[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-05 Thread Victor Sudakov
Rafael Akchurin wrote: > I believe I do (but you made me doubt:) > Well, I have tried negotiate_kerberos_auth with Firefox (Windows) and they don't work together. I am attaching a packet dump which boils down basically to the following: 1. proxy.sibptus.transneft.ru:3131 is configured in Firefox

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-05 Thread Victor Sudakov
And before I forget and before somebody asks. In Firefox: network.negotiate-auth.allow-proxies=true network.negotiate-auth.gsslib="" network.negotiate-auth.using-native-gsslib=true Victor Sudakov wrote: > Rafael Akchurin wrote: > > I believe I do (but you made me doubt:) > > > > Well, I have tr

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-05 Thread Victor Sudakov
Victor Sudakov wrote: > Rafael Akchurin wrote: > > I believe I do (but you made me doubt:) > > > > Well, I have tried negotiate_kerberos_auth with Firefox (Windows) I have tried the same with MSIE 8 (Windows). It's obviously trying to do NTLM instead of Kerberos (see below). How do I enable Ke

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Victor Sudakov
Victor Sudakov wrote: > > Well, I have tried negotiate_kerberos_auth with Firefox (Windows) > > I have tried the same with MSIE 8 (Windows). After some adjustment to domain group policies, the Windows host is at last requesting and successfully receiving the ticket for the proxy service. Wiresh

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Victor Sudakov
And my Kerberos server setup seems valid: $ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab $ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf $ kdestroy $ kinit -t $KRB5_KTNAME HTTP/proxy.sibptus.transneft.ru $ klist Credentials cache: FILE:/t

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Victor Sudakov
And my Kerberos server setup seems valid: $ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab $ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf $ kdestroy $ kinit -t $KRB5_KTNAME HTTP/proxy.sibptus.transneft.ru $ klist Credentials cache: FILE:/tmp/krb5cc_Ld5uU9 Principal: HTTP/proxy.

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Victor Sudakov
Colleagues, I am posting below the contents of an HTTP request (especially the "Proxy-Authorization:" header the browser is sending) to which squid's negotiate_kerberos_auth replies: "ERROR: Negotiate Authentication validating user. Result: {result=

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Markus Moeller
Hi Victor, In the helpers/negotiate_auth/kerberos directory is a script test_negotiate_auth.sh to test authentication outside of squid. Change dir to your binary directory and do the following ( please adapt to your environment): export KRB5_KTNAME=squid-win.keytab kinit m...@win2003r2.hom

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Victor Sudakov
Markus Moeller wrote: > > In the helpers/negotiate_auth/kerberos directory is a script > test_negotiate_auth.sh to test authentication outside of squid. Markus, I could find the said script neither in the source nor in the binary package. Howeve

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-07 Thread Eliezer Croitoru
On 10/08/2014 06:29 AM, Victor Sudakov wrote: > Markus, > > I could find the said script neither in the source nor in the > binary package. However I think I can guess what could be inside. > Could you look below if that makes sense? Or you can just

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Victor Sudakov
Eliezer Croitoru wrote: > > > > I could find the said script neither in the source nor in the > > binary package. However I think I can guess what could be inside. > > Could you look below if that makes sense? > > Or you can just look at the source c

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Markus Moeller
Hi Victor, I only found the following explanation: This error will happen if you didn't write the key into the keytab file, or the permission setting of keytab file reject the read access, or the key file is not the one you should access (for example, you want /opt/somedir/conf/krb5.conf,

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Markus Moeller
Hi Victor, I only found the following explanation: This error will happen if you didn't write the key into the keytab file, or the permission setting of keytab file reject the read access, or the key file is not the one you should access (for example, you want /opt/somedir/conf/krb5.conf, but

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-08 Thread Victor Sudakov
Markus Moeller wrote: > >I only found the following explanation: > > This error will happen if you didn't write the key into the keytab file, or > the permission setting of keytab file reject the read access, or the key > file is not the one you should access (for example, you want > /opt/som

