[squid-users] Re: Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type rc4-hmac?

2010-12-10 Thread Markus Moeller
wins? Thanks in advance. Tom 2010/12/9 Markus Moeller hua...@moeller.plus.com: Hi Tom, What does klist -ekt squid.keytab show ? Does it have an entry for AES ? Did you use --enctypes 28 with msktutil as described here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

[squid-users] Re: Re: Kerberos authentication with MIT KDC

2010-12-10 Thread Markus Moeller
workgroup manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host. Thanks, Rob Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 Markus Moeller hua

[squid-users] Re: Re: Re: Kerberos authentication with MIT KDC

2010-12-10 Thread Markus Moeller
-236-7744 x169 Markus Moeller hua...@moeller.plus.com 12/10/10 2:19 PM Hi Rob, Before you used xst you must have created the principal with a command like add_principal or ank with either a -pw or -randkey option. This would have set the password for the principal. Can you try the same kinit

[squid-users] Re: Re: Re: Re: Kerberos authentication with MITKDC

2010-12-10 Thread Markus Moeller
District 870-236-7744 x169 Markus Moeller hua...@moeller.plus.com 12/10/10 5:16 PM Hi Rob, It looks like no password was set or the keytab does not contain the right key (password). Can you try to use add_principal with -randkey ? Markus Rob Asher ras...@paragould.k12.ar.us wrote in message

[squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type rc4-hmac?

2010-12-09 Thread Markus Moeller
Hi Tom, What does klist -ekt squid.keytab show ? Does it have an entry for AES ? Did you use --enctypes 28 with msktutil as described here http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab ? Markus Tom Tux tomtu...@gmail.com wrote in message

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd How did you create the entry and keytab ? Markus Rob Asher ras...@paragould.k12.ar.us wrote in message news:4cfcf8e3.0172.003...@paragould.k12.ar.us... I've

[squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Markus Moeller
Technician Paragould School District 870-236-7744 x169 Markus Moeller hua...@moeller.plus.com 12/08/10 2:39 PM Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould@xserve.paragould.psd How did you create the entry and keytab ? Markus

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-14 Thread Markus Moeller
Here is a patch for the squid trunk. Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4cdf2628.2050...@treenet.co.nz... On 13/11/10 22:30, Eugene M. Zheganin wrote: Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-14 Thread Markus Moeller
/support_resolv.Tpo .deps/support_resolv.Po Markus Eugene M. Zheganin e...@norma.perm.ru wrote in message news:4cde5aaa.1070...@norma.perm.ru... Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0

[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-13 Thread Markus Moeller
:4cde5aaa.1070...@norma.perm.ru... Hi. On 05.11.2010 21:01, Markus Moeller wrote: Hi I get the same successful results on 64 bit FreeBSD 8.0. $ uname -a FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-05 Thread Markus Moeller
| squid_kerb_ldap: Users primary group matches SOCKS_ALLOW 2010/11/05 13:56:04| squid_kerb_ldap: Unbind ldap server 2010/11/05 13:56:04| squid_kerb_ldap: User markus is member of gr...@domain socks_al...@suse.home OK 2010/11/05 13:56:04| squid_kerb_ldap: OK Markus Markus Moeller hua

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-05 Thread Markus Moeller
package installed ? How does your ldd look ? I installed a standard freebsd 8.0 84 bit plus ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz for ldap with sasl support. Markus Markus Moeller hua...@moeller.plus.com wrote in message

[squid-users] Re: squid_kerb_ldap multiple groups and granular http_access rules

2010-11-04 Thread Markus Moeller
Will all 3 groups have the same rights ? Or do you want to block some users and not others ? Markus Roy Anciso r...@manistee.org wrote in message news:aanlktikjgqwiztr3ubnk-kfg-thjxerg0jg7okr2m...@mail.gmail.com... Hello, I know with squid_kerb_ldap you can list multiple groups using a colon

[squid-users] Re: Kerberos auth with Active Directory.

2010-11-03 Thread Markus Moeller
Are you sure Safari supports proxy authentication with Negotiate or only Web authentication with Negotiate? Markus - Original Message - From: Rolf Loudon r...@ses.tas.gov.au To: Markus Moeller hua...@moeller.plus.com Sent: Wednesday, November 03, 2010 5:07 AM Subject: [Partly solved

[squid-users] Re: Kerberos auth with Active Directory.

