<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Joao,</DIV>
<DIV> </DIV>
<DIV> OK now you use the authentication rule. </DIV>
<DIV> </DIV>
<DIV> How did you create the keytab ? Does the hostname
match the keytab entry ?</DIV>
<DIV> </DIV>
<DIV> Can you run the helper with –d to get more debug ? </DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV style="FONT-FAMILY: ; LINE-HEIGHT: normal">
<DIV><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt"></FONT></FONT> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">From:</FONT></B><FONT style="FONT-SIZE: 10pt">
</FONT></FONT><FONT style="FONT-SIZE: 10pt"><A title=jaumshock@gmail.com
href="mailto:jaumshock@gmail.com"><FONT face=Tahoma>Joao Paulo Monticelli
Gaspar</FONT></A></FONT><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt">
</FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">Sent:</FONT></B><FONT
style="FONT-SIZE: 10pt"> Thursday, March 19, 2015 12:41 AM</FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">To:</FONT></B><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT><FONT style="FONT-SIZE: 10pt"><A
title=huaraz@moeller.plus.com href="mailto:huaraz@moeller.plus.com"><FONT
face=Tahoma>Markus Moeller</FONT></A></FONT><FONT face=Tahoma><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">Subject:</FONT></B><FONT
style="FONT-SIZE: 10pt"> Re: [squid-users] Squid + AD + Kerb auth
question</FONT></FONT></DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV dir=ltr>gettin access denied now
<DIV> </DIV>
<DIV>watch the logs</DIV>
<DIV> </DIV>
<DIV>
<DIV> </DIV>
<DIV>==> /var/log/squid/squid.out <==</DIV>
<DIV> </DIV>
<DIV>==> /var/log/squid/access.log <==</DIV>
<DIV>1426725527.219 1 192.168.1.251 TCP_DENIED/407
4509 GET <A
href="http://www.eset.com.br/download/business">http://www.eset.com.br/download/business</A>
- NONE/- text/html</DIV>
<DIV> </DIV>
<DIV>==> /var/log/squid/cache.log <==</DIV>
<DIV>2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating
user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified
GSS failure. Minor code may provide more information. '</DIV></DIV>
<DIV> </DIV>
<DIV>guess my SOO isnt working right?</DIV></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>2015-03-18 20:46 GMT-03:00 Markus Moeller <SPAN
dir=ltr><<A href="mailto:huaraz@moeller.plus.com"
target=_blank>huaraz@moeller.plus.com</A>></SPAN>:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-FAMILY: ; COLOR: ">
<DIV>
<DIV>
<DIV><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt">Hi
Joao</FONT></FONT></DIV>
<DIV><FONT face=Tahoma></FONT> </DIV>
<DIV><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt">Then you
hit</FONT></FONT></DIV>
<DIV><FONT face=Tahoma></FONT> </DIV>
<DIV>http_access allow localnet<BR></DIV>
<DIV> </DIV>
<DIV>and not</DIV>
<DIV> </DIV>
<DIV>http_access allow ad_auth</DIV>
<DIV> </DIV>
<DIV>Comment out the following line in squid.conf </DIV>
<DIV> </DIV>http_access allow localnet<BR>
<DIV> </DIV>
<DIV>and try again.</DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5"><SPAN>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">From:</FONT></B><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT><FONT style="FONT-SIZE: 10pt"><A
title=jaumshock@gmail.com href="mailto:jaumshock@gmail.com"
target=_blank><FONT face=Tahoma>Joao Paulo Monticelli
Gaspar</FONT></A></FONT><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt">
</FONT></FONT></DIV></SPAN>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">Sent:</FONT></B><FONT
style="FONT-SIZE: 10pt"> Wednesday, March 18, 2015 11:38
PM</FONT></FONT></DIV><SPAN>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">To:</FONT></B><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT><FONT style="FONT-SIZE: 10pt"><A
title=huaraz@moeller.plus.com href="mailto:huaraz@moeller.plus.com"
target=_blank><FONT face=Tahoma>Markus Moeller</FONT></A></FONT><FONT
face=Tahoma><FONT style="FONT-SIZE: 10pt"> </FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">Subject:</FONT></B><FONT style="FONT-SIZE: 10pt"> Re:
[squid-users] Squid + AD + Kerb auth
question</FONT></FONT></DIV></SPAN></DIV></DIV>
<DIV> </DIV></DIV>
<DIV><SPAN>
<DIV dir=ltr>yes, I'm using localnet, this is a virtual test lab enviorment,
here are some log entries
<DIV> </DIV>
<DIV>
<DIV>1426694349.225 59653 192.168.1.251 TCP_MISS/200 4775 CONNECT <A
href="http://p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443"
target=_blank>p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443</A>
