sadly yes..
https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/certificate_lifetimes.md
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
robert k Wild
Sent: Thursday 23 September 2021 14:53
To: squid-users@lists.squid-cache.org
Subject: [squid-use
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Monday 20 September 2021 23:48
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 5.1 for Debian Bullseye
> (amd64/i386/so
What i showed used kerberos, if that fails it used ntlm.. and you can add.. if
that fails use LDAP (basic auth) ..
This way, you support all of them.
if you are going only for kerberos, then make sure you set up your krb5.conf
correctly..
A + PTR records, SPN/UPNs and yes, then you can run it full
in your smb.conf add
# Added to enforce NTLM 2, must be set on all Samba AD-DC's and the needed members.
# This is used in combination with ntlm_auth --allow-mschapv2
ntlm auth = mschapv2-and-ntlmv2-only
In squid use:
auth_param negotiate program /usr/lib/squid/negotiate_wrappe
And i have the Debian Bullseye packages also online.
My changelog compared to the Debian Unstable.
squid (5.1-1.1bullseye1) bullseye; urgency=medium
* Non-maintainer upload.
* Used sources from squid-cache.org build : squid-5.1-20210804-r1f9e52827
* Lowered previous version 5.1-2 ba
Good Afternoon Amos, (and others of course),
A small update on this.
Short version, i can make bullseye package ready for production but not for
buster (yet).
Long version..
If i pull in the debian salsa git, the build fails on bullseye.
( thats more me, because i lack knowledge on git use )
Good Morning.
> >
>
> I have spent a while working on it today and have pushed an update to
> Debian packaging repo. Please pull a new copy of that latest.
> It should fix all the issues you have.
Wow, Thank you very very much Amos..
Im on it now :-)
I'll post the results later today.
Hai Amos,
Thanks on the reply, ive missed the change from db to tdb, thanks on that.
What i notice in the builds is,
I see this one..
config.status: creating test-suite/Makefile
And then i see these, then it fails.
cp ../../src/tests/stub_fd.cc tests/stub_fd.cc
cp: cannot create regular
How do you build and start it, init.d/squid or systemd start squid
In case of last, what i suspect, I seen more of these messages on previous
version..
But all my version dont show this on Debian 10.
This is my latest startup for systemd
# /lib/systemd/system/squid.service
## Copyright (C)
Hai Amos,
Im attempting to make a squid 5.1 build based on the bullseye squid/debian
folder.
( ps. Im building with sbuilder )
Now, this "normally" worked since squid 3.2 for me, copy the debian folder, make
minor adjustments if needed,
Just with latest adjustments, well, i cant make it work
Try this.
For now, removing these build options works:
--srcdir=. --disable-dependency-tracking
( Amos posted this on 5 August )
https://www.spinics.net/lists//squid/msg94409.html
Greetz,
Louis
yeah, the same one. ;-)
> -Original message-
> From: squid-users
> [mailto:s
He Marco,
You better upgrade to debian bullseye and see if it happens there also.
If you dont want that, try this.
systemctl edit squid.service
Add :
[Service]
LimitNOFILE=65535
Save and run : systemctl restart squid
But i would recommend to use Debian Bullseye.
Greetz,
Louis
In your windows config.
Remove the ip address from the gateway and configure your proxy settings.
Without proxy and gateway no internet.
Or setup SSL proxy
Add something like this in your firewall and you catch all.
# Redirect HTTP on eth0 from LAN_CIDR to locally installed Squid instance usin
>
> Small Addon here.
>
> NTLM V1 and V2..
> Most uses still NTLMv1 but thats being disabled in windows
> and samba these days.
>
>
> To make sure you do use NTLMv2.
> With Samba 4.2.x and up, use the following setting on the
> Squid and/or Freeradius
> and on all the Samba AD-DC's and
post a few lines from "/usr/local/squid/etc/urlwhite.txt"
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
robert k Wild
Sent: Thursday 15 July 2021 14:09
To: Amos Jeffries
CC: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] wildcard for numbers i
Your firewall rules seem off.
192.168.1.32 is your client, as i seen in
the log.
But you're showing 10.3.141.0/24 so..