2010-11-02 Thread Markus Moeller
Rolf Loudon r...@ses.tas.gov.au wrote in message news:ea4139a9-af4d-4e0d-8a05-c7b0c3ef4...@ses.tas.gov.au... hello Hi Rolf I am trying to setup kerberos auth against Active Directory - Windows 2000 - in squid, 2.7. This is primarily so that the username is captured in the access log.

[squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

2010-11-01 Thread Markus Moeller
Let me see if I can get a 8.0/7.x build. Does it compile AND work on 8.1 or do you still see the crash when reading the keytab ? Markus Eugene M. Zheganin eug...@zhegan.in wrote in message news:4ccd5f0e.9080...@zhegan.in... Hi. On 30.10.2010 00:14, Markus Moeller wrote: Hi, I have now

[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-30 Thread Markus Moeller
My tests show the same. RC4 works but AES 128/256 fail. It seems to be some incompatibility between MS and MIT/Heimdal Kerberos libraries introduced in R2 Markus DmitrySh sbro...@inbox.lv wrote in message news:1288361044027-3019158.p...@n4.nabble.com... I solve the problem on Win7

[squid-users] Re: Re: squid_ldap_group against nested groups/Ous

2010-10-29 Thread Markus Moeller
SOCKS_ALLOW 2010/10/29 18:41:48| squid_kerb_ldap: Unbind ldap server 2010/10/29 18:41:48| squid_kerb_ldap: User markus is member of gr...@domain socks_al...@suse.home OK Eugene M. Zheganin eug...@zhegan.in wrote in message news:4cc662af.7070...@zhegan.in... Hi. On 07.12.2008 18:09, Markus

[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-27 Thread Markus Moeller
I will try to get a 2008 R2 box, but it will take some time as I have only a 32bit system and R2 is 64bit. Markus Paul Freeman paul.free...@eml.com.au wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local... Hi. I have successfully installed Squid 3.1.8 on

[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Markus Moeller
Hi Paul, Is your AD server 2003 or 2008 ? Markus Paul Freeman paul.free...@eml.com.au wrote in message news:19672eecfb9ae340833c84f3e90b5956042a4...@mel-ex-01.eml.local... Hi. I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled Kerberos/NTLM authentication using

[squid-users] Re: Re: Problem with SQUID_KERB_LDAP

2010-10-26 Thread Markus Moeller
DmitrySh sbro...@inbox.lv wrote in message news:1288100124027-3013710.p...@n4.nabble.com... Hi all again. I think we can close this thread because I localized the problem. It's the same problem as in this thread -

[squid-users] Re: Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Markus Moeller
. AD is running at the 2003 functional level. The AD environment is the same one that is working OK with Squid and Kerberos authentication for Windows XP workstations running IE8. Regards Paul -Original Message- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Wednesday

[squid-users] Re: Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Markus Moeller
Hi Paul, As far as I know the Kerberos libraries do not use openssl code. Can you capture the traffic between your 2008 server and AD on port 88 and between the 2008 server and squid on 3128 (the squid port). Can you also capture the traffic between squid and AD when you try a kinit -kt

[squid-users] Re: Re: Problem with SQUID_KERB_LDAP

2010-10-25 Thread Markus Moeller
Also check that squid_kerb_ldap is executable by the squid user Regards Markus Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:c8eb5040.193f2%nick.cairncr...@condenast.co.uk...

[squid-users] Re: Re: squid_ldap_group against nested groups/Ous

2010-10-25 Thread Markus Moeller
Hi, I will try to repeat it on a freebsd system ( although only 32bit). Markus Eugene M. Zheganin eug...@zhegan.in wrote in message news:4cc662af.7070...@zhegan.in... Hi. On 07.12.2008 18:09, Markus Moeller wrote: I did implement recursive group search in squid_kerb_ldap at http

[squid-users] Re: Problem with SQUID_KERB_LDAP

2010-10-22 Thread Markus Moeller
DmitrySh sbro...@inbox.lv wrote in message news:1287753284416-3007186.p...@n4.nabble.com... Hi guru's I try some weeks to configure my squid to auth with MS AD with squid_kerb_auth. As i understand squid_kerb_ldap is a new helper for ldap requests instead of squid_ldap_group, or am i

[squid-users] Re: Re: squid client authentication against AD computer account

2010-10-03 Thread Markus Moeller
Hi Manoj, The only way I see this can work is to use my experimental local proxy to support application which don't support Negotiate authentication. You can find it here http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/ c:\ client_kerb_auth_sspi.exe -S -s

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-29 Thread Markus Moeller
barbarossa bdman...@hotmail.com wrote in message news:1285759672914-2718780.p...@n4.nabble.com... I don't know why, but authenticating in the IE login dialog using kerberos credentials works now (u...@realm.com, same as for FF). For most of the page requests, squid writes to cache.log logs

