Hi Mark,
Be aware that browsers may behave differently when using CNAMEs. Some
browsers use the HTTP/ ticket and some use HTTP/
e.g. if proxy.example.com is a cname for server1.example.com on 192.168.1.2
You may need tickets for both i.e. HTTP/proxy.example.com AND
HTTP/server1.exam
Hello Mark,
You can just export the keytab generated on windows and use it on your proxy -
then there is no need to mess with proxy’s account in AD - overall this is much
easier I believe - see
https://www.diladele.com/websafety/docs/authentication/active_directory/kerberos/
And it also works
Hi,
Thanks - that makes sense and as a result I've set the reverse DNS on the
2 hosts to the round-robin DNS name.
RE: the KVNO drift issue, one suggestion was to delete the existing
machine account(s) from AD and use ktpass and set the kvno to 0.
I'd previously used msktutil (as suggested on
On 18/06/25 20:49, Mark Cairney wrote:
Hi,
I’ve been trying to get Kerberos Authentication against AD working but
have been seeing inconsistent results/behaviour across multiple OSes and
I’m not sure if the issue lies with the DNS configuration, Kerberos
itself or with the Squid config:
THE
f considered as less secure, or else only for
non-productive environments.
Best regards,
Yves
From: squid-users On Behalf Of
Mark Cairney
Sent: Wednesday, June 18, 2025 10:50 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Kerberos Auth weirdness/inconsistency when using
CN
Hi,
I’ve been trying to get Kerberos Authentication against AD working but
have been seeing inconsistent results/behaviour across multiple OSes and
I’m not sure if the issue lies with the DNS configuration, Kerberos
itself or with the Squid config:
The DNS setup is as follows:
test.squid.cl
On 2023-11-21 23:05, Andrey K wrote:
I have posted a PR: https://github.com/squid-cache/squid/pull/1597
This is my first contribution to open source. Could you please verify if
everything is OK.
Thank you for posting that pull request! Let's continue this
conversation on GitHub since squid-
Hello, Alex,
I have posted a PR: https://github.com/squid-cache/squid/pull/1597
This is my first contribution to open source. Could you please verify if
everything is OK.
Kind regards,
Ankor.
On Thu, 16 Nov 2023 at 17:01, Alex Rousskov <
rouss...@measurement-factory.com>:
> On 2023-11-16
On 2023-11-16 07:48, Andrey K wrote:
I have slightly patched the negotiate_kerberos_pac.cc to
implement ResourceGroupIds-block parsing.
Please consider posting tested changes as a GitHub Pull Request:
https://wiki.squid-cache.org/MergeProcedure#pull-request
Thank you,
Alex.
Maybe it will
Hello,
I found that negotiate_kerberos_auth helper does not see domain local AD
groups.
As it turned out, helper parses only GroupIds and ExtraSids pac-blocks,
while the information about domain local groups is placed in the
ResourceGroupIds pac-block.
I have slightly patched the negotiate_kerberos
I have one question (issue) and I hope that you can help me.
Kerberos authentication works perfectly fine when the PC is connected to
Domain and the user is authenticated.
auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -r -d -k
/usr/local/etc/squid/squidproxy.keytab
/event_14_kerberos_key_distribution_center.html
Best regards,
rafael
-Original Message-
From: squid-users On Behalf Of
Klaus Brandl
Sent: Friday, November 18, 2022 3:23 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos - Cannot decrypt ticket for HTTP
which options do you have configured for the
which options do you have configured for the auth helper?
Something like:
auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -i
Best regards
Klaus
On Friday, 18.11.2022 at 10:54 +0800, Михаил wrote:
> Hi David,
>
> Thanks for your advice but i
Hi David,
Thanks for your advice but it doesn't help me. I use an AD account which hasn't set these parameters.
Misha.
17.11.2022, 10:07, "David Touzeau" :
Hi
perhaps this one
https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
On 16/11/2022 at 05:11, Михаил wrote:
Hi
Hi
perhaps this one
https://wiki.articatech.com/en/proxy-service/troubleshooting/gss-cannot-decrypt-ticket
On 16/11/2022 at 05:11, Михаил wrote:
Hi everybody,
Could you help me to setup my new squid server? I have a problem with
keytab authorization.
