Mirza Dedic | 15 Oct 02:05 2014

http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

Trying to understand what I am doing wrong with my ACLs (yes I've read the ACL guide on squid site.. but still confused).. My client is 172.16.10.101, trying to block access to facebook (and other dstdomain file lists), but it is not working from the client I can still access fb.

Is this because I have this rule below..?

acl localnet src 172.16.0.0/12
http_access allow localnet

Instead of denying everything access and manually maintaining rules, I want to allow http/https access for everything except explicitly defined ACLs (in this case the facebook acl as a test).

I've tried to set debugging to debug_options ALL,1 33,2 to see more info on ACLs (read on some site this is the debug flags to set) but I don't see any ACL details in my access.log file.

my squid.conf (for SQUID 3.3.3) file is below..

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443 8180 8443 563 1494 2598 8531
acl Safe_ports port 80 # http
acl Safe_ports port 81           # http for Pacific Brokerage
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # http
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 8081 8082 8088 8180
acl Safe_ports port 3128         # Squid http server
acl Safe_ports port 1494 2598   # ICA - Citrix
acl Safe_ports port 7000 8000   # Oracle
acl Safe_ports port 9000         # Oracle
acl Safe_ports port 8530 # WSUS
acl Safe_ports port 55905 # WSUS
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

acl ads dstdomain "/etc/squid/blacklists/ads/domains"
acl adult dstdomain "/etc/squid/blacklists/adult/domains"
acl gambling dstdomain "/etc/squid/blacklists/gambling/domains"
acl fb dstdomain .facebook.com

http_access allow localnet
http_access allow localhost

http_access deny ads adult gambling fb

http_access deny all

http_port 8080
dns_nameservers 172.16.11.3 172.16.11.2 172.16.11.1
visible_hostname www-proxy

hierarchy_stoplist cgi-bin ?

logformat oppy %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log oppy
cache_store_log daemon:/var/log/squid/store.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
logfile_rotate 4
debug_options ALL,1
# ACL Debug Options
# debug_options ALL,1 33,2
# debug_options ALL,1 33,2 28,9
coredump_dir /var/log/squid/squid

shutdown_lifetime 3 seconds
dns_v4_first on
retry_on_error on
forward_max_tries 25
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute

cache_dir ufs /var/cache/squid 100 16 256
cache_mgr ittechs@domain.com

snmp_port 0
icp_port 0
htcp_port 0

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
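
Added example (not part of the original post and not Squid's own code): a small Python model of how Squid walks http_access lines, with the first matching line deciding, every ACL named on one line having to match together, and the values inside one ACL being alternatives. It evaluates a constructed excerpt of the posted rules; the inline sample domains standing in for the blacklist files and the names parse_acls, acl_matches and evaluate are assumptions of this example.

```python
import ipaddress

# Constructed excerpt modelled on the posted squid.conf; the blacklist files are
# replaced by inline sample domains (assumption) so the example runs offline.
ACLS = """
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl ads dstdomain .ads.example
acl adult dstdomain .adult.example
acl gambling dstdomain .bets.example
acl fb dstdomain .facebook.com
"""

POSTED = """
http_access allow localnet
http_access deny ads adult gambling fb
http_access deny all
"""

# Deny moved above the allow but still one line: the four ACLs are ANDed.
MOVED_ONLY = """
http_access deny ads adult gambling fb
http_access allow localnet
http_access deny all
"""

# One deny line per list (OR across lines), all placed before the allow.
REORDERED = """
http_access deny ads
http_access deny adult
http_access deny gambling
http_access deny fb
http_access allow localnet
http_access deny all
"""

def parse_acls(text):
    """Collect 'acl NAME TYPE value...' lines; repeated names accumulate values."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # Squid's built-in 'all' ACL
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(acls, name, client_ip, host):
    """True if any value of the named ACL matches (values are ORed)."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = host.lower()
        # A leading dot matches the domain itself and every subdomain.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    raise ValueError("unsupported ACL type: " + kind)

def evaluate(acls, rules, client_ip, host):
    """Return (action, matching line) using first-match-wins evaluation."""
    last = "allow"  # with no http_access lines at all the result below is deny
    for line in rules.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        last = parts[1]
        # Every ACL named on the line must match (AND); '!' negates one ACL.
        if all(acl_matches(acls, n.lstrip("!"), client_ip, host) != n.startswith("!")
               for n in parts[2:]):
            return parts[1], line.strip()
    # Nothing matched: the result is the opposite of the last rule's action.
    return ("deny" if last == "allow" else "allow"), None
```

For client 172.16.10.101 and www.facebook.com, POSTED and MOVED_ONLY both evaluate to allow, while REORDERED stops at "http_access deny fb".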
Thiago Farina | 14 Oct 20:14 2014

cache-control

Hi squiders,

We want to move the following Go code into squid, as we already have
squid in front of our Go server.

The code is:

func makeResourceHandler() func(http.ResponseWriter, *http.Request) {
  fileServer := http.FileServer(http.Dir("./"))
  return func(w http.ResponseWriter, r *http.Request) {
    w.Header().Add("Cache-Control", string(300))
    fileServer.ServeHTTP(w, r)
  }
}

and in the main() function we have:

http.HandleFunc("/res/", autogzip.HandleFunc(makeResourceHandler()))

The only thing close to this I found was 'header_access Cache-Control
allow all'.

What is the proper way to do this?

Thanks all (for reading) in advance, for any reply.

Any hint/point is appreciated.

Best regards,

-- 
Thiago Farina
Mirza Dedic | 14 Oct 19:37 2014

Best way to deny access to URLs in Squid 3.3.x?

Just curious, what are some of you doing in your Squid environment as far as URL filtering goes? It seems there are a few options out there.. squidguard... dansguardian.. plain block lists.

What is the best practice to implement some sort of block list into squid? I've found urlblacklist.com that has a pretty good broken down URL block list by category, what would be the best way to go.. use dansguardian with this list or set it up in squid.conf as an "acl dstdomain" and feed in the block list file without calling an external helper application?

Thanks.
Matt de Pass | 14 Oct 18:17 2014

basic_ldap_auth and 389 Directory Server configuration help

Greetings,

I've been trying to configure LDAP authentication to our proxy (CentOS 6.5) but have been unable to
establish a connection with basic_ldap_auth. Following various online guides, I've configured Squid
with the following options and it appears to be working as expected, with the exception of authentication.

Squid Cache: Version 3.4.8
configure options:  '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/lib/squid' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock'
'--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp'
'--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' 'CFLAGS=-O2
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
-m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' '--enable-ltdlconvenience'
'--with-ldap=yes' '--enable-debug-cbdata' --enable-ltdl-convenience

We have a 389 Directory Server (CentOS 6.5) with a very basic configuration, which also appears to work
correctly. From the proxy host, we can successfully query the directory.

ldapsearch -LLLx -h ldap01 -p 389 -D 'cn=directory manager' -w {password} -b "ou=People,dc=ourdomain,dc=com"

results in

dn: uid=myusername,ou=People,dc=ourdomain,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Name
givenName: First
uid: myusername
uidNumber: 556
gidNumber: 660
cn: First Name
homeDirectory: /home/myusername
mail: myusername <at> ourdomain.com
loginShell: /bin/tcsh
gecos: First Name
shadowLastChange: -1
shadowMin: -1
shadowMax: -1
shadowWarning: 7
userPassword:: e1NTBOR42203QmNGayx2VjcydAycFdminZNQk5YlNqYhxRGc9PQ=
 =

However, testing connectivity using the authentication module and the following arguments appears to
yield a hang necessitating a ctrl-c exit.

/usr/lib64/squid/basic_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 'cn=directory manager'
-w {password} -h ldap01 -Z

attempting the same with digest_ldap_auth doesn’t cause a hang but instead displays the usage instructions.

/usr/lib64/squid/digest_ldap_auth -v 3 -b ou=People,dc=ourdomain,dc=com -D 'cn=directory manager'
-w {password}  -h ldap01 -Z

Modifying the arguments as below causes a hang

/usr/lib64/squid/digest_ldap_auth -b ou=People,dc=ourdomain,dc=com -A "cn=userPassword" -F
"%s=uid" -D 'cn=directory manager' -w {password}  -h ldap01 -Z

Can somebody point me in the direction of the logs to be looking at to determine what could be wrong, or
suggest some troubleshooting steps. The access log on the directory server suggests the authentication
module isn’t able to communicate when ldapsearch can, so I suspect my arguments are incorrect. I’d
appreciate any tips.

Thanks.

Satish Thareja | 14 Oct 13:20 2014

Squid not accounting server response

Hi,

I am trying to get a video cached wherein the client sends a range
request for the video object(Range: bytes=36798-103701442) which gets
converted to request without range(range_offset_limit set to 10MB).

What I see, is after squid serves the client request and gets about
103262382 bytes of data, there is no further reads on the server side
file descriptor and the server side connection times out after 15
minutes(timeout limit).

But the packet capture on the squid machine suggest that the whole
object is being sent by the server and squid is seeing up to 103262382
bytes only.
Is this a known issue with squid?

Thanks,
Satish
Robert Hundley | 14 Oct 11:26 2014

Problems with filtering when using chrome

Hi,

I’m trying to use squid to do some basic filtering. I have added an ACL to filter based on regular expressions, and added in a few strings I’d like not to load.

These work correctly on IE and firefox, but in chrome the page loads.

It correctly records TCP_DENIED/403 3674 CONNECT www.dropbox.com:443 - NONE/- text/html, but the site then loads regardless.

Chrome also seems to struggle with internal hosts; they refuse to load even though I have added the nodes to the hosts file, which seems to have worked for other browsers.

This originally occurred on 3.1, though I have since updated to 3.4.8 and am still experiencing this.

Has anyone come across the same / any similar issues?

Robert Hundley HND (Computing)
IT Support Engineer

lionxyes@gmail.com | 14 Oct 08:17 2014

some question about compiling squid with Cygwin

Hello, everybody!

Recently I needed to run squid 3.x (x >= 1) on Windows, and I found the related wiki page at this URL:

    http://wiki.squid-cache.org/KnowledgeBase/Windows

From this I know there are two methods of running squid on Windows:
    1. Compiling with Cygwin
    2. Compiling with MinGW
and squid series 3 has major build issues on all Windows compiler systems. And there is no
solution to the issues with compiling with MinGW.

But then I read that there have been unconfirmed reports from some users of building up
to squid-3.3 successfully and producing a usable executable. The Cygwin project provides version
3.3.3 packages.

I was excited. I tried it immediately, but I failed when I built it. I had successfully compiled squid-2.7
in the same environment.

So, are there people who have compiled squid 3.3.3 with Cygwin successfully and can give me some help?
lionxyes <at> gmail.com
Robert Watson | 13 Oct 18:33 2014

NET::ERR_CERT_COMMON_NAME_INVALID

an addendum to my previous post.
I get NET::ERR_CERT_COMMON_NAME_INVALID when using chrome
I get a squid error page when using IE

The following error was encountered while trying to retrieve the URL: ://204.44.2.199:443

Failed to establish a secure connection to 204.44.2.199

The system returned:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: [No Error]

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Not sure if this helps, but I could sure use some help.  Thanks,

Robert

Lawrence Pingree | 8 Oct 16:23 2014

Squid website malware?

"Convert your dreams to achievable and realistic goals, this way the journey is satisfying and progressive." - LP

Best regards,

The Geek Guy
Lawrence Pingree
http://www.lawrencepingree.com/resume/

Author of "The Manager's Guide to Becoming Great"
http://www.Management-Book.com

Robert Watson | 13 Oct 18:23 2014

Re: transparent proxy https and self signed certificate error

Ok, finally got the certificate installed properly and can proxy some https sites (gmail, google) but I get an error when going to a bank website.....
NET::ERR_CERT_COMMON_NAME_INVALID
when I created the certificate, I purposefully left the common name blank as per several articles on ssl_bump.  So I'm assuming it's complaining about the CN generated by squid/ssl_bump?

On Mon, Oct 6, 2014 at 12:39 AM, Amos Jeffries <squid3 <at> treenet.co.nz> wrote:

On 6/10/2014 4:24 p.m., Robert Watson wrote:
> still trying to get this working.  To eliminate the self signed
> certificate issue, I got an official signed certificate from
> Starfield Tech. LLC. They've sent two certificates but I'm unsure
> how to use these certificates since the ssl_bump parameters only
> have one certificate as a parameter

The CA is very unlikely to be issuing you certificates capable of use
in Squid in the way intended. It is illegal for a trusted root CA to
do so in the country they are registered. Besides that it is downright
foolish for them to give up their trust reputation. Look at what
happened to DigiNotar.

The point of self-signed is that _your Squid_ is the root CA signer.

The ssl-bump feature in current Squid makes parameter cert= take the
self-signed CA certificate in PEM format. Squid generates the rest of
the certificate chain as necessary.

>
> On Sun, Oct 5, 2014 at 8:52 AM, Eliezer Croitoru wrote:
>
> On 10/05/2014 01:22 PM, Amos Jeffries wrote:
>>>> MSIE 11 seems to be growing in popularity for some reason
>>>> ;-)
>>>>
>>>> Amos
>
> And Still there is:
> http://bugs.squid-cache.org/show_bug.cgi?id=4115
>
> For now I am using ssl_crtd of 3.4.5 for google ssl bump to work.
>
> Eliezer

Amos
Mirza Dedic | 13 Oct 02:47 2014

cygwin (running on Win2K3 and 2K8) + squid 3.3.3 + negotiate_kerberos_auth

I’ve got a Squid 3.3.3 running on Windows 2003 (and 2008) box via CYGWIN, works with the basic config.

My next step is to put in some authentication in place, in this case Kerberos using..

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/vis-squid.VAND1.OPPY.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

Before I can do this, I need to get a keytab file and setup the proper SPNs, on CYGWIN we don’t have Samba so I am using msktutil to create the computer account and keytab/SPNs; specifically one that works under CYGWIN (https://github.com/fd00/yacp/tree/master/msktutil).

When I try to create the keytab as per http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos by running...

msktutil -c -b "CN=computers" -s HTTP/xxx-squid.MY.DOMAIN.COM -k /etc/squid/PROXY.keytab --computer-name xxx-squid --upn HTTP/xxx-squid.MY.DOMAIN.COM --server DCSRV02 --enctypes 28 --verbose

It runs but dies at..

-- ldap_get_pwdLastSet: pwdLastSet is 130576191605205669
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576191607895789
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
The syntax of this command is:

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
      SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Setting samba secret failed with error code 256
Error: set_password failed
Hint: Does your password policy allow to change vis-squid's password?
      For example, there could be a "Minimum password age" policy preventing
      passwords from being changed too frequently. If so, you can reset the
      password instead of changing it using the --user-creds-only option.
      Be aware that you need a ticket of a user with administrative privileges
      for that.
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

Looks like it is trying to use Samba’s “net” command which is different than the net command above (windows). So I edited http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp and commented out the block of code that tries to run “net changesecretpw” samba cmd (I thought the whole purpose of msktutil was an alternative way to perform net ads keytab create so why is it running that cmdlet…) then re-compiled msktutil and re-ran it..

It went through this time with..

-- ldap_get_pwdLastSet: pwdLastSet is 130576324675479078
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
-- set_password: Successfully set samba machine trust account password
-- ldap_add_principal: Checking that adding principal HTTP/xxx-squid.MY.DOMAIN.COM to vis-squid won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/xxx-squid.MY.DOMAIN.COM to LDAP entry
-- execute: Updating all entries for rmt-server01.MY.DOMAIN.COM in the keytab WRFILE:/etc/squid/PROXY.keytab
-- update_keytab: Updating all entires for vis-squid
-- ldap_get_kvno: KVNO is 4
-- add_principal_keytab: Adding principal to keytab: vis-squid
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/xxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context

In AD I can see a new user account named “xxx-squid” (should this not be a computer object instead of a user object?), so now back to Squid (stop/start) and try hitting google.com via IE9/IE10/IE11 I get..

2014/10/12 17:37:14 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Key version number for principal in key table is incorrect'

So.. something is still not right with my setup.. any suggestions? Can I create the keytab file on my Active Directory server and copy the file and use it instead?

With the recent release of SQUID 3.3.3 to CYGWIN (http://sourceware.mirrors.tds.net/pub/sourceware.org/cygwin/x86/release/squid/) I’ve been at it for a few days trying to make it work but stuck at getting SSO with negotiate_kerberos_auth..

Any ideas?