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-29 Thread Markus Moeller
Markus Moeller hua...@moeller.plus.com wrote in message news:i806q2$qm...@dough.gmane.org... barbarossa bdman...@hotmail.com wrote in message news:1285759672914-2718780.p...@n4.nabble.com... I don't know why, but authenticating in the IE login dialog using kerberos credentials works now

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-28 Thread Markus Moeller
barbarossa bdman...@hotmail.com wrote in message news:1285675470312-2717106.p...@n4.nabble.com... So, I set the following in about:config (Firefox): *network.auth.use-sspi: false *network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

[squid-users] Re: single login AD integration

2010-09-27 Thread Markus Moeller
Hi Josh, This can be achieved through NTLM or Negotiate authentication, in which case the browser will try to use the PC credentials to authenticate to squid. Markus Josh Phillips jphill...@judicialservices.com wrote in message news:2856986.66750.1285600653601.javamail.r...@zmstore52... I

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-27 Thread Markus Moeller
barbarossa bdman...@hotmail.com wrote in message news:1285596015113-2715437.p...@n4.nabble.com... I want to say that in IE 8 (the only version I used for the proxy), I get a login prompt. Are the XP users defined in the Kerberos server ? Markus No. I just want to authenticate using the

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-27 Thread Markus Moeller
Markus Moeller hua...@moeller.plus.com wrote in message news:i7qqri$ku...@dough.gmane.org... barbarossa bdman...@hotmail.com wrote in message news:1285596015113-2715437.p...@n4.nabble.com... I want to say that in IE 8 (the only version I used for the proxy), I get a login prompt

[squid-users] Re: Simple Kerberos/Squid configuration received type 1 NTLM token

2010-09-24 Thread Markus Moeller
Markus Moeller hua...@moeller.plus.com wrote in message news:i7ic41$s...@dough.gmane.org... Are the XP users defined in the Kerberos server ? Markus barbarossa bdman...@hotmail.com wrote in message news:1285330198052-2553379.p...@n4.nabble.com... Hi, I have a simple configuration of Squid

[squid-users] Re: Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

2010-09-22 Thread Markus Moeller
Aleksandar Ciric aciri...@yahoo.com wrote in message news:375975.43025...@web114214.mail.gq1.yahoo.com... Gentoo Squid, IE browser 1. GET google 2. 407, Proxy-Authenticate: Negotiate\r\n 3. GET google, Proxy-Authorization: Negotiate token, NTLMSSP 4. 407, Proxy-Authenticate: Negotiate\r\n

[squid-users] Re: Squid 3.1.6, Kerberos and strange browser auth behavior

2010-09-21 Thread Markus Moeller
Aleksandar Ciric aciri...@yahoo.com wrote in message news:353393.71638...@web114210.mail.gq1.yahoo.com... Hello, I have a Gentoo server with 3.1.6 Squid. I have setup Kerberos authentication with our AD server that works correctly when accessed from domain member computer. However when I

[squid-users] Re: Re: Squid 3.1.6, Kerberos and strange browser auth behavior

2010-09-21 Thread Markus Moeller
--- On Tue, 9/21/10, Markus Moeller hua...@moeller.plus.com wrote: From: Markus Moeller hua...@moeller.plus.com Subject: [squid-users] Re: Squid 3.1.6, Kerberos and strange browser auth behavior To: squid-users@squid-cache.org Date: Tuesday, September 21, 2010, 12:13 PM Aleksandar Ciric

[squid-users] Re: Tweaking squid_kerb_auth

2010-09-16 Thread Markus Moeller
Hi Nick, The only tweaking which might be required is for MIT based libraries on a high load system to disable the replay cache by setting KRB5RCACHETYPE=none export KRB5RCACHETYPE Markus Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message

[squid-users] Re: Re: squid client authentication against AD computer account

2010-09-15 Thread Markus Moeller
if this is achievable. I don't think this is possible with Kerberos as the ticket does not have (usable) information about the client computer. Thanks for the help. Manoj On Wed, Sep 15, 2010 at 12:28 AM, Markus Moeller hua...@moeller.plus.com wrote: Manoj Rajkarnikar manoj.rajkarni...@gmail.com