Try/look at this. Change interfaces where needed of course.
iptables ? -p tcp \
--dport 80 -j REDIRECT --to-port 3128 -m commen
Hai Elizer,
> -Original message-
> From: NgTech LTD [mailto:ngtech1...@gmail.com]
> Sent: Wednesday 30 December 2020 13:37
> To: L.P.H. van Belle
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Anyone has experience with Windows clients
> DNS timeout
>
> H
And, yes i agree, DNS over TLS might be slower, but really, if you have to wait
seconds for a DNS reply... imagine..
Lots of websites have 10-20 hosts in them, if you have to wait 10 sec for a
website, well, im gone already then.
Thats why i also showed the direct tests my internal Authoritative
Hai Elizer
Sorry, im not fully agreeing with Amos here..
If your DNS is taking 7-10 sec, i would investigate why the dns is that slow.
Something is off, that simple.
A small example of my dns resolving to internet and my lan dnsservers.
time dig a www.google.nl @8.8.8.8 @internet dns
real
Hai Amos,
Just a small question. If i may hop in this thread.
Based on TP starter, i also took a 5.0.4 to build on debian, i build in
pbuilder/cowbuilder env.
I first attempted to build and that errored on time_quote.
I found that i had to add libtdb-dev to the build depends in debian/contr
Hai,
Just something i noticed..
> auth_param basic program
> /usr/local/libexec/squid/basic_ldap_auth -P -R
> -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f
> "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389
Change that to:
auth_param basic program
I use this :
You need this in smb.conf
# Added for freeradius or squid proxy support
# Obligated to set on both AD-DC and Member server.
ntlm auth = mschapv2-and-ntlmv2-only
And this or something like that, i have more working auth setups for squid,
But i use this primarily.
auth_param negot
Hai Rafael,
First, thank you for maintaining diladele, each time i read them,
i learned something :-) As usual, your manuals look great.
I have a few suggestions if i may point these out, just small update for the
site.
https://docs.diladele.com/administrator_guide_stable/active_directory/kerb
forgot 1 thing. (sorry)
#
adduser proxyuser winbind_priv
or things might not work.
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
L.P.H. van Belle
Sent: Friday 24 July 2020 10:46
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Problem
i would recommend to ..
1) use debian buster,
2) use squid 4.12
3) use samba (winbind).
needed in smb.conf ( only shown whats really needed ), there is more
of course.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
Hai,
Thanks for the info Amos.
Ok so i need to reverse the Licence/Credits due to the licencing.
I'll reverse these and add these in the lintian overrides then.
On the error messages translation text part, should think in squid langpack?
For now i just used the debian supplied package with m
Hai,
Sorry for not pushing this through git.
If you want some typo fixed, here you go.
Fixed typo's found by Lintian on Debian Buster.
--- a/src/ssl/crtd_message.cc
+++ b/src/ssl/crtd_message.cc
@@ -206,7 +206,7 @@
i = map.find(Ssl::CrtdMessage::param_Sign);
if (i != map.end()) {
Hai Amos
Thank you for all the help, it nicely built now..
:-)
My used changes
0004-fix-var-run.patch
From: Louis van Belle
Date Thu, 23 Apr 2020 15:22:00 +0200
Subject : fix-var-run location to debian standards /run
--- a/tools/systemd/squid.service
+++ b/tools/systemd/squid.service
@@ -12
Hai,
The folder test-suite/buildtests/
Is a non-existing folder in the current 4.11 tar.gz
Can you verify that? I think that's also from 5.x
Greetz,
Louis
>
>
> > -Original message-
> > From: squid-users
> > [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> > Am
I'll report as soon as i know.
I'll add it to the build, thanks for the very quick reply!
You guys are the best.
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Thursday 23 April 2
Hai,
Im currently building squid 411 on debian buster. Cowbuilder setup.
I re-used the debian.tar.gz from squid-4.10-1 Debian Testing/Sid.
Which i have done since squid 3.2, first time it fails.
but only AMD64 fails to build, while i386 build fine.
That a part im not familiar with, any sugges
This is a simple one.
The certificate chain of that website is incorrect.
As shown here :
https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest
Check your webserver first and correct your ciphers in your apache webserver.
Greetz,
Louis
> -Oorspronkelijk beric
Hai,
Use winbind and never have this problem again.