2022/11/16 11:35:39| ERROR: Negotiate Au
Hi everybody,
Could you help me to setup my new squid server? I have a problem with keytab authorization.
2022/11/16 11:35:39| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more
On 10/17/21 10:57 AM, Grant Taylor wrote:
My understanding is that you can use Kerberos from client0 to proxy1 and
that proxy1 can use the same mechanism to get a special ticket to
communicate from proxy1 to proxy2 as the original user.
I looked at my copy of Kerberos - The Definitive Guide by
On 10/17/21 10:46 AM, Markus Moeller wrote:
I see, I think this would mean using Basic Auth to proxy1 which then
gets a Kerberos ticket for the user to authenticate to proxy2. This is
possible, but I would not think it is a good secure option.
I think that we're now talking about the same fu
I see, I think this would mean using Basic Auth to proxy1 which then gets a
Kerberos ticket for the user to authenticate to proxy2. This is possible,
but I would not think it is a good secure option.
Regards
Markus
"Grant Taylor" wrote in message
news:a2070fca-07fd-9a67-3f23-551c1fe77...@s
On 10/16/21 1:31 PM, Markus Moeller wrote:
I think you talk about a kdc proxy, which is for another case.
I don't think so. I'm not talking about using a proxy to access the KDC.
I'm talking about using a component of the following scenario:
1) Client uses traditional username and password
Hi Amos,
If you let me know where exactly I can add a few lines.
One way to make this setup work would be to add proxy1 also to AD like
proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using
ktutil. The negotiate_kerberos_auth handle would require the -s
GSS_C_NO_NAME
I think you talk about a kdc proxy, which is for another case.
Regards
Markus
"Grant Taylor" wrote in message
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authenticatio
On 10/13/21 1:48 PM, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the auth
On 14/10/21 8:48 am, Markus Moeller wrote:
The problem lies more in the way how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket and in this
case it would be the name of the first proxy e.g. proxy1.internal. The
first proxy will pass it through to the aut
The problem lies more in the way how Kerberos proxy authentication works.
The client uses the proxy name to create a ticket and in this case it would
be the name of the first proxy e.g. proxy1.internal. The first proxy will
pass it through to the authenticating proxy for authentication
proxy2.
On 12/10/21 9:33 pm, 森 隆聡 wrote:
I made a Single Sign On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) -> Internet
* Client is joined to the domain and Squid is configured for Kerberos Authentication with
AD.
But after adding another squid, it didn't work.
...
I made a Single Sign On environment with AD+Squid and it worked fine.
[It works]
Client(Windows) -> Squid(CentOS) -> Internet
* Client is joined to the domain and Squid is configured for Kerberos Authentication with
AD.
But after adding another squid, it didn't work.
[Does not work]
Client -> Squid(No Auth.) ->
7
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Kerberos nad keytab problem
Hello everyone,
Just my two cents too. Note you can map the *user* to the Kerberos SPN – this
lets you have your squid proxy live outside of the AD.
Just setup the dedicated
L.P.H. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem
I also had problems with msktutil.. so I suggest you try this, see below..
I'm using it for a few years and it always works (for me of course)..
It shou
On 9/25/19 11:01 AM, L.P.H. van Belle wrote:
> I also had problems with msktutil.. so I suggest you try this, see below..
> I'm using it for a few years and it always works (for me of course)..
>
> It should be pretty simple, but the site squid-cache (wiki) is in my
> opinion a bit outdated.
Anybod
var/log/squid/cache.log
Now go configure the other parts you need of squid.
And enjoy.. :-)
Greetz,
Louis
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
Tevfik Ceydeliler
Sent: Wednesday, 25 September 2019 13:59
To: squid-users@lists.squid-cache.org
Hi, I try to use kerberos in my squid. But I get an error message :
33
msktutil --auto-update --verbose --computer-name suqidpnb1 --server
dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password: Ge
Thanks again for your support Mr. Jeffries, My proxy only has 1
GB of memory :-(
Here I leave my squid.conf
###
###
On 30/03/19 3:30 am, Alex Gutiérrez Martínez wrote:
> Hello Community, I just compiled my squid 4. Everything works fine
> except integration to the Kerberos authentication server.