- DIRECT/<A href="http://216.58.222.35" target=_blank>216.58.222.35</A>
-</DIV>
<DIV>1426694352.258 62686 192.168.1.251 TCP_MISS/200 4774 CONNECT <A
href="http://p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443"
target=_blank>p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443</A>
- DIRECT/<A href="http://216.58.222.46" target=_blank>216.58.222.46</A>
-</DIV>
<DIV>1426694613.543 58996 192.168.1.251 TCP_MISS/200 1112 CONNECT <A
href="http://safebrowsing.google.com:443"
target=_blank>safebrowsing.google.com:443</A> - DIRECT/<A
href="http://173.194.42.133" target=_blank>173.194.42.133</A> -</DIV></DIV>
<DIV> </DIV>
<DIV>when I looked at the access.log manual pages I saw that if squid cant get
user info, he uses the - sign on the access, and we can see it there, but why
he cant get the user info?</DIV>
<DIV> </DIV></DIV></SPAN>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>2015-03-18 20:20 GMT-03:00 Markus Moeller <SPAN
dir=ltr><<A href="mailto:huaraz@moeller.plus.com"
target=_blank>huaraz@moeller.plus.com</A>></SPAN>:
<DIV>
<DIV class=h5><BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV> From which network do you surf ? From localnet ? </DIV>
<DIV> </DIV>
<DIV> Can you send sample log entries ?</DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV>
<DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">From:</FONT></B><FONT style="FONT-SIZE: 10pt">
</FONT></FONT><FONT style="FONT-SIZE: 10pt"><A title=jaumshock@gmail.com
href="mailto:jaumshock@gmail.com" target=_blank><FONT face=Tahoma>Joao Paulo
Monticelli Gaspar</FONT></A></FONT><FONT face=Tahoma><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">Sent:</FONT></B><FONT style="FONT-SIZE: 10pt">
Wednesday, March 18, 2015 9:18 PM</FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">To:</FONT></B><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT><FONT style="FONT-SIZE: 10pt"><A
title=huaraz@moeller.plus.com href="mailto:huaraz@moeller.plus.com"
target=_blank><FONT face=Tahoma>Markus Moeller</FONT></A></FONT><FONT
face=Tahoma><FONT style="FONT-SIZE: 10pt"> </FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">Subject:</FONT></B><FONT style="FONT-SIZE: 10pt">
Re: [squid-users] Squid + AD + Kerb auth
question</FONT></FONT></DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV>
<DIV>
<DIV>
<DIV dir=ltr>squid.conf
<DIV> </DIV>
<DIV>
<DIV>visible_hostname proxy.joznet.local</DIV>
<DIV> </DIV>
<DIV>auth_param negotiate program /usr/lib64/squid/squid_kerb_auth</DIV>
<DIV>auth_param negotiate children 10</DIV>
<DIV>auth_param negotiate keep_alive on</DIV>
<DIV>auth_param basic credentialsttl 2 hours</DIV>
<DIV> </DIV>
<DIV>acl ad_auth proxy_auth REQUIRED</DIV>
<DIV> </DIV>
<DIV>acl manager proto cache_object</DIV>
<DIV>acl localhost src <A href="http://127.0.0.1/32"
target=_blank>127.0.0.1/32</A> ::1</DIV>
<DIV>acl to_localhost dst <A href="http://127.0.0.0/8"
target=_blank>127.0.0.0/8</A> <A href="http://0.0.0.0/32"
target=_blank>0.0.0.0/32</A> ::1</DIV>
<DIV> </DIV>
<DIV>acl localnet src <A href="http://192.168.1.0/24"
target=_blank>192.168.1.0/24</A><SPAN style="WHITE-SPACE: pre-wrap">
</SPAN># RFC1918 possible internal network</DIV>
<DIV>acl localnet src fc00::/7 # RFC
4193 local private network range</DIV>
<DIV>acl localnet src fe80::/10 # RFC 4291
link-local (directly plugged) machines</DIV>
<DIV> </DIV>
<DIV>acl SSL_ports port 443</DIV>
<DIV>acl Safe_ports port 80<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
http</DIV>
<DIV>acl Safe_ports port 21<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
ftp</DIV>
<DIV>acl Safe_ports port 443<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
https</DIV>
<DIV>acl Safe_ports port 70<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
gopher</DIV>
<DIV>acl Safe_ports port 210<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
wais</DIV>
<DIV>acl Safe_ports port 1025-65535<SPAN style="WHITE-SPACE: pre-wrap">
</SPAN># unregistered ports</DIV>
<DIV>acl Safe_ports port 280<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
http-mgmt</DIV>
<DIV>acl Safe_ports port 488<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
gss-http</DIV>
<DIV>acl Safe_ports port 591<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
filemaker</DIV>
<DIV>acl Safe_ports port 777<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>#
multiling http</DIV>
<DIV>acl CONNECT method CONNECT</DIV>
<DIV> </DIV>
<DIV>http_access allow manager localhost</DIV>
<DIV>http_access deny manager</DIV>
<DIV> </DIV>
<DIV>http_access deny !Safe_ports<BR></DIV>