* install winbind only is sufficient, below works since squid 3.2 up to 4.10
An example of a minimal smb.conf for it.
[global]
# Auth-Only setup with winbind. ( no Shares )
workgroup = NTDOM
security = ADS
realm = YOUR.
Yeah, if you know how it is pretty simple ;-)
And thanks for the reply back and nice words..
And you're welcome.. :-)
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Rafael Silva Daniel
> Sent: Friday 2
Hai Rafael,
Yes, i agree, this is the other most simple way, but i suggest, you
remove/change on this page:
https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
The generated Kerberos configuration file will usually look like:
[libdefaults]
default_realm
Ps., forgot to say,
After installing winbind and setting up smb.conf
Join the domain of course.
net ads join -U Administrator
or,
kinit Administrator
net ads join -k yes
In debian, there is no need to change any files except the smb.conf as shown.
All other defaults, should work out of the
Hai,
This is the most stable way to run with kerberos, or at least for me.
* below works for me since with samba 3.x-4.11.x and squid 3.2 upto 4.10
Im running this on Debian Buster now. ( samba 4.11.6 + squid 4.10 )
( all packaged in own repo.)
1) Setup samba and join the domain. this asume
Hai,
I'm having a squid 4.10 on Debian 10 running ( with strongswan VPN ) and ufw
firewall (iptables)
Most is running fine but i still see some error and i somehow miss here what im
doing wrong.
So if someone has suggestions that would be great. I see for example these
lines in the UFW log
Hai,
Most probably the ssl options are not correctly enabled or missing while you
compiled squid.
So check if ssl is enabled.
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of yohan83942
> Sent: Monday 3 fe
Thanks Amos for the notify.
For the people on debian Buster.
I have Debian Buster squid 4.10 SSL enable and squidclamav on my repo.
The debs and sources are available in amd64 and i386
--- THE REPO SETUP ---
1) Choose http or https for your apt, both work, for https you need to
Ah.. it shows Amos is human also.. :-)
If you need squid 4.9 in debian Buster (10) package.
These are the packages i currently provide on/for Debian Buster.
Squid 4.9 with ssl enabled settings.
Package list:
https://apt.van-belle.nl/current-packages-in-buster-squid49-apt.txt
(included also
What are your squid logs saying?
Tip, close office, clear your squid logs, start office then look at the logs.
And are you for example blocking login.microsoft.com or something like that.
Greetz,
Louis
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
robert k
Hai Rafael,
Yes, i did that in an older setup, with your site guidance..
That works also very good ..
Once i have time i'll see if i can update the squid wiki.
Greetz,
Louis
From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
Sent: Wednesday 25 September 2019 17:27
To:
I also had problems with msktutil.. so i suggest you try this, see below..
Im using it for few years and it always works (for me of course)..
It should be pretty simple, but the site squid-cache (wiki) is in my opinion a
bit outdated.
And its for Amos to adapt it on the site.
Amos or Alex,
The most simple way to add SSO.
Install winbind krb5-user, then your smb.conf, update this config :
[global]
# Auth-Only setup with winbind. ( no Shares )
log level = 1
workgroup = NTDOM
security = ADS
realm = YOUR-REALM
netbios name = HOSTNAME
preferred mas
the SSL3_GET_MESSAGE ?
Maybe because the only support TLSv1.2 ?
Its long ago i seen a site good configured for ones with its TLS settings.
So most probably, you're downgrading the connection within the proxy settings to
sslv3
And sharing your config might help to see that.
Greetz,
Loui
Hai,
You are probably missing in your smb.conf:
ntlm auth = yes
Greetz,
Louis
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Ilias Clifton
Sent: Wednesday 29 May 2019 6:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] LDAP authentica
This is related to samba and MS disabling NTLM (smb1)
What is the samba version in question and the running OS?
But first thing you can try is set in smb.conf
ntlm auth = yes
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cac
And what if you test on debian stretch.
Rebuilding squid 4.6 for stretch is pretty easy.
Add buster src to repo.
apt-get build-dep squid3
apt-get source squid3 -b
And now you wait.
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.sq
I suggest start comparing the logs you posted, the builds are really
different.