>
> I have already managed to integrate my ubuntu with the kerberos and the
> tickets are created correctly. Here i l
Hello Community, I just compiled my squid 4. Everything works fine
except integration to the Kerberos authentication server.
I have already managed to integrate my ubuntu with the kerberos and the
tickets are created correctly. Here I leave my configuration of the auth
in the squid
##
On 19/07/18 03:41, Victor Sudakov wrote:
>
> If there were an option to debug which "http_access" line rejects him
> I could try it.
>
Please try:
debug_options ALL,1 28,5
... and have them login. Your cache.log should then list the ACLs being
tested and what their results are.
Amos
Amos Jeffries wrote:
> >>>
> >>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having
> >>> problems
> >>> with Kerberos authentication.
> >>>
> >>> A user complained about being denied access. The strange things are that:
> >>>
> >>> 1. There was only one such user, others seemed
On 18/07/18 19:16, Victor Sudakov wrote:
> Amos Jeffries wrote:
>> On 17/07/18 14:20, Victor Sudakov wrote:
>>>
>>> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
>>> with Kerberos authentication.
>>>
>>> A user complained about being denied access. The strange things
Amos Jeffries wrote:
> On 17/07/18 14:20, Victor Sudakov wrote:
> >
> > After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> > with Kerberos authentication.
> >
> > A user complained about being denied access. The strange things are that:
> >
> > 1. There was only one
On 17/07/18 14:20, Victor Sudakov wrote:
> Dear Colleagues,
>
> After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
> with Kerberos authentication.
>
> A user complained about being denied access. The strange things are that:
>
> 1. There was only one such user, others
Dear Colleagues,
After upgrading to Squid 4.1 (from FreeBSD ports) I started having problems
with Kerberos authentication.
A user complained about being denied access. The strange things are that:
1. There was only one such user, others seemed to be authenticating
properly (or just did not com
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos Jeffrie
Can you capture the traffic on port 88? Heimdal does not have helpful messages, so
seeing the real traffic may help identify the issue.
Kinit should create an AS req/rep
the test program creates a TGS req/rep
Example attached if it gets through.
Markus
"Panagiotis Bariamis" wrote in message
ne
You don't have to join a domain. You only need a Kerberos authentication
server to get a ticket.
You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.
As Amos said you need a Kerberos client and a Browser supporting
Proxy-Negotiate.
Markus
"Amos Je
Hello my setup is as follows :
Freebsd 11 Heimdal Kerberos Server and DNS properly configured (testlab
environment for example.com domain)
Freebsd 11 squid proxy server
Windows Client
I have created a keytab from the Kerberos Server for http/squid.example.com
Proxy server machine has no problem ki
On Tue, May 8, 2018 at 9:03 AM, Amos Jeffries wrote:
> On 08/05/18 10:22, Panagiotis Bariamis wrote:
>
>
>
> >> A second question. If a non domain joined machine tries to use the proxy
> >> will there be a username password prompt where if correct credentials
> >> are presented he will be able to
On 08/05/18 10:22, Panagiotis Bariamis wrote:
> Hello,
> Is it possible with a squid kerberos only authentication setup be able
> to authenticate ie android phones to squid?
I don't have an answer for that, maybe someone else has experience. If
you have the environment available you could try it
Hello,
Is it possible with a squid kerberos only authentication setup be able to
authenticate ie android phones to squid?
A second question. If a non domain joined machine tries to use the proxy
will there be a username password prompt where if correct credentials are
presented he will be able to
On 28/02/18 07:43, erdosain9 wrote:
> Thank you Amos (sorry again Yuri).
>
> And yes, the users are complaining.
>
> The problem is this (and sorry for being recurrent with this).
>
> That value avg ms for some times goes up to 3000... and in that moment all
> stop.
>
> in the cache.log sometimes, im
Thank you Amos (sorry again Yuri).
And yes, the users are complaining.
The problem is this (and sorry for being recurrent with this).
