Hi Enfal,
Do you run also samba on the server ? If so samba may change the AD
host entry to which your keytab is associated. This means your keytab gets out
of sync with AD.
Markus
"Enfal Gok" wrote in message
news:pawpr03mb9010df5eec64c9a281a03b24f4...@pawpr03mb901
I see, I think this would mean using Basic Auth to proxy1 which then gets a
Kerberos ticket for the user to authenticate to proxy2. This is possible,
but I would not think it is a good secure option.
Regards
Markus
"Grant Taylor" wrote in message
news:a2070fca-07fd-9a67-3f23
GSS_C_NO_NAME option to select either key.
A second option is to add a second service principal name to the proxy2 AD
account and use -s GSS_C_NO_NAME.
Regards
Markus
"Amos Jeffries" wrote in message
news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz...
On 14/10/21 8:48 am, Mark
I think you talk about a kdc proxy, which is for another case.
Regards
Markus
"Grant Taylor" wrote in message
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerb
will be rejected.
Markus
"Amos Jeffries" wrote in message
news:ac36f75f-97c7-211e-a5bd-b12b7035a...@treenet.co.nz...
On 12/10/21 9:33 pm, 森 隆聡 wrote:
I made Single Sign On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) ->
"Alex Rousskov" wrote in message
news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com...
On 10/9/21 1:46 PM, Markus Moeller wrote:
i try to find a way how squid can "route" all Internet
domains to a default proxy and a subset of well defined domains to the
"Alex Rousskov" wrote in message
news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com...
On 10/9/21 9:06 AM, Markus Moeller wrote:
Hi,
I have now tested with the below config and I see my first request
works, but the second fails. So I am not sure if it is still a
con
CT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
--
Thank you
Markus
"Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io...
I understand now better the concept.
Thank you
Markus
"Alex Rousskov" wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...
On 10/8/21 8:02 PM, Markus Moeller wrote:
I try to setup a proxy chain, but don't get the setup right. I have o
t why ?
Thank you
Markus
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localn
What does the cache log show ?
Markus
"Alex Gutiérrez" wrote in message
news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu...
Hi community, recently I install an old UBT 18.04 with squid 3. I use to
authenticate my users kerberos.
Everything seems great, but my all my users a
Hi Klaus,
The negotiate_kerberos_auth helper is not intended to run on Windows.
How did you compile it ?
Markus
"Klaus Westkamp" wrote in message
news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net...
Hi,
I dug a little further (but I'm no expert in WinDBG):
At
CNAMEs
and then merge the keys into one keytab to be used on all squid servers.
Kind Regards
Markus
"L.P.H. van Belle" wrote in message
news:vmime.5f1aa165.2c44.7eb4bc368bae...@ms249-lin-003.rotterdam.bazuin.nl...
forgot 1 thing. (sorry)
#
adduser proxyuser winbind_priv
or things
the client Kerberos cache e.g. by logging out and in again
or use klist purge ?
Markus
"Amos Jeffries" wrote in message
news:704e36b3-4cd8-611c-0643-231c02045...@treenet.co.nz...
On 25/07/20 2:48 am, Klaus Brandl wrote:
sorry, I did not find this script, and the binary is not av
Hi Amos,
Is there any reason that kerberos_sid_group is not included in the tar ?
Thank you
Markus
"Amos Jeffries" wrote in message
news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz...
The Squid HTTP Proxy team is very pleased to an
tiate_kerberos_auth -d -t none -k $dir/squid.keytab -s
GSS_C_NO_NAME
Markus
"Alex Rousskov" wrote in message
news:63ddace0-2bde-9ab6-1fd8-c53afa2dd...@measurement-factory.com...
On 09/04/2018 09:22 AM, Silamael wrote:
At moment a helper will call exit(0) after 1 requests.
go
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you want also authorisation (PAC data) in your
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
Can you capture the traffic on port 88 ? Heimdal has not helpful messages, so
seeing the real traffic may help identifying the issue.