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-10 Thread Victor Sudakov
Colleagues, What if the service principal's name in squid's keytab does not coincide with the host's primary FQDN (AKA `hostname`)? E.g. the squid's keytab contains keys for HTTP/proxy.my.domain while the server's actual FQDN is fw.my.domain? Should it cause the obscure error I have stumbled up

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-10 Thread Markus Moeller
I think it could. Can you try the option -s GSS_C_NO_NAME ? Markus "Victor Sudakov" wrote in message news:20141010113630.ga39...@admin.sibptus.tomsk.ru... Colleagues, What if the service principal's name in squid's keytab does not coincide with the host's primary FQDN (AKA `hostname`)? E.g

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-10 Thread Victor Sudakov
Markus Moeller wrote: > > > What if the service principal's name in squid's keytab does not > > coincide with the host's primary FQDN (AKA `hostname`)? > > > > E.g. the squid's keytab contains keys for HTTP/proxy.my.domain while > > the server's actual FQDN is fw.my.domain? > > > > Should it cau

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
Good to see it works now. As far as I recall the MIT message is clearer in this case. Regards Markus "Victor Sudakov" wrote in message news:20141011044626.gb49...@admin.sibptus.tomsk.ru... Markus Moeller wrote: > What if the service principal's name in squid's keytab does not > coincide w

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
Hi Viktor, These sections of code do the selection in squid: char *service_name = (char *) "HTTP", *host_name = NULL; if (service_principal && strcasecmp(service_principal, "GSS_C_NO_NAME")) { service.value = service_principal; service.length = strlen((char *) service.value); } else {

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Victor Sudakov
Markus Moeller wrote: > Hi Viktor, > >These sections of code do the selection in squid: > > > char *service_name = (char *) "HTTP", *host_name = NULL; Thanks for posting this. BTW does it mean that the service name "HTTP" is hardcoded, and if I wanted to use a principal with a different ser

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
HTTP is the standard service for HTTP authentication (web and proxy) Markus "Victor Sudakov" wrote in message news:20141011131747.ga56...@admin.sibptus.tomsk.ru... Markus Moeller wrote: Hi Viktor, These sections of code do the selection in squid: char *service_name = (char *) "HTTP",

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-11 Thread Markus Moeller
Also you can overwrite it with the -s option if you really need to. Markus "Victor Sudakov" wrote in message news:20141011131747.ga56...@admin.sibptus.tomsk.ru... Markus Moeller wrote: Hi Viktor, These sections of code do the selection in squid: char *service_name = (char *) "HTTP", *

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-13 Thread Victor Sudakov
Now as I run the test authenticator, what's the "INFO: continuation needed" message from the squid Kerberos helper? How do I interpret it? Is it success or fail? See output below: $ bin/test_negotiate_auth.sh /home/sudakov/squid.keytab: Vno Type Principal 1 des-cbc-crc

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-14 Thread Markus Moeller
Hi Victor, That just means that the server requires more information from the client. This could happen if mutual authentication is required or the dataset is too large and had to be split. If you run it in squid the client would send new data until the server says the exchange is complete (

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Victor Sudakov
This question is neither exactly squid-related nor Heimdal-related, but maybe some guru could shed some light. I configure MSIE to use the proxy server "proxy.sibptus.transneft.ru". On starting MSIE, some Windows hosts request a ticket for the principal "HTTP/proxy.sibptus.transneft.ru" and rec

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Markus Moeller
Hi Victor, That sounds a bit strange. Can you capture with wireshark the traffic on port 88 on the system which has squiduser in the cache ( best after a clear the cache with kerbtray first) when accessing squid and send it to me as cap file ? Markus "Victor Sudakov" wrote in message n

