[squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-07 Thread Mirza Dedic
We are using SQUID 2.7 STABLE8 on a Windows 2008 box, it is working except when
a user tries to access Microsoft Lync 2013 they get a password prompt.
I've searched the web and spent countless hours on this with no luck, anyone
able to shed some light?
When I start my Microsoft Lync 2013 client, on access.log I see the following
hit when the proxy dialog box shows up within the Lync application.

1412717278.341516 172.16.12.110 TCP_MISS/200 11695 CONNECT login.microsoftonline.com:443 - DIRECT/65.52.244.66 -

Here is my squid.conf file:
I've tried to add all of the published URLs and IPs that Microsoft lists for
Office 365 and related products, but I still have no luck.. anyone able to
assist?

# Port on which Squid will listen on
http_port 8080

# Authentication
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program c:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds

# Squid Defaults
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1

# Class C Internal Subnet - Defaults
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# ACLs
# for destination machine
acl lan_dst dst 172.16.0.0/16
# for source machine
acl lan_src src 172.16.0.0/16
# for destination domain
acl lan_domain dstdomain .contoso.com

# SSL Ports
acl SSL_ports port 443 8180 8443 563 1494 2598 8531

# Standard Ports
acl Safe_ports port 80                          # http
acl Safe_ports port 81                          # http for Pacific Brokerage
acl Safe_ports port 21                          # ftp
acl Safe_ports port 443 563                     # http
acl Safe_ports port 70                          # gopher
acl Safe_ports port 210                         # wais
acl Safe_ports port 280                         # http-mgmt
acl Safe_ports port 488                         # gss-http
acl Safe_ports port 591                         # filemaker
acl Safe_ports port 777                         # multiling http
acl Safe_ports port 8080 8081 8082 8088 8180
acl Safe_ports port 3128                        # Squid http server
acl Safe_ports port 1494 2598                   # ICA - Citrix
acl Safe_ports port 7000 8000                   # Oracle
acl Safe_ports port 9000                        # Oracle
acl Safe_ports port 8530                        # WSUS
acl Safe_ports port 55905                       # WSUS
acl Safe_ports port 1025-65535                  # unregistered ports

external_acl_type AD_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
acl AuthorizedUsers proxy_auth REQUIRED

# ACL - Microsoft
acl msdomains dstdomain .windowsupdate.com
acl msdomains dstdomain .microsoft.com
acl msdomains dstdomain .windows.com
acl msdomains dstdomain .live.com
acl msdomains dstdomain .msecnd.net
acl msdomains dstdomain .microsoftonline.com
acl msdomains dstdomain .office365.com
acl msdomains dstdomain .lync.com
acl msdomains dstdomain .office.com
acl msdomains dstdomain .onmicrosoft.com
acl msdomains dstdomain .microsoftonline-p.com
acl msdomains dstdomain .microsoftonline-p.net
acl msdomains dstdomain .microsoftonlineimages.com
acl msdomains dstdomain .microsoftonlinesupport.net
acl msdomains dstdomain .msocdn.com
acl msdomains dstdomain .msn.com
acl msdomains dstdomain .msn.co.jp
acl msdomains dstdomain .msn.co.uk
acl msdomains dstdomain .office.net
acl msdomains dstdomain .aadrm.com
acl msdomains dstdomain .cloudapp.net
acl msdomains dstdomain .windowsazure.com
acl msdomains dstdomain .phonefactor.net
acl msdomains dstdomain .symcb.com

# ACL - SSL Providers
acl registars dstdomain .verisign.com
acl registars dstdomain .godaddy.com

# LYNC
acl lync2013 dst 65.54.54.128/25
acl lync2013 dst 65.55.121.128/27
acl lync2013 dst 65.55.127.0/24
acl lync2013 dst 111.221.17.128/27
acl lync2013 dst 111.221.22.64/26
acl lync2013 dst 111.221.76.96/27
acl lync2013 dst 111.221.76.128/25
acl lync2013 dst 111.221.77.0/26
acl lync2013 dst 134.170.0.0/25
acl lync2013 dst 157.55.40.128/25
acl lync2013 dst 157.55.46.0/27
acl lync2013 dst 157.55.46.64/26
acl lync2013 dst 157.55.104.96/27
acl lync2013 dst 157.55.229.128/27
acl lync2013 dst 157.55.232.128/26
acl lync2013 dst 157.55.238.0/25
acl lync2013 dst 207.46.5.0/24
acl lync2013 dst 207.46.7.128/27
acl lync2013 dst 207.46.57.0/25

# OFFICE 365 PORTAL AND IDENTITY
acl 365portal dst 23.96.208.238
acl 365portal dst 23.97.64.252
acl 365portal dst 23.97.68.113
acl 365portal dst 23.97.70.147
acl 365portal dst 23.97.72.158
acl 365portal dst 23.97.72.161
acl 365portal

Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-07 Thread Mirza Dedic
Hi Elizabeth,
Thanks, I totally forgot I could use a paste like service, here is the link to 
my squid.conf file:
http://pastie.org/9629651
I have stripped out the comments from the paste.
It seems it could be HTTP 1.1 according to 
http://blog.schertz.name/2012/12/http-utilized-lync-server/ 
Does this mean I am out of luck with getting this to work on Squid 2.7 STABLE8?
I would upgrade to a higher version, however 2.7 STABLE8 is the latest 
available version for Windows it appears.

> Date: Wed, 8 Oct 2014 00:45:33 +0300
> From: elie...@ngtech.co.il
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync   
> 2013 to work?
> 
> On 10/08/2014 12:37 AM, Mirza Dedic wrote:
> > We are using SQUID 2.7 STABLE8 on a Windows 2008 box, it is working
> > except when a user tries to access Microsoft Lync 2013 they get a
> > password prompt. I've searched the web and spent countless hours on
> > this with no luck, anyone able to shed some light? When i start my
> > Microsoft Lync 2013 client, on access.log I see the following hit
> > when the proxy dialog box shows up within the Lync application. 
> > 1412717278.341516 172.16.12.110 TCP_MISS/200 11695 CONNECT
> > login.microsoftonline.com:443 - DIRECT/65.52.244.66 - Here is my
> > squid.conf file: I've tried to add all of the published URLs and
> > IPs that Microsoft lists for Office 365 and related products, but I
> > still have no luck.. anyone able to assist?
> 
> Hey,
> 
> First note that 2.7 is very old and does not support HTTP 1.1, which Lync
> might require.
> How do you configure your Lync client?
> Also note that the client uses a CONNECT method which is a very
> special one that in your case is allowed.
> 
> The issue you are probably having is not related 100% to squid since
> the basic logs show that it allows the connection to be forwarded
> towards the destination server.
> 
> The squid.conf you just pasted inside the email was distorted; please do:
> - Clean the file from comments before reposting it.
> - Attach the file to the email instead of pasting it inside the email,
> or alternatively use some paste site such as:
> http://fpaste.org/
> http://pastie.org/
> http://paste.ubuntu.com/
> http://paste.debian.net/
> 
> All The Bests,
> Eliezer
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-07 Thread Mirza Dedic
Hi Eliezer,

After I commented out the SquidGuard part of the config and restarted squid,
I restarted my Lync 2013 client and it connects without a proxy prompt. In the
log I still see the "1412723608.354485 172.16.12.110 TCP_MISS/200 11695
CONNECT login.microsoftonline.com:443 - DIRECT/65.52.244.66 -" but no proxy
on the client's side.

So, something in SquidGuard must be causing this??

I did not want to uncomment the NTLM because we use this to provide seamless
authentication for the clients; if we only allow basic it will prompt for
user/pass, won't it?

We use SquidGuard as it has a pre-defined list of blocked sites, so it was a
quick way to add a set of blocked sites.. but this whole setup is old, I
don't even know where the win32 binaries came from for squidguard..

You mentioned a 3.x being developed for Windows, is this internal only or
somewhere I can follow the progress?

Thank you for your help on this!

-Original Message-
From: Eliezer Croitoru [mailto:elie...@ngtech.co.il] 
Sent: October 7, 2014 3:47 PM
To: squid-users@lists.squid-cache.org
Cc: Mirza Dedic
Subject: Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync
2013 to work?

It's Eliezer..

Since you are using squidguard and ntlm, first try to disable them both for a
specific src IP and/or dst domain/ip for the testing period.

For the specific domains of MS and specific dst IP addresses it can be
disabled since they most likely will not host facebook/youtube/other stuff.
(if and only if this is what you are looking to use squidguard for..)

If you can run a newer version of squid, even as a VM, it would at least give
you the option to minimize the search, since 2.7 will not get an update.

There is a work in progress to build squid for Windows but I would recommend
you to run a newer version on a Linux machine.
If you do not like the CLI you can use webmin for most of your basic tasks as a
proxy/cache admin.

If you have wireshark installed on the windows machine we might be able to
see what's in the packets but I cannot guarantee that I will find the issue
in the capture.

All The Bests,
Eliezer

On 10/08/2014 01:00 AM, Mirza Dedic wrote:
> Hi Elizabeth, Thanks, I totally forgot I could use a paste like 
> service, here is the link to my squid.conf file:
> http://pastie.org/9629651 I have stripped out the comments from the 
> paste. It seems it could be HTTP 1.1 according to 
> http://blog.schertz.name/2012/12/http-utilized-lync-server/ Does this 
> mean I am out of luck with getting this to work on Squid 2.7 STABLE8? 
> I would upgrade to a higher version, however 2.7 STABLE8 is the latest 
> available version for Windows it appears.



Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-08 Thread Mirza Dedic
Thanks Amos,
It seems I spoke too fast, the proxy prompt is back, so disabling SG didn't do
the trick.
The two hits I see in access.log are:

1412778349.755141 172.16.12.110 TCP_MISS/200 462 POST http://sqm.microsoft.com/sqm/wm/sqmserver.dll - DIRECT/65.55.7.141 -
1412778349.911515 172.16.12.110 TCP_MISS/200 11695 CONNECT login.microsoftonline.com:443 - DIRECT/157.55.208.198 -

These happen when I restart the Lync program and at the time of the proxy
prompt.
My config file is here: http://pastebin.com/MSsTWum2
I spent last night trying to mess with cygwin + squid to try and tackle this
issue by upgrading to a more supported squid. I see there is a 3.3.3 published
in their repository; I got this working at home (squid starts) on a Windows 7
machine, however I am getting errors trying to start the same cygwin setup on my
win2003 remote server, getting..

2014/10/08 08:12:56| aclIpParseIpData: Bad host/IP: '::1' in '::1', flags=0 : (8) Name or service not known
FATAL: Bungled Default Configuration line 11: acl localhost src 127.0.0.1/32 ::1
Squid Cache (Version 3.3.3): Terminated abnormally.

My cygwin squid.conf is similar to 2.7, except a few changes..
http://pastebin.com/BrCG8yHL
I am confused because nowhere is acl localhost src defined in my config, and I
tried starting squid with -f to make sure I am reading in the correct
squid.conf file.
Figured I'd try the cygwin+squid route to get a more supported version going,
but I am having issues starting it on my Win2003 box (the box has multiple
network cards, so I don't know if that has anything to do with it?).
> Date: Wed, 8 Oct 2014 19:35:25 +1300
> From: squ...@treenet.co.nz
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 
> 2013 to work?
> 
> On 8/10/2014 12:17 p.m., Mirza Dedic wrote:
> > Hi Eliezer,
> > 
> > After I commented out the SquidGuard part of the config and
> > restarted squid I restart my Lync 2013 client and it connects
> > without a proxy prompt, in the log I still see the " 1412723608.354
> > 485 172.16.12.110 TCP_MISS/200 11695 CONNECT
> > login.microsoftonline.com:443 - DIRECT/65.52.244.66 -" but no
> > proxy on the client's side.
> > 
> > So, something in SquidGuard must be causing this??
> 
> Yes several things. Basically SG does not contain all of the hacks and
> disablings necessary to cope with demands NTLM places on HTTP proxies.
> Which is reasonable since its design goal is to filter HTTP traffic.
> 
> > 
> > I did not want to uncomment the NTLM because we use this to provide
> > seamless authentication for the clients, if we only allow basic it
> > will prompt for user/pass won't it?
> > 
> > We use SquidGuard as it has a pre-defined list of blocked sites, so
> > it was a quick way to add a set of blocked sites.. but this whole
> > setup is old I don't even know where the win32 binaries came from
> > for squidguard..
> 
> In which case there should be no need for you to have SG at all.
> 
> The popular blocklist/blacklist sources for SG also provide Squid
> format downloads of the same lists, or converters are easily written.
> https://www.google.com/search?q=squid+blacklist
> 
> 
> > 
> > You mentioned a 3.x being developed for Windows, is this internal
> > only or somewhere I can follow the progress?
> 
> I am the one driving that effort at present. It is a side hobby on my
> overall goal of feature parity between Squid-2 and Squid-3 - keeping
> Squid building and running on any OS Squid-2 was useful for.
> 
> The official state of Squid on Windows is documented in here:
> http://wiki.squid-cache.org/KnowledgeBase/Windows
> the newest bits are down under "Porting Efforts" for now.
> 
> Changes as they are found are being applied directly on the mainstream
> 3.HEAD version. So the regular 3.HEAD ChangeLog and bugzilla are used
> to track minor changes and issues.
> 
> Summary:
> So far I have MinGW-w64 executables of Squid-3.5 that produce "Error
> 127". yay! Any assistance figuring out what I have done wrong to get
> that is welcome. So far I think it's a missing DLL or wrong .exe
> settings going into the compiler.
> 
> Visual Studio 2012 builds are also ongoing, but will not be available
> until the Foundation provides an upstream git repository (being planned).
> 
> Personal donations welcome (<http://treenet.co.nz/projects/squid/>),
> but due to the above error 127 I am disinclined to accept contracts
> with anything like a deadline.
> 
> Amos

Re: [squid-users] Squid 2.7 STABLE8 (Win2008) can't get my MS Lync 2013 to work?

2014-10-08 Thread Mirza Dedic
Squid Cache v3.3.3 included in cygwin was ./configured with:

$ ./squid -v
Squid Cache: Version 3.3.3
'--srcdir=/usr/src/ports/squid/squid-3.3.3-2.i686/src/squid-3.3.3'
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/libexec' '--datadir=/usr/share' '--localstatedir=/var'
'--sysconfdir=/etc' '--libdir=/usr/lib' '--datarootdir=/usr/share'
'--docdir=/usr/share/doc/squid' '--htmldir=/usr/share/doc/squid/html' '-C'
'--sysconfdir=/etc/squid' '--datadir=/usr/share/squid'
'--libexecdir=/usr/lib/squid' '--disable-strict-error-checking'
'--with-logdir=/var/log/squid' '--with-swapdir=/var/cache/squid'
'--with-pidfile=/var/run/squid.pid' '--enable-ssl' '--enable-esi'
'--enable-disk-io=AIO,Blocking,DiskThreads,IpcIo,Mmapped'
'--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,POP3,RADIUS,SASL,SMB,fake,getpwnam'
'--enable-auth-ntlm=fake,smb_lm' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=LDAP_group,SQL_session,eDirectory_userip,file_userip,kerberos_ldap_group,session,time_quota,unix_group,wbinfo_group'
'--with-filedescriptors=3072' 'CC=gcc'
'CFLAGS=-ggdb -O2 -pipe -Wimplicit-function-declaration -fdebug-prefix-map=/usr/src/ports/squid/squid-3.3.3-2.i686/build=/usr/src/debug/squid-3.3.3-2 -fdebug-prefix-map=/usr/src/ports/squid/squid-3.3.3-2.i686/src/squid-3.3.3=/usr/src/debug/squid-3.3.3-2'
'LDFLAGS=' 'LIBS=' 'CPPFLAGS=' 'CXX=g++'
'CXXFLAGS=-ggdb -O2 -pipe -fdebug-prefix-map=/usr/src/ports/squid/squid-3.3.3-2.i686/build=/usr/src/debug/squid-3.3.3-2 -fdebug-prefix-map=/usr/src/ports/squid/squid-3.3.3-2.i686/src/squid-3.3.3=/usr/src/debug/squid-3.3.3-2'
Running squid -X log is here: http://pastebin.com/7f5U4k9W

[squid-users] cygwin (running on Win2K3 and 2K8) + squid 3.3.3 + negotiate_kerberos_auth

2014-10-12 Thread Mirza Dedic
I've got a Squid 3.3.3 running on a Windows 2003 (and 2008) box via CYGWIN,
works with the basic config.

My next step is to put some authentication in place, in this case
Kerberos using..

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/vis-squid.VAND1.OPPY.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

Before I can do this, I need to get a keytab file and set up the proper SPNs;
on CYGWIN we don't have Samba so I am using msktutil to create the computer
account and keytab/SPNs, specifically one that works under CYGWIN
(https://github.com/fd00/yacp/tree/master/msktutil).

When I try to create the keytab as per
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos by
running...

msktutil -c -b "CN=computers" -s HTTP/xxx-squid.MY.DOMAIN.COM -k /etc/squid/PROXY.keytab --computer-name xxx-squid --upn HTTP/xxx-squid.MY.DOMAIN.COM --server DCSRV02 --enctypes 28 --verbose

It runs but dies at..

-- ldap_get_pwdLastSet: pwdLastSet is 130576191605205669
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576191607895789
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
The syntax of this command is:

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
  HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
  SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Setting samba secret failed with error code 256
Error: set_password failed
Hint: Does your password policy allow to change vis-squid's password?
  For example, there could be a "Minimum password age" policy preventing
  passwords from being changed too frequently. If so, you can reset the
  password instead of changing it using the --user-creds-only option.
  Be aware that you need a ticket of a user with administrative privileges
  for that.
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

Looks like it is trying to use Samba's "net" command, which is different from
the net command above (Windows). So I edited
http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp
and commented out the block of code that tries to run the "net changesecretpw"
samba cmd (I thought the whole purpose of msktutil was an alternative way to
perform net ads keytab create, so why is it running that cmdlet?), then
re-compiled msktutil and re-ran it..

It went through this time with..

-- ldap_get_pwdLastSet: pwdLastSet is 130576324675479078
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
-- set_password: Successfully set samba machine trust account password
-- ldap_add_principal: Checking that adding principal HTTP/xxx-squid.MY.DOMAIN.COM to vis-squid won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/xxx-squid.MY.DOMAIN.COM to LDAP entry
-- execute: Updating all entries for rmt-server01.MY.DOMAIN.COM in the keytab WRFILE:/etc/squid/PROXY.keytab

-- update_keytab: Updating all entires for vis-squid
-- ldap_get_kvno: KVNO is 4
-- add_principal_keytab: Adding principal to keytab: vis-squid
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/xxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

In AD I can see a new user account named "xxx-squid" (should this not be a
computer object instead of a user object?), so now back to Squid
(stop/start) and trying to hit google.com via IE9/IE10/IE11 I get..

2014/10/12 17:37:14 kid1| ERROR: Negotiate Authentication validating user.
Error returned 'BH gss_accept_sec_context() failed: Unspecified GS

Re: [squid-users] some question about compiling squid with Cygwin

2014-10-14 Thread Mirza Dedic
You should be able to grab SQUID 3.3.3 from Cygwin and compile it there without
issues.
When working within cygwin get the "cygport" program, as there is a specific
squid.cygport install file that extracts the squid source, applies cygwin
specific patches and compiles it for you.
If you are running this on a Win2003 box (x86) with no IPv6, you'll need a small
patch that fixes the built-in ACL that causes the executable to crash
(https://bugs.freebsd.org/bugzilla/attachment.cgi?id=132625&action=diff).
I've been testing this the last few days to replace our outdated SQUID 2.7 on
Windows and it looks promising so far... got it in PROD at a small site with
about 20 people and it's running fine.
> Date: Tue, 14 Oct 2014 20:55:51 +1300
> From: squ...@treenet.co.nz
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] some question about compiling squid with Cygwin
> 
> On 14/10/2014 7:17 p.m., lionx...@gmail.com wrote:
> > Hello, everybody!
> > 
> > Recently I need to run squid 3.x (x >= 1) on Windows, and I found the
> > related wiki at this URL:
> > 
> > http://wiki.squid-cache.org/KnowledgeBase/Windows
> > 
> > From this I know there are two methods of running squid on
> > Windows: 1. Compiling with Cygwin 2. Compiling with MinGW, and squid
> > series 3 has major build issues on all Windows compiler systems.
> > And there is no solution to the issues about compiling with MinGW.
> > 
> > But then I read that there have been unconfirmed reports from
> > some users of building up to squid-3.3 successfully and producing a
> > usable executable. The Cygwin project provides version 3.3.3 packages.
> > 
> > I was excited. I tried it immediately, but I failed when I tried to make it.
> > I had successfully compiled squid-2.7 in the same environment.
> > 
> > So, are there people who have compiled squid 3.3.3 with Cygwin
> > successfully, and can give me some help?
> 
> The download URLs referenced under
> 
> includes both binary and source packages which are being used to build.
> 
> Please check if you are using that src package rather than the
> upstream release tarball. There may be cygwin specific patches applied
> to it.
> 
> Also, if you need to build any features not included in the provided
> binary package then you may consider the feature untested possibly
> either not building or working. There may be some support from Cygwin
> regarding those situations, but the upstream target for resuming
> Windows support is 3.5 series.
> 
> Amos
> 


[squid-users] Best way to deny access to URLs in Squid 3.3.x?

2014-10-14 Thread Mirza Dedic
Just curious, what are some of you doing in your Squid environment as far as 
URL filtering goes? It seems there are a few options out there.. squidguard... 
dansguardian.. plain block lists.
What is the best practice to implement some sort of block list into squid? I've 
found urlblacklist.com that has a pretty good broken down URL block list by 
category, what would be the best way to go.. use dansguardian with this list or 
set it up in squid.conf as an "acl dstdomain" and feed in the block list file 
without calling an external helper application?
Thanks.


[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

2014-10-14 Thread Mirza Dedic
Trying to understand what I am doing wrong with my ACLs (yes I've read the ACL
guide on the squid site.. but still confused).. My client is 172.16.10.101, trying
to block access to facebook (and other dstdomain file lists), but it is not
working; from the client I can still access fb.
Is this because I have this rule below..?

acl localnet src 172.16.0.0/12
http_access allow localnet

Instead of denying everything access and manually maintaining rules, I want to
allow http/https access for everything except explicitly defined ACLs (in this
case the facebook acl as a test).
I've tried to set debugging to debug_options ALL,1 33,2 to see more info on
ACLs (read on some site this is the debug flags to set) but I don't see any ACL
details in my access.log file.
My squid.conf (for SQUID 3.3.3) file is below..
acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network

acl SSL_ports port 443 8180 8443 563 1494 2598 8531
acl Safe_ports port 80                          # http
acl Safe_ports port 81                          # http for Pacific Brokerage
acl Safe_ports port 21                          # ftp
acl Safe_ports port 443 563                     # http
acl Safe_ports port 70                          # gopher
acl Safe_ports port 210                         # wais
acl Safe_ports port 280                         # http-mgmt
acl Safe_ports port 488                         # gss-http
acl Safe_ports port 591                         # filemaker
acl Safe_ports port 777                         # multiling http
acl Safe_ports port 8080 8081 8082 8088 8180
acl Safe_ports port 3128                        # Squid http server
acl Safe_ports port 1494 2598                   # ICA - Citrix
acl Safe_ports port 7000 8000                   # Oracle
acl Safe_ports port 9000                        # Oracle
acl Safe_ports port 8530                        # WSUS
acl Safe_ports port 55905                       # WSUS
acl Safe_ports port 1025-65535                  # unregistered ports
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

acl ads dstdomain "/etc/squid/blacklists/ads/domains"
acl adult dstdomain "/etc/squid/blacklists/adult/domains"
acl gambling dstdomain "/etc/squid/blacklists/gambling/domains"
acl fb dstdomain .facebook.com

http_access allow localnet
http_access allow localhost
http_access deny ads adult gambling fb
http_access deny all

http_port 8080
dns_nameservers 172.16.11.3 172.16.11.2 172.16.11.1
visible_hostname www-proxy
hierarchy_stoplist cgi-bin ?
logformat oppy %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %


Re: [squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

2014-10-15 Thread Mirza Dedic
Thanks Walter and Amos, I've taken your advice and now I got the blocking to
partially work. I've re-organized how my ACLs are set up (order) and am using your
examples, Walter, to implement my ACLs.

Working on the facebook example, I have..

acl block_domains_regex dstdom_regex -i "/etc/squid/block-domains-regex-list-acl.squid"
deny_info ERR_URL_BLOCKED block_domains_regex
http_access deny block_domains_regex

In the acl file, I have..

.*\.facebook\.com.*

According to http://www.regexr.com this blocks:

https://www.facebook.com
https://www.facebook.com/something
https://something.facebook.com
www.facebook.com
http://www.facebook.com

However, it will not block..

https://facebook.com
http://facebook.com

I can't seem to get this right to block the bottom 2, any ideas?

Date: Wed, 15 Oct 2014 08:46:44 +0200
From: walte...@mathemainzel.info
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] http_access deny for dstdomain acl not denying 
access to url.. what am I doing wrong?


On 15.10.2014 08:13, Amos Jeffries wrote:
> And the key difference in these configs is not the ACL contents, but
> the ordering in which they are matched.
>
> Mirza's config starts by telling Squid everything on the LAN/localnet
> is allowed. Ok, fine, Squid will do that.
>
> Walter's config will tell Squid a limited set of things to allow, then
> some things to deny, then implicitly allow everything else [1][2].
> Whichever rule actually matches the FB requests will be applied by
> Squid, with a limited set of initial allow/bypass the likelihood that
> a deny following will match is higher.
>
>
> [1] this is not a great situation, because any remote attack which can
> figure out a way past your regex ACLs can use the proxy for whatever
> they please[2].
>
> [2] I hope you just omitted the localnet ACL checks which should
> follow the ones you showed.
>
> Amos
Yes I omitted this:

acl localnet src 192.168.0.0/16

on top of squid.conf and

http_access allow localnet
http_access allow localhost

below the listed ACL rules;

Walter


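The ordering effect Amos describes, plus two things the threads above run into (the ANDed terms on the posted "http_access deny ads adult gambling fb" line, and the dstdom_regex pattern that misses the bare host facebook.com), as an added Python model of Squid's first-match evaluation. This is illustration code written for these posts, not Squid's own; the ACL names, rule lists and the inline domain-list file are constructed, and "all" is modelled as src 0.0.0.0/0.

```python
"""Model of Squid http_access evaluation and dstdomain / dstdom_regex matching.
Added illustration for this thread; it is not Squid code. ACL names, rule
lists and the domain-list text below are constructed."""
import ipaddress
import re

# Constructed stand-in for a dstdomain list file such as
# /etc/squid/blacklists/ads/domains (one entry per line, '#' starts a comment).
ADS_DOMAINS_FILE = """\
# constructed sample list
.doubleclick.example
ads.example.com
"""


def load_domains(text):
    """Parse a dstdomain list file into a list of patterns."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def dstdomain_matches(pattern, host):
    """Squid dstdomain semantics: a leading dot matches the domain itself
    and every subdomain; without the dot the host must match exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


class Acl:
    def __init__(self, kind, values):
        self.kind, self.values = kind, values

    def matches(self, request):
        if self.kind == "src":
            ip = ipaddress.ip_address(request["src"])
            return any(ip in ipaddress.ip_network(v) for v in self.values)
        if self.kind == "dstdomain":
            return any(dstdomain_matches(v, request["host"]) for v in self.values)
        if self.kind == "dstdom_regex":  # the -i flag is modelled as IGNORECASE
            return any(re.search(v, request["host"], re.IGNORECASE)
                       for v in self.values)
        raise ValueError("unsupported acl type: " + self.kind)


def http_access(rules, acls, request):
    """First-match evaluation as Squid does it: every ACL named on one line
    must match (AND), separate lines are alternatives (OR), '!' negates.
    With no match the result is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")].matches(request) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


ACLS = {
    "localnet": Acl("src", ["172.16.0.0/12"]),
    "localhost": Acl("src", ["127.0.0.1/32"]),
    "all": Acl("src", ["0.0.0.0/0"]),
    "ads": Acl("dstdomain", load_domains(ADS_DOMAINS_FILE)),
    "fb": Acl("dstdomain", [".facebook.com"]),
    "fb_regex": Acl("dstdom_regex", [r".*\.facebook\.com.*"]),
}

# Order as posted: the allow for the LAN is reached before any deny line.
POSTED_RULES = [("allow", ["localnet"]), ("allow", ["localhost"]),
                ("deny", ["ads", "fb"]), ("deny", ["all"])]

# Denies first, but 'deny ads fb' on ONE line requires both ACLs to match,
# which no single host can do, so the line never fires.
ANDED_RULES = [("deny", ["ads", "fb"]), ("allow", ["localnet"]),
               ("deny", ["all"])]

# One deny line per list, placed before the LAN allow.
FIXED_RULES = [("deny", ["ads"]), ("deny", ["fb"]), ("allow", ["localnet"]),
               ("allow", ["localhost"]), ("deny", ["all"])]


def decide(rules, src, host):
    return http_access(rules, ACLS, {"src": src, "host": host})


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("anded", ANDED_RULES),
                        ("fixed", FIXED_RULES)):
        print(name, decide(rules, "172.16.10.101", "www.facebook.com"))
    # The regex needs a dot before 'facebook', so the apex host escapes it.
    for host in ("www.facebook.com", "facebook.com"):
        print(host, "regex:", ACLS["fb_regex"].matches({"host": host}),
              "dstdomain:", ACLS["fb"].matches({"host": host}))
```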


[squid-users] Unable to determine IP address from hostname ?

2015-02-09 Thread Mirza Dedic
I have users getting quite frequently this error in Squid..

Unable to determine IP address from hostname.
"The DNS server returned no DNS records"

I have in my squid.conf setup..

dns_nameservers 8.8.8.8 8.8.4.4
dns_timeout 5 second

It seems random, but 5 seconds should be enough and we're resolving against
Google public DNS servers.

The sites it is unable to resolve are up (expedia.com, and other sites that
usually don't go down).

Is there anything else I can do?