[squid-users] Re: squid client authentication against AD computer account

2010-09-14 Thread Markus Moeller
Manoj Rajkarnikar manoj.rajkarni...@gmail.com wrote in message news:aanlktingxtowx+aysrvgoaseiqrs1qrmx2vym8t5i...@mail.gmail.com... Hi all. I've been trying to setup this squid box with authentication to AD 2003 server. The need in our situation is to allow the workstation allow access to

[squid-users] Re: Re: Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

2010-09-09 Thread Markus Moeller
obtaining an IP address via DHCP. I am finding that Firefox is actually failing at step 3. It is not prompting for a username and password. Unlike IE which is. Thanks Paul -Original Message- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Thursday, 9 September 2010 6:01 AM

[squid-users] Re: Squid 3.0 STABLE 19 and SPNEGO with Windows Firefox 3.6.3

2010-09-07 Thread Markus Moeller
environment using W2K8R2 domain controller servers running in W2K3 functional mode. I have implemented authentication in Squid using the squid_kerb_auth module from Markus Moeller. Authentication is working fine for users logging in using domain credentials on domain registered workstations using both

[squid-users] Re: Kerberos / SASL for squid_ldap_group

2010-09-04 Thread Markus Moeller
Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message news:99a993aa-7d9f-49a2-bf7b-4bd51b109...@condenast.co.uk... On Mon, 30 Aug 2010 16:32:51 +0200, Maxim Burgerhout ma...@wzzrd.com wrote: Of course I just bumped into that little gem *after* I sent the previous message to this

[squid-users] Re: Kerberos authentication against AD 2003 server

2010-08-29 Thread Markus Moeller
Hi Manoj, It looks like the client PC does not get the TGS for HTTP/proxy.domain. Did you configure in IE the proxy with the name proxy.domain or as IP ? IE requires the name. BTW IE 6 does not support Kerberos proxy authentication. Can you capture the traffic on port 88 from your client

[squid-users] Re: Re: RE: Re: Feasibility - Squid as user-specific SSL tunnel (poor-

2010-08-26 Thread Markus Moeller
as a kerberized version of the HTTP caller, wrapping the call in SPNEGO support or something? Yes it just adds a SPNEGO/Kerberos token to each request using SSPI. -Original Message- From: Markus Moeller [mailto:hua...@moeller.plus.com] Sent: Wednesday, August 25, 2010 2:43 PM To: squid

Re: RE: Re: [squid-users] Feasibility - Squid as user-specific SSL tunnel (poor-man's VPN

2010-08-25 Thread Markus Moeller
Did you try something like http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/ ? It is a local proxy which uses the credentials of the logged in user to authenticate to the next proxy (e.g. squid). It is a POC and works on Unix and Windows. Markus Bucci, David

[squid-users] Re: Squid_kerb_ldap intermittently failing auth

2010-08-17 Thread Markus Moeller
Can you run both squid_kerb_ldap and squid_kerb_auth with -d. It should give a lot more details to find out why it happens Markus Mark deJong dejo...@gmail.com wrote in message news:aanlktikvdju6+ysywkdn7vxyzyts4rtdjgf7ccnzm...@mail.gmail.com... Hello, I'm having an issue with

[squid-users] Re: squid_kerb_ldap with specific SPN

2010-08-13 Thread Markus Moeller
Mark deJong dejo...@gmail.com wrote in message news:aanlktimpw4vgdf536suz0inbx8nwax-o_bvljjytr...@mail.gmail.com... Hello, I'm having some issue with squid_kerb_ldap in its handling of SPN's in the specified keytab file. I'm hoping I'm just missing something. I have a Windows Forest with

[squid-users] Re: User Authentication to parent proxy question

2010-08-10 Thread Markus Moeller
; Proxy-Authorization NTLMSSP_AUTH; Proxy-connection: keep-alive Child-proxy - clientTCP RESET Why does the proxy reset the connection ? I could not see any obvious in the log (even with full debug) Thank you Markus Markus Moeller hua...@moeller.plus.com wrote in message

[squid-users] Re: User Authentication to parent proxy question

2010-08-10 Thread Markus Moeller
I forgot to say that I used 2.7 Stable 9 Markus Markus Moeller hua...@moeller.plus.com wrote in message news:i3s86d$ch...@dough.gmane.org... I tried the following simple configuration for the child proxy: acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl

[squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

2010-08-09 Thread Markus Moeller
Hi Tom, squid_kerb_ldap does not authenticate a user. It just looks up membership info and can not replace squid_ldap_auth Markus Tom Tux tomtu...@gmail.com wrote in message news:aanlktimybsvmrsy7a7mhbaazvfv63wdfux1i5wd6t...@mail.gmail.com... Hi I've implemented a native