Differences in
- kernel
- needed packages
- build parameters due to missing or different packages.
Etc.
Just diff your logs and you will see it.
Greetz,
Louis
> -Original message-
> From: squ
Hai Alex,
Ahh.. You wanted with ssl, sorry missed that.
Here you go.
apt-get source squid
cd squid-4.6/debian/
Edit rules, after the line, --with-gnutls
Add these: --enable-ssl --enable-ssl-crtd --with-openssl
Save.
Edit changelog
Change the version 4.6-1 to 4.6-1ssl
Save
Install libgnutl
Its pretty simple..
Enable the debian sid source in your ubuntu 18
apt install -y software-properties-common debian-archive-keyring dirmngr
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
add-apt-
I think your problem has to do with NT1.
I assume you already tried the setting in smb.conf :
ntlm auth = ntlmv1-permitted
(which is the alias for yes)
And which samba/ntlm_auth version is this? Standard centos?
I must say i am a noob in Centos, so i'll show you what i know from debian.
And it might
Hai,
Good to hear there are more then Luigi :-)
I built debian packages yesterday for squid 4.5
Which was pretty simple and worked fine in the end.
Get the source of 4.4 ( apt-get source -t unstable squid )
Copy the debian folder from 4.4 into the 4.5 folder.
And changed in the changelo
Hai,
I use this for the latest 4.xx release
mkdir squid && curl -q -L $(lynx -listonly -nonumbers -dump
http://www.squid-cache.org/Versions/v4/ | grep squid-4.5 | grep ".tar.gz") |
tar -xz -C squid --strip-components 1 -f -
and this one for the daily
mkdir squid-$(date +%F) && curl -q -L
i suggest you try:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s s GSS_C_NO_NAME \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMAIN
Greetz,
Louis
From: squid-users [mailto:squid-user
Hai,
You missed a few points in your config.
And thank you for the music link, something different then the radio here. ;-)
Ive installed a debian stretch server.
This is the debian default config with 2 modifications.
## Squid 3.5.23
## First enable the acl for YOUR localnet ( here i enab
If i may suggest..
Use the squid version from debian sid.
Rebuilding these to stretch isnt that hard.
add the sid sources, run : apt-get update
apt-get build-dep squid
apt-get source squid -b
then create a file repo ( or http repo ) and install squid.
or, if you dont want to rebuild them
i noticed the following : dig caa habr.com
;; ANSWER SECTION:
habr.com. 3600 IN CAA 0 iodef "mailto:io...@habr.com";
habr.com. 3600 IN CAA 0 issue "comodoca.com"
So you cant bump this site, its protecting its certificates with a CAA/DANE dns
Ah, sorry Amos,
I was understanding you meant the Question was about the NTLM auth itself not
the token.
My misunderstanding. :-/
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent
> Also, what then do the other lines in your config then say to do with
> the NTLM type-1 requests (no credentials) and failed-login requests?
No this happened after the last security update of samba.
This is due to a samba update.
SECURITY UPDATE: Weak authentication protocol allowed
CVE-2018-1
Hai Alex,
Ah, yes, you're totally right.
Just checked the systemd service file again and it shows.
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid -sYC
Sorry for the stupid question. Should have seen that.
But thank you for the reply.
Greetz,
Louis
> -Oorspronke
Hai,
Thank you for the new release.
If people want to test against Debian, i've created Debian Stretch packages for
Squid 4.2 today.
I am testing them as we speak and if you want to test them, you can find them
here:
https://downloads.van-belle.nl
I took the Debian squid GIT sources for thi
Hai Amos,
Yes, true, but if systemd-sysv is installed, and it probably is, you might hit
this bug.
Systemd is calling the sysv script.
I tried to find it, the bug report but ive too much things here thrown at my head
atm, sorry.
My production squid = 3.5.27 and no problems. ( also rebuilded f
I do know there is/was a bug the systemd isnt picking up the filedescriptors
with systemd, you might have hit it.
Im suspecting your start script is a sysv script invoked by systemd.
Try to set the limits within the start script (sysv) so the correct users (
running squid ) gets the filedescr
Hello Alex,
Thank you for the reply and the bug report link.
Totally forgot to check the bugzilla, sorry for that.
