Re: [squid-users] Errors with sasl while compiling Squid 3.1.4
I had this same issue and could .. ehrm, "guess" (sorry) from the logs that I was missing g++. After apt-getting g++, everything went smoothly. Thanks for pointing to the solution.

cheers!
Lieven

Henrik Nordström wrote:
> On Wed 2010-06-30 at 14:25 +0200, Babelo Gmvsdm wrote:
>> Hi
>>
>> When I run ./configure to prepare compilation on Squid 3.1.4 I got these errors:
>>
>> checking /usr/include/sasl.h usability... no
>> checking /usr/include/sasl.h presence... no
>> checking for /usr/include/sasl.h... no
>> checking sasl.h usability... no
>> checking sasl.h presence... no
>> checking for sasl.h... no
>> configure: error: Neither SASL nor SASL2 found
>>
>> Whereas /usr/include/sasl.h is present in the right directory
>
> Check config.log for more information.
>
> Regards
> Henrik
Re: [squid-users] Report of visited sites? (No filtering, just reporting)
Did you try sarg? It checks the squid logs and creates overviews of the visited sites per IP.

Marcello Romani wrote:
> Charles Bray wrote:
>> Hello,
>> I am sure this must be a common question... please excuse. Does there exist a tool or example configuration that will enable me to log, and display in a nice "HR department friendly" format, the sites that users in our small office network are visiting? We are already using OpenDNS for filtering, but we do need per-user (just IP address) reporting. No need for actual content caching, either.
>> Any suggestions?
>> Thank you,
>> CB
>
> This is a good starting point:
> http://www.squid-cache.org/Scripts/
Re: [squid-users] Re: Re: squid_kerb_auth received type 1 NTLM token
Dear Markus,

You have to be commended for your patience!! Turns out that my keytab file was wrong all along due to a stupid mistake on my side (as was to be expected :-/). I did have the principal for the realm but not for the proxy server itself. Thus the HTTP keytab was recreated with msktutil, this time with the correct principal information. Now it works fine, I can see the clients authenticating in the cache.log.

Bottom line: my bad knowledge of Kerberos made me look for the wrong reasons.

Thank you very much for your help.

Cheers!
Lieven

Markus Moeller wrote:
> Changing the name may not be enough. Delete the AD entry and the keytab and create a new entry with keytab.
>
> Regards
> Markus
>
> "Lieven" wrote in message news:4be9c40a.1090...@gmail.com...
>> [...]
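The fix described above comes down to one rule: the client asks the KDC for HTTP/<the proxy name the browser is configured with>@REALM, so the keytab (and the servicePrincipalName on the computer object) must contain exactly that name, with a key in an enctype the client tickets use. The following Python script is an added example, not part of the thread or of msktutil/Squid: it parses the output of `klist -kte` (MIT) or `ktutil list` (Heimdal), reports a missing SPN, points out near misses such as HTTP/domain.local that this thread ran into, and flags an enctype mismatch. The three listings are constructed samples; the timestamps and KVNOs in them are invented, and the function names are mine.

```python
import re

# Constructed sample listings (not taken from the thread). BROKEN mirrors the
# state described above: msktutil was run with -s HTTP/domain.local, so the
# keytab has no key for the name the browser actually asks for.
BROKEN_LISTING = """\
Keytab name: FILE:/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/05/10 20:58:11 HTTP/domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 05/05/10 20:58:11 HTTP/domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 05/05/10 20:58:11 HTTP/domain.local@DOMAIN.LOCAL (arcfour-hmac)
"""

FIXED_LISTING = """\
Keytab name: FILE:/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/12/10 09:10:02 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 05/12/10 09:10:02 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 05/12/10 09:10:02 HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL (arcfour-hmac)
"""

# Heimdal `ktutil -k /etc/HTTP.keytab list` layout: right name, but RC4 only,
# while the client tickets in the thread are AES256.
RC4_ONLY_LISTING = """\
Vno  Type          Principal                                      Aliases
  3  arcfour-hmac  HTTP/squid3-proxy.domain.local@DOMAIN.LOCAL
"""

# service/host@REALM anywhere on the line; timestamps like 05/05/10 do not match
# because the service part must be letters.
PRINC_RE = re.compile(r"(?P<princ>[A-Za-z]+/[\w.\-]+@[\w.\-]+)")
ETYPE_RE = re.compile(r"\b(?:aes\d+|arcfour|des3?|rc4|camellia\d+)[\w\-]*")


def parse_keytab_listing(text):
    """Extract (principal, enctype-or-None) pairs from klist -kte / ktutil list output."""
    entries = []
    for line in text.splitlines():
        m = PRINC_RE.search(line)
        if not m:
            continue  # header, separator or blank line
        e = ETYPE_RE.search(line)
        entries.append((m.group("princ"), e.group(0) if e else None))
    return entries


def expected_spn(proxy_host, realm):
    """The SPN a browser asks the KDC for: HTTP/<proxy name as configured in the browser>@REALM."""
    return "HTTP/%s@%s" % (proxy_host, realm.upper())


def check_keytab(listing_text, proxy_host, realm, client_enctype):
    """Return a list of findings; an empty list means the keytab can serve this proxy name."""
    entries = parse_keytab_listing(listing_text)
    want = expected_spn(proxy_host, realm)
    findings = []
    have_etypes = [e for p, e in entries if p == want]
    if not have_etypes:
        findings.append("MISSING: no key for %s" % want)
        # Flag HTTP/ keys for a parent domain or a short host name: these are the
        # typical wrong -s / --upn arguments and never match the client's TGS-REQ.
        host = proxy_host.lower()
        for princ in sorted({p for p, _ in entries}):
            svc, _, rest = princ.partition("/")
            h = rest.partition("@")[0].lower()
            if svc == "HTTP" and h != host and (host.endswith("." + h) or h.split(".")[0] == host.split(".")[0]):
                findings.append("NEAR MISS: %s is a key for a different name than the client requests" % princ)
        return findings
    known = [e for e in have_etypes if e]
    if known and client_enctype not in known:
        findings.append("ENCTYPE: %s has %s but client tickets use %s" % (want, ", ".join(known), client_enctype))
    return findings


if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING), ("rc4-only", RC4_ONLY_LISTING)):
        result = check_keytab(listing, "squid3-proxy.domain.local", "DOMAIN.LOCAL", "aes256-cts-hmac-sha1-96")
        print("%-9s -> %s" % (label, result or ["OK"]))
```

Run it against a real listing by piping `klist -kte /etc/HTTP.keytab` into `check_keytab` with the host name exactly as it appears in the browser's proxy setting; the enctype to compare against is the one kerbtray (or `klist` on a client) shows for the ticket, AES256-CTS-HMAC-SHA1-96 in this thread.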
Re: [squid-users] Re: squid_kerb_auth received type 1 NTLM token
That seems to clarify my problems. Thank you.

After the msktutil, I saw that a new computer object had been made in the AD. In adsiedit, I opened this squid3-proxy computer account and checked its service principal name. There was only "HTTP/domain.local" so I manually added "HTTP/squid3-proxy.domain.local". Then after I did a new web request via the proxy server, I saw this HTTP/squid3-proxy.domain.local service principal in kerbtray. Only, it still pops up with an authentication request so I'm not yet there.

Anyway, tomorrow I'll have access to the local PC and a wireshark trace will probably help me solve this further.

Thanks for all the effort already.

cheers.
Lieven

Markus Moeller wrote:
> Hi Lieven,
>
> The problem seems to be the krb5kdc_err_s_principal_unknown error. If you took the capture earlier you should have seen a TGS REQ in wireshark for HTTP/squid3-proxy.domain.local and AD says it does not know anything about this principal. Can you search AD if you have an entry with serviceprincipalname=HTTP/squid3-proxy.domain.local using adsiedit.msc for example?
>
> If you would have got a successful reply it would be a TGS REP and kerbtray would show
>
> DOMAIN.LOCAL
> |_ cifs/adserver1.domain.local
> |_ krbtgt/DOMAIN.LOCAL
> |_ krbtgt/DOMAIN.LOCAL
> |_ LDAP/adserver1.domin.local/domain.local
> |_ ProtectedStorage/adserver1.domain.local
> |_ HTTP/squid3-proxy.domain.local/domain.local
>
> Regards
> Markus
>
> "lieven" wrote in message news:4be94d3c.6040...@ba.be...
>> [...]
Re: [squid-users] squid non-accel default website
I might be completely misunderstanding your request but can't you just run an HTTP daemon like Apache on your proxy server that serves a page with explanations?

rgds,
Lieven

Nils Hügelmann wrote:
> Hi,
>
> I have a non-accel non-transparent squid 3.1 running on port 80, and when someone accesses the proxy directly (via http://hostname or http://ip) I want the proxy to show an explanation website. At the current state, it shows an "invalid URL" ... "while trying to retrieve the URL: /" error on direct access, which prevents using url rewriters (and deny_info too?!). So how to do this?...
>
> Thanks
> Nils
Re: [squid-users] Re: squid_kerb_auth received type 1 NTLM token
How can I check this bind compatibility? The server is a Windows 2008 so I assumed it just used Kerberos when I added the Vista PC to the domain.

Yes, I have the same visible behaviour with an XP client although I could not check wireshark on port 88 because the XP is connected via VPN.

thanks,
Lieven

Tim Neto wrote:
> How is the Vista machine bound to the Active Directory domain? NTLM compatibility?
>
> Does the same behavior occur with an XP client?
>
> --
> Timothy E. Neto
> Computer Systems Engineer
> SMS Construction and Mining Systems Inc.
>
> On 5/11/2010 8:27 AM, lieven wrote:
>> [...]
[squid-users] Re: squid_kerb_auth received type 1 NTLM token
Hello again,

This time, I got access to a PC in the AD domain. When I monitor both UDP and TCP port 88, there is krb communication to be seen but it doesn't look right. From AD server to client I see the following error: krb5kdc_err_s_principal_unknown

It looks like this (only krb5 and some tcp lines):

1. server -> client: Krb Error: krb5kdc_err_s_principal_unknown
2. client -> server: AS-REQ
3. server -> client: KRB Error: krb5kdc_err_preauth_required
4. client -> server: AS-REQ
5. server -> client: AS-REP
6. client -> server: AS-REQ
7. server -> client: KRB Error: krb5kdc_err_preauth_required
...{4-7} x7

This sequence, starting from 3, is repeated a few times, as many times as I had to enter credentials in the IE popup.

Here is a detail from the error packet "principal unknown":

No. Time     Source   Destination Protocol Info
6   0.009940 X.X.X.X  X.X.X.X     KRB5     KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Frame 6 (179 bytes on wire, 179 bytes captured)
Ethernet II, Src: Vmware_7e:84:97 (00:0c:29:7e:84:97), Dst: Dell_48:f3:90 (00:24:e8:48:f3:90)
Internet Protocol, Src: X.X.X.X (X.X.X.X), Dst: X.X.X.X (X.X.X.X)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 65248 (65248), Seq: 1, Ack: 1660, Len: 125
Kerberos KRB-ERROR
    Record Mark: 121 bytes
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2010-05-11 10:44:11 (UTC)
    susec: 313474
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: DOMAIN.LOCAL
    Server Name (Service and Instance): HTTP/squid3-proxy.domain.local
        Name-type: Service and Instance (2)
        Name: HTTP
        Name: squid3-proxy.domain.local

On this client PC (it is a Windows Vista) I have different Kerberos tickets (as per kerbtray):

DOMAIN.LOCAL
|_ cifs/adserver1.domain.local
|_ krbtgt/DOMAIN.LOCAL
|_ krbtgt/DOMAIN.LOCAL
|_ LDAP/adserver1.domin.local/domain.local
|_ ProtectedStorage/adserver1.domain.local

The encryption types are for all tickets: Kerberos AES256-CTS-HMAC-SHA1-96 (both for ticket and key encryption type). The client principal is use...@domain.local

I also traced DNS on UDP and TCP 53; this seems to work OK: it shows a lookup of the requested site and then a reply from the adserver (also DNS) with the IP of the site. I don't see any lookup of the proxy-server FQDN that is put as the connection proxy setting in the browser (it is squid3-proxy.domain.local).

Next, I tried to follow the requests on port 3128 TCP to the proxy server:

1) the client requests a web page from the proxy server on port 3128: "GET http://www.google.be/ HTTP/1.1" (HTTP protocol)
2) the proxy sends back a 407: (HTTP) "HTTP/1.0 407 Proxy Authentication Required (text/html)"
3) the client responds with (HTTP) "GET http://www.google.be/ HTTP/1.1 , NTLMSSP_NEGOTIATE"

Between each point there is some TCP syn/ack/fin traffic which I can post if needed.

The last 2 points are repeated a few times, where the proxy requests authentication, expecting Kerberos, and the client responds with NTLM for some reason. In Firefox it is the same as IE: proxy auth required followed by an ntlmssp_negotiate from the client.

Why I don't get Kerberos to work is a mystery to me as it seems to work in the domain itself when computers authenticate to get access to shares etc...

Any clues welcome.

thanks,
Lieven

--
Please Visit us at V-ICT-OR shopt IT 25 May 2010 - De Montil - Affligem
Lieven De Puysseleir
BA N.V. - http://www.ba.be
Dalemhof 28, 3000 Leuven
tel: 0032 (0)16 29 80 45
[squid-users] Re: squid_kerb_auth received type 1 NTLM token
Hello Markus,

Sorry for my slow reaction.

1) I did a klist on the squid server and got this ticket:

squid3-proxy:/var/log/squid-3.1.3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.local

Valid starting     Expires            Service principal
05/09/10 14:35:00  05/10/10 00:34:04  krbtgt/domain.lo...@domain.local
        renew until 05/10/10 14:35:00

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

=> Do I have to renew this ticket from the server every day? I thought that I only needed this ticket once to get my squid server into the AD domain with msktutil?

2) I installed the kerbtray tool from the Windows 2003 tools on my XP PC. My XP PC is connected via a Windows VPN for this test; I log on with my domain credentials and connecting to the VPN works fine. As soon as I try to connect to a site via the squid3-proxy server, I get one ticket in kerbtray. This is the only ticket I have in the list:

krbtgt/DOMAIN.LOCAL for the client principal: b...@domain.local
the service name is: krbtgt/domain.lo...@domain.local
target name is: krbtgt/dom...@domain.local
flags: forwardable, renewable, preauthenticated, initial
encryption types: ticket encryption type: etype 18 and key encryption type: etype 0

Regarding DNS, I double-checked and A and PTR lookup are OK from the client.

3) When I open a site in my Firefox browser on the client, where I put the FQDN name as proxy server, I see the following in the cache.log on squid:

2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:03| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/05/09 14:59:04| squid_kerb_auth: WARNING: received type 1 NTLM token
2010/05/09 14:59:04| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

4) It seems that winpcap 4.1, which I installed on my client, is not able to capture on the PPP interface which I use to connect to the Windows VPN. I will send a dump of that traffic as soon as I have access to a PC at the location (non-VPN).

How do I add a dump from wireshark? I got a tcpdump on the squid server which I opened in wireshark and then exported as a plain-text file (all captured traffic, 49 packets) but it's quite large (about 917 lines).

Thanks for your help.

kind regards,
Lieven
[squid-users] squid_kerb_auth received type 1 NTLM token
Dear list,

I currently have a problem where it seems that my clients, web browsers Firefox 3.5 and IE8, only return NTLM tokens as authentication instead of Kerberos. This is the error in the cache log from squid:

...
squid_kerb_auth: WARNING: received type 1 NTLM token
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
...

squid has been configured like this:

./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/opt/squid-3.1.3

make and make install went fine. The squid box is a cleanly installed Debian Lenny i386. Squid itself seems to run fine, I can browse through it. Then my goal to use Kerberos authentication fails with the error above.

In my krb5.conf I have the following info in my realm:

kdc = xxx.xxx.xxx.xxx
admin_server = xxx.xxx.xxx.xxx

These are the libdefaults:

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/HTTP.keytab
ticket_lifetime = 24h

The /etc/HTTP.keytab file is like this:

-rw-r- 1 squid squid 532 2010-05-05 20:58 /etc/HTTP.keytab

squid is running as user "squid".

First I got a Kerberos ticket with: kinit administrator
I can see a krbtgt ticket with klist.

I'm trying to authenticate against a Windows 2008 DC and I used msktutil like this:

msktutil -c -b "CN=COMPUTERS" -s HTTP/domain.local -h domain.local -k /etc/HTTP.keytab --computer-name squid3-proxy --upn HTTP/domain.local --server ad2008srvr.domain.local --verbose --enctypes 28

The squid config file is quite basic (only relevant parts here - I think):

auth_param negotiate program /opt/squid-3.1.3/sbin/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED

DNS seems to work alright: the AD server is used for DNS and has a working A and PTR record for the squid3-proxy.domain.local server, because the A and PTR lookups return the correct results when run from the server and from the clients.

Is there anybody out there who can help me troubleshoot this problem? I found tutorials where the keytab file is created on the Windows server but that's not necessary if I use msktutil, right?

Thanks a lot. I've been trying to get this to work for some time now.

cheers,
Lieven
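The failure mode in this thread (Squid answers 407 with Proxy-Authenticate: Negotiate, the browser answers with an NTLMSSP message, squid_kerb_auth logs "received type 1 NTLM token") hinges on what is inside the base64 blob after the word Negotiate: the Negotiate scheme carries either a SPNEGO token, a raw Kerberos token, or, when the client could not get a service ticket, an NTLM message, and only the helper's decode of that blob tells which. The script below is an added example, not code from the thread or from Squid: it decodes such a Proxy-Authorization value and reports whether the client sent NTLM (and which message type), SPNEGO, or a raw Kerberos GSS token, the same signature check the helper makes before giving up. The sample tokens are constructed by the script itself (the NTLM flags value and the placeholder inner bytes are arbitrary), and the function names are mine.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs as they appear right after the tag/length of a GSS-API
# InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft variant)


def _der_len(n):
    """DER length encoding, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _skip_der_len(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:
        return pos + 1
    return pos + 1 + (first & 0x7F)


def classify_token(token):
    """Classify a raw token as Squid hands it to its negotiate helper."""
    if token.startswith(NTLMSSP_SIGNATURE):
        # NTLM: 8-byte signature, then little-endian uint32 MessageType (1, 2 or 3).
        if len(token) < 12:
            return "ntlm-truncated"
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "ntlm-type%d" % msg_type
    if token[:1] == b"\x60":
        # GSS-API InitialContextToken: [APPLICATION 0] tag, length, mech OID, inner token.
        if len(token) < 2:
            return "gss-truncated"
        pos = _skip_der_len(token, 1)
        if token.startswith(SPNEGO_OID, pos):
            return "spnego"
        if token.startswith(KRB5_OID, pos) or token.startswith(MS_KRB5_OID, pos):
            return "krb5"
        return "gss-unknown-mech"
    return "unknown"


def classify_proxy_authorization(header_value):
    """Parse a Proxy-Authorization value such as 'Negotiate <base64>' and classify it."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "scheme-%s" % scheme.lower()
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "bad-base64"
    return classify_token(token)


def build_ntlm_type1(flags=0x00088207):
    """Construct a minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, type, flags, empty fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def build_gss_token(mech_oid, inner=b""):
    """Construct a GSS-API InitialContextToken wrapping the given mech OID and inner bytes."""
    body = mech_oid + inner
    return b"\x60" + _der_len(len(body)) + body


def header_for(token):
    """Format a token the way a browser sends it in Proxy-Authorization."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    samples = {
        "browser fell back to NTLM": header_for(build_ntlm_type1()),
        "SPNEGO (what Squid expects)": header_for(build_gss_token(SPNEGO_OID, b"\xa0\x00")),
        "raw Kerberos GSS token": header_for(build_gss_token(KRB5_OID, b"\x01\x00")),
    }
    for label, hdr in samples.items():
        print("%-28s -> %s" % (label, classify_proxy_authorization(hdr)))
```

A client only produces the NTLM form when it has no service ticket for the proxy name, which is why the classification alone says "wrong SPN or no ticket" but not which; the KDC trace in the thread (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for HTTP/squid3-proxy.domain.local) is what distinguishes the two.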
Re: [squid-users] make squid-3.1.1
Hi,

This problem is solved; completely something on my side, as expected. It seems that my first try to download and compile the CVS of squid_kerb_auth had compromised the make with squid 3.1.1, even after make clean. I installed a fresh Debian Lenny and this time compiling squid with the helpers worked fine.

thank you,
Lieven

Henrik Nordström wrote:
> On Wed 2010-04-28 at 18:46 +0200, lieven wrote:
>> squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
>> ../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
>> base64.o:(.rodata+0x0): first defined here
>
> Try this:
>
> echo >helpers/negotiate_auth/squid_kerb_auth/base64.c
>
> Appears that file is duplicate and colliding with the same from within the main parts of the Squid source tree.
>
> Regards
> Henrik
Re: [squid-users] make squid-3.1.1
Thank you Henrik. I just tried your suggestion and emptied the base64.c file. It did solve one problem but a new one arises. I took the following actions:

make clean
./configure
make

and now it stops like this:

gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
squid_kerb_auth.o: In function `main':
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:374: undefined reference to `ska_base64_decode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:379: undefined reference to `ska_base64_decode'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:429: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode_len'
/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c:437: undefined reference to `ska_base64_encode'
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

Maybe I can just compile the squid_kerb_auth helper and install the rest of squid3 with apt-get. I already tried downloading the squid_kerb_auth from the CVS (sourceforge project) but couldn't get it to configure. Here, when I go into the squid_kerb_auth folder, at least the configure works.

Sorry if this sounds like gibberish, I'm not a programmer.

thanks for your help.
Lieven

Henrik Nordström wrote:
> On Wed 2010-04-28 at 18:46 +0200, lieven wrote:
>> squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
>> ../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
>> base64.o:(.rodata+0x0): first defined here
>
> Try this:
>
> echo >helpers/negotiate_auth/squid_kerb_auth/base64.c
>
> Appears that file is duplicate and colliding with the same from within the main parts of the Squid source tree.
>
> Regards
> Henrik
Re: [squid-users] make squid-3.1.1
Hi Nick,

Thank you very much for your reply. I found the following page: http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg535930.html

Next, I apt-get installed the following packages: libldap2-dev, libpam0g-dev, sharutils, dpatch (>= 2.0.9), po-debconf, libdb-dev, libgssglue-dev, libkrb5-dev; except for libkrb5-dev, because I have heimdal-dev (maybe I should switch to the MIT version?).

Anyways, after a

*) make clean
*) ./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/usr/local/sbin/squid-3.0
*) make

-> I get the same problem. It just stops the same way as before.

Then I tried an apt-get install squid3; this works fine but I do not have the much-wanted squid_kerb_auth because it is not included in the standard squid configure options.

thanks for your help though.

kind regards,
Lieven

Nick Cairncross wrote:
> Dependencies perhaps - krb5, cyrus-sasl, gss etc?
>
> -----Original Message-----
> From: lieven [mailto:lie...@ba.be]
> Sent: 28 April 2010 17:47
> To: squid-users@squid-cache.org
> Subject: [squid-users] make squid-3.1.1
>
> [...]
[squid-users] make squid-3.1.1
Dear list and people therein,

I'm currently trying to compile (make) the squid 3.1.1 which I just downloaded from the squid-cache site. The OS is Debian Lenny 64bit. build-essentials was installed. ./configure works fine, I get a make file. Then I run make, it goes along for some time and then stops. (logging included below) If anybody can point me in the good direction to solve this, thank you very much.

...
gcc -g -O2 -Wall -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -Wl,-R/usr/lib -L/usr/lib -lgssapi -lheimntlm -lkrb5 -L../../../lib -o squid_kerb_auth squid_kerb_auth.o base64.o -lmiscutil -lm
../../../lib/libmiscutil.a(base64.o):(.rodata+0x0): multiple definition of `base64_code'
base64.o:(.rodata+0x0): first defined here
collect2: ld returned 1 exit status
make[5]: *** [squid_kerb_auth] Error 1
make[5]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/software/squid-3.1.1/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/software/squid-3.1.1/helpers'
make: *** [all-recursive] Error 1

kind regards,
Lieven
Re: [squid-users] Squid & content filter
Guillaume <[EMAIL PROTECTED]> writes:

> I would like to know if there is a plugin for squid or a parameter in
> squid.conf to have the ability to filter words that are forbidden...
> Ex: sex, porn, etc...
> I'm on squid NT.
> thanks for your replies.

http://dansguardian.org/

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Re: [squid-users] ntlm auth, unauthorized users without popup window
"Horváth Szabolcs" <[EMAIL PROTECTED]> writes:

> Hi!
>
> I've successfully configured squid to use ntlm authentication. If the
> authenticated users go through the proxy, the web page will be loaded.
> On the opposite side, if any unauthorized users want to browse, a popup window
> appears (username, password).
>
> I know this is the default behaviour. Is there any chance not to pop up the
> authentication window in this case?
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-298725999-1398125-441284377-12796
> auth_param ntlm children 100
> auth_param ntlm max_challenge_reuses 100
> auth_param ntlm max_challenge_lifetime 5 minutes
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-5-21-298725999-1398125-441284377-12796
> auth_param basic children 100
> auth_param basic realm Kerem adja meg felhasznalonevet es jelszavat
> auth_param basic credentialsttl 1 hours
>
> acl AuthorizedUsers proxy_auth REQUIRED
>
> http_access allow AuthorizedUsers
> http_access deny all

Perhaps by removing the basic authenticator?
Re: [squid-users] How can I allow hosts to access web through squid without restarting?
"Riaz Uddin" <[EMAIL PROTECTED]> writes:

> Dear,
>
> I'm using squid as my proxy server in my network and allowing hosts to
> access the web by setting my proxy server in the browser. Without the setting people
> aren't allowed to access the web. I'm a very beginner in using squid. To allow
> a host to access the web I do two steps, and the steps are:
>
> 1. Write lines in squid.conf:
> acl usr1 src 172.16.0.5
> http_access allow usr1
>
> 2. After writing the above lines, I restart the squid service.

No need to restart squid. Use

squid -k parse

to check your squid.conf for errors, and when this works use

squid -k reconfigure

to start using it. Connections in progress will not be disturbed by this.
Re: [squid-users] Load balancing on single machine
Dusan Djordjevic <[EMAIL PROTECTED]> writes:

> I plan to install a few instances of Squid on one multiprocessor box and
> balance load between them. I plan to use LinuxVirtualServer for it. Does
> someone have that kind of solution? What load balancing do you suggest?
> Any other recommendation?

First measure whether your squid installation is CPU-bound or I/O-bound. If it is the latter, multiprocessing won't change much.
Re: [squid-users] How to bypass authentication for some URLs?
"Tan, Kian Tiong" <[EMAIL PROTECTED]> writes:

> Hi,
>
> Does anyone know how to access certain URLs without going through authentication
> (like msntauth)?
>
> I use the following:
>
> acl surf dstdomain www.google.com
> always_direct allow surf
>
> But it doesn't work. Is there any other method?

always_direct does something entirely different. Use

http_access allow surf

before the http_access line that requires authentication.
Re: [squid-users] HOw to use max_user_ip
"Li Wei" <[EMAIL PROTECTED]> writes:

> The option "max_user_ip" is a new function in Squid 2.5.
> From its description, it seems very useful.
>
> However, I have failed in using it.
> Is there any advice on how to use it?

acl multiple max_user_ip -s 1
http_access deny multiple

will stop people using a userid on 2 machines simultaneously.
Re: Res: RE: [squid-users] problem with BIG passwords
"Alex Carlos Braga Antão" <[EMAIL PROTECTED]> writes:

> Any news about that problem with passwords above 15 characters that
> squid cannot authenticate?

ncsa authentication ignores everything after the first 8 characters, just like the classic unix passwd.
Re: [squid-users] Still Fail to Authenticate
Aqil <[EMAIL PROTECTED]> writes:

> here is the content of my file1:
> user1:Q9jp0EYusm5eo
>
> Is there someone out there who would kindly try
> this for me (with the ncsa authentication scheme? :)

Seems fine to me.

http-proxy-intern:/tmp# cat test.auth
user1:Q9jp0EYusm5eo
http-proxy-intern:/tmp# /usr/lib/squid/ncsa_auth ./test.auth
user1 password4user1
OK
Re: [squid-users] Converting clear-text file into supported-by-squid encrypted file
Aqil <[EMAIL PROTECTED]> writes:

> The MD5 encryption is well supported by the ncsa
> authentication scheme, isn't it?

I don't think so.

> So, I have 2 questions:
> 1. How to make the famous file?
> ..the file, as you know, which has to be in the format
> that the ncsa authentication scheme supports.
>
> 2. How to convert my clear text password file into the
> file that is required by the ncsa authentication scheme?
> I really need to perform this conversion because I
> already have my database which consists of a large
> number of lines. I can't imagine if I have to perform
> the conversion line by line manually in the command
> line ..

If you have your userids and passwords in a file, something like

# cleartextfile holds one "user password" pair per line;
# -b takes the password on the command line, so run this where
# other users cannot read the process list
while read user password
do
    htpasswd -b passwordfile "$user" "$password"
done < cleartextfile

should work.
Re: [squid-users] I have an ACL blocking access but i want webmail
"Frank Chibesakunda" <[EMAIL PROTECTED]> writes:

> my current acl rule is:
>
> acl center_user src 192.168.10.2-192.168.10.110
> acl browsetime time 08:30-15:30
>
> http_access deny center_user
> http_access deny center_user browsetime

This is redundant. The second line matches center_user AND browsetime, but center_user is already rejected in the line above.

> I am saying the above works, but I want to allow my webmail to be accessed
> during the time my users have been blocked, i.e. my webmail address is
> http://mail.zen.co.zm, how do I allow it to be accessed?

acl webmail dstdomain mail.zen.co.zm
http_access allow webmail
http_access deny center_user
http_access deny browsetime
http_access allow all

--
"I do not want people to be agreeable, as it saves me the trouble of liking them." Jane Austen
Re: [squid-users] reply_body_max_size 2048 don't work :(
"kelly kloen" <[EMAIL PROTECTED]> writes:

> I have put in:
>
> reply_body_max_size 2948 ( = 2 MB I think, is this correct? ) deny all 2048
>
> When I put in this line I can still download more than 2 MB from
> www.xs4all.nl/~kloenie/ the emule file (is 3 MB ;) )

How long is the downloaded file? If the server doesn't return a Content-Length header, the download is cut off after 2MB and you only get part of the file.
Re: [squid-users] squid works but the url,ip,words block not :(
"kelly kloen" <[EMAIL PROTECTED]> writes:

> my squid proxy works now on a redhat 9.0
> i have this in my squid.conf:
>
> acl leerling src 212.178.168.0/255.255.254.0
> acl block url_regex -i "/var/log/squid/block/block.txt"
> acl ip dst "/var/log/squid/block/ip.txt"
> acl url dstdomain "/var/log/squid/block/url.txt"
>
> # And finally deny all other access to this proxy
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow leerling
> http_access deny block
> http_access deny ip
> http_access deny url
> http_access deny all
>
> and the files in /var/log/squid/block now have root/root access. And in
> block.txt is the word porno,
> so it needs to block every url with porno in it.
> But when I look on the local machine I can still access porno.nl. How can I
> see if it uses the files???

dstdomain matches the exact domain. Perhaps you want dstdom_regex? Also, since allow localhost comes before deny {block,ip,url}, both localhost and the student network are allowed to access all sites. This is probably what you meant:

http_access deny block
http_access deny ip
http_access deny url
http_access allow localhost
http_access allow leerling
http_access deny all
Re: [squid-users] authenticate_ip_ttl logging
Henrik Nordstrom <[EMAIL PROTECTED]> writes:

> Not easily, but as a quick fix adding a log statement to the acl
> processing of max_user_ip might suffice. However, you might then be
> somewhat flooded with messages if the user persists in trying to get
> access.

Yes, that would work. As another quick and dirty trick, logging to syslog with its own severity and letting syslog consolidate the identical lines would solve the flood objection.

--
There is only one war, and it's not the rich against the poor, the blacks against the whites, the Federation against the Borg, or the Democrats versus the Republicans. It's those of us who aren't complete idiots against those of us who are.
Re: [squid-users] How to do? authentication and ip-range
"Tushar Gupta" <[EMAIL PROTECTED]> writes:

> Also, is it possible to generate both start-of-session and end-of-session
> records using squid with any authentication mechanism? I am looking
> forward to doing accounting based on the number of hours of usage.

HTTP is inherently a stateless protocol and the client authenticates to the proxy for every request. So there is no session or "end of session". You can kludge things together on the basis of considering each 5 minute period with at least one request part of an ongoing session etc., but accounting based on the number of bytes transferred seems more appropriate.
Re: [squid-users] restrictive proxy forwarding
"Robert Ainslie" <[EMAIL PROTECTED]> writes:

> I have a very large network with an internet connection and an
> authenticating squid proxy server. We have an important web
> application that is hosted by a 3rd party ASP, but our internet pipe is
> way overutilised, which makes the application unusable. (Any more
> bandwidth we throw at the internet pipe will be snapped up and will
> not solve the problem; management issue.)
>
> The solution is to connect directly to the ASP. My question is this:
> How can I in squid get all requests for a certain domain to be handled
> by the local squid box, i.e. route them down the direct pipe, while all
> other requests are handled by the authenticating squid box on the main
> internet connection?
>
> The direct connection I think has to happen. If anyone can help with
> the above it would be great, or suggest other ideas, iptables...?

Delay pools might be an answer. Put your ASP traffic in one pool, the rest of the internet traffic in another and guarantee a certain bandwidth for the ASP.
[squid-users] authenticate_ip_ttl logging
In recent versions of squid, the authenticate_ip_ttl mechanism has been replaced by the max_user_ip acl. Previous versions of squid logged multiple IP address use together with the user name, which was handy to force password changes of compromised userids. Is there a way to get this logging back?
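The two questions above that come down to reading the proxy log (the "authentication and ip-range" answer about treating each 5-minute period with a request as part of a session, and this request for the old authenticate_ip_ttl logging) can both be answered offline from access.log. The following Python is an added example, not code from squid or from anyone on this list: it parses a few constructed native-format access.log lines, builds per-user sessions from a 5-minute idle gap, and reports userids seen from more than one client address within a window, which is the condition `max_user_ip -s 1` denies and what the old logging reported. The log lines, addresses and user names are invented for the example.

```python
"""Derive usage sessions and multi-address logins from squid's native
access.log (added example, not squid code; log lines are constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# Native access.log fields: time.ms elapsed client code/status bytes method
# URL user hierarchy/peer type. Addresses and user names are invented.
SAMPLE_LOG = """\
1272470000.101    220 192.168.1.5 TCP_MISS/200 4120 GET http://www.example.com/ alice DIRECT/93.184.216.34 text/html
1272470090.455     80 192.168.1.5 TCP_HIT/200 910 GET http://www.example.com/a.css alice NONE/- text/css
1272470150.012    130 192.168.1.9 TCP_MISS/200 2210 GET http://intranet.example.com/ alice DIRECT/10.1.1.2 text/html
1272470200.300    300 192.168.1.20 TCP_MISS/200 7700 GET http://news.example.net/ bob DIRECT/198.51.100.7 text/html
1272470900.700    150 192.168.1.5 TCP_MISS/200 1500 GET http://www.example.com/b.js alice DIRECT/93.184.216.34 text/javascript
1272471000.000    100 192.168.1.21 TCP_DENIED/407 1800 GET http://news.example.net/ - NONE/- text/html
1272474800.000    210 192.168.1.20 TCP_MISS/200 600 GET http://news.example.net/x bob DIRECT/198.51.100.7 text/html
"""


@dataclass
class Entry:
    ts: float     # request time, seconds since the epoch
    client: str   # client IP address
    size: int     # bytes sent to the client
    user: str     # authenticated user name, '-' when none


def parse_log(text: str) -> list[Entry]:
    """Parse native-format lines; short or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        entries.append(Entry(float(f[0]), f[2], int(f[4]), f[7]))
    return sorted(entries, key=lambda e: e.ts)


@dataclass
class Session:
    user: str
    start: float
    end: float    # time of the last request seen; HTTP has no real end marker
    size: int


def sessions(entries: list[Entry], idle_gap: float = 300.0) -> list[Session]:
    """Group each user's requests: a gap longer than idle_gap (5 minutes
    by default, as the reply suggests) starts a new session."""
    out: list[Session] = []
    current: dict[str, Session] = {}
    for e in entries:
        if e.user == "-":
            continue
        s = current.get(e.user)
        if s is None or e.ts - s.end > idle_gap:
            s = Session(e.user, e.ts, e.ts, 0)
            out.append(s)
            current[e.user] = s
        s.end = e.ts
        s.size += e.size
    return out


def multi_ip_users(entries: list[Entry], ttl: float = 3600.0,
                   max_ips: int = 1) -> dict[str, list[str]]:
    """Users seen from more than max_ips client addresses within ttl seconds:
    the 'max_user_ip -s 1' condition with authenticate_ip_ttl as the window,
    and the report the old logging gave for spotting shared or stolen userids."""
    seen: dict[str, list[tuple[float, str]]] = defaultdict(list)
    flagged: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.user == "-":
            continue
        recent = [(t, ip) for t, ip in seen[e.user] if e.ts - t <= ttl]
        ips = {ip for _, ip in recent} | {e.client}
        if len(ips) > max_ips:
            flagged[e.user] |= ips
        seen[e.user] = recent + [(e.ts, e.client)]
    return {u: sorted(ips) for u, ips in flagged.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for s in sessions(log):
        print(f"{s.user}: {s.end - s.start:.0f}s, {s.size} bytes")
    print("multiple addresses:", multi_ip_users(log))
```

On the sample, alice gets two sessions (her three requests within 150 seconds, then one 12 minutes later) and is flagged because 192.168.1.5 and 192.168.1.9 both used her userid within the hour; the 407 line with no user is ignored. Against a real log, point `parse_log` at the file contents and keep `ttl` equal to your authenticate_ip_ttl so the report matches what squid itself would deny.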
Re: [squid-users] How to do? authentication and ip-range
"Sander Winkel" <[EMAIL PROTECTED]> writes:

> I want to give access only to computers from a specified IP range, and the
> users in that IP range must be validated with radius authentication.
> The radius authentication works well, but I don't know how to define that
> only the specified IP range has access to the server.
> Oh yes, I know that it could be specified as below:
>
> acl clients src 192.168.0.0/255.255.255.0
> http_access allow clients
>
> But when I put this before:
>
> http_access allow password
>
> all the users within that range have access to the cache without
> authentication.
>
> I think it's not so difficult to get this to work, but I don't see the
> solution at the moment.
> I hope you can help me.

ACLs can be combined, so you do

http_access allow clients password
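Several answers on this page (bypassing authentication for www.google.com, the redundant center_user lines, the student blocklist placed after `allow leerling`, and `allow clients password` just above) all rest on the same two rules of http_access evaluation: the ACLs on one line are ANDed, and the first line whose ACLs all match decides. The following Python is an added example, not squid code: a small model of that evaluation supporting only the ACL types used on this page (src, dstdomain, dstdom_regex, url_regex, proxy_auth REQUIRED), run over constructed requests so each ordering question can be checked before editing a live squid.conf. The addresses, hostnames and user name are invented for the example.

```python
"""Model of squid's http_access evaluation (added example, not squid code).

ACLs on one http_access line are ANDed, the first line whose ACLs all match
decides, and if no line matches the opposite of the last line's action
applies. Only the ACL types used on this page are supported."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    src: str                    # client IP address
    host: str                   # destination host from the URL
    url: str                    # full request URL
    user: Optional[str] = None  # authenticated user, None if no credentials


def build_acls(acl_lines: list[str]) -> dict[str, Callable[[Request], bool]]:
    """Parse 'acl NAME TYPE ARG...' lines into name -> matcher(Request)."""
    acls = {}
    for line in acl_lines:
        name, kind, *args = line.split()
        if kind == "src":  # accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0 forms
            nets = [ipaddress.ip_network(a, strict=False) for a in args]
            acls[name] = lambda r, nets=nets: any(
                ipaddress.ip_address(r.src) in n for n in nets)
        elif kind == "dstdomain":  # '.x.com' covers subdomains, 'www.x.com' is exact
            acls[name] = lambda r, pats=args: any(
                r.host == p.lstrip(".") or (p.startswith(".") and r.host.endswith(p))
                for p in pats)
        elif kind in ("dstdom_regex", "url_regex"):
            flags = re.IGNORECASE if args[:1] == ["-i"] else 0
            pats = [re.compile(p, flags) for p in args if p != "-i"]
            field = "host" if kind == "dstdom_regex" else "url"
            acls[name] = lambda r, pats=pats, field=field: any(
                p.search(getattr(r, field)) for p in pats)
        elif kind == "proxy_auth" and args == ["REQUIRED"]:
            acls[name] = lambda r: r.user is not None
        else:
            raise ValueError(f"unsupported acl line: {line}")
    return acls


def http_access(acls, rules: list[str], req: Request) -> str:
    """Evaluate 'allow|deny ACL [!ACL ...]' lines in order; return the action."""
    last = "deny"
    for rule in rules:
        last, *names = rule.split()
        # a line matches only if every ACL on it matches (AND); '!' negates one
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return last
    # nothing matched: squid applies the opposite of the last line's action,
    # which is why a config should end with 'http_access deny all'
    return "deny" if last == "allow" else "allow"


ACLS = build_acls([
    "all src 0.0.0.0/0",
    "clients src 192.168.0.0/255.255.255.0",
    "leerling src 212.178.168.0/255.255.254.0",
    "password proxy_auth REQUIRED",
    "surf dstdomain www.google.com",
    "block url_regex -i porno",
])


def demo() -> dict[str, str]:
    """Outcomes for the three ordering questions raised on this page."""
    # constructed requests; addresses, hosts and the user name are invented
    anon_google = Request("192.168.0.7", "www.google.com", "http://www.google.com/")
    anon_other = Request("192.168.0.7", "www.example.com", "http://www.example.com/")
    auth_other = Request("192.168.0.7", "www.example.com", "http://www.example.com/", "alice")
    outside_auth = Request("10.9.9.9", "www.example.com", "http://www.example.com/", "alice")
    student = Request("212.178.169.4", "www.porno.nl", "http://www.porno.nl/")

    # 1. bypass authentication for one site: 'allow surf' must precede the auth line
    bypass = ["allow surf", "allow password", "deny all"]
    # 2. a blocklist placed after 'allow leerling' never gets to deny anything
    wrong_order = ["allow leerling", "deny block", "deny all"]
    right_order = ["deny block", "allow leerling", "deny all"]
    # 3. two ACLs on one line are ANDed: in the range AND authenticated
    both = ["allow clients password", "deny all"]
    return {
        "anon_google_bypass": http_access(ACLS, bypass, anon_google),
        "anon_other_bypass": http_access(ACLS, bypass, anon_other),
        "student_wrong_order": http_access(ACLS, wrong_order, student),
        "student_right_order": http_access(ACLS, right_order, student),
        "inside_auth_both": http_access(ACLS, both, auth_other),
        "inside_anon_both": http_access(ACLS, both, anon_other),
        "outside_auth_both": http_access(ACLS, both, outside_auth),
    }
```

`demo()` returns allow for the anonymous Google request and deny for the other anonymous request under `bypass`, allow then deny for the student request under the wrong and right orderings, and under `both` allow only for the request that is both inside 192.168.0.0/24 and authenticated. The model deliberately keeps squid's fall-through rule (no match means the opposite of the last action), so a list that ends in an `allow` line silently denies everything it does not name, and vice versa.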
Re: [squid-users] Access Denied on an URL with a port
"Cliff Barnes" <[EMAIL PROTECTED]> writes:

> I don't know if this is really what I want... because of:
>
> Internet -- TrendMicro Interscan Viruswall -- SQUID -- Users
>
> SQUID should always connect through the Viruswall and never directly to the
> internet. If I put port 85 into the safe_ports, will SQUID bypass the
> virus protection?

No.

--
Never argue with a fool in public. People might not see the difference.
Re: [squid-users] Access Denied on an URL with a port
"Cliff Barnes" <[EMAIL PROTECTED]> writes:

> I guess it's because of the ":85", but I don't know... please help me!

Add port 85 to the Safe_ports acl in squid.conf.