Kinit should create an AS req/rep
the test program creates a TGS req/rep
Example attached if it gets through.
Markus
"Panagiotis Bariamis" wrote
server
Markus
"Jeroen Ruijter" wrote in message
news:510fcecd6e595a4d83bf67fc07028e7507c99...@bhmb-01.bnh.local...
I believe this has to be the problem, but how do I solve it? Its almost at
the end of the whole listing
support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_
d when how do they influence squid and
the connection?
any hints, ideas...
Kind regards
Markus Rietzler
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
4| test_ACL: user=administra...@samba.home
2017/08/08 20:02:24| test_ACL:
groups=AQUAAAUVjxbSIudxUpznEbHVCAIAAA==,AQUAAAUVjxbSIudxUpznEbHVPAIAAA==,AQUAAAUVjxbSIudxUpznEbHVBwIAAA==,AQUAAAUVjxbSIudxUpznEbHVBgIAAA==,AQUAAAUVjxbSIudxUpznEbHVAAIAAA==,AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group:
AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
Regards
Markus
y/download/5B257B96A465517EB839F3C078665EE83AE7F0EE:
AIA for Root CA.
Since squid is sslbumping the connection, it must be doing the AIA
lookups (presumably for SSL verification). Does anybody have an idea why
it is blocking its own requests?
Best /markus
On 03/21/2017 11:35 AM, Markus Wernig wrote:
> Hi all
>
> I have conf
AQ and wiki, but couldn't find anything on the topic.
Thanks & best
/markus
f Rafael Akchurin
> Sent: 09 March 2017 17:01
> To: Amos Jeffries; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> Hello Amos, Markus, all,
>
> Just as a side note - I also suffered from this error sometime before
>
id-cache.org] On
> behalf of Amos Jeffries
> Sent: Thursday, 9 March 2017 17:12
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] microsoft edge and proxy auth not working
>
> On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
> ) wrote:
>
i should add that we are using squid 3.5.24.
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> behalf of Rietzler, Markus (RZF, Aufg 324 / )
> Sent: Wednesday, 8 March 2017 11:26
> To: squid-users@lists.squid-cach
with connection-auth allowed.
but not for proxy-auth.
is there any option in squid.conf which prevents Edge to do a successful auth?
http://www.wuppertal-live.de/A0.gif
Kind regards
Markus Rietzler
then your name or config does not match up.
Markus
"Rick" wrote in message news:20161125110932.760cfeda@chavez...
FreeBSD 10.3 / Samba42 / Squid 3.5
All the net ads / kinit / keytab stuff seems okay however hitting Squid
from a Windows box using IE 11 results in repeated p
Hi
Did you try the debug option -d for ext_kerberos_ldap_group_acl to get
some debug ? Maybe it gives some indication of the problem ?
Markus
"erdosain9" wrote in message
news:1474570767416-4679652.p...@n4.nabble.com...
So, i have a little more of info
this is config
###Ker
Hi Silamael,
Can you perform a kinit u...@example.com ? Does the squid user have
read access to krb5.conf ?
Markus
"Silamael Darkomen" wrote in message
news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...
Hello,
I'm currently working on setting up our proxy
the keytab invalid.
Markus
"L.P.H. van Belle" wrote in message
news:vmime.57c3e5ca.28ab.73ab0c8662c33...@ms249-lin-003.rotterdam.bazuin.nl...
Hello Markus,
Thank you for the explanation, that helped a lot.
I use the TLS_CACERTFILE in the init script now and that wo
0}END{print "QQ"}' |
/opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s
HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command
Anyway the basic check looks good. You now just need to run the helper with
squid. I will see if I can crea
(e.g. AD) as user
first.
Regards
Markus
"Marcio Demetrio Bacci" wrote in message
news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...
I have trouble to authenticate Squid3 with kerberos in Samba4 domain. I'm using
CentOS 7 and Squid 3.3.8 (yum install squid
and check if the CACERTFILE variable is already set.