That value avg ms for some times goes up to 3000... and in that moment all
stop.
in the cache.log sometimes, I'm getting this.
support_sasl.cc(276): pid=3729 :2018/02/
p.cc(416): pid=2951 :2018/02/20 17:02:27|
kerberos_ldap_group: DEBUG: ERR
-Original Message-
From: Jeroen Ruijter
Sent: Monday, 19 February 2018 11:19
To: 'Amos Jeffries'; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] kerberos authentication with kerberos groups
On 24/02/18 06:29, erdosain9 wrote:
> Hi to all.
> I don't know why I have these bad values. My network is working fine. How can I
> fix this? I think it is a high value.
>
> HTTP/1.1 200 OK
> Server: squid/3.5.27
> Mime-Version: 1.0
> Date: Fri, 23 Feb 2018 17:16:25 GMT
> Content-Type: text/plai
Do users complain?
23.02.2018 23:29, erdosain9 wrote:
> Hi to all.
> I don't know why I have these bad values. My network is working fine. How can I
> fix this? I think it is a high value.
>
> HTTP/1.1 200 OK
> Server: squid/3.5.27
> Mime-Version: 1.0
> Date: Fri, 23 Feb 2018 17:16:25 GMT
> Content
Hi to all.
I don't know why I have these bad values. My network is working fine. How can I
fix this? I think it is a high value.
HTTP/1.1 200 OK
Server: squid/3.5.27
Mime-Version: 1.0
Date: Fri, 23 Feb 2018 17:16:25 GMT
Content-Type: text/plain;charset=utf-8
Expires: Fri, 23 Feb 2018 17:16:25 GMT
A new problem popped up in the last couple of days in an otherwise working
environment.
Active Directory running on 2008r2
Windows 10 client
Squid 3.5.12
# squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--inc
Monday, 19 February 2018 11:19
To: 'Amos Jeffries'; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] kerberos authentication with kerberos groups
Do you advise to use capitals or small characters for the domain name?
-Original Message-
From: squid-users
-users] kerberos authentication with kerberos groups
On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>
NP: Despite what some claim, SSO is not unique to NTLM and Kerberos
authentication. It is a behaviou
as=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu'
'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2
-fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC
-DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,--as-needed -Wl,--no-undefined
On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>
NP: Despite what some claim, SSO is not unique to NTLM and Kerberos
authentication. It is a behaviour of the tools used. As such it can be
done with *any* authentication t
I'm trying to replace my basic ldap authentication by kerberos single sign on.
The user can successfully login with single sign on, but I have restrictions on
groups and that is where it goes wrong.
I would like to use -r to trim the domain name, but when I do so it seems to
work even less.
Someone
Looks like since posting the log the problem has disappeared for all 5 of my
test users; since nothing has been changed on the network, could it have
been caused by a Firefox and Chrome bug that has been recently fixed (I
don't recall ever seeing the problem on IE)? Does anyone know of the
existenc
I've just had the problem happen again (usually it happens after a long
period of inactivity, e.g. when trying to load the first web page in the
morning).
Here's the log: https://pastebin.com/fFTJNiKf
I'm looking into getting the output from squidclient but I have to try and
reproduce the probl
On 28.07.2017 at 10:46, Grey wrote:
Should I wait for the error to appear and post the section relevant to the
time when it occurs?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224p4683232.html
Sent fro
Should I wait for the error to appear and post the section relevant to the
time when it occurs?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224p4683232.html
Sent from the Squid - Users mailing list archive
On 2017-07-27 10:27, Grey wrote:
Hi,
I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've
successfully setup Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is tha
Hi,
I'm trying to setup a proxy server using Squid 3.5.23 on Debian 9; I've
successfully setup Kerberos authentication generating the keytab file with
ktutil and manually setting the required SPN on my Windows domain
controller.
The problem I'm encountering is that sometimes (right now I'm the only
On 11/11/2016 7:50 p.m., Tevfik Ceydeliler wrote:
> Here is the problem,
>
> When I set my browser proxy configuration as "squiddc1.DOMAIN.grp " and
> then start to browse, I can't see "usern...@domain.grp" log entry in
> access.log.
>
> I think, It means that kerberos does not work.
>
> Have you any
Hi,
I try to configure squid by using AD authentication via Kerberos.
And I have a keytab by using msktutil (PROXY.keytab)
I can run kinit, klist, wbinfo (-g, -u, -t) commands without any error.
here is my authparam configuration:
###
so... any advice about this??