[squid-users] Re: Re: squid_kerb_ldap clarification

2010-08-06 Thread Markus Moeller
Joseph L. Casale jcas...@activenetwerx.com wrote in message news:ca5a491e9defbe4cb777de97e21575e906bb0...@prato.activenetwerx.local... Here is a short overview what squid_kerb_ldap does. 1) A user authenticates with either NTLM (username will be NT-DOM\user) or Kerberos (username will be

[squid-users] squid on Windows

2010-08-06 Thread Markus Moeller
Hi Can I run squid on Windows XP or Vista and provide NTLM authentication for the XP/Vista local accounts or do I need a DC ? Thank you Markus

[squid-users] Re: squid_kerb_ldap clarification

2010-08-05 Thread Markus Moeller
Hi Joseph, Here is a short overview what squid_kerb_ldap does. 1) A user authenticates with either NTLM (username will be NT-DOM\user) or Kerberos (username will be u...@kerb-dom) 2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM authenticated users 3) Uses DNS

[squid-users] Re: Strange Kerberos authentication behavior (very high load, very slow response)

2010-08-02 Thread Markus Moeller
Can you try to disable the replay cache as described here and let me know the load please ? Thank you Markus Billie Joe billiegd...@gmail.com wrote in message news:aanlkti=zu4qs-rbjxdeuvyyqbokxj0j1aw+fx+epm...@mail.gmail.com... Hi Folks, Here it is: Hardware specs: HP DL160G6, 8GB RAM,

[squid-users] User Authentication to parent proxy question

2010-07-22 Thread Markus Moeller
Hi, If I have a parent proxy which requires NTLM or Kerberos user authentication can I use login=PASS to do that ? e.g. cache_peer parent.foo.net parent3128 3130 proxy-only default login=PASS Is it also possible that the child does not authenticate the user but just hands

[squid-users] Re: Re: Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN

2010-07-19 Thread Markus Moeller
? It just doesn't make sense that it is so hit and miss.. Thanks, Nick On 17/07/2010 12:09, Markus Moeller hua...@moeller.plus.com wrote: Hi Nick, This is an unusual setup. I wonder how you could get it to work as a keytab extraction usually changes the AD entry and therefore the key for your 2nd

[squid-users] Re: Kerberos: HTTP/host and not HTTP/host.fqdn@FQDN

2010-07-17 Thread Markus Moeller
Hi Nick, This is an unusual setup. I wonder how you could get it to work as a keytab extraction usually changes the AD entry and therefore the key for your 2nd/3rd squid server. I suggest to create three separate AD entries and remove any SPN for HTTP/short-hostname. Regards Markus Nick

[squid-users] Re: Re: help squid_kerb_auth

2010-07-16 Thread Markus Moeller
for the help Nicola Gentile 2010/7/16 Markus Moeller hua...@moeller.plus.com: Hi Nicola, Can you run strace against squid_kerb_auth ? You can do this by selecting just one child (e.g. auth_param negotiate children 1) and then do trace -f -F -p pid of squid_kerb_auth. Please send me the output. Can you

[squid-users] Re: help squid_kerb_auth

2010-07-15 Thread Markus Moeller
Hi Nicola, Can you run strace against squid_kerb_auth ? You can do this by selecting just one child (e.g. auth_param negotiate children 1) and then do trace -f -F -p pid of squid_kerb_auth. Please send me the output. Can you also check on the client with kerbtray ( available from Microsoft )

[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-09 Thread Markus Moeller
- From: Tom Tux tomtu...@gmail.com To: Markus Moeller hua...@moeller.plus.com Sent: Thursday, July 08, 2010 1:54 PM Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking Hi Markus I think, that the output from the log with just the username

[squid-users] Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-09 Thread Markus Moeller
-1.2.1a. I will try it with the -D-Option. Is it possible to have a Single-Sign-On-solution with IE6 without winbind? Can I take squid_kerb_ldap for this purpose? Thank you. Regards, Tom 2010/7/9 Markus Moeller hua...@moeller.plus.com: Hi Tom, Which version do you use ? The latest squid_kerb_ldap

[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-07 Thread Markus Moeller
Hi Tom It should work if squid sends Negotiate and NTLM authentication requests to the client. IE6 will ignore the Negotiate request and reply to NTLM, whereas IE7 and IE8 will respond to Negotiate. With NTLM you will get a username like Netbios-Domain\user in contrast to