Kind regards
Markus
"L.P.H. van Belle" wrote in message
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...
Ok reply to myself so other users know this also.
if you create a user for the HTTP servic
.
Markus
"L.P.H. van Belle" wrote in message
news:vmime.57beabe1.6a01.3a47ad2737b8d...@ms249-lin-003.rotterdam.bazuin.nl...
Hai,
I’ve added the needed upn, setup the _ldaps in the dns zones, thats ok now.
The last part, here i need some help.
support_ldap.cc(942): pid=26693 :201
/hostname.domain@domain.org -d
Then you get debug output in your cache.log file.
Markus
"Markus Moeller" wrote in message
news:nikoqr$i2m$1...@ger.gmane.org...
What does the log say when you use the -d option with the helper
Markus
"Nilesh Gavali" wrote in message
news
Hi Michael,
Yes you should be able to set an environment variable KRB5RCACHEDIR in your
startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache
type.
Markus
"Michael Pelletier" wrote in message
news:caencsg74pkxndiasr4yfgy9uuzqhk21jl5uytzxp6_tmpeu...@mail
account, unless you are using a forest trust. Then you could define a
Kerberos Forest Search Order
Markus
"akn ab" wrote in message
news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...
Hello Markus,
first of all thank you for your reply, today i
Markus
"akn ab" wrote in message
news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...
Dear all,
i'm having a problem in configuring my squid 3.5.15 with negotiated kerberos
authentication in my Mono Forest Multi Domains.
My FATHER.COM is
You are welcome
Markus
"Victor Sudakov" wrote in message
news:20160305180102.ga94...@admin.sibptus.tomsk.ru...
Markus Moeller wrote:
If I look at the wireshark capture details I see that the client is
sending
a key of version 3( kvno) , but the keytab is version 1. This will
)
kvno: 3
cipher:
265a0b2badd3eb5a0677731ae8a61f5ca6b1c63c466defe9...
authenticator
"Victor Sudakov" wrote in message
news:20160305112825.ga91...@admin.sibptus.tomsk.ru...
Markus Moeller wrote:
What does
Hi Victor,
What does the squid log say when you use -d for the authentication
helper ?
Can you provide a wireshark capture from the client ? I guess that
2008 is using AES not RC4.
Markus
"Victor Sudakov" wrote in message
news:20160304162923.gb81...@admin.sibptu
Hi Markus,
When you say authentication does not work, do you mean Kerberos
authentication or Kerberos and NTLM ? Can you add a -d for debug to the
Kerberos authentication helper and provide the log file messages ?
Can you also provide the content of the keytab ?
Regards
Markus
"M
ss auth
http_access deny BlockedSites
http_access deny BlockedSocialnet
http_access deny BlockedWebmail
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all
# The End
#
+-+
You have new mail in /var/spool/mail/root
best regards
Markus
ct,
to tell me, that the only possible way is continuous
observation what's new "on market" and adding new rules?
many thanks for explanation!
Markus
re complicated case:
http://6web.pl/~mserafin/putty_zip.txt (it's a regular ZIP file with
putty.exe inside)
Can ICAP-Clamav deal with it?
thx!
On Sun, Dec 13, 2015 at 9:47 PM, Yuri Voinov wrote:
>
>
> Finally,
>
>
lutions:
>
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/eCAP
>
> No need to block any and all executables in the world. Just enough to
> check it with AV-engine. ;)
>
> 13.12.15 18:31, Mark
ssible, what about performance in real environment?
maybe there's a way to analyze only the first bytes of the incoming
stream?
greetings
Markus
PS
if the string 'MZ' is too short, we can also use 'This program cannot
be run in DOS mode' (this
Hi Alex,
Yes I talk about the AD computer account password.
Markus
"Alex Samad" wrote in message
news:CAJ+Q1PVw1rrSvMUjzqbp_QNUAVwN=r7rqrg0lt94hv3v3o9...@mail.gmail.com...
so when I do kinit I should use a different account to the samba one.