Thanks!
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-appropriate-log-file-tp4679740p4679901.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Hi.
yes, I see this now.
it's strange... authentication is working fine... I can surf the web... but
I'm having some error in cache.log...
tail -f /var/log/squid/cache.log
2016/09/29 15:43:37 kid1| Adding nameserver 192.168.1.10 from squid.conf
2016/09/29 15:43:37 kid1| Adding nameserver 192.168.1
On 29/09/2016 3:02 a.m., erdosain9 wrote:
> Hi.
> Sorry for my ignorance, but, I have squid authentication with kerberos...
>
> all is working fine...
>
> but I have some behavior in cache.log that... I don't know if this is the
> expected, or there is some problem
>
> because the file is goi
On Wednesday 28 September 2016 at 16:02:42, erdosain9 wrote:
> Hi.
> Sorry for my ignorance, but, I have squid authentication with kerberos...
>
> all is working fine...
>
> but I have some behavior in cache.log that... I don't know if this is the
> expected, or there is some problem
>
> bec
Hi.
Sorry for my ignorance, but, I have squid authentication with kerberos...
all is working fine...
but I have some behavior in cache.log that... I don't know if this is the
expected, or there is some problem
because the file is going to be huge as put the squid in production ... this
is app
Hi.
I'm trying to configure SSO (single sign on) with Kerberos.
I have this error
[root@squid squid]# kinit administrator
Password for administra...@xxx.lan:
Warning: Your password will expire in 28 days on mié 21 sep 2016 12:20:39
ART
[root@squid squid]# msktutil -c -b "CN=COMPUTERS" -s HTTP/
Sent: Thursday, 18 August 2016 16:09
To: Squid Users
Subject: [squid-users] Kerberos Autenthication doesn't work
I have problems with Kerberos Authentication in Squid3 on Debian 8 and Samba4 DC
My Squid version is: 3.4.8
My Kerberos Authentication doesn
I have problems with Kerberos Authentication in Squid3 on Debian 8 and
Samba4 DC
My Squid version is: 3.4.8
My Kerberos Authentication doesn't work.
PROCEDURES PERFORMED
INSTALL OF SAMBA4 AND WINBIND OF DEBIAN BACKPORTS
apt-get -t jessie-backports install samba samba-doc winbind
KERBEROS TEST:
Heya Amos,
The problem was the keytab that didn't work correctly. I deleted the
objects from AD db and recreated keytab from linux side. The output now
says that using HTTP/mq-sqproxy.domain.co.za is "Authenticated to
kerberos", whilst the others now fail. I guess the HTTP is the only one
that
On 6/04/2016 3:27 a.m., Drikus Brits wrote:
>
>
> I believe I might have fixed it
>
> will advise soonest.
>
Any update?
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
I believe I might have fixed it
will advise soonest.
On 2016-04-05 16:01, Drikus Brits wrote:
> Extra info :
>
> root@mw-sqproxy-test:/home/geosupport# uname -a
> Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24
> 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/L
Extra info :
root@mw-sqproxy-test:/home/geosupport# uname -a
Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul
24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@mw-sqproxy-test:/home/geosupport# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--bui
Hi Experts,
After much struggling it seems I've reached some point of success but
yet still not. I've checked a multitude of websites for help before
coming here, but didn't get anything valuable yet. My problem is as follows:
I have 1x win2008R2 server that works with kerberos authentication,
In case anyone reads Russian, I have covered 2 new topics (possible
problems) in the Russian Squid+Kerberos Howto:
http://tinyurl.com/h68emax
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
On Sun, Mar 06, 2016 at 07:18:18PM +0600, Victor Sudakov wrote:
>
> On a more practical note, the Windows command to extract the squid
> keytab from the AD was
>
> ktpass -princ HTTP/proxy2.sibptus...@stn.tn.corp -mapuser squiduser +rndPass
> -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target x.
Markus Moeller wrote:
> > mismatch. What do you get when using the 2003 clients ?
>
> Markus, you are great! That was indeed the cause of the problem. Thank
> you ever so much.
