RE: [squid-users] pop up authentication prompts

2009-02-24 Thread Plant, Dean
nick.aposto...@au.abnamro.com wrote:
 Hi,
 
 Anyone got any suggestions on my authentication prompt problems with
 NTLM 
 authentication?
 
 I've also got a test box which was built with a tar ball of the squid
 and 
 samba directories which authenticates with no problem and does not
 give 
 any errors in the cache.log.
 
 Regards
 Nick Apostolou
 IT Infrastructure | ABN AMRO Bank Australia/NZ
 Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
 email: nick.aposto...@au.abnamro.com

Try the squid_kerb_auth module. We are running 2.6.x and we have
suffered the same random pop-ups on NTLM, adding Kerberos authentication
to the top of the auth configuration fixes the random pop-ups on IE 7
and Firefox. IE 6 does not support Kerberos so leave NTLM in your
configuration if you have this browser on site. XP users will also
suffer Kerberos ticket renewal issues if your users leave their machines
on overnight and XP is not patched to SP3.

HTH

Dean

 
 
 
 
 nick.aposto...@au.abnamro.com
 20/02/2009 03:46 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] pop up authentication prompts
 
 Hi,
 
 Random users are getting pop up authentication prompts rather than
 getting authenticated transparently via NTLM.
 This has only started to occur in the last week and the previous few
 months I have not had a problem.
 
 There are 2 proxy servers running squid/samba and both get entries in
 cache.log every minute such as this.
 
 [2009/02/20 14:29:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:30:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:31:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:32:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:33:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:34:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 [2009/02/20 14:35:48,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
   got NTLMSSP command 3, expected 1
 
 These 2 proxies use an upstream squid to pass on requests via
 cache_peer 
 statements.
 
 I had the domain controllers rebooted yesterday and followed that
 with a 
 clean reboot of the squid (running on Solaris 10 x86) and within 30
 seconds of the cache being up the cache.log files starts to log these
 entries.
 
 Samba Version 3.2.0 (compiled with --quiet --with-winbind
 --with-ads=no -prefix=/usr/local/samba --localstatedir=/var/samba)
 
 Squid Cache: Version 2.7.STABLE2
 configure options:  '--enable-snmp'
 '--enable-external-acl-helpers=unix_group,wbinfo_group'
 '--enable-auth=ntlm,basic' '--enable-storeio=ufs,aufs'
 '--prefix=/usr/local/squid' '--localstatedir=/var/squid'
 
 Reading through the archives there are suggestions about upgrading
 versions 
 but all relate to much older versions.
 
 Anyone come across this with more recent versions (not that mine are
 the 
 latest) and is there a possible resolution to it?
 
 
 Regards
 Nick Apostolou
 IT Infrastructure | ABN AMRO Bank Australia/NZ
 Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
 email: nick.aposto...@au.abnamro.com
 
 

RE: [squid-users] pop up authentication prompts

2009-02-24 Thread Plant, Dean
Plant, Dean wrote:
 nick.aposto...@au.abnamro.com wrote:
 Hi,
 
 Anyone got any suggestions on my authentication prompt problems with
 NTLM authentication?
 
 I've also got a test box which was built with a tar ball of the
 squid and samba directories which authenticates with no problem and
 does not give any errors in the cache.log.
 
 Regards
 Nick Apostolou
 IT Infrastructure | ABN AMRO Bank Australia/NZ
 Ph: +61 2 8259 5330 | Fax: +61 2 8259 5440 | Mobile: + 61 401 709 007
 email: nick.aposto...@au.abnamro.com
 
 Try the squid_kerb_auth module. We are running 2.6.x and we have
 suffered the same random pop-ups on NTLM, adding Kerberos
 authentication to the top of the auth configuration fixes the random
 pop-ups on IE 7 and Firefox. IE 6 does not support Kerberos so leave
 NTLM in your configuration if you have this browser on site. XP users
 will also suffer Kerberos ticket renewal issues if your users leave
 their machines on overnight and XP is not patched to SP3.  
 

Just reread over my notes and IE6 *is* supposed to support kerb
authentication. We just had issues with its reliability in testing so
left in NTLM to ensure that if kerb_auth failed it could drop back to
NTLM.
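
The scheme ordering described in the two replies above, sketched as a squid.conf fragment (an added example, not configuration posted by anyone in the thread). Helper paths, the service principal and the child counts are assumptions, and the Squid build must have the negotiate scheme compiled in.

```conf
# squid.conf fragment: Squid offers the schemes to the browser in the order
# they are configured, so Negotiate (Kerberos) goes first and NTLM second.

# 1. Kerberos through the squid_kerb_auth helper.
#    Helper path and service principal are placeholders (assumptions).
#    The helper needs a keytab holding this principal, normally pointed to
#    with KRB5_KTNAME in Squid's start-up environment, and browsers must be
#    configured with the proxy's FQDN so they request a ticket for it.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# 2. NTLM through Samba's ntlm_auth, kept as the fallback for clients that
#    cannot complete Kerberos (the IE 6 case discussed above).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# 3. Basic last, for clients that speak neither scheme. Credentials cross
#    the wire base64-encoded only, so omit this block if it is not needed.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Require a successful login from one of the schemes above.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

While troubleshooting, the `-d` and `-i` helper flags quoted elsewhere on this page can be added to the negotiate line so the helper's messages appear in cache.log.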



RE: [squid-users] can't load clip from youtube (we're sorry, this video id no longer available)

2008-06-26 Thread Plant, Dean
Charuntorn Baimoung wrote:
 Dear all,
 
 I have a problem loading clips from youtube; the error shown is
 we're sorry, this video id no longer available, but when I access
 other websites my squid works properly. Details are below.
 
 
 1. I point the browser to the squid IP and access every website. It works
 properly. 
 2. I use wccp and access every website (youtube too). It works
 except for loading clips from youtube. The error shown is we're sorry,
 this video id no longer available 
 
 Anybody can help me to fix this
 Charuntorn

I have just had a user report the same thing on our production proxies
running squid-2.6.STABLE18-1.el4 and NTLM auth. I have a test proxy
running squid-2.6.STABLE20-1.el5 using Kerberos auth and the link works
fine. What version of Squid are you running?

The link in question was http://youtube.com/watch?v=j8XseabG5j0

Dean


RE: [squid-users] Re: Squid_kerb_auth problem after long login times.

2008-06-19 Thread Plant, Dean
Markus Moeller wrote:
 Can you use kerbtray on the client ( it is available as part of the
 support tools or resource tools). I suspect that your ticket has
 expired. The ticket will usually be renewed when you lock/unlock your
 screen or access a share. XP should also renew when IE accesses a web
 server or proxy with negotiate (although I have heard of some issues
 here). 
 
 Can you try to lock and unlock the screen instead of logout/login.
 
 Markus
 
 BTW What does the squid logfile say when you use  squid_kerb_auth -d
 -i  ... ?

Thanks for your reply.

The tip, locking and unlocking the screen, does renew tickets and fix
the issue when on XP SP2. I had never tried this before, leaving my test
machines overnight meant they were already locked. The first action in
the morning was to unlock and test the proxy connection, locking and
unlocking a second time does fix the issue.

I managed to fix this issue by simply installing XP SP3. I have now run
for days without any overnight proxy authentication issues or requiring
logout/login lock/unlock. Either from leaving machines logged in or
putting machines into hibernate or standby. :-)

I had been using kerbtray to debug kerberos. At SP2 level kerbtray would
show the ticket expired when I first unlocked the screen but then go
green within seconds as the machine renewed its tickets, authentication
with the proxy would still fail. It would seem though that with XP SP2
the issues lie at this unlocking the screen stage as mentioned above
locking and unlocking the screen a second time seems to correctly renew
the tickets so communication to the proxy is restored.

On a side note,

The reason I started looking at squid_kerb_auth was that we were
suffering from random pop-ups in Firefox with our transparent NTLM
authentication. With this kerberos authentication system I have not seen
one random pop-up yet so thank you very much for your work.

Dean  

 
 Plant, Dean [EMAIL PROTECTED] wrote in message

news:[EMAIL PROTECTED]
k...
 Testing squid-2.6.STABLE20 on CentOS 5 with WinXP clients that are
 part 
 of an AD domain.
 
 I have been testing the Kerberos authentication and have noticed that
 after a few days I can no longer use the proxy. My Kerberos tickets
 are valid on the proxy and on the client and I can access windows
 network resources normally. If I login to different machine I can use
 the proxy 
 so all seems well with the proxy configuration. If I logout of the
 affected machine and then login again proxy access is restored.
 
 I have tested this with a few other users who have been logged in for
 over a week with the same results. All were denied access until
 logging 
 out and in again.
 
 Time is correct on all machines.
 
 Any ideas for the best way to debug the Kerberos handshake?
 
 Thanks in advance.
 
 Dean.


[squid-users] Squid_kerb_auth problem after long login times.

2008-06-11 Thread Plant, Dean
Testing squid-2.6.STABLE20 on CentOS 5 with WinXP clients that are part
of an AD domain.

I have been testing the Kerberos authentication and have noticed that
after a few days I can no longer use the proxy. My Kerberos tickets are
valid on the proxy and on the client and I can access windows network
resources normally. If I login to different machine I can use the proxy
so all seems well with the proxy configuration. If I logout of the
affected machine and then login again proxy access is restored.

I have tested this with a few other users who have been logged in for
over a week with the same results. All were denied access until logging
out and in again.

Time is correct on all machines.

Any ideas for the best way to debug the Kerberos handshake?

Thanks in advance.

Dean.



RE: [squid-users] remove DOMAIN part from NTLM username

2008-05-21 Thread Plant, Dean
Dhruv Ahuja wrote:
 Hi All
 
 I am successfully using NTLM authentication in my Fedora 8 Squid and
 Windows 2003 Active Directory environment.
 
 With NTLM in place, the usernames appear to be in the form of
 DOMAIN\username, which prevents me from being able to use them in any
 LDAP filter within squid.conf to determine, let's say, users' OUs. I'd
 rather use OUs to identify the group of people than Windows Groups.
 The Windows Group Policy in place is working that way (on OUs).
 
 I have tried winbind use default domain = yes in smb.conf but that
 doesn't help.

winbind use default domain = yes should remove the requirement of
DOMAIN\username.

Does /usr/bin/ntlm_auth --username=username work?

 
 Everything was working fine in a pure LDAP implementation earlier.
 Except the annoying password prompt window at browser startup! So, I
 have now switched to NTLM and no longer face that issue.
 
 All I need now is to keep the usernames of the format username
 rather than DOMAIN\username to get my LDAP filter, or any LDAP
 filter at all, working.
 
 Any ideas?
 
 Thanks
 
 -- Dhruv


RE: [squid-users] How to Log Client IP's

2008-03-06 Thread Plant, Dean
Jonathan Caum wrote:
 Hello all, I am having a problem with the client IP's being logged in
 the access.log file.
 
 
 
 I am using Squid with Dansguardian, and we would like to have Squid
 log the IP's of each computer going through squid, but at the moment,
 all traffic appears to go through 127.0.0.1 in the log. How do I fix
 this, or what are some possible symptoms to this?
 


Assuming Dansguardian is first in line then,

In dansguardian.conf you need forwardedfor = on; it's in the Misc
settings.

And if you want Squid to act on the IP's you are passing then look for
follow_x_forwarded_for in squid.conf

Dean.
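
The two settings named in this reply, with the trust boundary made explicit (an added example, not configuration from the thread). It assumes DansGuardian runs on the same host as Squid and that Squid was built with `--enable-follow-x-forwarded-for`; the ACL name is made up for the example.

```conf
# dansguardian.conf (Misc settings): pass the real client address to Squid
# in an X-Forwarded-For header.
#   forwardedfor = on

# squid.conf: every connection arrives from DansGuardian on 127.0.0.1, so
# the client address has to be taken from the header it adds.

# Weak setting, shown for contrast and left commented out. With it, any
# host that can reach Squid's port directly decides which address is
# recorded in access.log and matched by src ACLs.
#   follow_x_forwarded_for allow all

# Corrected setting: believe the header only when the connection itself
# comes from the local DansGuardian process.
acl dansguardian_host src 127.0.0.1
follow_x_forwarded_for allow dansguardian_host
follow_x_forwarded_for deny all

# Use the forwarded (indirect) client address in access.log and in ACLs.
log_uses_indirect_client on
acl_uses_indirect_client on
```

Binding Squid's `http_port` to 127.0.0.1 as well keeps clients from bypassing the filter and reaching Squid directly.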



[squid-users] Fix for Windows media player and NTLM auth pop ups

2008-02-28 Thread Plant, Dean
I have seen this problem asked about in the archives but was not sure if
a fix was ever given. If it has I apologise for the noise.

I had been having problems with WMP not correctly authenticating to our
proxy and came across a blog on the isaserver.org website.

When WMP is acting as a web proxy client (CERN) and the web proxy
server requires Windows Integrated authentication, WMP will not
auto-authenticate to the web proxy server if the web proxy server is
specified as either an FQDN or an IP address. If the web proxy server is
specified as a NetBIOS (unqualified) name, WMP will auto-authenticate
using the interactive account credentials. If the web proxy server
requires Basic or Digest authentication, an authentication prompt is
expected, regardless of how the web proxy server is specified. This
behaviour is the same if the web proxy server is obtained via an
automatic configuration (WPAD) script.

http://blogs.isaserver.org/pouseele/2007/11/09/windows-media-player-authentication-prompts/

I changed our wpad file from IP's to the NetBIOS names and the pop-ups
have now disappeared. :-) Only problem now is that I have been testing
the squid_kerb_auth helper (with good results so far) and as you have to
specify the proxy as a FQDN, WMP is broken again :-(

HTH

Dean


RE: [squid-users] FW: Allowing streaming media through NTLM Authentication

2007-08-07 Thread Plant, Dean
Mauricio Silveira wrote:
 Hi!
 
 I'm somehow Happy I'm not alone with this problem...
 
 I'm having this problem since squid 2.6STABLE9... (ALWAYS)
 
 I've tried everything possible without success...
 
 Let's try to get some progress on this matter, I'll dedicate some time
 to this soon (still this week or the next at most)
 
 If you have any progress, please post it here.
 
 Let's be sure of the problem... try accessing these radios:
 
 http://www.radios.com.br/emissoras/transa_prpop.htm
 http://www.radios.com.br/emissoras/transa_sppop.htm
 
 
 The former uses http as protocol, so it will ask for user/password,
 the latter uses mms as protocol, so it won't ask for user/password.

I get the same results using squid-2.6.STABLE13-1.RHEL4.

I have had to disable NTLM authentication (easy fix) for some sites with
streaming media but to be honest I have not had the time to fully
investigate the cause.

Dean

 
 As far as my small brain knows... that's mms that should be giving
 headaches, not the http one!
 
 Please post back if you get the same results, I have to show my boss
 I'm right, I'm not alone and i DO KNOW how to configure squid. :D
 
 I'll post here if I get it working, let's flame this discussion I
 see everyone trying to get rid of streamings, but not trying to get it
 working without these imperfections.
 
 Thanks,
 
 Mauricio
 
 Hi
 
 Apologies if this has been discussed before but I couldn't find a
 solution for my exact problem in the archives.
 
 I run Squid 2.6STABLE13 and have configured it to use NTLM
 authentication for all client requests. This is working properly for
 standard traffic but I am hitting a problem with streaming media.
 
 I'm aware that most streaming media can't handle NTLM authentication
 automatically and therefore when a user tries to access streaming
 media a login box pops up. I don't want the users being asked to
 authenticate so I'm trying to come up with a solution to instruct
 the proxy server to not authenticate the streaming media.
 
 I've tried matching on the streaming media mime types but ran into
 the problem in that the mime type is in the response and not the
 request and it is the request that is authenticated.
 
 Has anyone dealt with this issue before and how did you go about
 allowing streaming media through an authenticated proxy?
 
 Regards,
 
 Mathew Archibald


[squid-users] Filtering activex/java/javascript

2005-08-10 Thread Plant, Dean
Can anyone advise the best up to date way of filtering
activex/java/javascript in conjunction with Squid and Dansguardian? I am
using squid-2.5.STABLE6 on Centos 4.

I have been trawling the mail archives and the web and have come across
a few possible solutions but would like to ask how other people are
doing this in a production environment and if some of the solutions
below are still valid.

Firstly, in case I'm making this more difficult than it needs to be, is
it possible to filter out the dangerous content in squid alone? I notice
within the squid.conf there is a rule that denies javascript, but is it
possible to use a similar rule to stop activex?

The squid FAQ

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.16 references http-gw
which can filter the required content. Is this a recommended way of
filtering content? The website for fwtk does not seem to be very up to
date.

Squid filter modules

http://sites.inka.de/sites/bigred/devel/squid-filter.html has modules to
filter content. Is anyone using these? I have tried to follow the
instructions to  patch/compile but receive the below errors when running
the aclocal command as per the instructions.

acinclude.m4:10: warning: underquoted definition of
AC_CHECK_SIZEOF_SYSTYPE
  run info '(automake)Extending aclocal'
  or see
http://sources.redhat.com/automake/automake.html#Extending-aclocal
acinclude.m4:49: warning: underquoted definition of AC_CHECK_SYSTYPE
configure.in:2420: error: `filters/Makefile' is already registered with
AC_CONFIG_FILES.
autoconf/status.m4:848: AC_CONFIG_FILES is expanded from...
configure.in:2420: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal: autom4te failed with exit status: 1

Are there any other open source solutions available that I have not seen?

Thanks in advance.

Dean Plant


RE: [squid-users] NTLM Authentication

2005-08-05 Thread Plant, Dean
Mike Diggins wrote:
 We're running Squid V2.5Stable10 on a Solaris 8 platform and are
 attempting to get the NTLM authentication working along with basic
 authentication for non-IE browsers.
 
 So far, IE users that are logged into the domain authenticate without
 an authentication prompt (good). Non IE users or users of other web
 clients are prompted for authentication, which is expected, except
 now they must type in the domain/username and password (i.e.
 ap1/myname) instead of just their username. That's a bigger change in
 behaviour than we would like. Is there a way to make this work or is
 this normal behaviour? 
 
I think you need to set winbind use default domain = yes in your
smb.conf

Dean