I'm lost sorry.
when I atta
Hi,
The issue appears if you use the same AD account for samba and the
kerberos keytab creation. As samba will reset the password of the AD
account and thereby invalidate the extracted keytab.
Markus
"Alex Samad" wrote in message
news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFr
What other output do you get when using -d ( i.e. enable debug output) ? It
may indicate the reason for your return message.
Markus
"Michael Pelletier" wrote in message
news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com...
Hello,
I am building a new squ
NegoEx after failing with
Kerberos and before trying NTLM. If on the client NegoEx is successful then
NTLM will not be attempted. And I think that is the case here. Do you know if
NegoEx is used on the client ?
Does anybody else know about NegoEx ?
Markus
From: Olivier CALVANO
Sent: Tuesday
us/library/dd560645%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
That is not supported.
Markus
"Olivier CALVANO" wrote in message
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi
i test a authentification AD with Kerberos/Ntlm
### neg
Hi Olivier,
Which Kerberos version do you use ? MIT or Heimdal ?
Markus
"Olivier CALVANO" wrote in message
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi
i test a authentification AD with Kerberos/Ntlm
### negotiate kerberos and ntlm auth
What happens if you adjust the system time to be in sync with the AD server ?
Markus
"Михаил" wrote in message
news:1462781444845...@web15m.yandex.ru...
Hi All!
Sometime I get a error message and squid stop:
2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator processes
Hi Paul,
negotiate_kerberos_auth is for Unix only.
Regards
Markus
"MORRIS Paul [Tuart College]" wrote in message
news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal...
Hi,
I am trying without success to use the "negotiate_kerberos_auth.e
client machine. If the
user does not lock/unlock his PC there won’t be any update to the cached
ticket and therefore not to the group membership information in the ticket
either.
Regards
Markus
"Heine, Enrico" wrote in message
news:c821a938e46c6278b4cc39912760b408bb84f...@dat
mount of time"
If it is, i dunno why. I got this error right when i tried to open the
webpage for the very first time.
Hope someone can help me.
best regards
Markus
___
Markus Preis
Berge & Meer Touristik GmbH
And
the PC to the AD server of the
domain DOMAIN.COM ( I assume you have given out some AD guest accounts to the
none domain PC )
Regards
Markus
"L.P.H. van Belle" wrote in message
news:vmime.55d2d089.2ba7.1a22bdbf5ed74...@ms249-lin-003.rotterdam.bazuin.nl...
Nobody any hint where the
So this worked ?
Markus
"Olivier CALVANO" wrote in message
news:cajajpeddju9t4qaipsmt-5jusn4gf6nj0pff3jbj+bzxztx...@mail.gmail.com...
hoo i have deleted "--enctypes 28"
and now:
[root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s
HTTP/ophtcysrv1
Hi Olivier,
You may need to check with the msktutil authors as this is not directly
related to squid.
Regards
Markus
"Olivier CALVANO" wrote in message
news:CAJajPecBcrbW+jtiwF2J=ujz4kwdtwf6opzjf56pvz+-gfn...@mail.gmail.com...
Hi
i have compiled the 1.0rc version :
[root@g
Did you compile msktutil or is it a package in centos ?
Markus
"Olivier CALVANO" wrote in message
news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...
Hi
Thanks for your answer
CentOS Linux release 7.1.1503 (Core)
krb5-workstation-1.12.2-14.el7.x86_64
Which OS and Kerberos version do you have ? There might be some issue with the
cache used KEYRING:persistent:0:0
Markus
"Olivier CALVANO" wrote in message
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
Hi
I request your help because i want use NTLM/Ke
bugs:
http://bugs.squid-cache.org/show_bug.cgi?id=3997
http://bugs.squid-cache.org/show_bug.cgi?id=4190
Kind regards
Markus Rietzler
Rechenzentrum der Finanzverwaltung NRW
Hi Joao,
OK now you use the authentication rule.
How did you create the keytab ? Does the hostname match the keytab entry ?
