm-fail-open '--enable-external-acl-helpers=wbinfo_group winbind_group'

(don't know exactly if all this is needed... i just want to authenticate against ADS ... for IE browser and Mozilla/Opera browser)

# make; make install;

after starting squid the parse error mentioned above appears.

please can anybody help me? (send a personal mail directly to me too, please)

TIA
andrew
Re: [squid-users] Customize LogFormat patch not work
thanks for the response! i will try it.

am i right if i use your text in the following way:
- copy your diff text and store it in a file.patch
- copy the file.patch into the installation directory (where the configure file exists)
- type patch -p0 file.patch
- configure; make; make install

right? sorry, i'm not handy in playing with patch files...

regards
andrew

On Wed, 2004-06-09 at 10:20, Mirosław Jaworski wrote:
> Quoting Mrvka Andreas [EMAIL PROTECTED]:
> > Hi guys,
> > i use awstats and wanted to analyse squid 2.5-Stable5. i heard to use a patch for a customizable logformat.
>
> Hi
>
> About a year ago I was looking for a working patch and didn't find one, so I came up with my own hard hack, which causes squid to generate the exact apache combined log instead of the common apache plus some squid fields log when you turn apache emulation logging on. 3 small changes below, plus emulate_httpd_log on in your squid.conf, should do the trick. It's against squid-2.5.STABLE3:

# diff -cr src/structs.h.orig src/structs.h *** src/structs.h.orig Wed Jun 4 14:13:31 2003 --- src/structs.h Wed Jun 4 14:14:44 2003 *** *** 1025,1030 --- 1025,1032 int code; const char *content_type; http_version_t version; + const char *agent; + const char *referer; } http; struct { icp_opcode opcode; # diff -cr src/client_side.c.orig src/client_side.c *** src/client_side.c.orig Wed Jun 4 14:09:57 2003 --- src/client_side.c Wed Jun 4 15:19:13 2003 *** *** 779,784 --- 779,785 ConnStateData *conn = http-conn; StoreEntry *e; request_t *request = http-request; + const HttpHeader *req_hdr = request-header; MemObject *mem = NULL; debug(33, 3) (httpRequestFree: %s\n, storeUrl(http-entry)); if (!clientCheckTransferDone(http)) { *** *** 805,810 --- 806,813 http-al.cache.size = http-out.size; http-al.cache.code = http-log_type; http-al.cache.msec = tvSubMsec(http-start, current_time); + http-al.http.agent = httpHeaderGetStr(req_hdr, HDR_USER_AGENT); + http-al.http.referer = httpHeaderGetStr(req_hdr, HDR_REFERER); if (request) { Packer p; 
MemBuf mb; # diff -cr src/access_log.c.orig src/access_log.c *** src/access_log.c.orig Wed Jun 4 14:06:01 2003 --- src/access_log.cWed Jun 4 15:19:55 2003 *** *** 271,277 client = inet_ntoa(al-cache.caddr); user1 = accessLogFormatName(al-cache.authuser); user2 = accessLogFormatName(al-cache.rfc931); ! logfilePrintf(logfile, %s %s %s [%s] \%s %s HTTP/%d.%d\ %d %ld %s:%s, client, user2 ? user2 : dash_str, user1 ? user1 : dash_str, --- 271,277 client = inet_ntoa(al-cache.caddr); user1 = accessLogFormatName(al-cache.authuser); user2 = accessLogFormatName(al-cache.rfc931); ! logfilePrintf(logfile, %s %s %s [%s] \%s %s HTTP/%d.%d\ %d %ld \%s\ \%s\, client, user2 ? user2 : dash_str, user1 ? user1 : dash_str, *** *** 281,288 al-http.version.major, al-http.version.minor, al-http.code, (long int) al-cache.size, ! log_tags[al-cache.code], ! hier_strings[al-hier.code]); safe_free(user1); safe_free(user2); } --- 281,288 al-http.version.major, al-http.version.minor, al-http.code, (long int) al-cache.size, ! al-http.referer ? al-http.referer : dash_str, ! al-http.agent ? al-http.agent : dash_str ); safe_free(user1); safe_free(user2); } Regards M.
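Review bot: in the second client_side.c hunk (lines 806-813) the two httpHeaderGetStr(req_hdr, ...) calls are placed just above the existing `if (request) {` guard, while req_hdr was derived from `request` at the top of the function in the first hunk (line 782); for a request that is freed before a request_t exists, which is what that guard protects against, the new lines dereference a NULL request and take the worker down with it. Move the req_hdr definition and both assignments inside the `if (request)` block, or guard them explicitly, e.g. `http->al.http.agent = request ? httpHeaderGetStr(&request->header, HDR_USER_AGENT) : NULL;`.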
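Review bot: the access_log.c hunk (lines 271-288) prints al->http.referer and al->http.agent straight into the log inside `\"%s\"`; both values are copied verbatim from client-supplied request headers, so a Referer or User-Agent containing a double quote or a newline breaks the combined-log record or injects a second line that awstats will count as its own request. Escape quotes and control characters before printing, or fall back to dash_str when a value contains them. Note also that the same hunk drops `log_tags[al->cache.code]` and `hier_strings[al->hier.code]` from the line; that is the stated intent (a pure Apache combined log), but it means Squid's hit/miss status is no longer recorded anywhere when emulate_httpd_log is on, which is worth a line in the patch description.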
[squid-users] one website denies access
hi,

i have a standard config of squid.conf and surfing to every public website in the world works well except one!

http://www.gmp-navigator.com

normally, i surf with ntlm authentication (challenge and response), so that in access.log there is first an access denied because of no username information, and in the next step squid gets a username and finally the user has access to the sites.

BUT, at the link above i only get a log entry for the first access without a username. nothing more! and so the site is forever denied.

can anybody explain/help me?

regards
Andrew

Squid Cache: Version 2.5.STABLE1
configure options: --prefix=/usr/local/squid2 --bindir=/usr/local/squid2/bin --enable-icmp --enable-kill-parent-hack --enable-default-err-language=German '--enable-err-languages=German English' '--enable-auth=basic ntlm' '--enable-basic-auth-helpers=SMB multi-domain-NTLM winbind MSNT' '--enable-ntlm-auth-helpers=SMB winbind no_check' --enable-ntlm-fail-open '--enable-external-acl-helpers=wbinfo_group winbind_group'
[squid-users] content filter ceberian
hi!

i read about the content filter ceberian and am thinking about using it. BUT i haven't found anywhere on the website www.ceberian.com any information about virus checking.

please tell me something about the product. this is an external helper (as i read). if someone downloads a file over squid, does ceberian do more than URL checking? where does it get virus information updates (if it can do this)? how much does such a licence cost?

regards
Andrew
[squid-users] does squid work with content filter tools?
hi

does squid work with content filter tools to keep surfing safe?

thanks in advance for response.
Andrew
AW: [squid-users] does squid work with content filter tools?
hi

i already use squidguard and it works well. i think of content checking for filtering virus infections. maybe it is something like antonio manfreda (Thu 22.01.2004 09:35) answered. i want to be able to scan downloaded documents.

Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 22 January 2004 09:30

try squidguard.

Yours sincerely
Werner Rost
GM-FIR - Netzwerk
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Telefon/Phone +49 228 3825 - 420, Telefax/Fax +49 228 3825 - 398
[EMAIL PROTECTED]

> hi
>
> does squid work with content filter tools to keep surfing safe?
>
> thanks in advance for response.
> Andrew
[squid-users] windows server 2003
hi guys!

is there a difference between the new windows server 2003 and win2k or winxp?

i have a suse linux squid box with ntlm authentication via ldap to our active directory primary domain controller. i recently installed windows server 2003 on a machine, configured the internet explorer (6.0) as usual, but there i cannot browse through the internet.

has anyone experience with windows server 2003?

regards,
Andrew
AW: [squid-users] windows server 2003
-----Original Message-----
From: Serassio Guido [mailto:[EMAIL PROTECTED]
Sent: Friday, 18 July 2003 10:25

> > i recently installed windows server 2003 on a machine, configured the internet explorer (6.0) as usual, but there i cannot browse through the internet. has anyone experience with windows server 2003?
>
> Hi,
>
> There is a problem in the Squid NTLM/LM support, see Bugzilla #610.
>
> So, in the Machine Local Security Policy, security options, you must change "Network Security: LAN Manager Authentication Level" from "Send NTLM response only" to "Send LM & NTLM responses".
>
> Regards
> Guido

cool! you guided me to the right place, i changed my settings as you told me and it WORKS now :o)

thanks for your fast response!
Andreas
[squid-users] IE - file upload problem
hi!

what can i do against my problem?

i am surfing with internet explorer 6 with all windows updates. i upload a file on a web form through squid to a webserver and everything is ok. but when i come back to the original webpage to select another file and click upload again, then squid doesn't get any request! so, there is nothing in access or store or cache.log!

for information: i do user authentication with ntlm_auth, and if there is no ntlm, then i use basic authentication with squid_ldap_auth and there it works fine!

please can anybody help me?
Andreas