Hi Eugene,

I can only guess that the memory cache is not working. Can you change in include/autoconf.h

/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1

to

#undef HAVE_KRB5_MEMORY_CACHE

and recompile?

Markus

"Eugene M. Zheganin" wrote in message news:52b83e6c.8040...@norma.perm.ru...

Hi.

squid 3.3.11
FreeBSD 10.x

I'm fighting squid_kerb_group; sometimes it may become tricky. Here's
where I'm stuck:

I'm launching this:

===Cut===
KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
export KRB5_KTNAME

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
   -a \
   -m 16 \
   -i \
   -ddd \
   -D NORMA.COM \
   -b cn=Users,dc=norma,dc=com \
   -S hq-gc.norma....@norma.com \
   -u proxy2 \
   -p XXXXXXXXXXXXXXXXXXX \
   -N soft...@norma.com \
   -g "Internet Users - Proxy2@"
===Cut===

and getting this:

===Cut===
./squid_kerb_group.sh
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_group.cc(372): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group list Internet Users - Proxy2@
support_group.cc(437): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group Internet Users - Proxy2  Domain
support_netbios.cc(74): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios list soft...@norma.com
support_netbios.cc(147): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios name SOFTLAB  Domain NORMA.COM
support_lserver.cc(73): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server list hq-gc.norma....@norma.com
support_lserver.cc(137): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server hq-gc.norma.com Domain NORMA.COM
emz
kerberos_ldap_group.cc(430): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz set default domain: NORMA.COM
kerberos_ldap_group.cc(435): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz Domain: NORMA.COM
support_member.cc(55): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: User domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(83): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(85): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found group@domain Internet Users - Proxy2@
support_ldap.cc(810): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(91): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(97): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(111): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: NORMA.COM
support_krb5.cc(133): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy2.norma....@norma.com
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(267): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy2.norma....@norma.com
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(839): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(845): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
NORMA.COM
support_resolv.cc(245): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Ldap server loop: lserver@domain
hq-gc.norma....@norma.com
support_resolv.cc(247): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found lserver@domain hq-gc.norma....@norma.com
support_resolv.cc(441): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Sorted ldap server names for domain NORMA.COM:
support_resolv.cc(443): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Host: hq-gc.norma.com Port: -1 Priority: -2
Weight: -2
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setting up connection to ldap server
hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: Error while binding to ldap server with
SASL/GSSAPI: Local error
support_ldap.cc(891): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: No error: 0
support_ldap.cc(951): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: No error: 0
support_member.cc(96): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: User emz is not member of group@domain
Internet Users - Proxy2@
support_member.cc(111): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Default group loop: group@domain Internet
Users - Proxy2@
ERR
kerberos_ldap_group.cc(470): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: ERR
===Cut===

However, using this keytab and script everything is ok when launching
from other servers.

Some additional info: I can successfully use ldapsearch with a
SASL/GSSAPI bind with this keytab:

===Cut===
# kdestroy
# klist

klist: No ticket file: /tmp/krb5cc_0
# kinit --keytab=/usr/local/etc/squid/squid.keytab HTTP/proxy2.norma.com
# klist
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: HTTP/proxy2.norma....@norma.com

 Issued                Expires               Principal
Dec 23 19:37:11 2013  Dec 24 04:37:11 2013  krbtgt/norma....@norma.com
Dec 23 19:37:17 2013  Dec 24 04:37:11 2013  ldap/hq-gc.norma....@norma.com

# ldapsearch -H ldap://hq-gc.norma.com:389 -Y GSSAPI -O "maxssf=56" -b
"cn=Users,dc=norma,dc=com" -W
"(&(sAMAccountname=emz)(memberOf=CN=Internet Users -
Proxy1,CN=Users,DC=norma,DC=com))"

Enter LDAP Password: [actually I press Enter here, and the password is
not null - so the keytab is used]
SASL/GSSAPI authentication started
SASL username: HTTP/proxy2.norma....@norma.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=norma,dc=com> with scope subtree
# filter: (&(sAMAccountname=emz)(memberOf=CN=Internet Users -
Proxy1,CN=Users,DC=norma,DC=com))
# requesting: ALL
#

# \D0\96\D0\B5\D0\B3\D0\B0\D0\BD\D0\B8\D0\BD
\D0\95\D0\B2\D0\B3\D0\B5\D0\BD\D
0\B8\D0\B9, Users, norma.com
dn::
Q0490JbQtdCz0LDQvdC40L0g0JXQstCz0LXQvdC40LksQ049VXNlcnMsREM9bm9ybWEsREM9Y
29t
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
[some more data in LDIF format not showing]
===Cut===

Looks like it's really some local problem, but I cannot figure out which
one exactly.


Thanks.
Eugene.
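Added example (not code from this thread or from the squid project): a small Python triage script that pairs the two-line records of the helper's -ddd output quoted above, re-joins wrapped message text, collects the helper's bare OK/ERR answers, and flags the pattern Markus points at, credentials stored in a MEMORY: cache followed by a local SASL/GSSAPI bind error. The record format and the sample lines are taken from the output above; the verdict labels are an assumption of this example.

```python
import re
# One record = a header line followed by its message line(s); -ddd output wraps long messages.
HEADER = re.compile(r'^(?P<src>\S+\.cc)\((?P<line>\d+)\): pid=(?P<pid>\d+) :(?P<ts>.+)\|$')
MESSAGE = re.compile(r'^kerberos_ldap_group: (?P<level>INFO|DEBUG|ERROR): (?P<text>.*)$')

def parse_helper_log(text):
    """Pair headers with messages, re-join wrapped text, collect bare OK/ERR answers."""
    records, answers, cur = [], [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if h := HEADER.match(line):
            records.append(cur := dict(h.groupdict(), level=None, text=''))
        elif line in ('OK', 'ERR'):            # the helper's reply to squid
            answers.append(line)
        elif cur is not None:
            m = MESSAGE.match(line)
            if m and cur['level'] is None:
                cur.update(level=m['level'], text=m['text'])
            else:                              # continuation of a wrapped message
                cur['text'] = (cur['text'] + ' ' + line).strip()
    return records, answers

def diagnose(records, answers):
    """Flag the thread's pattern: creds stored in a MEMORY: cache, then a local GSSAPI bind error."""
    ccache, stored, errors = None, False, []
    for r in records:
        if r['text'].startswith('Set credential cache to '):
            ccache = r['text'].split('Set credential cache to ', 1)[1]
        elif r['text'] == 'Stored credentials':
            stored = True
        if r['level'] == 'ERROR':
            errors.append('%s(%s): %s' % (r['src'], r['line'], r['text']))
    bind_failed = any('ldap_sasl_interactive_bind_s' in e for e in errors)
    verdict = 'ok' if not bind_failed else (   # verdict labels are this example's own
        'memory-ccache-suspect'                # Markus's hint: rebuild with HAVE_KRB5_MEMORY_CACHE undefined
        if stored and (ccache or '').startswith('MEMORY:') else 'bind-failed')
    return {'ccache': ccache, 'stored': stored, 'errors': errors,
            'answer': answers[-1] if answers else None, 'verdict': verdict}
# Constructed sample: the relevant lines of the -ddd output quoted in the thread.
SAMPLE = """\
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Stored credentials
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: Error while binding to ldap server with
SASL/GSSAPI: Local error
ERR
"""
REPORT = diagnose(*parse_helper_log(SAMPLE))   # verdict: memory-ccache-suspect
```

Run the script over a captured -ddd transcript instead of SAMPLE to get the same summary for a live helper run.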