>
> I have created an identical key with kvno=3 in the squid keytab, and
> now it's working. To hell with the Windows a
You are welcome
Markus
"Victor Sudakov" wrote in message
news:20160305180102.ga94...@admin.sibptus.tomsk.ru...
Markus Moeller wrote:
If I look at the wireshark capture details I see that the client is sending
a key of version 3 (kvno), but the keytab is version 1. This will create a
m
Markus Moeller wrote:
>
> If I look at the wireshark capture details I see that the client is sending
> a key of version 3 (kvno), but the keytab is version 1. This will create a
> mismatch. What do you get when using the 2003 clients ?
Markus, you are great! That was indeed the cause of the
Hi Victor,
If I look at the wireshark capture details I see that the client is sending
a key of version 3 (kvno), but the keytab is version 1. This will create a
mismatch. What do you get when using the 2003 clients ?
[truncated]Proxy-Authorization: Negotiate
YIISrgYGKwYBBQUCoIISojCCEp6gM
Markus Moeller wrote:
>
> What does the squid log say when you use -d for the authentication
> helper ?
I have uploaded the cache.log here: ftp://ftp.sibptus.ru/pub/vas/1.zip
There seems to be a message size limit in this list, so I cannot
attach it.
The helper error message is along the li
Hi Victor,
What does the squid log say when you use -d for the authentication
helper ?
Can you provide a wireshark capture from the client ? I guess that
2008 is using AES not RC4.
Markus
"Victor Sudakov" wrote in message
news:20160304162923.gb81...@admin.sibptus.tomsk.ru...
L.P.H. van Belle wrote:
>
> What is the output of
>
> ktutil list
>
> (of the squid keytab. )
I have already quoted it in the previous message, but I am happy to repeat:
/usr/local/etc/squid/squid.keytab:
Vno Type Principal
1 arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.
-crc des-cbc-md5
Greetz,
Louis
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
> Victor Sudakov
> Sent: Friday, 4 March 2016 13:54
> To: squid-users@lists.squid-cache.org
> Subject
Victor Sudakov wrote:
>
> I have squid 3.5.14 successfully authenticating users from a Windows 2003
> domain, but there is a problem authenticating Windows 2008R2 domain
> users from another realm. I am using the standard
> negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
>
> I have collec
Dear Colleagues,
I have squid 3.5.14 successfully authenticating users from a Windows 2003
domain, but there is a problem authenticating Windows 2008R2 domain
users from another realm. I am using the standard
negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
I have collected a traffic dump
apologize for my mail...
Fabio
2016-01-14 6:09 GMT+01:00 LYMN :
> On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
>> Hi All,
>> I want to terminate a previous job done by an ex-colleague who has changed
>> company. Now there is a cluster of 2 nodes of squid with NTLM
>> transparent authentica
On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
> Hi All,
> I want to terminate a previous job done by an ex-colleague who has changed
> company. Now there is a cluster of 2 nodes of squid with NTLM
> transparent authentication and one spare node I'm using as test and
> configured with kerberos
Hi All,
I want to terminate a previous job done by an ex-colleague who has changed
company. Now there is a cluster of 2 nodes of squid with NTLM
transparent authentication and one spare node I'm using as test and
configured with kerberos instead. Reading a lot of info I understood
kerberos is more stable th
On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
> On 11/01/2016 2:48 p.m., LYMN wrote:
> >
> > I did manage to get this working, you did mention the correct solution
> > right down the end of your message.
> >
>
> Correct for you yes. That can happen when making half-blind guesses
On 11/01/2016 2:48 p.m., LYMN wrote:
>
> I did manage to get this working, you did mention the correct solution
> right down the end of your message.
>
Correct for you yes. That can happen when making half-blind guesses at
what the problem actually is based on partial information. It might have
b
Firstly, let me say that whatever you are using for a mail client makes
reading/replying to your message difficult (see below for a small
sample, I will clean up the rest as best I can)...
I did manage to get this working, you did mention the correct solution
right down the end of your message.
sts.squid-cache.org] On Behalf Of
> LYMN
> Sent: Thursday, 7 January 2016 5:23
> To: squid-us...@squid-cache.org
> Subject: [squid-users] kerberos authentication with a machine account
> doesn't work
>
>
> Hi,
>
> We have been using kerberos authentic