Can you run the helper with -d to get more debug ?
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller
Hi Joao
Then you hit
http_access allow localnet
and not
http_access allow ad_auth
Comment out the following line in squid.conf
http_access allow localnet
and try again.
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 11:38 PM
To: Markus Moeller
Subject: Re
Hi,
From which network do you surf ? From localnet ?
Can you send sample log entries ?
Markus
From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question
squid.conf
visible_hostname
How does the config file look like ?
Markus
"Joao Paulo Monticelli Gaspar" wrote in message
news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...
Hey people
I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID
integrate to a
Do you get any more details when you start the wrapper with -d ?
Markus
"Donny Vibianto" wrote in message
news:CAC49LV6SRXbiFcGxqZgAoaHPj1qeifERtSN63ZrDsa_b=iw...@mail.gmail.com...
anyone please...?
On Sat, Mar 7, 2015 at 10:02 PM, Donny Vibianto
wrote:
Hi Guys,
After
Oh pretty old bug.
Thank you
Markus
"Amos Jeffries" wrote in message news:54f26815.4020...@treenet.co.nz...
On 1/03/2015 4:55 a.m., Markus Moeller wrote:
Hi,
I wonder about the total size variables st for squid logs
# st Received request size including HTTP heade
Good to hear. It seems freebsd has com_err.h why I did not come across it
lately.
Markus
"Simon Stäheli" wrote in message
news:ee58fc57-6b97-4de6-9fdf-2881209a5...@open.ch...
On 14.02.2015, at 15:43, Markus Moeller wrote:
On 12.02.2015, at 17:58, Amos Jeffries wrote:
d with
heimdal. I update my trunk version at
https://code.launchpad.net/~huaraz/squid/kerberos-updates. Can you test with
that and if OK I will ask to include the updates.
Amos
Hi Ludovit,
Yes the client determines the encryption strength and squid needs to have
all of them in the keytab (You can disallow DES or other weak encryption by
not adding these encryptions to the keytab).
Regards
Markus
"Ludovit Koren" wrote in message news:86lhk0j2xe
It could be the new AD server is setup to be backward compatible meaning
it uses RC4 despite being able to use AES. I suggest you create an additional
keytab entry for RC4. How did you create the keytab ?
Markus
"Ludovit Koren" wrote in message news:86mw4hbl56@gmail.com..
Hi Ludovit,
Firstly, these lines are contradictory
permitted_enctypes = aes128-cts-hmac-sha1-96
allow_weak_crypto = true
weak crypto is des and permitted is aes. Do you use a mixed AD environment
( 2003/2008 ) ? 2003 does not support aes.
Markus
"Ludovit Koren" wrote in me
now against
the
primary group of the user.
Thank you Markus for your explanations. I played around with
ext_kerberos_ldap_group_acl and would like to go into some details:
1) it is possible to define more than one LDAP server (e.g. for high
availability reasons)? The -l parameter allows only one
sted groups which was
not
available in the existing helper and thirdly I also check now against
the
primary group of the user.
Thank you Markus for your explanations. I played around with
ext_kerberos_ldap_group_acl and would like to go into some details:
1) it is possible to define more than
;sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html
default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
Markus
"Ludovit Koren" wrote in message news:86h9usfpsk@gmail.com...
Markus Moeller writes:
> Hi Ludovit,
> Which
Vno Type Principal Aliases
8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local@MDPT.LOCAL
Markus
"Ludovit Koren" wrote in message news:86d25i9plr@gmail.com...
Markus Moeller writes:
> Hi Ludovit,
> I haven't seen tha
r nested groups which was
not
available in the existing helper and thirdly I also check now against
the
primary group of the user.
Thank you Markus for your explanations. I played around with
ext_kerberos_ldap_group_acl and would like to go into some details:
1) it is possible to define more
squid/negotiate_kerberos_auth_test squid1.mdpt.local |
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
Markus
"Ludovit Koren" wrote in message news:86a90nxj41@gmail.com...