I did read it and that's exactly what it is.
I also can confirm that the assertion only happens with the logrotate.
Squid does not crash so that looks all ok to me, i just dont like
Hai,
Im testing squid 4.1 on Debian Stretch, i've rebuilt the Debian Sid 4.1 to
Stretch.
Everything looks good, i only see one failed line in cache.log ( see below. )
this is the default configuration, only 1 change made.
in debian we have : /etc/squid/conf.d/debian.conf
# Squid configura
Read :
https://findproxyforurl.com/official-toolset/
That one helped me a lot, all you want to know is there imo.
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of L A Walsh
> Sent: Tuesday 31 July 2018 8:02
>
Hai,
If people want, i've created debian stretch packages for squid 4.1 yesterday.
I am testing them today and if you want to test them, you can find them here:
https://downloads.van-belle.nl
Drop me a note how they are working, if they are ok, i'll put them on my repo.
I took the Debian Uns
Hai,
I would say facebook protected their certificates with TLSA.
Then you cant use ssl bump if im correct.
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Julian Perconti
> Sent: Tuesday 12 June 2018
Is squid starting with a systemd service startup?
If so try:
systemctl edit squid.service
Add at the Service section:
[Service]
LimitNOFILE=8192:65535
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Mat
Hi,
If you want a squid 3.5.27 for debian stretch. (amd64 only built)
Have a look here : http://downloads.van-belle.nl/squid/
The tar.gz contains, build log, sources used and debs.
My changelog.
squid3 (3.5.27-0.1) stretch; urgency=medium
* Non-maintainer upload.
* Builded from squid-ca
Looks the same like.
http://squid-web-proxy-cache.1019090.n4.nabble.com/Compiling-squid-3-5-4-with-ecap-enabled-td4671325.html
Greetz,
Louis
> -Original message-
> From: squid-users
> [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Norbert Naveen
> Sent: din
First, it is very handy to know your os and samba and squid versions used.
Second,
Squid/radius etc anything that uses NTLMv1 with samba stopped working after
4.5.0
I think your main problem can be explained by this extract from the release
notes for 4.5.0:
NTLMv1 authentication disabled by
Hi Amos and others.
Its not a "samba" thing or a squid thing.
Maybe in the end yes, but this is a configuration thing.
For you guys to know, samba AD DC setup this parameter as default :
ldap server require strong auth = yes
Which obligates the use of TLS.
Next, users dont configure /et
Hai,
I'm guessing, squid is starting too soon, or there is no /dev/shm
Check/Try adding, if not already in /etc/fstab
none /dev/shm tmpfs defaults 0 0
And reboot the server.
Or, i dont know and someone else can tell you. ;-)
But on my jessie with squid 3.5.24+ssl i dont
Hai Amos,
Now im bit confused. ( sorry english is not my native language )
In my situation.
1) i (normally) only use debian packages.
2) if i build newer than supplied by debian, like squid,
i use the debian packages as base for the setup then i build a debian package
and install that.
Now
Hai Amos,
Thank you for that info, i didnt know that.
Will this be fixed for 3.5 or is squid4 going to enter debian?
I know i'll stay a bit longer on Debian Jessie to avoid this.
Greetz,
Louis
> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cac
Hai,
>I am trying to build Squid 3.5.24 release under a Debian Testing
Debian testing already has 3.5.23 so this should be very easy...
# check if you have all dependencies.
apt-get build-dep squid
# Install your missing files if you did not see them.
apt-get install libssl-dev libcrypto++-dev
Hai,
I noticed a problem in the kerberos_ldap_group and im unable to get it working.
I reported the bug here also : https://github.com/squid-cache/squid/issues/17
Environment: Debian Jessie, Squid 3.5.24 debian rebuild from debian stretch.
kerberos_ldap_group: INFO: Starting version 1.3
If this one arrived in the list.
This is solved, the wpad.dat was guiding me to the other proxy while my gateway
was set to my new proxy.
This happened at the policy refresh and i did not notice it.
Sorry for the noise.
But if you see anything that is incorrect, or can have a better setup,
Hai,
In configuring my debian jessie with squid 3.5.24 ( with ssl enabled ) c-icap
squidclamav and winbind 4.5.5 for kerberos keytab refreshing.
