[squid-users] load balancing

2011-11-08 Thread Nicola Gentile
Good Morning,
I have a squid proxy on debian with kerberos authentication and it works fine.
I would like to create a load-balancing cluster of 2/3 squid proxies.
In particular, the clients connect to the load balancer, which
redirects the request to one of the proxies.
These proxies must authenticate through kerberos.

Is it possible to implement something like that?

What can I use?

Best regards.

Nicola


[squid-users] internal website directly

2012-09-05 Thread nicola gentile
Hi,

I administer a proxy server with Squid version 3 on GNU/Linux Debian 6 (Squeeze).

Using my proxy server, users must be able to browse some internal
website directly (without going through the proxy), while for the
remaining websites, they must go through the proxy (with kerberos
authentication).

Is it possible?

Regards.


Re: [squid-users] internal website directly

2012-09-06 Thread nicola gentile
Is it possible to use squid to redirect instead of wpad or proxy.pac?

Thanks

Nick

2012/9/6 Jason Leschnik :
> if (dnsDomainIs(host, "mydomain.com") || isPlainHostName(host)) {
>     return "DIRECT";
> }
>
> This is what I use on my home network to bypass my proxy via my proxy auto
> config
> --
> Regards,
> Jason Leschnik.
>
> [m] 0432 35 4224
> [w@] jason dot leschnik  ansto dot gov dot au
> [U@] jml...@uow.edu.au
>
>
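A fuller PAC file along the lines of the quoted snippet, added here as an example (it is not code from the thread). The browser-provided helpers isPlainHostName and dnsDomainIs are re-implemented with their standard suffix-match semantics so the file can be exercised under Node, and proxy.mydomain.com:3128 is an assumed proxy address; the leading-dot form of the domain matters because dnsDomainIs is a plain suffix match.

```javascript
// PAC helpers as browsers implement them (classic Netscape PAC library
// semantics); redefined here only so the file can be exercised under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Plain suffix match: "notmydomain.com" does end with "mydomain.com".
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Assumed names for this example (not from the thread).
var INTERNAL_DOMAIN = "mydomain.com";
var AUTH_PROXY = "PROXY proxy.mydomain.com:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names such as http://intranet/ never leave the LAN.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // The domain itself and its subdomains go direct; the leading dot keeps a
  // look-alike such as notmydomain.com from matching.
  if (host === INTERNAL_DOMAIN || dnsDomainIs(host, "." + INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else goes through the Kerberos-authenticating proxy, with no
  // "; DIRECT" fallback: a proxy outage must not silently let external
  // traffic bypass authentication.
  return AUTH_PROXY;
}

// Illustrates the pitfall of the dotless pattern in the quoted snippet.
function matchesDotlessPattern(host) {
  return dnsDomainIs(host.toLowerCase(), INTERNAL_DOMAIN);
}
```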


[squid-users] help squid_kerb_auth

2010-07-15 Thread Nicola Gentile
Good morning,
I successfully use squid to authenticate AD users in the domain
.dom3.dom2.dom1.com and it works fine.
The server is debian etch with squid 2.7.STABLE6 and the clients are
Windows (ntlm) and Linux (squid_kerb_auth).
On the Linux client PCs I installed samba+winbind. The user accounts and
computer accounts are in the domain .dom3.dom2.dom1.com.

Now things have changed: the user accounts are in the parent domain
(.domain.com) and the computer accounts are in the child domain
(.child.domain.com).
The .domain.com is the root domain of the forest.
The forest is in mixed mode (windows 2008 and windows 2003).

I have installed a server with debian lenny with squid 2.7.STABLE9.

The configure options are:

--prefix=/usr/local/squid
--enable-auth=negotiate ntlm
--enable-ntlm-auth-helpers=SMB
--enable-negotiate-auth-helpers=squid_kerb_auth
--enable-default-err-language=Italian
--enable-err-languages=Italian English
--enable-async-io
--with-pthreads
--enable-storeio=ufs aufs diskd null
--with-large-files

This is my squid.conf

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d -s HTTP/squid.domain@.domain.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth domain/server1 child/server2
auth_param ntlm children 30
auth_param ntlm keep_alive off
acl out proxy_auth REQUIRED
acl autkrb src 192.168.47.36
http_access allow out autkrb

This is my krb5.conf

[libdefaults]
default_realm = DOMAIN.COM

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
clockskew = 600

[realms]
DOMAIN.COM = {
kdc = srv1.domain.com
admin_server = srv1.domain.com
default_domain = domain.com
}
CHILD.DOMAIN.COM = {
kdc = serv1.child.domain.com
admin_server = serv1.child.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM 
.child.domain.com = CHILD.DOMAIN.COM
child.domain.com = CHILD.DOMAIN.COM

I also added the following lines to the squid start script.

KRB5_KTNAME=/usr/local/squid/etc/squid20100714.keytab
export KRB5_KTNAME

The DNS is configured for the parent windows domain domain.com.

On the client, each time I try to use firefox, the squid server gives me
the following error:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information. No error

In the browser I see the pop-up for username and password.

What does this error mean?
Any ideas?

Thanks for your help

Nikkognt
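As an added example (not code from the thread or from Squid), here is a check that the service principal handed to squid_kerb_auth with -s is consistent with krb5.conf: the realm must exist in [realms], be upper-case, and be the realm that [domain_realm] maps the proxy's hostname to. The parser covers only the krb5.conf subset shown in the post, and the sample configuration is constructed from the post's file.

```javascript
// Minimal parser for the krb5.conf subset shown in the post: [section]
// headers, key = value lines, and REALM = { ... } blocks under [realms].
function parseKrb5Conf(text) {
  var conf = {}, section = null, block = null, m;
  text.split("\n").forEach(function (raw) {
    var line = raw.replace(/#.*/, "").trim();
    if (!line) return;
    if ((m = line.match(/^\[(\w+)\]$/))) {
      section = conf[m[1]] = conf[m[1]] || {};
      block = null;
    } else if (line === "}") {
      block = null;
    } else if (section && (m = line.match(/^(\S+)\s*=\s*\{$/))) {
      block = section[m[1]] = {};
    } else if (section && (m = line.match(/^(\S+)\s*=\s*(.*)$/))) {
      (block || section)[m[1]] = m[2].trim();
    }
  });
  return conf;
}

// Checks a service principal of the form service/host@REALM against the
// parsed file; returns the problems found (empty when the realm exists, is
// upper-case, and [domain_realm] maps the host to that same realm).
function checkServicePrincipal(spn, conf) {
  var problems = [], m = spn.match(/^([^\/@]+)\/([^@]+)@(.+)$/);
  if (!m) return ["principal is not of the form service/host@REALM"];
  var host = m[2].toLowerCase(), realm = m[3];
  var realms = conf.realms || {}, map = conf.domain_realm || {};
  if (realm !== realm.toUpperCase()) problems.push("realm " + realm + " is not upper-case");
  if (!(realm in realms)) problems.push("realm " + realm + " has no [realms] entry");
  // [domain_realm] lookup order: the exact host, then each dotted parent.
  var mapped = map[host], labels = host.split(".");
  for (var i = 0; mapped === undefined && i < labels.length; i++) {
    mapped = map["." + labels.slice(i).join(".")];
  }
  if (mapped === undefined) problems.push("no [domain_realm] entry covers " + host);
  else if (mapped !== realm) problems.push(host + " maps to " + mapped + ", not " + realm);
  return problems;
}

// Sample configuration, constructed from the krb5.conf quoted in the post.
var SAMPLE_KRB5_CONF = [
  "[libdefaults]", "default_realm = DOMAIN.COM",
  "[realms]", "DOMAIN.COM = {", "kdc = srv1.domain.com", "}",
  "CHILD.DOMAIN.COM = {", "kdc = serv1.child.domain.com", "}",
  "[domain_realm]", ".domain.com = DOMAIN.COM", "domain.com = DOMAIN.COM",
  ".child.domain.com = CHILD.DOMAIN.COM", "child.domain.com = CHILD.DOMAIN.COM",
].join("\n");
```

Running checkServicePrincipal on the -s value from the squid.conf above reports three problems, while HTTP/squid.domain.com@DOMAIN.COM passes cleanly.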


Re: [squid-users] Re: help squid_kerb_auth

2010-07-16 Thread Nicola Gentile
Now it works!
I have not changed anything.
Thanks for the help
Nicola Gentile

2010/7/16 Markus Moeller :
> Hi Nicola,
>
>  Can you run strace against squid_kerb_auth? You can do this by selecting
> just one child (e.g. auth_param negotiate children 1) and then do strace -f
> -F -p . Please send me the output. Can you also
> check on the client with kerbtray (available from Microsoft) that the
> client has a ticket for HTTP/squid.domain.com and which encryption type it
> is.
>
> Regards
> Markus


[squid-users] squid 3.3.3 + ntlm + kerberos

2013-04-23 Thread nicola gentile
Good morning,
I would like to ask you for some information and help.
Currently I use squid 3.1.21 on debian 6.0.7 with ntlm and kerberos
authentication and all works fine.
Now I must recompile squid and I would like to test the 3.3.3 version.
The options that I have used for the compile are:

./configure --prefix=/usr/local/squid \
--with-default-user=proxy \
--enable-async-io \
--enable-storeio="ufs,aufs,diskd" \
--enable-auth \
--disable-auth-basic \
--enable-auth-ntml=smb_lm \
--enable-auth-negotiate=kerberos,wrapper \
--disable-auth-digest \
--with-large-files \
--with-filedescriptors=65535 \
--enable-ltdl-convenience \
--enable-ssl \
--disable-ipv6

The daemon seems to work, but when I try to authenticate through ntlm
it does not work, while kerberos works correctly.
I looked in the cache.log file and the error message is the following:

ntlm_smb_lm_auth.cc(482): pid=11662 :managing request
ntlm_smb_lm_auth.cc(488): pid=11662 :ntlm authenticator. Got 'YR
TlRMTVNTUAABB4IIogAGAbEdDw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=11662 :obtain_challenge: selecting
DOM1\SRV1 (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=11662 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=11662 :Connecting to server SRV1 domain DOM1
ntlm_smb_lm_auth.cc(452): pid=11662 :make_challenge retuned 0x80545a0
ntlm_smb_lm_auth.cc(454): pid=11662 :Got it
ntlm_smb_lm_auth.cc(623): pid=11662 :sending 'TT
TlRMTVNTUAACBQAFACgAAACCgkEAhtKix/CDajcAAExJTkZB' to squid
ntlm_smb_lm_auth.cc(482): pid=11662 :managing request
ntlm_smb_lm_auth.cc(488): pid=11662 :ntlm authenticator. Got 'KK
TlRMTVNTUAADGAAYAGwYABgAhAYABgBYBwAHAF4HAAcAZQCcBoIAAgYBsR0PptDQzxxxWJkujr9PtX/NoFBPTElUT0QwMDMwMzJQQ0xEMDUwor7z/ZaxHhw2k51d0lFDXxfxPESmOIySor7z/ZaxHhw2k51d0lFDXxfxPESmOIyS'
from Squid
ntlmssp: bad ascii: ffa2
2013/04/22 16:50:13 kid1| WARNING: ntlmauthenticator #1 exited
2013/04/22 16:50:13 kid1| Too few ntlmauthenticator processes are
running (need 1/10)
2013/04/22 16:50:13 kid1| Starting new helpers
2013/04/22 16:50:13 kid1| helperOpenServers: Starting 1/10
'ntlm_smb_lm_auth' processes
2013/04/22 16:50:13 kid1| ERROR: NTLM Authentication Helper
'0x9f2f478' crashed!.
2013/04/22 16:50:13 kid1| ERROR: NTLM Authentication validating user.
Error returned 'BH Internal error'
ntlm_smb_lm_auth.cc(384): pid=11667 :Adding domain-controller dom1/srv1
ntlm_smb_lm_auth.cc(384): pid=11667 :Adding domain-controller dom2/srv2
ntlm_smb_lm_auth.cc(640): pid=11667 :options processed OK
ntlm_smb_lm_auth.cc(482): pid=11663 :managing request
ntlm_smb_lm_auth.cc(488): pid=11663 :ntlm authenticator. Got 'YR
TlRMTVNTUAABB4IIogAGAbEdDw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=11663 :obtain_challenge: selecting
DOM1\SRV1 (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=11663 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=11663 :Connecting to server SRV1 domain DOM1
ntlm_smb_lm_auth.cc(452): pid=11663 :make_challenge retuned 0x80545a0
ntlm_smb_lm_auth.cc(454): pid=11663 :Got it
ntlm_smb_lm_auth.cc(623): pid=11663 :sending 'TT
TlRMTVNTUAACBQAFACgAAACCgkEAYyPYfPYAm3IAAExJTkZB' to squid
ntlm_smb_lm_auth.cc(482): pid=11663 :managing request
ntlm_smb_lm_auth.cc(488): pid=11663 :ntlm authenticator. Got 'KK
TlRMTVNTUAADGAAYAGwYABgAhAYABgBYBwAHAF4HAAcAZQCcBoIAAgYBsR0PIp8Zk9ICN8Hw1rL0qdbrHlBPTElUT0QwMDMwMzJQQ0xEMDUwIRuK8hsvU3s5klqASx0ijB7dbIt+CIw+IRuK8hsvU3s5klqASx0ijB7dbIt+CIw+'
from Squid
ntlmssp: bad ascii: 001b
No auth at all. Returning no-auth
ntlm_smb_lm_auth.cc(531): pid=11663 :sending 'NA Logon Failure' to squid

I use Windows 7 with Internet Explorer 9 on the client.
Also on my server, samba is not installed.
I also attach the configuration of squid for NTLM:

auth_param ntlm program /usr/local/squid/libexec/ntlm_smb_lm_auth -d dom1/srv1 dom2/srv2
auth_param ntlm children 10 startup=2 idle=1
auth_param ntlm keep_alive off

Any suggestion? Help please!

Nick
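As an added example (not from the thread or from the helper's sources), the following decodes the NEGOTIATE flags of an NTLM Type 1 message, the base64 token the helper logs after "YR", so you can see which string encodings and session-security options the client offers. The tokens as they appear in the archive above decode to fewer bytes than a minimal 32-byte message, so the example builds its own Type 1 token with a constructed flag set; bit values follow MS-NLMP and Node's Buffer is assumed.

```javascript
// NEGOTIATE flag bits from MS-NLMP (subset relevant to a proxy helper).
var NTLM_FLAGS = [
  [0x00000001, "NEGOTIATE_UNICODE"],
  [0x00000002, "NEGOTIATE_OEM"],
  [0x00000004, "REQUEST_TARGET"],
  [0x00000010, "NEGOTIATE_SIGN"],
  [0x00000020, "NEGOTIATE_SEAL"],
  [0x00000080, "NEGOTIATE_LM_KEY"],
  [0x00000200, "NEGOTIATE_NTLM"],
  [0x00008000, "NEGOTIATE_ALWAYS_SIGN"],
  [0x00080000, "NEGOTIATE_EXTENDED_SESSIONSECURITY"],
  [0x02000000, "NEGOTIATE_VERSION"],
  [0x20000000, "NEGOTIATE_128"],
  [0x40000000, "NEGOTIATE_KEY_EXCH"],
  [0x80000000, "NEGOTIATE_56"],
];

// Decodes the base64 token that follows "YR" in the helper log. Returns null
// unless it is a well-formed NEGOTIATE (Type 1) message of at least the
// minimal 32 bytes; the NegotiateFlags field is the uint32 at offset 12.
function decodeNtlmType1(b64) {
  var buf = Buffer.from(b64, "base64");
  if (buf.length < 32 || buf.toString("latin1", 0, 8) !== "NTLMSSP\0") return null;
  if (buf.readUInt32LE(8) !== 1) return null;
  var flags = buf.readUInt32LE(12);
  var names = NTLM_FLAGS.filter(function (f) { return (flags & f[0]) !== 0; })
                        .map(function (f) { return f[1]; });
  return {
    flags: flags,
    names: names,
    unicode: (flags & 0x00000001) !== 0,       // client offers UTF-16LE strings
    oem: (flags & 0x00000002) !== 0,           // client also accepts OEM/ASCII
    ntlmv2Session: (flags & 0x00080000) !== 0, // NTLMv2 session security offered
  };
}

// Builds a minimal Type 1 token (empty DomainName and Workstation fields, no
// Version) so the decoder can be exercised offline; the flag set passed in
// is constructed for the example.
function buildNtlmType1(flags) {
  var buf = Buffer.alloc(32);
  buf.write("NTLMSSP\0", 0, "latin1");
  buf.writeUInt32LE(1, 8);             // MessageType = NEGOTIATE
  buf.writeUInt32LE(flags >>> 0, 12);  // NegotiateFlags
  buf.writeUInt32LE(32, 20);           // DomainName offset (length 0)
  buf.writeUInt32LE(32, 28);           // Workstation offset (length 0)
  return buf.toString("base64");
}
```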


Re: [squid-users] Re: squid 3.2 - squidclient - Connection refused

2013-07-26 Thread nicola gentile
I have the same problem.
I installed squid 3.3.8.
Has it been resolved?

Nick

2013/4/17 babajaga :
> May be, you have an effect I had already myself and filed as a bug:
>
> http://bugs.squid-cache.org/show_bug.cgi?id=3760