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Victor Sudakov
Markus Moeller wrote: > > That sounds a bit strange. Can you capture with wireshark the traffic on > port 88 on the system which has squiduser in the cache ( best after a clear > the cache with kerbtray first) when accessing squid and send it to me as cap > file ? I am attaching a traffic dum

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Eugene M. Zheganin
Hi. On 17.10.2014 11:02, Victor Sudakov wrote: > > I am attaching a traffic dump. > > Please look at Frame No. 36, where a ticket is requested for > "HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where > the ticket is granted, but for the wrong principal name. > The thing is, valid e

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-17 Thread Victor Sudakov
Markus Moeller wrote: > > > > Now as I run the test authenticator, what's the > > "INFO: continuation needed" > > message from the squid Kerberos helper? How do I interpret it? Is it > > success or fail? > > That just means that the server requires more information from the client. > This cou

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-18 Thread Victor Sudakov
Eugene M. Zheganin wrote: > > > > I am attaching a traffic dump. > > > > Please look at Frame No. 36, where a ticket is requested for > > "HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where > > the ticket is granted, but for the wrong principal name. > > > The thing is, valid exchang

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-18 Thread Eugene M. Zheganin
Hi. On 18.10.2014 16:11, Victor Sudakov wrote: I thought as much. This error seems suspicious. But why does a second request not cause the same error? No idea. We have tried both ways (enabling all ciphers and enabling only arcfour-hmac-md5), but it made no difference. Currently we are using t

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-19 Thread Victor Sudakov
Eugene M. Zheganin wrote: > > On 18.10.2014 16:11, Victor Sudakov wrote: > > I thought as much. This error seems suspicious. But why does a second > > request not cause the same error? > No idea. Hopefully I can interest our Windows admin to enable Kerberos event logging per KB262177. But for th

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-19 Thread Eliezer Croitoru
On 10/19/2014 10:32 AM, Victor Sudakov wrote: > Hopefully I can interest our Windows admin to enable Kerberos > event logging per KB262177. > > But for the present I have found an ugly workaround. In squid's > keytab, I created another principal calle

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-19 Thread Eugene M. Zheganin
Hi. On 19.10.2014 13:32, Victor Sudakov wrote: > > Hopefully I can interest our Windows admin to enable Kerberos event > logging per KB262177. > > But for the present I have found an ugly workaround. In squid's keytab, I > created another principal called 'squiduser' with the same hex key and > kv

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-20 Thread Victor Sudakov
Eugene M. Zheganin wrote: > > > > Hopefully I can interest our Windows admin to enable Kerberos event > > logging per KB262177. > > > > But for the present I have found an ugly workaround. In squid's keytab, I > > created another principal called 'squi

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-20 Thread Eugene M. Zheganin
Hi. On 20.10.2014 22:29, Victor Sudakov wrote: That's what we did. 1. Created an AD user called squiduser. 2. Extracted its keytab with something like ktpass -princ HTTP/proxy.sibptus.transneft...@sibptus.transneft.ru -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /t

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-20 Thread Victor Sudakov
Eliezer Croitoru wrote: > > Hopefully I can interest our Windows admin to enable Kerberos > > event logging per KB262177. > > > > But for the present I have found an ugly workaround. In squid's > > keytab, I created another principal called 'squiduser

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-22 Thread Victor Sudakov
Eliezer Croitoru wrote: > > And about the basic issues that you were having with performance, does > it help to run Kerberos instead of NTLM (it should...)? I have even moved squid to a new virtual machine (FreeBSD 9.3-RELEASE under VMWare, 1 GB RAM)

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-22 Thread Amos Jeffries
On 23/10/2014 5:53 p.m., Victor Sudakov wrote: > Eliezer Croitoru wrote: > >> And about the basic issues that you were having with performance, >> does it help to run Kerberos instead of NTLM (it should...)? > > I have even moved squid to a new virtu

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-22 Thread Victor Sudakov
Amos Jeffries wrote: > > > >> And about the basic issues that you were having with performance, > >> does it help to run Kerberos instead of NTLM (it should...)? > > > > I have even moved squid to a new virtual machine (FreeBSD > > 9.3-RELEASE under