[squid-users] Re: Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-07-05 Thread Markus Moeller
Hi squid_kerb_auth is not required for squid_kerb_ldap work, but you have to use -g GROUP and provide an ldap URL as squid_kerb_ldap won't be able to automagically determine the ldap server. Regards Markus GIGO . gi...@msn.com wrote in message

[squid-users] Re: Re: Re: squid_kerb_ldap - Error while initialising credentials from keytab

2010-07-02 Thread Markus Moeller
. Regards, Tom 2010/7/1 Markus Moeller hua...@moeller.plus.com: You could have used a tool like kerbtray or just lock and unlock the PC which would have refreshed the cache. Regards Markus Tom Tux tomtu...@gmail.com wrote in message news:aanlktiljgrnzru9wxivap0tj22onxaknjanbczlvs

[squid-users] Re: Re: Re: Re: squid_kerb_ldap - Error while initialising credentials from keytab

2010-07-02 Thread Markus Moeller
the keytab to verify the encrypted information for each request the client sends to the server. The server does not need to cache anything, only the client caches to avoid too many requests to AD. Regards, Tom Regards Markus 2010/7/2 Markus Moeller hua...@moeller.plus.com: Hi Tom, The important

[squid-users] Re: Re: squid_kerb_ldap - Error while initialising credentials from keytab

2010-07-01 Thread Markus Moeller
is incorrect' What's wrong here? I tried with kinit and kinit -R again - no success. How can I fix this problem? Regards Tom 2010/6/30 Markus Moeller hua...@moeller.plus.com: Hi Tom squid_kerb_ldap tries to use the keytab to authenticate squid against AD. The keytab contains basically

[squid-users] Re: Authenticate domain user

2010-07-01 Thread Markus Moeller
What is your access config ? Maybe you have a line which gives also unauthenticated users access to hotmail. BTW Do you want the workgroup users to have access after authentication ? I tested that it might work if you provide via dhcp a WINS server which has an entry for the Kerberos domain.

[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-07-01 Thread Markus Moeller
Hi 1) 1.2.1a is just a minor patch version to 1.2.1. 2) This happens only when you use the -d debug option 3) You can use the options -u BIND_DN -p BIND_PW -b BIND_PATH -l LDAP_URL 4) If they have different access needs then that is the only way. If they have the same access right you can

[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-06-30 Thread Markus Moeller
The error message says it: 2010/06/30 15:56:39| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No such file or directory Which means you did not set the environment variable KRB5_KTNAME in the startup script. See

[squid-users] Re: squid_kerb_ldap - Error while initialising credentials from keytab

2010-06-30 Thread Markus Moeller
Hi Tom squid_kerb_ldap tries to use the keytab to authenticate squid against AD. The keytab contains basically the password for the user http/fqdn which maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap tries to use host/proxy-test-01.xx...@xx.yy but does not find in

[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-06-30 Thread Markus Moeller
Hi, From your log file I also see that squid_kerb_ldap is crashing. Can you get the latest version 1.2.1a ? If you have already that version I would need to debug it to find the reason for the crash in free(). Regards Markus GIGO . gi...@msn.com wrote in message

[squid-users] Re: Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

2010-06-30 Thread Markus Moeller
for your help. Tom 2010/6/30 Markus Moeller hua...@moeller.plus.com: Hi Tom, I have a SLES 11 system I can test tomorrow. It looks like an option is not available. Error: ldap_set_option (option=) failed (Can't contact LDAP server) Markus Tom Tux tomtu...@gmail.com wrote in message

[squid-users] Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-06-29 Thread Markus Moeller
Can you add the option -d -i to squid_kerb_auth and squid_kerb_ldap to create more debug output and send the cache.log extract Regards Markus GIGO . gi...@msn.com wrote in message news:snt134-w34626d5c8ec65f9d8495b1b9...@phx.gbl... Hi Henrik/Markus/All Every setting(keeping in view your

[squid-users] Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

2010-06-29 Thread Markus Moeller
gives me no principals back: proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal - ktutil: Thanks a lot. Kind regards Tom 2010/6/29 Markus Moeller hua

[squid-users] Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

2010-06-28 Thread Markus Moeller
Make sure the squid servers hostname matches squidhr1.v.local. If not use -s HTTP/squidhr1.v.local as an option to squid_kerb_auth. Regards Markus GIGO . gi...@msn.com wrote in message news:snt134-w64257c53609757cd3cf006b9...@phx.gbl... Hi all, I am unable to do kerberos authentication in