Now, im at the point of reducing my logs and i noticed :
NOTICE: Authentication not applicable on intercepted requests.
Messages in squid/c
Yes,
You can fix that by setting the SPN : HTTP/host.you.domain.tld in UPN
I had that too, changed it and it is working perfect now.
See subject : Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2
minorbugsmaybe )
Greetz,
Louis
> -Original message-
> From: squid-u
Well thats strange.
No i cant speak about openBSD, but below is pretty general.
When you test, did you set this before the test.
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN
And test/check if you see http/SPN in the UPN, if not try that also.
After that change
I think you forgot in your test, that you may need to modify the default
kerberos ticket used.
I suggest you change your config a bit to something like
external_acl_type internet-win-allowed %LOGIN
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed
Its in here :
( from your squid.conf )
"/etc/squid/listas/ad_block.lst"
http_access deny ads
#deny_info TCP_RESET ads
affiliates.digitalriver.com
it is in the ads list.
Greetz,
Louis
> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] N
Hai,
Change this part :
#
range_offset_limit 5 Gb windowsupdate
maximum_object_size 5 Gb
quick_abort_min -1
#
To
range_offset_limit 0
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 90
and see what happens.
Greetz,
Louis
I also have these for windows updates.
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.wind
Hello Markus,
No, im not using the latest from trunk. Atm i use the ( by debian testing )
supplied 3.5.19.
If you want me to test something, im happy to do that for you.
Best regards,
Louis
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
Mar
Hello Markus,
Thank you for the explanation, that helped a lot.
I use the TLS_CACERTFILE in the init script now and that works for me .
( in debian the /etc/default/squid )
>>The helper tries to “authenticate” squid to AD as a user with the found SPN
>>name, so the UPN must be the
Ok, found it.
So a resume for a squid 3.5.19 + samba 4.4.5, kerberos auth and kerberos groups
on debian jessie.
By default the package libsasl2-modules-gssapi-mit was not installed.
So i installed it: apt-get install libsasl2-modules-gssapi-mit
I always install with, --no-install-r
http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
shows the following.
-u Ldap-User
Username for LDAP server.
-u Ldap-Password
Password for LDAP server.
-u Ldap-URL
LDAP server URL in form ldap[s]://server:port
3 x -u
While shows something different.
/u
Hai,
I’ve added the needed upn, setup the _ldaps in the dns zones, thats ok now.
The last part, here i need some help.
support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group:
DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636
support_ldap.cc
Ok reply to myself so other users know this also.
if you create a user for the HTTP services and you dont use msktutil but like
me samba-tool or something else.
Read :
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.
and the clue was this line for me.
Hello Dia,
Thank you for the reply,
So, can this be a “MIT” kerberos or HEIMDAL thing.
Im using Samba4 for ADDC and that uses heimdal.
Even that the logs says :
"Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in
Kerberos database".
Im using NFSv4 over ke
Hai,
Im having trouble to get the ext_kerberos_ldap_group_acl working.
I’ve read :
http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
Here is what i have checked / done already.
My keytab file :
klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
K
Hm, beside the order, it looks good.
So if i understand correct, you want to deny everything except whats in your
whitelist_primaire file.?
Then take this copy of my home config, and i adjusted to your settings
already.
so you should be able to copy paste this. ;-)
it mostly a defa
Hai,
Yes, all new things are hard..
I need some extra info because there are lots of things that can be wrong.
post what you see here :
/usr/lib/squid/negotiate_kerberos_auth -s
HTTP/proxy.empresa.com...@empresa.com.br -d -i
>> kinit and klist are ok
>> /etc/krb5.keytab and /e
Ok, samba isnt yet in jessie backports.. so you now use the 4.2.10 version.
Look here, these work good.
I build them and i use them in my office for some time now.
I'll try the next version samba ( 4.4.5-3 ) in debian stretch to get in BPO.
That one has the file overwrite fixed. (just r
That your proxy refused your connections is correct.
You forgot to define an acl and allow it.
Something like :
acl internal-net src 192.168.x.0/24
and
> http_access allow localhost
http_access allow internal-net
> http_access deny all
Greetz,
Louis
> -Original message-
> From