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-22 Thread Victor Sudakov
Victor Sudakov wrote: > > > > > >> And about the basic issues that you were having with performance, > > >> does it help to run Kerberos instead of NTLM (it should...)? > > > > > > I have even moved squid to a new virtual machine (FreeBSD > > > 9.3-R

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Amos Jeffries
On 23/10/2014 7:27 p.m., Victor Sudakov wrote: > Victor Sudakov wrote: > And about the basic issues that you were having with > performance, does it help to run Kerberos instead of NTLM > (it should...)? I have even moved s

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Victor Sudakov
Eliezer Croitoru wrote: > > I don't know what's happening with squid but this kind of CPU > > consumption is just not normal: > > > > Victor are you using workers by any chance? I doubt it. I have compiled it from the FreeBSD ports, there was no "w

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Victor Sudakov
Amos Jeffries wrote: > > And about the basic issues that you were having with > > performance, does it help to run Kerberos instead of NTLM > > (it should...)? > > I have even moved squid to a new virtual machine (FreeBSD >

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Carlos Defoe
I had this kind of 100% CPU problem with auth helpers when upgrading to squid 3.4. I use negotiate_wrapper, kerberos, ntlm and basic auth. Then I had to fall back to 3.3 and it is production until now, with some troubles with broken clients, but with normal cpu usage most of the time. Can you try w

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Eugene M. Zheganin
Hi. On 23.10.2014 18:13, Carlos Defoe wrote: > I had this kind of 100% CPU problem with auth helpers when upgrading > to squid 3.4. I use negotiate_wrapper, kerberos, ntlm and basic auth. > Then I had to fall back to 3.3 and it is production until now, with > some troubles with broken clients, but

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-23 Thread Carlos Defoe
no, rhel 6 On Thu, Oct 23, 2014 at 9:51 AM, Eugene M. Zheganin wrote: > Hi. > > On 23.10.2014 18:13, Carlos Defoe wrote: >> I had this kind of 100% CPU problem with auth helpers when upgrading >> to squid 3.4. I use negotiate_wrapper, kerberos, ntlm and basic auth. >> Then I had to fall back to 3

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-24 Thread Victor Sudakov
Carlos Defoe wrote: > I had this kind of 100% CPU problem with auth helpers when upgrading > to squid 3.4. I use negotiate_wrapper, kerberos, ntlm and basic auth. > Then I had to fall back to 3.3 and it is production until now, with > some troubles with broken clients, but with normal cpu usage mos

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-11-03 Thread Victor Sudakov
Colleagues, I have created a howto in Russian about squid and Kerberos proxy authentication, addressing also the two problems I personally encountered while setting all the stuff up. If any Russian speakers here could review and comment it, I would be grateful. The text is at http://victor-suda

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-11-04 Thread Victor Sudakov
Now available at https://bitbucket.org/victor_sudakov/faq/src/tip/FAQ/squid_kerberos.txt Victor Sudakov wrote: > Colleagues, > > I have created a howto in Russian about squid and Kerberos proxy > authentication, addressing also the two problems I personally > encountered while setting all the st

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-11-04 Thread Amos Jeffries
On 4/11/2014 9:10 p.m., Victor Sudakov wrote: > Now available at > https://bitbucket.org/victor_sudakov/faq/src/tip/FAQ/squid_kerberos.txt > > Victor Sudakov wrote: >> Colleagues, >> >> I have created a howto in Russian about squid and Kerberos proxy

Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-11-04 Thread Victor Sudakov
Amos Jeffries wrote: > On 4/11/2014 9:10 p.m., Victor Sudakov wrote: > > Now available at > > https://bitbucket.org/victor_sudakov/faq/src/tip/FAQ/squid_kerberos.txt [dd] > > If you are going to publish this please use either the official > domains