[squid-users] Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

2010-06-28 Thread Markus Moeller
Can you post the whole output of msktutil with --verbose please. If msktutil fails with TLS on port 389 it will try again without TLS. Regards Markus Tom Tux tomtu...@gmail.com wrote in message news:aanlktil1fhq5ks3nx8mostkic2qoacz1xpmp6wh6r...@mail.gmail.com... this works. I'm also able to

[squid-users] Re: Re: Re: Re: Advices for a squid cluster with kerberos auth

2010-06-25 Thread Markus Moeller
proxy --upn HTTP/proxy.xxx.yyy --server dc2.xxx.yyy --verbose --enctypes 28 Maybe I misunderstood your English. I shouldn't use -s GSS_C_NO_NAME ? On Tue, 8 Jun 2010 19:50:01 +0100, Markus Moeller hua...@moeller.plus.com wrote: Hi Emmanuel, You did not use -s GSS_C_NO_NAME as I mentioned

[squid-users] HTTP header order

2010-06-19 Thread Markus Moeller
Hi, Would the below CONNECT request be valid or is it RFC non compliant (e.g. Host: not as first line) ? Authorization: BASIC bWhfhffrdsMw== Accept-charset: iso-8859-1 Content-charset: iso-8859-1 Content-type: plain/text Connection: Keep-Alive Content-length: 5 User-Agent: Java/1.4.2_12

[squid-users] Re: Re: Re: Advices for a squid cluster with kerberos auth

2010-06-08 Thread Markus Moeller
Hi Emmanuel, You did not use -s GSS_C_NO_NAME as I mentioned in my first mail did you ? Regards Markus Emmanuel Lesouef e.leso...@crbn.fr wrote in message news:20100608100923.7ee7e...@nienor.local... On Tue, 8 Jun 2010 00:21:11 +0100, Markus Moeller hua...@moeller.plus.com wrote: Hi

[squid-users] Re: Re: Advices for a squid cluster with kerberos auth

2010-06-07 Thread Markus Moeller
, 20 May 2010 21:51:08 +0100, Markus Moeller hua...@moeller.plus.com wrote: It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth). Regards Markus Understood. Thanks

[squid-users] Re: Help configuring Squid with Kerberos authentication to access Skype service

2010-06-03 Thread Markus Moeller
The question is: Does Skype support Negotiate as an authentication scheme ? If not you need something like a local proxy. I have a POC version here https://sourceforge.net/projects/squidkerbauth/files/squidkerberizer/squid_kerberizer-1.0.1/client_kerb_auth.zip/download or

[squid-users] Re: Advices for a squid cluster with kerberos auth

2010-05-20 Thread Markus Moeller
It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth). Regards Markus Amos Jeffries squ...@treenet.co.nz wrote in message news:4bf52c87.9080...@treenet.co.nz... Emmanuel

[squid-users] Re: Kerberos

2010-05-16 Thread Markus Moeller
Hi Matthew, I think you are a bit confused. AD offers a Kerberos and ldap service. OpenDirectory or eDirectory is just ldap and has nothing to do with Kerberos (as far as I know). You can use AD, MIT Kerberos, Heimdal Kerberos or any other Implementation (e.g. Solaris based) for

[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread Markus Moeller
Hi Lieven, The problem seems to be the krb5kdc_err_s_principal_unknown error. If you took the capture earlier you should have seen a TGS REQ in wireshark for HTTP/squid3-proxy.domain.local and AD says it does not know anything about this principal. Can you search AD if you have an entry with

[squid-users] Re: Re: squid_kerb_auth received type 1 NTLM token

2010-05-11 Thread Markus Moeller
-proxy.domain.local service principal in kerbtray. Only, it still pops up with an authentication request so I'm not yet there. Anyway, tomorrow I'll have access to the local pc and a wireshark trace will probably help me solve this further. thanks for all the effort already. cheers. Lieven Markus

[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-09 Thread Markus Moeller
Hi Lieven Lieven lieve...@gmail.com wrote in message news:4be6bd24.7090...@gmail.com... Hello Markus, Sorry for my slow reaction. 1) I did a klist on the squid server and got this ticket: squid3-proxy:/var/log/squid-3.1.3# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal:

[squid-users] Re: squid_kerb_auth received type 1 NTLM token

2010-05-05 Thread Markus Moeller
Can you get a wireshark capture of port 53 (dns) and port 88(kerberos) and port 3128(squid) from your client machine when you try to surf ? Can you also install kerbtray from microsoft to list tickets in your clients kerberos cache ? Regards Markus Lieven lie...@ba.be wrote in message

