Christian Wittmer 42c155b8fa Accepting request 159652 from home:bruno_friedmann:branches:server:proxy
Rework the systemd squid.service to make it able to initialize cache directory (squid -z) fixing bnc#802635
Removing the unneeded bash wrapper
Upgrade to bugfixes upstream release 3.2.9

- New revision for squid.service (using only sed)
  handle multiple cache_dir lines
  Added sed as a requirement
- Packaging : fixed systemd squid.service 
	- Rework on squid.service ExecStartPre line 
	  remove dependency on nonfunctional wrapper
	- Fix bnc#802635 (creating cache structure fails on first call)
	- Fixed Type=forking and remove the use of -N (non daemon flag)
	- Fixed missing pid file
	- Structural : add all -k to end of Exec/Stop line
	- Ulimit : Added LimitNOFile=4096 ( same value as in /etc/sysconfig)
		but there's no way to decode dynamically /etc/sysconfig
	- Remove syslog.target ( no need anymore : advise from fcrozat )
	- Clean up squid_cache_build.sh 
- Changes to squid-3.2.9 (12 Mar 2013):
	- Regression fix: Accept-Language header parse
	- Bug 3673: Silence 'Failed to select source' messages
	- Fix authentication headers sent on peer digest requests
	- Fix build error on Solaris, OpenIndiana, Omnios
- Changes to squid-3.2.8 (02 Mar 2013):
	- Bug 3767: tcp_outgoing_tos/mark ACLs do not obey acl_uses_indirect_client
	- Bug 3763: diskd Error: no filename in shm buffer
	- Bug 3752: objects that cannot be cached in memory are not cached on disk
	- Bug 3753: Removes the domain from the cache_peer server pconn key
	- Bug 3749: IDENT lookup using wrong ports to identify the user
	- Bug 3723: tcp_outgoing_tos/mark broken for CONNECT requests
	- Bug 3686: cache_dir max-size default fails
	- Bug 3515: crash in FtpStateData::ftpTimeout
	- Bug 3329: Quieten orphan Comm::Connection messages
	- Make squid -z for cache_dir rock preserve the rock DB

OBS-URL: https://build.opensuse.org/request/show/159652
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=34
2013-03-24 13:45:57 +00:00
.gitattributes unlink from Factory 2012-10-22 19:07:11 +00:00
.gitignore unlink from Factory 2012-10-22 19:07:11 +00:00
pam.squid unlink from Factory 2012-10-22 19:07:11 +00:00
README.kerberos unlink from Factory 2012-10-22 19:07:11 +00:00
RELEASENOTES.html Accepting request 148340 from home:computersalat:devel:proxy 2013-01-13 20:38:48 +00:00
rpmlintrc unlink from Factory 2012-10-22 19:07:11 +00:00
squid-3.2.9.tar.bz2 Accepting request 159652 from home:bruno_friedmann:branches:server:proxy 2013-03-24 13:45:57 +00:00
squid-3.2.9.tar.bz2.asc Accepting request 159652 from home:bruno_friedmann:branches:server:proxy 2013-03-24 13:45:57 +00:00
squid-compiled_without_RPM_OPT_FLAGS.patch unlink from Factory 2012-10-22 19:07:11 +00:00
squid-config.patch Accepting request 148340 from home:computersalat:devel:proxy 2013-01-13 20:38:48 +00:00
squid-nobuilddates.patch Accepting request 148340 from home:computersalat:devel:proxy 2013-01-13 20:38:48 +00:00
squid.changes Accepting request 159652 from home:bruno_friedmann:branches:server:proxy 2013-03-24 13:45:57 +00:00
squid.init unlink from Factory 2012-10-22 19:07:11 +00:00
squid.keyring Accepting request 143935 from home:sbrabec:gpg-offline-verify 2012-12-30 15:34:43 +00:00
squid.logrotate unlink from Factory 2012-10-22 19:07:11 +00:00
squid.permissions unlink from Factory 2012-10-22 19:07:11 +00:00
squid.service Accepting request 159652 from home:bruno_friedmann:branches:server:proxy 2013-03-24 13:45:57 +00:00
squid.spec Accepting request 159652 from home:bruno_friedmann:branches:server:proxy 2013-03-24 13:45:57 +00:00
squid.sysconfig unlink from Factory 2012-10-22 19:07:11 +00:00
unsquid.pl unlink from Factory 2012-10-22 19:07:11 +00:00

This is the README.kerberos file. It describes how
to have squid negotiate/authenticate via Kerberos.

Additions are very welcome.
Comments can be sent to <chris(at)computersalat.de>


1) you need to add a "USER" inside your "Domain-Computers" Container
   called "squid".  Yes a "USER" and not a Computer.
   You may use another name, but why?

2) After having successfully created the user, you need to create a 
   keytab file on your WIN box.

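Example (enter it as a single line on the WIN box):

  ktpass -princ HTTP/squid@DOMAIN.REALM -pType KRB5_NT_PRINCIPAL -mapuser squid -pass * -out HTTP.keytab

  "-pass *" makes ktpass prompt for the password instead of taking it
  on the command line.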

3) Copy HTTP.keytab over to /etc/squid/ on your Linux box.

4) You have to tell your browsers to negotiate via Kerberos.

  Have a look at:

  a) Internet Explorer does not support Kerberos authentication with proxy servers
     http://support.microsoft.com/?scid=kb%3Ben-us%3B321728&x=19&y=14

	This limitation was removed in Windows Internet Explorer 7.

	If Integrated Windows Authentication is turned on in Internet Explorer
	for Windows 2000 and Windows XP, you can complete Kerberos authentication
	with Web servers either directly or through a proxy server. However,
	Internet Explorer cannot use Kerberos to authenticate with the proxy
	server itself.

  b) Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6
     http://support.microsoft.com/kb/299838/EN-US/

	To resolve this issue, enable Internet Explorer 6 to respond to
	a negotiate challenge and perform Kerberos authentication:

	1. In Internet Explorer, click Internet Options on the Tools menu.
	2. Click the Advanced tab, click to select the Enable
	   Integrated Windows Authentication (requires restart) check box
	   in the Security section, and then click OK.
	3. Restart Internet Explorer.

	Administrators can enable Integrated Windows Authentication by
	setting the EnableNegotiate DWORD value to 1 in the following registry key:

	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

	Note: Internet Explorer 6, when used with Microsoft Windows 98,
	Microsoft Windows 98 Second Edition, Microsoft Windows Millennium Edition,
	and Microsoft Windows NT 4.0, does not respond to a negotiate challenge and
	defaults to NTLM (or Windows NT Challenge/Response) authentication even if
	the Enable Integrated Windows Authentication (requires restart) check
	box is selected, because Kerberos authentication is not available on
	these operating systems.
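
Added example for step 3 (not part of the original README or the squid package): HTTP.keytab holds the long-term key of the HTTP/squid principal, so it should reach /etc/squid/ readable only by the account the proxy runs as. The function names are hypothetical, and "squid" as that account name is an assumption.

```shell
#!/bin/sh
# Added example: install the keytab from step 3 with restrictive permissions.
# Function names are hypothetical; "squid" as the proxy's runtime
# account is an assumption, not something the README states.

# A keytab file starts with byte 0x05 followed by a format
# version byte (0x01 or 0x02).
is_keytab() {
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ]
}

# Succeeds only if "other" has no access and "group" cannot write
# (octal mask 027 covers exactly those permission bits). Uses GNU stat.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# install_keytab SRC DEST [OWNER[:GROUP]]
install_keytab() {
    src=$1 dest=$2 owner=${3:-}
    is_keytab "$src" || { echo "refusing: $src is not a keytab" >&2; return 1; }
    # install(1) copies the file and sets its mode to 0400 (owner read-only).
    install -m 0400 "$src" "$dest" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dest" || return 1   # changing the owner needs root
    fi
    keytab_mode_ok "$dest"
}

# Example call as root:
#   sh install-keytab.sh HTTP.keytab /etc/squid/HTTP.keytab squid
if [ "$#" -ge 2 ]; then
    install_keytab "$@"
fi
```

With MIT Kerberos client tools installed, klist -k /etc/squid/HTTP.keytab lists the principals stored in the file, which should include the HTTP/squid@DOMAIN.REALM entry created in step 2.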