H
helpers.
Amos
Regards
Markus
what the differences between the two
helpers are and which one does fit my needs better. Any others?
Nothing I can pick out easily.
Do you know anything about the feature in
ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
earlier post?
"I have a new method in my squid 3.4 p
we just compiled and activated squid 3.5.1. everything works. no 100% peaks!
thanxs
markus
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> behalf of Amos Jeffries
> Sent: Monday, 19 January 2015 11:12
>
two more additions:
check the user squid is running, is this user able to access ntlm_auth.
we also had to correct access rights for
/var/lib/samba/winbindd_privilege
so that our squid-user "www" will be able to use it...
markus
> -Original Message-
>
I thought it wasn't trivial, otherwise it would have been already done. ;-)
Thank you
Markus
"Amos Jeffries" wrote in message news:54a3416f.9060...@treenet.co.nz...
On 31/12/2014 7:59 a.m., Markus Moeller wrote:
Hi Amos,
On
Hi Amos,
On 30/12/2014 3:31 p.m., Markus Moeller wrote:
Hi,
Can squid authenticate to an upstream proxy using digest ? If I saw
it right cache_peer allows basic and negotiate only (or passthrough)
Thank you
Markus
Not yet.
Amos
Is it planned to add or no real interest in it ?
Thank
Hi Ahmed,
squid is a proxy which supports Kerberos authentication.
Markus
"Ahmed Allzaeem" wrote in message
news:001201d014d3$037fda70$0a7f8f50$@netstream.ps...
Hi ,
I have a Kerberos protected website. I am making a Kerberos enabled browser.
I need to test my browser for pro
r option. it does not
matter if workers are enabled or not. with more workers the cpu rise seems to
be somewhat slower. so it is not connected to (smp)workers. it is the external
auth helper - although the squid process and not the helper does consume all
the cpu...
markus
between your AD
servers ( You said it started working after removing an unused AD server which
would support my assumption).
Regards
Markus
"Pedro Lobo" wrote in message
news:09275cec-abc1-4bc6-b4f3-546e8c5d3...@gmail.com...
Hi Markus,
When I get in to the office tomorrow, I'll d
Hi Pedro,
Can you capture the traffic from one Windows 7 on XP client on port 88 (
just after the login before access a website via squid until successful or
unsuccessful accessing the website) using wireshark ? Send me the .cap files
to check.
Markus
"Pedro Lobo" wrote
Hi Pedro,
Did you try the -s GSS_C_NO_NAME option ?
Markus
"Pedro Lobo" wrote in message
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
Hey Everybody,
Seems as though I celebrated too soon on Saturday. Today things are back to not
working for Windows 7+ machines a
Hi Pedro,
Good to know you solved it. From your post it sounded like XP worked and
Win 7 didn’t
Markus
"Pedro Lobo" wrote in message
news:75991cae-5f10-4635-b012-d372c27f8...@gmail.com...
Hi Markus,
I initially had it configured as such and changed it to auth_param negotiat
Hi Pedro,
I wonder if the upper case in the name is a problem. Can you try
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s
GSS_C_NO_NAME
instead of
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s
HTTP/proxy01tst.fake.net
Markus
Hi Pedro,
How did you create your keytab ? What does klist -ekt show ( I
assume you use MIT Kerberos) ?
Markus
"Pedro Lobo" wrote in message
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,
I'm at my wit's end and in dire need of some squid exp
the important keyword is "NTLM"!
without external auth helper squid 3.4 is working well. as soon as the external
helper is active, cpu rises to 100%. nothing with workers etc.
even the fakehelper is not working. just to make sure, that the problem is not
NTLM, samba, winbind, AD etc.
see http:/
Hi Victor,
That sounds a bit strange. Can you capture with wireshark the traffic on
port 88 on the system which has squiduser in the cache ( best after a clear
the cache with kerbtray first) when accessing squid and send it to me as cap
file ?
Markus
"Victor Sudakov" wrote