[squid-users] Re: squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

2010-04-27 Thread Markus Moeller
Markus Moeller hua...@moeller.plus.com wrote in message news:hr4mi5$3e...@dough.gmane.org... GIGO . gi...@msn.com wrote in message news:snt134-w60089c12fb3e7d43747c18b9...@phx.gbl... Dear All, The problem under discussion is a continuity of SPN creation/Single Forest MultiDomain (Active

[squid-users] Re: squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

2010-04-26 Thread Markus Moeller
GIGO . gi...@msn.com wrote in message news:snt134-w60089c12fb3e7d43747c18b9...@phx.gbl... Dear All, The problem under discussion is a continuity of SPN creation/Single Forest MultiDomain (Active Directory) topic. @ Markus Yes my infrastructure is Active Directory based (Root Forest

[squid-users] Re: Re: Re: Re: Creating a kerberos Service Principal.

2010-04-17 Thread Markus Moeller
Hi Bilal, Firstly there is a difference in supporting IWA for web authentication and IWA for proxy authentication. If I remember right proxy authentication with Negotiate is only available from IE 7 onwards. Can you capture the traffic from your client on port 88 with wireshark ?

[squid-users] Re: squid_kerb_auth multiple GET request

2010-04-16 Thread Markus Moeller
In theory you can, but it has to be implemented in the client (e.g. the Browser). Regards Markus Tiery DENYS tiery.de...@gmail.com wrote in message news:h2kfdcc38011004140653p92fd561fv81febc7501188...@mail.gmail.com... Hi, I am using squid with squid_kerb_auth plugin for authentication on a

[squid-users] Re: Squid HTTP Keytab SPN question

2010-04-16 Thread Markus Moeller
Hi Nick, You do not need a DNS entry for AUTH1. As default squid_kerb_auth uses HTTP/gethostbyadr(gethostbyname(hostname()) which means it canonicalises the hostname. You can change this by using the -S option. When you use msktutil you have to make sure that you do not have two

[squid-users] Re: Re: Re: Creating a kerberos Service Principal.

2010-04-16 Thread Markus Moeller
Hi Bilal, In your case the browser is returning a NTLM token not a Kerberos token, which is why squid_kerb_auth will deny access. Regards Markus GIGO . gi...@msn.com wrote in message news:snt134-w155de8e05828b08d15c09ab9...@phx.gbl... Dear Nick, This was the result of my klist -k command:

[squid-users] Re: Re: Re: Creating a kerberos Service Principal.

2010-04-16 Thread Markus Moeller
Hi Bilal, Is the squidadmin user member of the UnixAdmins group ? Regards Markus GIGO . gi...@msn.com wrote in message news:snt134-w374039f11c582486d8169b9...@phx.gbl... Dear Markus/all, I am unable to create the keytab using msktutil please help me out. I followed the following steps:

[squid-users] Re: ipcCreate error:

2010-04-10 Thread Markus Moeller
Hi Bilal, The error probably means that your squid user has no permission to read/execute squid_kerb_auth. If you use a script you have to change auth_param negotiate program /usr/sbin/squid_kerb_auth to auth_param negotiate program /usr/sbin/squid_kerb_auth_script.sh assuming your script

[squid-users] Re: Re: Creating a kerberos Service Principal.

2010-04-09 Thread Markus Moeller
Hi Bilal, I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I then create a Windows Group UnixAdministrators and add the Windows account of the UnixAdministrators to it. Finally I change the permissions on the OU=UnixPrincipals so that the members of the group

[squid-users] Re: Re: Re: Re: SSO with Active Directory-Squid Clients

2010-04-09 Thread Markus Moeller
Hi Bilal, What you do is a possible option, but has in my view 3 problems. 1) In a large enterprise you really do not want additional user accounts without password expiry as you have to have a process in place to recertify them regularly 2) It means when the administrator leaves you have

[squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

2010-04-09 Thread Markus Moeller
Hi Bilal, Regarding your second point about workgroups the answer is that Kerberos can work too (with popup). But to make it work your DHCP server has to provide WINS servers (or it has to be hardcoded on the client). When a client gets the Negotiate request the client will try to find out

[squid-users] Re: Re: Re: Re: SSO with Active Directory-Squid Clients

2010-04-09 Thread Markus Moeller
failed (Device or resource busy) Error: set_password failed -- krb5_cleanup: Destroying Kerberos Context -- ldap_cleanup: Disconnecting from LDAP server -- init_password: Wiping the computer password structure On 08/04/2010 20:08, Markus Moeller hua...@moeller.plus.com wrote: Hi Nick, Did you use