Hi Valentin,

I think the problem is here:


2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error

Do you know if everyone can access the schema of your ldap server (I assume it is a MS Active Directory server)?

Markus
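As an added example (not code from the thread or from the squid_kerb_ldap project): a small Python triage of the helper's -d output that pairs each logged LDAP search with the entry count reported for it, so the zero-result schema lookup Markus points at, and the failed GSSAPI bind to the second DC, are reported directly instead of having to be spotted by eye. The log text is a constructed copy of the cache.log excerpt quoted below, one entry per line.

```python
import re

# Constructed sample: the cache.log excerpt quoted in this thread, one entry per line.
SAMPLE_LOG = """\
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group@domain Internet_all@NULL
"""

CONN_RE = re.compile(r"Setting up connection to ldap server (\S+)$")
BIND_ERR_RE = re.compile(r"Error while binding to ldap server with SASL/GSSAPI: (.+)$")
SEARCH_RE = re.compile(r"Search ldap server with bind path (.*?) and filter: (\S+)$")
COUNT_RE = re.compile(r"(?:Found (\d+) ldap entries|(\d+) ldap entr(?:y|ies) found with attribute)")


def parse_searches(log_text):
    """Pair every LDAP search the helper logs with the entry count it reports next."""
    searches, current = [], None
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            current = {"base": m.group(1).strip('"'), "filter": m.group(2), "entries": None}
            searches.append(current)
            continue
        m = COUNT_RE.search(line)
        if m and current is not None and current["entries"] is None:
            current["entries"] = int(m.group(1) or m.group(2))
    return searches


def diagnose(log_text):
    """Return (code, detail) findings: failed GSSAPI binds and an unreadable schema partition."""
    findings, host = [], None
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            host = m.group(1)
        m = BIND_ERR_RE.search(line)
        if m:
            findings.append(("gssapi_bind_failed", "%s: %s" % (host, m.group(1))))
    for s in parse_searches(log_text):
        # The helper treats the server as AD only if sAMAccountName is visible in the schema
        # partition; zero entries there means the bound identity cannot read the schema.
        if s["filter"].lower() == "(ldapdisplayname=samaccountname)" and s["entries"] == 0:
            findings.append(("schema_unreadable", s["base"]))
    return findings
```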



"Valentin G"  wrote in message news:1857521401801...@web29m.yandex.ru...




Hi, help me solve my problem in configuring squid...

DOMINION.LOCAL - win domain (2003+2008, forest 2003)
3 inet groups in AD

user vvgulimov in group Internet_all

squid_kerb_ldap ver 1.2.2

cache.log

2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: User domain loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default domain loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default group loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Found group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Setup Kerberos credential cache
2014/06/03 15:52:59| squid_kerb_ldap: Get default keytab file name
2014/06/03 15:52:59| squid_kerb_ldap: Got default keytab file name /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Get principal name from keytab /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Keytab entry has realm name: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Found principal name: HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_3062
2014/06/03 15:52:59| squid_kerb_ldap: Got principal name HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Stored credentials
2014/06/03 15:52:59| squid_kerb_ldap: Initialise ldap connection
2014/06/03 15:52:59| squid_kerb_ldap: Canonicalise ldap server name for domain DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-1.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-2.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 1 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 2 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 3 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Adding DOMINION.LOCAL to list
2014/06/03 15:52:59| squid_kerb_ldap: Sorted ldap server names for domain DOMINION.LOCAL:
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-2.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-1.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: DOMINION.LOCAL Port: -1 Priority: -1 Weight: -1
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap entries for attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: ERR

____________________________________________

squid.conf

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s HTTP/proxy.dominion.local@DOMINION.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP1 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_all
external_acl_type SQUID_KERB_LDAP2 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_blacklist
external_acl_type SQUID_KERB_LDAP3 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_whitelist

acl AUTHENTICATED proxy_auth REQUIRED

acl Internet_all external SQUID_KERB_LDAP1
acl Internet_blacklist external SQUID_KERB_LDAP2
acl Internet_whitelist external SQUID_KERB_LDAP3

acl white_list url_regex -i "/etc/squid/white_list"
acl black_list url_regex -i "/etc/squid/black_list"

http_access allow Internet_whitelist white_list
http_access deny Internet_blacklist black_list
http_access allow Internet_all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localhost
http_access allow AUTHENTICATED
http_access deny all

_______________________________________
krb5.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
krb4_convert = false
}

[libdefaults]
default_realm = DOMINION.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
#        proxiable = true

# For Windows 2007:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable = yes

[realms]
DOMINION.LOCAL = {
# kdc = 192.168.235.4:88
kdc = 192.168.234.2:88
# admin_server = 192.168.235.4:749
admin_server = 192.168.234.2:749
default_domain = DOMINION.LOCAL
}

[domain_realm]
.dominion.local = DOMINION.LOCAL
dominion.local = DOMINION.LOCAL
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmin.log

____________________________________________________

thank you

ps. configure your mail ezm is very strong ..)
