Re: [squid-users] Squid 3.5.20 compile issue
On Tue, 2016-09-20 at 11:05 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 07:20:14PM -0600, James Lay wrote:
> >
> > Well last word on this...squid starts but dies with:
> >
> > /squid: symbol lookup error: ./squid: undefined symbol: SSL_set_alpn_protos
> >
> > So at this point I'll just go back to linking to libressl. Thanks all.
> >
> What does a "ldd squid" output? You have built your openssl libraries
> to a non-standard place so perhaps squid cannot find them at run time?
> If this was the case then you either need to use LD_LIBRARY_PATH at run
> time or set LDFLAGS="-L/opt/openssl/lib -Wl,-R/opt/openssl/lib" at squid
> configure time.
>

Woo hoo! Success! Looks like this works with openssl-1.0.1. Thanks much all!

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.5.20 compile issue
On Mon, Sep 19, 2016 at 07:20:14PM -0600, James Lay wrote:
>
> Well last word on this...squid starts but dies with:
>
> /squid: symbol lookup error: ./squid: undefined symbol: SSL_set_alpn_protos
>
> So at this point I'll just go back to linking to libressl. Thanks all.
>

What does a "ldd squid" output? You have built your openssl libraries
to a non-standard place so perhaps squid cannot find them at run time?
If this was the case then you either need to use LD_LIBRARY_PATH at run
time or set LDFLAGS="-L/opt/openssl/lib -Wl,-R/opt/openssl/lib" at squid
configure time.

--
Brett Lymn

This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies: BAE Systems Australia Limited - Australian Company Number 008 423 005; BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846; BAE Systems Australia Logistics Pty Limited - Australian Company Number 086 228 864. Our registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edinburgh, South Australia, 5111. If the identity of the sending company is not clear from the content of this email please contact the sender. This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message.
Re: [squid-users] Squid 3.5.20 compile issue
On Mon, 2016-09-19 at 18:44 -0600, James Lay wrote:
> On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote:
> > On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> > >
> > > On 09/19/2016 06:22 PM, James Lay wrote:
> > > >
> > > > Ok so this is with the 1.0.2 branch of openssl:
> > > >
> > > > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > > > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > > > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> > > You can probably force your way through this by linking with more system
> > > libraries, but I do not know exactly which ones you need. This smells
> > > like an environment or build configuration problem to me -- the linker
> > > does not know that your OpenSSL library depends on another system
> > > library that provides those [dynamic linking] functions.
> > >
> > At a guess add this to the libraries list after openssl: -ldl
> >
> Thank you...where would I add that to? My config line? Here it is:
>
> ./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
>
> James

Well last word on this...squid starts but dies with:

/squid: symbol lookup error: ./squid: undefined symbol: SSL_set_alpn_protos

So at this point I'll just go back to linking to libressl. Thanks all.

James
Re: [squid-users] Squid 3.5.20 compile issue
On Tue, 2016-09-20 at 10:26 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 06:44:38PM -0600, James Lay wrote:
> > > At a guess add this to the libraries list after openssl: -ldl
> > >
> > Thank you...where would I add that to? My config line? Here it is:
> >
> > ./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none
> >
> try setting LIBS="-ldl" in the environment before you do the configure.
>

Thanks again Brett. Turns out you have to add the "shared" option:

./Configure enable-chacha enable-poly1305 --prefix=/opt/openssl shared linux-x86_64

which you know kind of makes sense because it's like...a SHARED library 8-| Yugh..I hate being dumb.

James
Re: [squid-users] Squid 3.5.20 compile issue
On Tue, 2016-09-20 at 10:12 +0930, LYMN wrote:
> On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> >
> > On 09/19/2016 06:22 PM, James Lay wrote:
> > >
> > > Ok so this is with the 1.0.2 branch of openssl:
> > >
> > > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> > You can probably force your way through this by linking with more system
> > libraries, but I do not know exactly which ones you need. This smells
> > like an environment or build configuration problem to me -- the linker
> > does not know that your OpenSSL library depends on another system
> > library that provides those [dynamic linking] functions.
> >
> At a guess add this to the libraries list after openssl: -ldl
>

Thank you...where would I add that to? My config line? Here it is:

./configure --prefix=/opt --with-openssl=/opt/openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none

James
Re: [squid-users] Squid 3.5.20 compile issue
On Mon, Sep 19, 2016 at 06:37:44PM -0600, Alex Rousskov wrote:
> On 09/19/2016 06:22 PM, James Lay wrote:
> > Ok so this is with the 1.0.2 branch of openssl:
> >
> > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
>
> You can probably force your way through this by linking with more system
> libraries, but I do not know exactly which ones you need. This smells
> like an environment or build configuration problem to me -- the linker
> does not know that your OpenSSL library depends on another system
> library that provides those [dynamic linking] functions.
>

At a guess add this to the libraries list after openssl: -ldl

--
Brett Lymn
Re: [squid-users] Squid 3.5.20 compile issue
Thanks...off to git cloning the 1.0.1 branch...all this work for chacha and poly...yugh 8-|

James

On Mon, 2016-09-19 at 18:37 -0600, Alex Rousskov wrote:
> On 09/19/2016 06:22 PM, James Lay wrote:
> >
> > Ok so this is with the 1.0.2 branch of openssl:
> >
> > dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> > dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> > dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
> You can probably force your way through this by linking with more system
> libraries, but I do not know exactly which ones you need. This smells
> like an environment or build configuration problem to me -- the linker
> does not know that your OpenSSL library depends on another system
> library that provides those [dynamic linking] functions.
>
> > Should I just try something different? 1.0.1? 1.0?
> I know that both v1.0 and v1.0.1 work in many environments. YMMV.
>
> Alex.
Re: [squid-users] Squid 3.5.20 compile issue
On 09/19/2016 06:22 PM, James Lay wrote:
> Ok so this is with the 1.0.2 branch of openssl:
>
> dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
> dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
> dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'

You can probably force your way through this by linking with more system
libraries, but I do not know exactly which ones you need. This smells
like an environment or build configuration problem to me -- the linker
does not know that your OpenSSL library depends on another system
library that provides those [dynamic linking] functions.

> Should I just try something different? 1.0.1? 1.0?

I know that both v1.0 and v1.0.1 work in many environments. YMMV.

Alex.
[squid-users] Squid 3.5.20 compile issue
Ok so this is with the 1.0.2 branch of openssl:

make[3]: Entering directory `/home//nobackup/build/squid-3.5.20/src/ssl'
/bin/bash ../../libtool --tag=CXX --mode=link g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -m64 -g -o ssl_crtd ssl_crtd.o certificate_db.o libsslutil.la -L/opt/openssl/lib -lssl -lcrypto ../../compat/libcompat-squid.la
libtool: link: g++ -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -m64 -g -o ssl_crtd ssl_crtd.o certificate_db.o ./.libs/libsslutil.a -L/opt/openssl/lib -lssl -lcrypto ../../compat/.libs/libcompat-squid.a
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
dso_dlfcn.c:(.text+0x11): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x24): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x2f): undefined reference to `dlclose'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.c:(.text+0x334): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x3db): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.c:(.text+0x454): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x4fb): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.c:(.text+0x569): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x5cb): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x603): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x68f): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0x6f1): undefined reference to `dlerror'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.c:(.text+0x742): undefined reference to `dlclose'
collect2: error: ld returned 1 exit status
make[3]: *** [ssl_crtd] Error 1
make[3]: Leaving directory `/home/nobackup/build/squid-3.5.20/src/ssl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make: *** [all-recursive] Error 1

Should I just try something different? 1.0.1? 1.0?

Thank you.

James
Re: [squid-users] Squid 3.5.20 fails to compile with openssl
On 2016-09-19 16:05, Alex Rousskov wrote:
> On 09/19/2016 04:01 PM, James Lay wrote:
> > Openssl git latest commit version commit
> > e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.
>
> Please see http://bugs.squid-cache.org/show_bug.cgi?id=4599
>
> Thank you,
>
> Alex.

And there you go...thanks Alex.

James
Re: [squid-users] Squid 3.5.20 fails to compile with openssl
On 09/19/2016 04:01 PM, James Lay wrote:
> Openssl git latest commit version commit
> e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.

Please see http://bugs.squid-cache.org/show_bug.cgi?id=4599

Thank you,

Alex.
[squid-users] Squid 3.5.20 fails to compile with openssl
So I know I posted this a while ago...thought I'd give it a shot today, but still no luck:

make[3]: Entering directory `/home/nobackup/build/squid-3.5.20/src/anyp'
depbase=`echo PortCfg.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/bash ../../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I/opt/openssl/include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF $depbase.Tpo -c -o PortCfg.lo PortCfg.cc &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile: g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -I/opt/openssl/include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT -m64 -g -O2 -march=native -std=c++11 -MT PortCfg.lo -MD -MP -MF .deps/PortCfg.Tpo -c PortCfg.cc -fPIC -DPIC -o .libs/PortCfg.o
In file included from ../../src/anyp/PortCfg.h:18:0,
 from PortCfg.cc:10:
../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
 typedef LockingPointer X509_Pointer;
 ^
../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
 typedef LockingPointer X509_Pointer;
 ^
../../src/ssl/gadgets.h:83:75: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer X509_Pointer;
 ^
../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
 typedef LockingPointer EVP_PKEY_Pointer;
 ^
../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
 typedef LockingPointer EVP_PKEY_Pointer;
 ^
../../src/ssl/gadgets.h:89:91: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer EVP_PKEY_Pointer;
 ^
../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
 typedef LockingPointer SSL_Pointer;
 ^
../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
 typedef LockingPointer SSL_Pointer;
 ^
../../src/ssl/gadgets.h:116:71: error: invalid type in declaration before ‘;’ token
 typedef LockingPointer SSL_Pointer;
 ^
make[3]: *** [PortCfg.lo] Error 1
make[3]: Leaving directory `/home/nobackup/build/squid-3.5.20/src/anyp'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/nobackup/build/squid-3.5.20/src'
make: *** [all-recursive] Error 1

Openssl git latest commit version commit e2562bbbe1e1c68ec5a3e02c1f151fd6149ee2ae.

Thank you.

James
Re: [squid-users] What's the algorithm to achieve AclRandom
On 09/19/2016 06:29 AM, ysu yang wrote:
>> A. Define "session" in HTTP or Squid terms that Squid understands. Write
>> ACLs (likely including an external ACL or an eCAP adapter) that will
>> define a "session" for any given transaction and annotate same-session
>> transactions accordingly. Load balance based on sessions instead of
>> random events. The same external ACL or eCAP adapter can define load
>> balancing by annotating the transaction according to the ICAP service it
>> should be directed to.

> I see your point, but I didn't find what I wanted in ACLs. I would like to
> achieve load balancing based on IP (maybe implemented by a source IP hash
> algorithm). Do you have an idea?

Consider using an external ACL (i.e., Squid calling your custom script
when deciding whether the ACL matched). Your script gets the client IP
from Squid and, as a side effect, returns a transaction annotation to
Squid. Squid uses that annotation (via the "note" ACL) in the
adaptation_access rules to route the traffic to the right ICAP service
(or service set).

> And, if one ICAP server goes down, can squid check it is down and will not send
> messages to it?

See http://www.squid-cache.org/Doc/config/adaptation_service_set/

Alex.
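A minimal external ACL helper along the lines Alex describes, added here as an example and not taken from the thread, from Squid or from c-icap. It assumes Squid passes unlisted key=value pairs from the helper reply through as transaction annotations that the note ACL can match; the squid.conf lines in the docstring, the service names and the annotation key icap_svc are hypothetical.

```python
#!/usr/bin/env python3
"""Sticky ICAP routing by client IP for a Squid external ACL helper.

Assumed (hypothetical) squid.conf wiring, one pair per ICAP service:

  external_acl_type icap_pick ttl=3600 %SRC /usr/local/bin/icap_pick.py
  acl pick_icap external icap_pick
  acl to_svc1 note icap_svc svc1
  adaptation_access svc1 allow pick_icap to_svc1

The helper reads one client IP per line and answers "OK icap_svc=<name>";
the note ACL then matches that annotation, so every request from one
address keeps going to the same service instead of a random one.
"""
import sys
import zlib

# Constructed list of ICAP service names; order matters for the hash.
SERVICES = ["svc1", "svc2", "svc3"]


def choose_service(client_ip, services=SERVICES):
    """Map a client IP to one service with a deterministic hash.

    Same address, same service: that is the 'session' stickiness a random
    ACL cannot provide. Changing the list reshuffles the mapping, so keep
    it stable across reconfigures.
    """
    if not services:
        raise ValueError("no ICAP services configured")
    digest = zlib.crc32(client_ip.strip().encode("ascii"))
    return services[digest % len(services)]


def handle_line(line, services=SERVICES):
    """Turn one helper request line (%SRC) into one helper reply line."""
    fields = line.split()
    if not fields:
        # BH tells Squid the helper had a problem; it is not a deny (ERR).
        return "BH message=empty_request"
    try:
        svc = choose_service(fields[0], services)
    except ValueError as exc:
        return "BH message=" + str(exc).replace(" ", "_")
    return "OK icap_svc=" + svc


def distribution(ips, services=SERVICES):
    """Count how many of the given IPs land on each service (sanity check)."""
    counts = {s: 0 for s in services}
    for ip in ips:
        counts[choose_service(ip, services)] += 1
    return counts


def main():
    # Squid sends one line per lookup and waits for the reply line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pair this with adaptation_service_set for failover, since the helper only decides where a client should go, not whether that service is up.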
Re: [squid-users] Web Whatsapp, Dropbox... problem
On Mon, Sep 19, 2016 at 10:39 AM, erdosain9 wrote:
> mm
> so...
> I think this is working for not taking the certificate
>
> acl step1 at_step SslBump1
> acl excludeSSL ssl::server_name_regex web/.whatsapp/.com
>

wrong slashes... you want "\"

> ssl_bump peek step1
> ssl_bump splice excludeSSL
> ssl_bump bump all
>
> but, anyway something more is happening because well... doesn't work.
> another point of view??
>

Yes, you still had something wrong. Also, I'm not sure if you need to anchor the RE to prevent it matching something like "web.whatsapp.com.malware.tld" in the server name. Maybe someone closer to the code can answer that question...

Jok
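Jok's escaping and anchoring points, checked with an added example that is not from the thread: Python's re stands in for the POSIX regex Squid compiles ACL patterns with (identical semantics for these patterns), and the server names are constructed.

```python
import re

# Constructed TLS server names (SNI) as a bumping proxy might see them.
SERVER_NAMES = [
    "web.whatsapp.com",              # the host the ACL is meant to splice
    "webXwhatsappXcom",              # what an unescaped '.' also accepts
    "web.whatsapp.com.malware.tld",  # an unanchored regex still matches this
    "notweb.whatsapp.com",           # prefix is not anchored either
]

# Candidate patterns for: acl excludeSSL ssl::server_name_regex <re>
PATTERNS = {
    "posted":    r"web/.whatsapp/.com",    # wrong slashes: needs a literal '/'
    "unescaped": r"web.whatsapp.com",      # '.' matches any character
    "escaped":   r"web\.whatsapp\.com",    # right dots, but a substring match
    "anchored":  r"^web\.whatsapp\.com$",  # exactly this host and nothing else
}


def spliced(pattern, names=SERVER_NAMES):
    """Return the server names this regex would splice (exempt from bumping).

    Squid's *_regex ACLs match anywhere in the string, so re.search, not
    re.fullmatch, is the right analogue.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def report(patterns=PATTERNS, names=SERVER_NAMES):
    """Splice decision for every candidate pattern, keyed by its label."""
    return {label: spliced(p, names) for label, p in patterns.items()}


if __name__ == "__main__":
    for label, hosts in report().items():
        print("%-9s -> %s" % (label, hosts))
```

Only the anchored form splices web.whatsapp.com alone; the unanchored one also exempts any name that merely contains it, which is exactly the bypass Jok is worried about.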
Re: [squid-users] Web Whatsapp, Dropbox... problem
mm
so...
I think this is working for not taking the certificate

acl step1 at_step SslBump1
acl excludeSSL ssl::server_name_regex web/.whatsapp/.com

ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all

but, anyway something more is happening because well... doesn't work.
another point of view??
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Yes, you can fix that by setting the SPN : HTTP/host.you.domain.tld in UPN
I had that too, changed it and it is working perfect now.

See subject : Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )

Greetz,

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Silamael Darkomen
> Sent: Monday, 19 September 2016 14:20
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
>
> On 19.09.2016 14:08, L.P.H. van Belle wrote:
> > Well that's strange.
> > No, I can't speak about openBSD, but below is pretty general.
> >
> > When you test, did you set this before the test.
> > KRB5_KTNAME=/etc/squid/proxy.keytab
> > And does that keytab contain the HTTP/SPN
> > And test/check if you see http/SPN in the UPN, if not try that also.
> > After that change the
> > I just tested again to make my groups more flexible.
> >
> > /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
> > -D YOUR.REALM.TLD \
> > -N ntdom...@your.realm.tld \
> > -S dc1.your.dnsdomain@your.realm.tld \
> > -i -d
> > This one is without the -g so we can use more group names,
> > but test with -g first.
> >
> > From this example. But I change the ldap group to kerberos group here.
> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> That's all there, environment is correctly set up. Keytab looks good.
> As said before, the negotiate_kerberos_auth part works like a charm.
> All I get is a bunch of messages complaining about not being able to
> reach any KDC in realm while initializing the credentials of the keytab...
> Thought that it might be a DNS issue but even configuring DNS so that
> the AD server does all the DNS stuff did not change a bit :(
>
> -- Matthias
Re: [squid-users] What's the algorithm to achieve AclRandom
First of all, thanks for your advice.

> B. Adjust the ICAP service to store information about "sessions" in such
> a way that different service instances can share it. For example, if all
> ICAP services run on the same machine, they can use shared memory
> segments to exchange information among each other.

I have no ability to make different ICAP servers share the same memory.

> A. Define "session" in HTTP or Squid terms that Squid understands. Write
> ACLs (likely including an external ACL or an eCAP adapter) that will
> define a "session" for any given transaction and annotate same-session
> transactions accordingly. Load balance based on sessions instead of
> random events. The same external ACL or eCAP adapter can define load
> balancing by annotating the transaction according to the ICAP service it
> should be directed to.

I see your point, but I didn't find what I wanted in ACLs. I would like to
achieve load balancing based on IP (maybe implemented by a source IP hash
algorithm). Do you have an idea?

And, if one ICAP server goes down, can squid check it is down and will not send
messages to it?

Thanks in advance
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well that's strange.
> No, I can't speak about openBSD, but below is pretty general.
>
> When you test, did you set this before the test.
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN
> And test/check if you see http/SPN in the UPN, if not try that also.
> After that change the
> I just tested again to make my groups more flexible.
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
> -D YOUR.REALM.TLD \
> -N ntdom...@your.realm.tld \
> -S dc1.your.dnsdomain@your.realm.tld \
> -i -d
> This one is without the -g so we can use more group names,
> but test with -g first.
>
> From this example. But I change the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

That's all there, environment is correctly set up. Keytab looks good.
As said before, the negotiate_kerberos_auth part works like a charm.
All I get is a bunch of messages complaining about not being able to
reach any KDC in realm while initializing the credentials of the keytab...
Thought that it might be a DNS issue but even configuring DNS so that
the AD server does all the DNS stuff did not change a bit :(

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Well that's strange.
No, I can't speak about openBSD, but below is pretty general.

When you test, did you set this before the test.
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN
And test/check if you see http/SPN in the UPN, if not try that also.
After that change the
I just tested again to make my groups more flexible.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
-D YOUR.REALM.TLD \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain@your.realm.tld \
-i -d
This one is without the -g so we can use more group names,
but test with -g first.

From this example. But I change the ldap group to kerberos group here.
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

When I now put in "username groupname" after starting with the line above to test out, I'm getting:

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: INFO: User username is member of group@domain groupn...@your.realm.tld
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: DEBUG: OK

This is all I have in krb5.conf:

[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true

and the ad dc lookup works, if you set the SPN in the UPN, at least works for me.

I have my system's keytab as default keytab and

KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

is set in the /etc/default/squid3

So I'm thinking review the keytab setup and the variable.

And:
> The AD is reachable from the proxy machine but DNS is not done by the AD
> but on the proxy machine itself.

Same here, but I do have a forward zone in the dns for my ad domain.

Hope this helps a bit.

Greetz,

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Silamael Darkomen
> Sent: Monday, 19 September 2016 13:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test, that you may need to modify the default
> > kerberos ticket used.
> >
> > I suggest you change your config a bit to something like
> >
> > external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> > -D YOUR.REALM.TLD \
> > -g allowed-inter...@your.realm.tld \
> > -N ntdom...@your.realm.tld \
> > -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld
>
> Hello,
>
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
>
> -- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 16.09.2016 22:11, Markus Moeller wrote:
> Hi Silamael,
>
> Can you perform a kinit u...@example.com ? Does the squid user
> have read access to krb5.conf ?
>
> Markus

Hello Markus,

Yes, the permissions are correctly set up so that Squid and its processes
can read every file needed.
For it seems that the Heimdal library ignores the dns_lookup_kdc and
dns_lookup_realm options in the krb5.conf...
As written in my other response, the helper also crashes at the end. I'll
take a look at the stack trace...

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 16.09.2016 10:52, L.P.H. van Belle wrote:
> I think you forgot in your test, that you may need to modify the default
> kerberos ticket used.
>
> I suggest you change your config a bit to something like
>
> external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> -D YOUR.REALM.TLD \
> -g allowed-inter...@your.realm.tld \
> -N ntdom...@your.realm.tld \
> -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld

Hello,

Tried your suggestions but that doesn't change anything.
Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
iterating over all the entries for the keytab...
Any further ideas?

-- Matthias