Re: [squid-users] Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)
Hi Markus

I took a new version of msktutil from their git repository (http://repo.or.cz/w/msktutil.git). Now I was able to create a computer account in the AD with the same msktutil command as I used before. According to a statement from the msktutil developer, some bugs were fixed in the git version (which solved my problems).

Thanks a lot for your help.
Tom

2010/6/30 Markus Moeller hua...@moeller.plus.com:

Hi Tom,

I have a SLES 11 system I can test tomorrow. It looks like an option is not available.

Error: ldap_set_option (option=) failed (Can't contact LDAP server)

Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktimytn03x2zov8afj4_3plnuq9fea0iwwwddh...@mail.gmail.com...

Hi Markus

Here is the output:

-- snip ---
proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server dc1.xx.yy --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-OINkN1
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy-test-01$
 -- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy-test-01.xx.yy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy-test-01$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administra...@xx.yy
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context
-- snap ---

The computer account already exists in the AD (joined with net ads join). ktutil gives me no principals back:

proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------
ktutil:

Thanks a lot.
Kind regards
Tom

2010/6/29 Markus Moeller hua...@moeller.plus.com:

Can you post the whole output of msktutil with --verbose please. If msktutil fails with TLS on port 389 it will try again without TLS.

Regards
Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktil1fhq5ks3nx8mostkic2qoacz1xpmp6wh6r...@mail.gmail.com...

This works. I'm also able to telnet with TCP 636 (ldaps). I'm just searching for a solution to kerberise squid without the need of winbind/smb.

2010/6/28 Nick Cairncross nick.cairncr...@condenast.co.uk:

They seem ok. Telnet to your DC on 389?

On 28/06/2010 14:40, Tom Tux tomtu...@gmail.com wrote:

Which ldap libraries should be installed? The following devel packages are installed (SLES11 system):
- openldap2-devel
- cyrus-sasl-devel

2010/6/28 Nick Cairncross nick.cairncr...@condenast.co.uk:

Missing ldap libraries maybe?

On 28/06/2010 12:32, Tom Tux tomtu...@gmail.com wrote:

Hi

I'm trying to generate a computer account with msktutil. I got the following error:

...
...
 -- ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
SASL/GSSAPI authentication started
SASL username: ad...@domain.com
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context

I have a valid ticket (klist), initiated with adminu...@domain.com. Does anyone have any hints? I see that msktutil tries TLS (encrypted) on port 389 (LDAP) on the domain controller. Can I use native (unencrypted) LDAP?

Thanks a lot.
Tom
[squid-users] squid_kerb_ldap - Error while initialising credentials from keytab
Hi

I'm trying to authenticate our clients with squid_kerb_ldap against our AD. There exists a global group called Internet. My squid.conf looks like this:

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess

My klist -k looks like this:

proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test...@xx.yy
   4 host/proxy-test...@xx.yy
   4 host/proxy-test...@xx.yy
   4 proxy-test-...@xx.yy
   4 proxy-test-...@xx.yy
   4 proxy-test-...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   5 proxy-test-...@xx.yy
   5 proxy-test-...@xx.yy
   5 proxy-test-...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy

Without squid_kerb_ldap, the internet access is working fine. With the helper, I get the following errors in the cache.log:

2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Found gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: ERR
2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy authenticated

What could this be? The user testuser is a member of the AD group Internet.

Thanks a lot.
Tom
RE: [squid-users] Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
Hi Markus/Henrik,

Below is the information for your reference. Now even the authentication portion is not working at all for any single client. Tried hard recreating the SPN using different accounts etc. but with no success. Please help.

1. Output of cache.log:

2010/06/30 15:56:34| storeDirWriteCleanLogs: Starting...
2010/06/30 15:56:34|   Finished.  Wrote 0 entries.
2010/06/30 15:56:34|   Took 0.0 seconds ( 0.0 entries/sec).
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1access.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1access.log
2010/06/30 15:56:34| helperStatefulOpenServers: Starting 10 'squid_kerb_auth' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap:
[squid-users] Errors with sasl while compiling Squid 3.1.4
Hi

When I run ./configure to prepare compilation of Squid 3.1.4 I get these errors:

checking /usr/include/sasl.h usability... no
checking /usr/include/sasl.h presence... no
checking for /usr/include/sasl.h... no
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
configure: error: Neither SASL nor SASL2 found

whereas /usr/include/sasl.h is present in the right directory.

Please help

Cheers
Herc.
[squid-users] Log dns error
Hi

I wonder if there is a specific way to identify which sites have been logged with a DNS resolution error?

LD
[squid-users] sarg reports
Hello list,

I have just finished installing sarg and am already seeing the results. I searched the internet and cannot manage to understand the results of the report. I have something like this:

NUM USERID CONNECT BYTES %BYTES IN-CACHE-OUT ELAPSED TIME MILLISEC %TIME

Where it says IN-CACHE-OUT, does it refer to what was downloaded from the internet and what was already in the cache? Because it says, for example:

NUM  USERID       CONNECT  BYTES  %BYTES  IN-CACHE-OUT    ELAPSED TIME  MILLISEC     %TIME
1    10.10.10.xx  146.33K  3.66G  4.63%   9.10%   90.90%  114:08:40     410.920.021  3.65%
2    10.10.10.xx  49.88K   3.04G  3.85%   4.47%   95.53%  77:55:04      280.504.556  2.49%

Thanks
[squid-users] Squid 3.1.4 keeps giving Access Denied intermittently
Hi,

We have been using Squid for many years now and recently we upgraded from 2.7 to 3.1. Since upgrading we started getting intermittent Access Denied messages for sites that we can access normally. For example, if we access www.google.com we get the site straight away at times, and at other times we get an Access Denied message. Then, if we keep refreshing the page, the site comes up. We had our ISP connection checked by their support staff, who visited our premises and got a Windows laptop connected directly without the proxy, and everything was working excellently. With Squid 2.7 everything worked like a charm. So I am wondering what must be wrong. Any help would be greatly appreciated.

Thanks in advance.

Regards,
Nitin
Re: [squid-users] Errors with sasl while compiling Squid 3.1.4
Found it: I did not have C++ installed. Now everything is working well, except that in the config.log the file ip_tproxy.h is not found. I did not find any package containing this file. If someone can help.

Cheers
Herc.

2010/6/30 Babelo Gmvsdm hercul...@hotmail.com:

Hi

When I run ./configure to prepare compilation of Squid 3.1.4 I get these errors:

checking /usr/include/sasl.h usability... no
checking /usr/include/sasl.h presence... no
checking for /usr/include/sasl.h... no
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
configure: error: Neither SASL nor SASL2 found

whereas /usr/include/sasl.h is present in the right directory.

Please help

Cheers
Herc.
RE: [squid-users] Startup/shutdown script which was working perfectly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0
Hi Amos,

I just found that running it from rc.local works, but is it OK to run it through there in CentOS?

squidautostart.sh:

#!/bin/sh
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
echo -n "Starting squid instance2: "
/usr/sbin/squid -D -s -f /etc/squid/inst2squid.conf
echo -n "Starting squid instance1: "
/usr/sbin/squid -D -s -f /etc/squid/inst1squid.conf

Are the variables exported in the script available to the running instances of squid through rc.local or not? (For the time the program is running.) I also think that for running squid manually, to export these variables for all users I had to define them in /etc/profile. Am I right? Please guide.

Thanking you,
regards,
Bilal

Date: Mon, 24 May 2010 00:52:39 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Startup/shutdown script which was working perfectly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0

GIGO . wrote:

Hi all,

I am able to run squid manually, however whenever I try to run it through the startup/shutdown script it fails. This is the same script that works for squid 3.0 stable 25, however I am not able to figure out why it's failing on squid 2.7 stable 9. Neither of the instances starts with system startup. Please guide me, I'll be thankful. My startup script and the tail of cache.log for both instances is below.

#!/bin/sh
#
#my script
case "$1" in
  start)
    /usr/sbin/squid -D -s -f /etc/squid/squidcache.conf
    /usr/sbin/squid -D -s -f /etc/squid/squid.conf
    #The below line is to automatically start apache with system startup
    /usr/sbin/httpd -k start
    #KRB5_KTNAME=/etc/squid/HTTP.keytab
    #export KRB5_KTNAME
    #KRB5RCACHETYPE=none
    #export KRB5RCACHETYPE
    ;;
  stop)
    /usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
    echo "Shutting down squid secondary process"
    /usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
    echo "Shutting down squid main process"
    # The below line is to automatically stop apache at system shutdown
    /usr/sbin/httpd -k stop
    ;;
esac

The script looks right to me.

tail instance 2 cache file:

2010/05/22 06:05:18| Beginning Validation Procedure
2010/05/22 06:05:18|   Completed Validation Procedure
2010/05/22 06:05:18|   Validated 0 Entries
2010/05/22 06:05:18|   store_swap_size = 0k
2010/05/22 06:05:18| storeLateRelease: released 0 objects
2010/05/22 06:09:28| Preparing for shutdown after 62 requests

This message means the Squid instance has received the shutdown signal from some external process. Either kill or squid -k shutdown.

2010/05/22 06:09:28| Waiting 30 seconds for active connections to finish
2010/05/22 06:09:28| FD 16 Closing HTTP connection
2010/05/22 06:09:28| WARNING: store_rewriter #1 (FD 7) exited
2010/05/22 06:09:28| Too few store_rewriter processes are running
2010/05/22 06:09:28| Starting new helpers
2010/05/22 06:09:28| helperOpenServers: Starting 1 'storeurl.pl' processes

That may be a bug, restarting helpers on shutdown looks wrong.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3
[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
The error message says it:

2010/06/30 15:56:39| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No such file or directory

Which means you did not set the environment variable KRB5_KTNAME in the startup script. See http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Regards
Markus

GIGO . gi...@msn.com wrote in message news:snt134-w1253f4526c3ce839aec160b9...@phx.gbl...

Hi Markus/Henrik,

Below is the information for your reference. Now even the authentication portion is not working at all for any single client. Tried hard recreating the SPN using different accounts etc. but with no success. Please help.

1. Output of cache.log:

2010/06/30 15:56:34| storeDirWriteCleanLogs: Starting...
2010/06/30 15:56:34|   Finished.  Wrote 0 entries.
2010/06/30 15:56:34|   Took 0.0 seconds ( 0.0 entries/sec).
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1access.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1access.log
2010/06/30 15:56:34| helperStatefulOpenServers: Starting 10 'squid_kerb_auth' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
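Two of the threads above touch the same point from different ends: Bilal asks whether variables exported in a script run from rc.local reach the squid instances it starts, and Markus reads the gss_acquire_cred() "No such file or directory" failure as KRB5_KTNAME never having been set in the startup script. The wrapper below is an added example, not code from either poster or from the Squid project. It shows that a child process inherits exactly the variables that were exported, and it refuses to start the service when the keytab it points at is missing or unreadable, so a wrong path fails at start time instead of surfacing later as a helper error. The keytab path and the `sh -c` child standing in for `/usr/sbin/squid` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list posts): a start wrapper that exports the
# Kerberos keytab location before launching a service, and shows which
# variables a child process actually inherits.

# check_keytab FILE: succeed only if FILE is a readable regular file.
check_keytab() {
    [ -f "$1" ] && [ -r "$1" ]
}

# start_with_keytab KEYTAB CMD...: export KRB5_KTNAME (and disable the
# replay cache, as the poster's script does), then run CMD as a child.
# CMD stands in for /usr/sbin/squid; the caller passes whatever it wants run.
start_with_keytab() {
    keytab=$1
    shift
    if ! check_keytab "$keytab"; then
        echo "keytab $keytab is missing or unreadable; not starting" >&2
        return 1
    fi
    KRB5_KTNAME=$keytab; export KRB5_KTNAME
    KRB5RCACHETYPE=none; export KRB5RCACHETYPE
    "$@"
}

# child_keytab KEYTAB: what a child started through the wrapper finds in its
# environment, i.e. the value a helper's gss_acquire_cred() would use.
child_keytab() {
    start_with_keytab "$1" sh -c 'printf "%s" "${KRB5_KTNAME:-unset}"'
}

# unexported_var_in_child: a variable that is assigned but NOT exported is
# invisible to the child, which is why a bare assignment in rc.local or in
# /etc/profile does nothing for a service started from a script.
unexported_var_in_child() {
    DEMO_NOT_EXPORTED=/etc/squid/HTTP.keytab
    sh -c 'printf "%s" "${DEMO_NOT_EXPORTED:-unset}"'
}

# Stand-alone demonstration: a temporary file stands in for the keytab.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    echo "child sees KRB5_KTNAME: $(child_keytab "$tmp")"
    echo "unexported variable in child: $(unexported_var_in_child)"
    child_keytab /nonexistent/HTTP.keytab || echo "refused to start, as intended"
    rm -f "$tmp"
fi
```

Run it as `sh wrapper.sh demo`. In a real init script the last argument to start_with_keytab would be the squid command line from the poster's script; the check happens before the export, so a typo in the keytab path is reported once, at boot, rather than as a stream of BH replies from the helper.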
[squid-users] Authenticate domain user
Hi All,

I use Kerberos authentication for my domain computers and users. All works well except for the following scenario:

If a non-domain PC (i.e. workgroup) is pointed to squid (fqdn) I receive an unsatisfiable login prompt for my squid proxy. After three attempts with domain\username and password, if I then click on the link displayed on the Access Denied squid error (e.g. www.Hotmail.com) I am able to browse the internet. Strange, no?

Cache.log shows for the three fails:

2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2010/06/30 15:03:56| squid_kerb_auth: Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from squid (length: 59).
2010/06/30 15:03:56| squid_kerb_auth: Decode 'TlRMTVNTUAABB4IIogAFASgKDw==' (decoded length: 40).
2010/06/30 15:03:56| squid_kerb_auth: received type 1 NTLM token
2010/06/30 15:03:56| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

And then it shows my token, username etc. as expected when I click on the 'denied' web link.

Any help would be greatly appreciated

N
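The helper's "received type 1 NTLM token" line explains the repeated prompt: a workgroup PC has no Kerberos ticket to present, so the browser puts a raw NTLMSSP negotiate message into the Negotiate header, and squid_kerb_auth, which only handles Kerberos/SPNEGO, answers BH. The decoder below is an added example, not code from the list or from Squid. It takes the base64 token Squid hands the helper after "YR", recognises the NTLMSSP signature and reads the message type, and distinguishes that from a SPNEGO blob (DER application tag 0x60). The 40-byte type 1 message it builds for the demonstration is constructed, with placeholder flag and version bytes, and is not the (garbled) token from the log above.

```shell
#!/bin/sh
# Added example (not from the list): classify the base64 token Squid passes to
# its negotiate helper ("YR <token>") as NTLMSSP, SPNEGO or something else.

# token_hex B64: the decoded token as a lowercase hex string (empty when the
# input is not valid base64).
token_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# classify_negotiate_token B64: prints one of
#   "ntlm type N"  - raw NTLMSSP message (signature "NTLMSSP\0", type in byte 9)
#   "spnego"       - DER application tag 0x60, i.e. a GSS-API/SPNEGO token
#   "unknown"      - anything else, including undecodable input
classify_negotiate_token() {
    hex=$(token_hex "$1")
    case "$hex" in
        4e544c4d53535000*)
            # message type: 32-bit little-endian integer at byte offset 8,
            # so its low byte is hex characters 17-18
            case "$(printf '%s' "$hex" | cut -c17-18)" in
                01) echo "ntlm type 1" ;;
                02) echo "ntlm type 2" ;;
                03) echo "ntlm type 3" ;;
                *)  echo "ntlm type ?" ;;
            esac ;;
        60*) echo "spnego" ;;
        *)   echo "unknown" ;;
    esac
}

# constructed_ntlm_type1: a 40-byte NTLMSSP negotiate message (signature,
# type 1, constructed flags, empty domain and workstation buffers, version
# field), base64-encoded as a browser would send it. Constructed sample data.
constructed_ntlm_type1() {
    {
        printf 'NTLMSSP\000'                        # signature
        printf '\001\000\000\000'                   # message type 1, little-endian
        printf '\007\202\010\242'                   # constructed negotiate flags
        printf '\000\000\000\000\000\000\000\000'   # domain name security buffer
        printf '\000\000\000\000\000\000\000\000'   # workstation security buffer
        printf '\005\001\050\012\000\000\000\017'   # version field
    } | base64 | tr -d '\n'
}

# constructed_spnego_prefix: the opening bytes of a SPNEGO token (0x60 tag,
# a length, and the SPNEGO OID 1.3.6.1.5.5.2); enough to classify, not a
# complete token. Constructed sample data.
constructed_spnego_prefix() {
    printf '\140\202\001\000\006\006\053\006\001\005\005\002' | base64 | tr -d '\n'
}

if [ "${1:-}" = "demo" ]; then
    echo "ntlm   -> $(classify_negotiate_token "$(constructed_ntlm_type1)")"
    echo "spnego -> $(classify_negotiate_token "$(constructed_spnego_prefix)")"
    echo "other  -> $(classify_negotiate_token aGVsbG8=)"
fi
```

Pointed at the token from a cache.log line, the classifier tells you whether a BH from the helper was caused by a client falling back to NTLM (a non-domain machine, or a browser not configured for Kerberos) rather than by a keytab or SPN problem, which is the distinction this thread turns on.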
[squid-users] Re: squid_kerb_ldap - Error while initialising credentials from keytab
Hi Tom

squid_kerb_ldap tries to use the keytab to authenticate squid against AD. The keytab contains basically the password for the user http/fqdn which maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap tries to use host/proxy-test-01.xx...@xx.yy but does not find in AD an entry which has the userprincipalname attribute with that value and therefore can not check group memberships. msktutil has the option --upn which will set the AD attribute accordingly (see also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).

2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database

Regards
Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktilz_wefjeu1bmnpsgvnhahte6rjmr6bja-uu...@mail.gmail.com...

Hi

I'm trying to authenticate our clients with squid_kerb_ldap against our AD. There exists a global group called Internet.
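Markus's diagnosis is that the helper authenticates with the principal it takes from the keytab (host/... here) and needs an AD account whose userPrincipalName matches it. The keytab side of that can be checked offline. The script below is an added example, not code from the thread or from squid_kerb_ldap; its `klist -k` output is constructed with placeholder host and realm, and it assumes, as the log above suggests, that the helper uses the first entry of the keytab. It lists the distinct principals, reports which one comes first, and says whether HTTP/<fqdn>@<REALM> is present at all. It cannot check the AD attribute itself; that is what msktutil --upn sets.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `klist -k` output for the
# principals a Kerberos helper could authenticate with.

# Constructed sample output; host, realm and KVNOs are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.example.test@EXAMPLE.TEST
   4 host/proxy-test-01@EXAMPLE.TEST
   4 proxy-test-01$@EXAMPLE.TEST
   5 host/proxy-test-01.example.test@EXAMPLE.TEST
   5 HTTP/proxy-test-01.example.test@EXAMPLE.TEST
   5 HTTP/proxy-test-01@EXAMPLE.TEST'

# keytab_principals TEXT: distinct principals, one per line, in first-seen
# order. Entry lines are the ones whose first field is a numeric KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# first_keytab_principal TEXT: the entry a helper that reads the keytab
# top-down would pick (assumption: this is what the log above shows).
first_keytab_principal() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2; exit }'
}

# has_principal TEXT PRINCIPAL: succeed if PRINCIPAL appears in the keytab.
has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { exit !found }'
}

# check_http_principal TEXT FQDN REALM: verdict for the service principal a
# Negotiate proxy needs: "ok", "present-but-not-first" or "missing".
check_http_principal() {
    want="HTTP/$2@$3"
    if ! has_principal "$1" "$want"; then
        echo missing
    elif [ "$(first_keytab_principal "$1")" = "$want" ]; then
        echo ok
    else
        echo present-but-not-first
    fi
}

if [ "${1:-}" = "demo" ]; then
    echo "principals in keytab:"
    keytab_principals "$SAMPLE_KLIST"
    echo "first entry: $(first_keytab_principal "$SAMPLE_KLIST")"
    echo "HTTP/proxy-test-01.example.test: $(check_http_principal "$SAMPLE_KLIST" proxy-test-01.example.test EXAMPLE.TEST)"
fi
```

On a real host replace SAMPLE_KLIST with `"$(klist -k)"`. A "present-but-not-first" verdict is the situation in Tom's log: the HTTP/ keys are in the keytab, but the helper picked the host/ entry ahead of them, so fixing the AD side (userPrincipalName) or the keytab ordering is what matters, not generating more keys.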
[squid-users] Re: Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)
Hi,

From your log file I also see that squid_kerb_ldap is crashing. Can you get the latest version 1.2.1a? If you already have that version I would need to debug it to find the reason for the crash in free().

Regards
Markus

GIGO . gi...@msn.com wrote in message news:snt134-w1253f4526c3ce839aec160b9...@phx.gbl...

Hi Markus/Henrik,

Below is the information for your reference. Now even the authentication portion is not working at all for any single client. Tried hard recreating the SPN using different accounts etc. but with no success. Please help.

1. Output of cache.log:

2010/06/30 15:56:34| storeDirWriteCleanLogs: Starting...
2010/06/30 15:56:34|   Finished.  Wrote 0 entries.
2010/06/30 15:56:34|   Took 0.0 seconds ( 0.0 entries/sec).
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1store.log
2010/06/30 15:56:34| logfileRotate: /var/logs/inst1access.log
2010/06/30 15:56:34| logfileRotate (stdio): /var/logs/inst1access.log
2010/06/30 15:56:34| helperStatefulOpenServers: Starting 10 'squid_kerb_auth' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1
2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local
2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL
2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined.
2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR1 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 
2010/06/30 15:56:34| helperOpenServers: Starting 5 'squid_kerb_ldap' processes 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR2 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Group INETGRLHR3 Domain MAILSERVER.v.local 2010/06/30 15:56:34| squid_kerb_ldap: Netbios list NULL 2010/06/30 15:56:34| squid_kerb_ldap: No netbios names defined. 2010/06/30 15:56:34| squid_kerb_ldap: Starting version 1.2.1 2010/06/30 15:56:34| squid_kerb_ldap: Group list inetgrl...@mailserver.v.local 2010/06/30
[squid-users] Re: Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)
Hi Tom,

My msktutil version 0.3.16-7 worked fine on SLES11 (against Windows 2003 R2 Active Directory).

Regards
Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktikv8uvkdz0kyuaf_t2ybgri9ycrol4dmf6mv...@mail.gmail.com...

Hi Markus

I took a new version of msktutil from their git repository (http://repo.or.cz/w/msktutil.git). Now I was able to create a computer account in the AD with the same msktutil command as I used before. According to a statement from the msktutil developer, some bugs were fixed (which solved my problems) in the git version.

Thanks a lot for your help.
Tom

2010/6/30 Markus Moeller hua...@moeller.plus.com:

Hi Tom,

I have a SLES 11 system I can test tomorrow. It looks like an option is not available.

Error: ldap_set_option (option=) failed (Can't contact LDAP server)

Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktimytn03x2zov8afj4_3plnuq9fea0iwwwddh...@mail.gmail.com...

Hi Markus

Here is the output:

-- snip ---
proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server dc1.xx.yy --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-OINkN1
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: proxy-test-01$
 -- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy-test-01.xx.yy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for proxy-test-01$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL/GSSAPI authentication started
SASL username: administra...@xx.yy
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context
-- snap ---

The computer account already exists in the AD (joined with net ads join). ktutil gives me no principals back:

proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
-
ktutil:

Thanks a lot.
Kind regards
Tom

2010/6/29 Markus Moeller hua...@moeller.plus.com:

Can you post the whole output of msktutil with --verbose please. If msktutil fails with TLS on port 389 it will try again without TLS.

Regards
Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktil1fhq5ks3nx8mostkic2qoacz1xpmp6wh6r...@mail.gmail.com...

This works. I'm also able to telnet with tcp 636 (ldaps). I'm just searching for a solution to kerberise squid without the need of winbind/smb.

2010/6/28 Nick Cairncross nick.cairncr...@condenast.co.uk:

They seem ok. Telnet to your dc on 389?

On 28/06/2010 14:40, Tom Tux tomtu...@gmail.com wrote:

Which ldap libraries should be installed? The following devel packages are installed (SLES11 system):
- openldap2-devel
- cyrus-sasl-devel

2010/6/28 Nick Cairncross nick.cairncr...@condenast.co.uk:

Missing ldap libraries maybe?

On 28/06/2010 12:32, Tom Tux tomtu...@gmail.com wrote:

Hi

I'm trying to generate a computer account with msktutil. I got the following error:

...
...
 - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
SASL/GSSAPI authentication started
SASL username: ad...@domain.com
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
 -- ~KRB5Context: Destroying Kerberos Context

I have a valid ticket (klist), initiated with adminu...@domain.com. Does someone have any hints? I see that msktutil tries with TLS (encrypted) on port 389 (ldap) on the domain controller. Can I use native (unencrypted) ldap?

Thanks a lot.
Tom

** Please consider the environment before printing this e-mail **
The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet
Re: [squid-users] Errors with sasl while compiling Squid 3.1.4
On Wed, 30 Jun 2010 19:05:17 +0200, Babelo Gmvsdm hercul...@hotmail.com wrote:

Found. Did not install C++; everything is working well except that in config.log the file ip_tproxy.h is not found. I did not find any package containing this file. If someone can help.

Ignore unless you require version *2* of TPROXY. It's a file created by custom kernel patching for that obsolete version of TPROXY. Current kernels and Squid support version 4.

Amos
RE: [squid-users] Startup/shutdown script which was working perfactly alright for squid 3.0stable25 is not working for squid 2.7 stable9.0
On Wed, 30 Jun 2010 19:19:55 +0000, GIGO . gi...@msn.com wrote:

Hi Amos,

I just found that running it from rc.local works, but is it ok to run it through there in CentOS??

As far as I know. I'm no expert on boot levels or CentOS though.

Amos
Re: [squid-users] Squid 3.1.4 keeps giving Access Denied intermittently
On Wed, 30 Jun 2010 16:32:34 +0000 (UTC), Nitin nitin.netwo...@gmail.com wrote:

Hi,

We have been using Squid for many years now and recently we upgraded from version 2.7 to 3.1. Since upgrading we started getting intermittent Access Denied messages for sites that we can access normally. For example, if we access www.google.com we get the site straight away at times and at other times we get an Access Denied message. Then, if we keep refreshing the page, the site comes up. We had our ISP connection checked by their support staff, who visited our premises and got a Windows laptop connected directly without the proxy, and everything was working excellently. With Squid 2.7 everything worked like a charm. So I am wondering what must be wrong. Any help would be greatly appreciated.

Thanks in advance.
Regards,
Nitin

It's very hard to tell without a lot more info. Config setup, traces or logs for the time when access was denied?

Amos
Re: [squid-users] Re: Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)
Hi Markus

I tried with version 0.4. With this release, I got errors. But as I wrote in one post before, I got a fixed version from git, and with this it works now.

Thank you.
Regards, Tom

2010/6/30 Markus Moeller hua...@moeller.plus.com:

Hi Tom,

My msktutil version 0.3.16-7 worked fine on SLES11 (against Windows 2003 R2 Active Directory).

Regards
Markus
Re: [squid-users] Re: squid_kerb_ldap - Error while initialising credentials from keytab
Hi Markus

Thank you. So, I made my Kerberos configuration from scratch. This means:
- Delete the computer account in AD
- Remove /etc/krb5.keytab
- Check with setspn -L proxy-test-01 that there were no SPNs - OK.

Then I created the account again with the following command:

./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k /etc/krb5.keytab --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server dc1.xx.yy --verbose

The computer account was created successfully. In the msktutil output I can see that the KVNO is set to 2. On the domain controller I can also see that the msDS-KeyVersionNumber is also set to 2. But I'm not able to authenticate. I got the following squid cache error:

2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect'

What's wrong here? I tried with kinit and kinit -R again - no success. How can I fix this problem?

Regards
Tom

2010/6/30 Markus Moeller hua...@moeller.plus.com:

Hi Tom

squid_kerb_ldap tries to use the keytab to authenticate squid against AD. The keytab contains basically the password for the user http/fqdn which maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap tries to use host/proxy-test-01.xx...@xx.yy but does not find in AD an entry which has the userprincipalname attribute with that value and therefore can not check group memberships. msktutil has the option --upn which will set the AD attribute accordingly (see also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).

2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database

Regards
Markus

Tom Tux tomtu...@gmail.com wrote in message news:aanlktilz_wefjeu1bmnpsgvnhahte6rjmr6bja-uu...@mail.gmail.com...

Hi

I'm trying to authenticate our clients with squid_kerb_ldap against our AD. There exists a global group called Internet. My squid.conf looks like this:

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess

My klist -k looks like this:

proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test-01.xx...@xx.yy
   4 host/proxy-test...@xx.yy
   4 host/proxy-test...@xx.yy
   4 host/proxy-test...@xx.yy
   4 proxy-test-...@xx.yy
   4 proxy-test-...@xx.yy
   4 proxy-test-...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test-01.xx...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   4 HTTP/proxy-test...@xx.yy
   5 proxy-test-...@xx.yy
   5 proxy-test-...@xx.yy
   5 proxy-test-...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test-01.xx...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 HTTP/proxy-test...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy
   5 host/proxy-test-01.xx...@xx.yy

Without squid_kerb_ldap, the internet access is working fine. With the helper, I got the following errors in the cache.log:

2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Found gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
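The two failure modes in this thread are a keytab whose HTTP/fqdn principal is missing from AD's userPrincipalName and a keytab whose key version number (KVNO) does not match the account's msDS-KeyVersionNumber, which is exactly what the gss_accept_sec_context() error above reports. As an added example (not part of the thread and not code from squid_kerb_ldap or msktutil), the Python below parses `klist -k` output like the listing above and compares it with the AD value; the listing, the realm XX.YY and the AD value are constructed, and the AD value would in practice be read with ldapsearch.

```python
"""Check a Squid proxy's keytab against the KVNO Active Directory holds.

Constructed example: the keytab listing below is modelled on the one in the
thread, with the realm written out as XX.YY instead of being obfuscated.
"""
import re
from collections import defaultdict

# Constructed sample of `klist -k` output (one line per key/encryption type,
# so the same principal appears several times, here with KVNO 4 and 5).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@XX.YY
   4 host/proxy-test-01.xx.yy@XX.YY
   4 proxy-test-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy@XX.YY
   5 host/proxy-test-01.xx.yy@XX.YY
"""

# A keytab entry line: leading spaces, an integer KVNO, spaces, the principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: sorted list of KVNOs} from `klist -k` output.

    Header and separator lines do not match ENTRY_RE and are skipped; the
    per-encryption-type duplicates collapse into one entry per principal.
    """
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return {p: sorted(v) for p, v in kvnos.items()}


def check_keytab(klist_text, ad_kvno, service_principal):
    """Compare the keytab with AD for one service principal.

    ad_kvno is the msDS-KeyVersionNumber of the computer account (read from
    AD, e.g. with ldapsearch); service_principal is the HTTP/fqdn@REALM
    entry Squid must present. Returns a list of findings; an empty list
    means the keytab carries a key AD will accept.
    """
    findings = []
    keytab = parse_klist(klist_text)
    if service_principal not in keytab:
        findings.append(f"missing: {service_principal} is not in the keytab "
                        f"(check the SPN and the --upn value)")
        return findings
    versions = keytab[service_principal]
    if ad_kvno not in versions:
        findings.append(f"kvno mismatch: keytab has {versions}, AD reports {ad_kvno}")
    stale = [v for v in versions if v < ad_kvno]
    if stale:
        findings.append(f"stale: KVNO {stale} is older than AD's {ad_kvno}; "
                        f"regenerate the keytab rather than appending to it")
    return findings
```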