<DIV> </DIV>
<DIV>http_access deny CONNECT !SSL_ports<BR></DIV>
<DIV> </DIV>
<DIV>http_access allow localnet<BR></DIV>
<DIV>http_access allow localhost</DIV>
<DIV>http_access allow ad_auth</DIV>
<DIV>http_access deny all<BR></DIV>
<DIV> </DIV>
<DIV>http_port 3128</DIV>
<DIV> </DIV>
<DIV>hierarchy_stoplist cgi-bin ?<BR></DIV>
<DIV> </DIV>
<DIV>coredump_dir /var/spool/squid<BR></DIV>
<DIV> </DIV>
<DIV>refresh_pattern ^ftp:<SPAN style="WHITE-SPACE: pre-wrap">
</SPAN>1440<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>20%<SPAN
style="WHITE-SPACE: pre-wrap"> </SPAN>10080<BR></DIV>
<DIV>refresh_pattern ^gopher:<SPAN style="WHITE-SPACE: pre-wrap">
</SPAN>1440<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>0%<SPAN
style="WHITE-SPACE: pre-wrap"> </SPAN>1440</DIV>
<DIV>refresh_pattern -i (/cgi-bin/|\?) 0<SPAN style="WHITE-SPACE: pre-wrap">
</SPAN>0%<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>0</DIV>
<DIV>refresh_pattern .<SPAN style="WHITE-SPACE: pre-wrap"> </SPAN>0<SPAN
style="WHITE-SPACE: pre-wrap"> </SPAN>20%<SPAN
style="WHITE-SPACE: pre-wrap"> </SPAN>4320</DIV></DIV>
<DIV> </DIV>
<DIV>****************************************************************************************</DIV>
<DIV>krb5.conf</DIV>
<DIV> </DIV>
<DIV>
<DIV>[logging]</DIV>
<DIV>default = FILE:/var/log/krb5libs.log</DIV>
<DIV>kdc = FILE:/var/log/krb5kdc.log</DIV>
<DIV>admin_server = FILE:/var/log/kadmind.log</DIV>
<DIV> </DIV>
<DIV>[libdefaults]</DIV>
<DIV>default_realm = JOZNET.LOCAL</DIV>
<DIV>dns_lookup_realm = false</DIV>
<DIV>dns_lookup_kdc = false</DIV>
<DIV>ticket_lifetime = 24h</DIV>
<DIV>renew_lifetime = 7d</DIV>
<DIV>forwardable = true</DIV>
<DIV> </DIV>
<DIV>; for Windows 2008 with AES</DIV>
<DIV> </DIV>
<DIV>; default_tgs_enctypes =
aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5</DIV>
<DIV>; default_tkt_enctypes =
aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5</DIV>
<DIV>; permitted_enctypes =
aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5</DIV>
<DIV> </DIV>
<DIV>; for MIT/Heimdal kdc no need to restrict encryption type</DIV>
<DIV> </DIV>
<DIV>[realms]</DIV>
<DIV>JOZNET.LOCAL = {</DIV>
<DIV> kdc = srvjoznt.joznet.local:88</DIV>
<DIV> admin_server = srvjoznt.joznet.local:749</DIV>
<DIV> default_domain = joznet.local </DIV>
<DIV>}</DIV>
<DIV> </DIV>
<DIV>[domain_realm]</DIV>
<DIV>.joznet.local= JOZNET.LOCAL</DIV>
<DIV>joznet.local= JOZNET.LOCAL</DIV>
<DIV> </DIV>
<DIV>[pam]</DIV>
<DIV>debuf = false</DIV>
<DIV>ticket_lifetime = 36000</DIV>
<DIV>renew_lifetime = 36000</DIV>
<DIV>forwardable = true</DIV>
<DIV>krb4_convert = false</DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>
<DIV>
<DIV>2015-03-18 17:54 GMT-03:00 Markus Moeller <SPAN dir=ltr><<A
href="mailto:huaraz@moeller.plus.com"
target=_blank>huaraz@moeller.plus.com</A>></SPAN>:<BR></DIV></DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV>
<DIV>How does the config file look like ? </DIV>
<DIV>
<DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV>
<DIV>"Joao Paulo Monticelli Gaspar" <<A
href="mailto:jaumshock@gmail.com"
target=_blank>jaumshock@gmail.com</A>> wrote in message
news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg@mail.gmail.com...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV>
<DIV>
<DIV>
<DIV dir=ltr>Hey people
<DIV> </DIV>
<DIV>I have a doubt and couldn't find the answer anywhere yet, I'm using
SQUID integrate to a W2K8 AD server with kerb auth, and everything works
fine, the main reason of chosing this setup is for the SingleSignOn
capabilities of the configuration, but on my ACCESS.LOG I cant see the
users that are visitating the sites...</DIV>
<DIV> </DIV>
<DIV>is possible to show that info with this setup, or by any other setup
use maintain the SOO?</DIV>
<DIV> </DIV>
<DIV>Thx in advance.</DIV></DIV></DIV></DIV>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR></DIV></DIV></DIV></DIV></DIV></DIV></DIV>
<DIV>
<DIV><BR>_______________________________________________<BR>squid-users
mailing list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR><BR></DIV></DIV></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>squid-users
mailing list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR><BR></BLOCKQUOTE></DIV></DIV></DIV>
<DIV> </DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline"></DIV></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>squid-users
mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR><BR></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></BODY></HTML>