missing negotiate_kerberos_auth on my squid


Hello All,

Configured the steps required for Kerberos authentication as given at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
but instead of SSO working when we try to open a URL, it prompts for username and password, and when passing credentials it is not authenticating.
Attached is our squid config for your reference.

Kindly let us know what went wrong.

We are using Windows 2012 AD.



Thanks & Regards
Nilesh Suresh Gavali




From:        Nilesh Gavali/MUM/TCS
To:        squid-users@xxxxxxxxxxxxxxxxxxxxx, belle@xxxxxxxxx
Date:        27/05/2016 15:07
Subject:         missing negotiate_kerberos_auth on my squid



Thanks Louis for the reply.

but

Should be included IMO. -- not sure what IMO is

Should be in any Squid-3.2 and later.

And on my Debian server it's located here.

/usr/lib/squid/negotiate_kerberos_auth - checked the path but it is not there on my Linux box.

Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ?  ---- NO, didn't give this option during compilation

Run squid -v to check it. -- we have "--enable-auth-negotiate" only and some other configured options.


Can you help me get it recompiled with the required options?


Thanks & Regards
Nilesh Suresh Gavali

----- Forwarded by Nilesh Gavali/MUM/TCS on 27/05/2016 15:01 -----

From:        squid-users-request@xxxxxxxxxxxxxxxxxxxxx
To:        squid-users@xxxxxxxxxxxxxxxxxxxxx
Date:        27/05/2016 12:42
Subject:        squid-users Digest, Vol 21, Issue 101
Sent by:        "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>





Today's Topics:

  1. NULL characters (joe)
  2. Re: Looking for a way to route into cache_peer traffic
     dynamically. (Alex Rousskov)
  3. The system returned: (111) Connection refused; (deepa ganu)
  4. Re: NULL characters (Eliezer Croitoru)
  5. missing negotiate_kerberos_auth on my squid (Nilesh Gavali)
  6. Re: missing negotiate_kerberos_auth on my squid (L.P.H. van Belle)


----------------------------------------------------------------------

Message: 1
Date: Thu, 26 May 2016 07:30:16 -0700 (PDT)
From: joe <chip_pop@xxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: NULL characters
Message-ID: <1464273016183-4677691.post@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

2016/05/26 06:41:28 kid1| ctx: enter level  0:
'http://js.advert.mirtesen.ru/data/js/82090.js'
2016/05/26 06:41:28 kid1| WARNING: HTTP header contains NULL characters
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/_javascript_;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid}
NULL
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/_javascript_;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid
2016/05/26 06:41:28 kid1| ctx: exit level  0

is it bad ?????




------------------------------

Message: 2
Date: Thu, 26 May 2016 09:16:52 -0600
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Looking for a way to route into cache_peer
                traffic dynamically.
Message-ID: <57471364.4030007@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 05/26/2016 03:52 AM, Eliezer Croitoru wrote:

> I think that the best way is to use an ICAP meta header instead of altering
> the request itself

Agreed.


> but I am not sure if it is possible

It is not possible today: Converting ICAP headers into annotations
understood by Squid ACLs is only supported for eCAP services.

IIRC, somebody posted a patch (on squid-dev) with a similar feature for
ICAP, but that implementation needed to be redone to be officially
accepted (IMO). I do not know whether the author will adjust their code
to follow my recommendations. Perhaps you can do it for them.

Alex.



------------------------------

Message: 3
Date: Fri, 27 May 2016 14:25:19 +0530
From: deepa ganu <deepaganu@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: The system returned: (111) Connection refused;
Message-ID:
                <CA+qV5k+cSUThvZYCS1JLcNuXsFCA8Vnk1Rmc5opK1w15W6asyg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi
I am using squid as a reverse.

#http_port  80 accel defaultsite=202.53.13.19
https_port 443 accel  cert=/var/www/html/webrtc/imp/teleuniv.net.crt
key=/var/www/html/webrtc/imp/teleuniv.net.key
cafile=/var/www/html/webrtc/imp/intermediate.crt defaultsite=202.53.13.19
no-vhost


#this ACL is url path specific which accepts only portal urls and deny
others.
acl portal urlpath_regex ^/portal6may
cache_peer 172.20.36.144 parent 80 0 no-query originserver name=portalserver
cache_peer_access portalserver allow portal
cache_peer_access portalserver deny all
http_access allow portal


cache_peer 172.20.36.150 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER login=PASS connection-auth=off name=teleuniv
acl our_sites dstdomain 202.53.13.19
http_access allow our_sites
cache_peer_access teleuniv allow our_sites
cache_peer_access teleuniv deny all

So when I try to access the URL
https://202.53.13.19/ I get the following
error
"The following error was encountered while trying to retrieve the URL: The
system returned: (111) Connection refused; The remote host or network may
be down. Please try the request again."

It only gives for 172.20.36.144 not for the urlpath acl. But this happens
only sometimes. When I physically go to that server (172.20.36.150) and
click on the wired connection (one of the LAN options using linux). It
works again. I am very confused

--
Regards
Deepa Ganu
R&D Head(CSE) KMIT
Ph no : 9908036660

------------------------------

Message: 4
Date: Fri, 27 May 2016 14:17:17 +0300
From: "Eliezer Croitoru" <eliezer@xxxxxxxxxxxx>
To: "'joe'" <chip_pop@xxxxxxxxxxx>,
                <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: NULL characters
Message-ID: <33b501d1b809$541a9620$fc4fc260$@ngtech.co.il>
Content-Type: text/plain;                 charset="utf-8"

If it ended with some kind of server issues other than the logs, then it would be considered not nice.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx




------------------------------

Message: 5
Date: Fri, 27 May 2016 12:32:15 +0100
From: Nilesh Gavali <nilesh.gavali@xxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: missing negotiate_kerberos_auth on my squid
Message-ID:
                <OF9C6F8F89.5CF2ECB1-ON80257FC0.003EE232-80257FC0.003F5EF7@xxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hello;
I have installed the latest squid 3.5.19 on Red Hat Linux yesterday. That
means I am new to squid and Linux.
Able to start squid and it's working fine.
Now we are trying to authenticate users via Kerberos with Windows AD, but
facing issues.
Followed the steps provided on
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
but unable to find negotiate_kerberos_auth on my Linux box at any
location.
Now I need to know where I can find/download negotiate_kerberos_auth and
compile it to make authentication successful.

Thanks & Regards
Nilesh Suresh Gavali
Tata Consultancy Services
3rd Floor, Tithebarn House
Tithebarn Street
Liverpool - L2 2NZ
United Kingdom
Mailto: nilesh.gavali@xxxxxxx
Website:
http://www.tcs.com

------------------------------

Message: 6
Date: Fri, 27 May 2016 13:41:34 +0200
From: L.P.H. van Belle <belle@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx  <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: missing negotiate_kerberos_auth on my squid
Message-ID:
                <vmime.5748326e.63bf.32264d027089be4e@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
               
Content-Type: text/plain; charset="windows-1252"

Should be included IMO.

Should be in any Squid-3.2 and later.

And on my Debian server it's located here.

/usr/lib/squid/negotiate_kerberos_auth

Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ?

Run squid -v to check it.

Greetz,

Louis





------------------------------

End of squid-users Digest, Vol 21, Issue 101
********************************************

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# enable kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.org@xxxxxxxxxx
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

# require proxy authentication
acl auth proxy_auth REQUIRED

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow auth
http_access deny all

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080
never_direct allow all

cache_peer 10.50.x.xx parent 8080 0 default
cache_peer_access 10.50.x.xxx allow localnet
cache_peer_access 10.50.x.xxx deny all


# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 2048 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

dns_nameservers hostname1.domain.org
cache_effective_user squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
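
The two checks suggested in the thread (the build options shown by `squid -v` and the presence of the helper binary), tied to the `auth_param negotiate program` path in the attached squid.conf, as an added shell example that is not part of the original messages. The state names, the sample `squid -v` text and the /etc/squid/squid.conf path in the last comment are assumptions.

```shell
#!/bin/sh
# Added example: is the Negotiate/Kerberos helper built and where squid.conf expects it?

# Classify the Negotiate build option found in `squid -v` output ($1).
negotiate_build_state() {
    # Split the quoted configure options into one token per line.
    opt=$(printf '%s\n' "$1" | tr " '" '\n\n' |
          grep -E '^--(enable|disable)-auth-negotiate(=|$)' | tail -n 1)
    case "$opt" in
        --disable-auth-negotiate*|--enable-auth-negotiate=no)
            echo "disabled" ;;
        --enable-auth-negotiate=*kerberos*)
            echo "kerberos-listed" ;;       # what the reply asks for
        --enable-auth-negotiate=*)
            echo "kerberos-not-listed" ;;
        --enable-auth-negotiate)
            echo "no-helper-list" ;;        # the case reported in this thread
        *)
            echo "option-absent" ;;
    esac
}

# Print the program path from the first "auth_param negotiate program" line
# of the squid.conf file named in $1.
negotiate_helper_path() {
    awk '$1 == "auth_param" && $2 == "negotiate" && $3 == "program" { print $4; exit }' "$1"
}

# Report whether the helper that squid.conf ($1) points to exists and is executable.
check_negotiate_helper() {
    helper=$(negotiate_helper_path "$1")
    if [ -z "$helper" ]; then
        echo "unconfigured"
    elif [ -f "$helper" ] && [ -x "$helper" ]; then
        echo "ok $helper"
    else
        echo "missing $helper"
    fi
}

# Constructed sample of `squid -v` output (not taken from the poster's machine).
SAMPLE_V="Squid Cache: Version 3.5.19
configure options:  '--prefix=/usr' '--enable-auth-negotiate' '--with-openssl'"

echo "build state: $(negotiate_build_state "$SAMPLE_V")"
# On a real proxy (config path is an assumption):
#   negotiate_build_state "$(squid -v)"
#   check_negotiate_helper /etc/squid/squid.conf
```

A "missing" result for the configured path means Squid cannot start the helper named in `auth_param negotiate program`, which matches the situation described in the thread.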
