Re: [squid-users] Linking with *SSL
2016-05-20 17:06 GMT+03:00 Amos Jeffries:
> On 13/05/2016 1:33 a.m., Spil Oss wrote:
>>> Hi!
>>> When we worked on squid port on FreeBSD one of the FreeBSD users
>>> (Bernard Spil) noticed:
>>>
>>> When working on this, I ran into another issue. Perhaps maintainer can
>>> fix that with upstream. I've now added LIBOPENSSL_LIBS="-lcrypto
>>> -lssl" because of configure failing in configure.ac line 1348.
>>> AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"],[AC_MSG_ERROR([library 'ssl' is required for OpenSSL])
>>>
>>> You cannot link against libssl when not linking libcrypto as well
>>> leading to an error with LibreSSL. This check should add -lcrypto in
>>> addition to -lssl to pass.
>>>
>>> Is this something someone could take a look at?
>>
>> Hi All,
>>
>> Sorry for replying out-of-thread.
>>
>> What happens is that the check for SSL_library_init fails as -lcrypto
>> is missing.
>>
>> Output from configure
>>
>>> checking for CRYPTO_new_ex_data in -lcrypto... yes
>>> checking for SSL_library_init in -lssl... no
>>> configure: error: library 'ssl' is required for OpenSSL
>>> ===> Script "configure" failed unexpectedly.
>>
>> What I usually see in autoconf scripts is that temp CFLAGS etc are set
>> before the test for SSL libs and reversed after the test.
>>
>> Adding LIBOPENSSL_LIBS="-lcrypto -lssl" to configure works as well
>>
>> Would be great if you can fix this!
>>
>
> Hi, sorry for the long delay. It's been an interesting month.
>
> It seems we need to now stop relying on LIBS being set correctly by
> autoconf when consecutive AC_CHECK_LIB are done. I'm trying out a fix
> now and which should be in the next releases.
>
> FYI: Squid is increasingly using the pkg-config tool for resolving odd
> library dependencies. If it is available this broken check will never be
> reached.

Hi, Amos, Bernard! I'm not sure if the 14679 patch changed anything.
___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Linking with *SSL
On 20 May 2016 at 18:31, "Amos Jeffries" <squ...@treenet.co.nz> wrote:
>
> On 21/05/2016 2:53 a.m., Pavel Timofeev wrote:
> > On 20 May 2016 at 17:44, "Amos Jeffries" wrote:
> >>
> >> On 21/05/2016 2:28 a.m., Pavel Timofeev wrote:
> >>>
> >>> Hi, Amos!
> >>> Thank you! Should we create a bug report to track it?
> >>>
> >>
> >> No need, I think.
> >
> > I just wanted to look at something and understand that it's done and it's
> > time to test
> >
>
> I've just applied it to trunk as rev.14679. A snapshot tarball should be
> available in a couple of hours. Hopefully I'll have time to get it into
> 3.5 tomorrow. If not then the day after.
>
> Amos

Thanks a lot!
Re: [squid-users] Linking with *SSL
On 20 May 2016 at 17:44, "Amos Jeffries" <squ...@treenet.co.nz> wrote:
>
> On 21/05/2016 2:28 a.m., Pavel Timofeev wrote:
> >
> > Hi, Amos!
> > Thank you! Should we create a bug report to track it?
> >
>
> No need, I think.

I just wanted to look at something and understand that it's done and it's time to test
[squid-users] Linking with *SSL
Hi!
When we worked on squid port on FreeBSD one of the FreeBSD users (Bernard Spil) noticed:

When working on this, I ran into another issue. Perhaps maintainer can fix that with upstream. I've now added LIBOPENSSL_LIBS="-lcrypto -lssl" because of configure failing in configure.ac line 1348.
> AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl
> $LIBOPENSSL_LIBS"],[AC_MSG_ERROR([library 'ssl' is required for OpenSSL])

You cannot link against libssl when not linking libcrypto as well leading to an error with LibreSSL. This check should add -lcrypto in addition to -lssl to pass.

Is this something someone could take a look at?
Re: [squid-users] Fresh Freebsd 10 and squid 2.7.9 Try to set MAKE_JOBS_UNSAFE error
Yes: don't use www/squid.
It's marked as deprecated and will be removed in September.
http://www.freshports.org/www/squid
Use www/squid33 instead, which is 3.3.13 right now.

2014-08-28 17:02 GMT+04:00 Soporte Técnico sopo...@nodoalem.com.ar:
I'm trying to install squid 2.7.9 in a fresh new freebsd 10 amd64 and make install shows this error.
Any idea? (I'm not finding in the net the solution...)

Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
___
Complete error post:

make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
--- errorpage.o ---
mv -f .deps/errorpage.Tpo .deps/errorpage.Po
--- external_acl.o ---
mv -f .deps/external_acl.Tpo .deps/external_acl.Po
--- fqdncache.o ---
mv -f .deps/fqdncache.Tpo .deps/fqdncache.Po
--- forward.o ---
mv -f .deps/forward.Tpo .deps/forward.Po
--- gopher.o ---
mv -f .deps/gopher.Tpo .deps/gopher.Po
--- helper.o ---
mv -f .deps/helper.Tpo .deps/helper.Po
--- ftp.o ---
mv -f .deps/ftp.Tpo .deps/ftp.Po
1 error
make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all-recursive] Error code 1
make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
1 error
make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all] Error code 2
make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
1 error
make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all-recursive] Error code 1
make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
1 error
make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
=== Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/www/squid
*** Error code 1
Stop.
make: stopped in /usr/ports/www/squid
Re: [squid-users] Fresh Freebsd 10 and squid 2.7.9 Try to set MAKE_JOBS_UNSAFE error
Or, wait for squid 3.4.7 in ports. There is a PR for that.

2014-08-28 17:14 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Yes: don't use www/squid.
It's marked as deprecated and will be removed in September.
http://www.freshports.org/www/squid
Use www/squid33 instead, which is 3.3.13 right now.

2014-08-28 17:02 GMT+04:00 Soporte Técnico sopo...@nodoalem.com.ar:
I'm trying to install squid 2.7.9 in a fresh new freebsd 10 amd64 and make install shows this error.
Any idea? (I'm not finding in the net the solution...)

Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
___
Complete error post:

make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
--- errorpage.o ---
mv -f .deps/errorpage.Tpo .deps/errorpage.Po
--- external_acl.o ---
mv -f .deps/external_acl.Tpo .deps/external_acl.Po
--- fqdncache.o ---
mv -f .deps/fqdncache.Tpo .deps/fqdncache.Po
--- forward.o ---
mv -f .deps/forward.Tpo .deps/forward.Po
--- gopher.o ---
mv -f .deps/gopher.Tpo .deps/gopher.Po
--- helper.o ---
mv -f .deps/helper.Tpo .deps/helper.Po
--- ftp.o ---
mv -f .deps/ftp.Tpo .deps/ftp.Po
1 error
make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all-recursive] Error code 1
make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
1 error
make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all] Error code 2
make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
1 error
make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
*** [all-recursive] Error code 1
make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
1 error
make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
=== Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
*** Error code 1
Stop.
make[1]: stopped in /usr/ports/www/squid
*** Error code 1
Stop.
make: stopped in /usr/ports/www/squid
Re: [squid-users] Re: kerberos_ldap_group stopped working with subdomains
Thanks! I think I've noticed a typo in squid 3.4.7

# diff -u helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig helpers/external_acl/kerberos_ldap_group/support_ldap.cc --- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig 2014-08-27 21:37:01.0 +0400 +++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2014-08-27 21:37:15.0 +0400 @@ -811,7 +811,7 @@ #endif } -if (kc (!margs-lurl || !margs-luser | !margs-lpass)) { +if (kc (!margs-lurl || !margs-luser || !margs-lpass)) { /* * If Kerberos fails and no url given exit here */

True?

2014-08-27 18:20 GMT+04:00 Amos Jeffries squ...@treenet.co.nz:
On 26/08/2014 7:44 a.m., Markus Moeller wrote:
Hi Pavel,
Can you remove line 263 from support_krb5.cc and recompile ? It is fixed in the trunk for 3.5. The line is safe_free(principal_name);
Regards
Markus

For the record, this fix is now in 3.4.7.
Amos
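Review bot: on the changed `if` line of the `@@ -811,7 +811,7 @@` hunk in support_ldap.cc, the only difference is `|` becoming `||` between `!margs-luser` and `!margs-lpass`. Both operands are results of `!`, so each is already 0 or 1 and the bitwise form yields the same truth value; the change is worth taking for consistency with the first `||`, but it should not be expected to change what the helper does. The condition as pasted also reads `kc (!margs-lurl ...` and `margs-lurl`, which suggests operator characters were lost in the mail, so please attach the diff as a file so it applies cleanly.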
Re: [squid-users] Re: kerberos_ldap_group stopped working with subdomains
Hi Markus!
I can't because all problems that I described and all of those pieces of logs I provided are from squid 3.4.
Squid 3.3 works good, squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller hua...@moeller.plus.com:
Hi Pavel,
Can you use 3.4 then instead of 3.3 as it seems to have the problem fixed ?
Markus

Pavel Timofeev wrote in message news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...
That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc2.example.org
etc and no problems.

2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Hi! Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group.
My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine.
Here is config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive
external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered with problem that kerberos_ldap_group stopped working with subdomain users like u...@south.example.org while it still works with u...@example.org.
In general it started to complain ERROR: Error during setup of Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:

kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS
[squid-users] kerberos_ldap_group stopped working with subdomains
Hi! Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group.
My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine.
Here is config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive
external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered with problem that kerberos_ldap_group stopped working with subdomain users like u...@south.example.org while it still works with u...@example.org.
In general it started to complain ERROR: Error during setup of Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:

kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example@example.org
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
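Added example, not part of the original posts and not Squid project code: a Python triage of ext_kerberos_ldap_group_acl debug output that splits run-together records like those above, groups them per lookup, and flags lookups where the helper answered ERR after an ERROR record without ever reaching "Initialise ldap connection". The function names and the embedded sample (abridged from the two traces in this thread) are assumptions of this example.

```python
import re

# One helper debug record, in the shape the traces in this thread have:
#   <file>.cc(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <message>
# The lookahead ends a message where the next record starts, so records that
# a mail archive has joined onto one line are still separated.
RECORD = re.compile(
    r"(?P<src>\w+\.cc)\((?P<line>\d+)\): pid=(?P<pid>\d+) "
    r":(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| kerberos_ldap_group: "
    r"(?P<level>INFO|DEBUG|ERROR): "
    r"(?P<msg>.*?)(?=\s+\w+\.cc\(\d+\): pid=\d+ |\s*\Z)",
    re.S,
)
GOT_USER = re.compile(r"Got User: (\S+) Domain: (\S+)")
KEYTAB_REALM = re.compile(r"Keytab entry has realm name: (\S+)")
GOT_PRINCIPAL = re.compile(r"Got principal name (\S+)")


def triage(text):
    """Return one dict per group lookup, in log order."""
    lookups, current = [], {}
    for rec in RECORD.finditer(text):
        pid, level, msg = rec["pid"], rec["level"], rec["msg"].strip()
        m = GOT_USER.search(msg)
        if m:  # "Got User" opens a new lookup for this helper process
            current[pid] = {"pid": pid, "user": m[1], "domain": m[2],
                            "keytab_realms": set(), "principal": None,
                            "ldap_attempted": False, "errors": [],
                            "answer": None}
            lookups.append(current[pid])
            continue
        look = current.get(pid)
        if look is None:
            continue  # record precedes any "Got User" line for this pid
        if (m := KEYTAB_REALM.search(msg)):
            look["keytab_realms"].add(m[1])
        elif (m := GOT_PRINCIPAL.search(msg)):
            look["principal"] = m[1]
        elif msg.startswith("Initialise ldap connection"):
            look["ldap_attempted"] = True
        elif level == "ERROR":
            look["errors"].append(msg)
        elif msg in ("OK", "ERR"):  # final answer handed back to Squid
            look["answer"] = msg
    return lookups


def unverified_denials(lookups):
    """Lookups answered ERR after an error, with LDAP never contacted."""
    return [l for l in lookups
            if l["answer"] == "ERR" and l["errors"] and not l["ldap_attempted"]]


def rec_line(src, pid, ts, level, msg):
    """Format one record the way the traces in this thread show it."""
    return f"{src}: pid={pid} :{ts}| kerberos_ldap_group: {level}: {msg}"


# Sample input: records abridged from the two traces posted in this thread,
# joined with spaces the way the archive shows them.
T_OK, T_BAD = "2014/08/21 14:27:30", "2014/08/21 13:58:53"
SAMPLE = " ".join([
    rec_line("kerberos_ldap_group.cc(372)", 45620, T_OK, "INFO", "Got User: username Domain: EXAMPLE.ORG"),
    rec_line("support_krb5.cc(119)", 45620, T_OK, "DEBUG", "Keytab entry has realm name: EXAMPLE.ORG"),
    rec_line("support_krb5.cc(270)", 45620, T_OK, "DEBUG", "Got principal name HTTP/proxy.example@example.org"),
    rec_line("support_ldap.cc(830)", 45620, T_OK, "DEBUG", "Initialise ldap connection"),
    rec_line("kerberos_ldap_group.cc(372)", 13729, T_BAD, "INFO", "Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG"),
    rec_line("support_krb5.cc(119)", 13729, T_BAD, "DEBUG", "Keytab entry has realm name: EXAMPLE.ORG"),
    rec_line("support_krb5.cc(186)", 13729, T_BAD, "DEBUG", "Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG."),
    rec_line("support_krb5.cc(315)", 13729, T_BAD, "DEBUG", "Got no principal name"),
    rec_line("support_ldap.cc(806)", 13729, T_BAD, "ERROR", "Error during setup of Kerberos credential cache"),
    rec_line("support_member.cc(124)", 13729, T_BAD, "INFO", "User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL"),
    rec_line("kerberos_ldap_group.cc(407)", 13729, T_BAD, "DEBUG", "ERR"),
])

if __name__ == "__main__":
    for look in unverified_denials(triage(SAMPLE)):
        print(f"pid {look['pid']}: {look['user']}@{look['domain']} answered ERR "
              f"without an LDAP query; keytab realms {sorted(look['keytab_realms'])}; "
              f"errors {look['errors']}")
```

Each flagged lookup is a "not member" answer the helper gave without consulting LDAP, which matters when the group is used to deny access, as the DenyInternet name in this thread suggests.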
[squid-users] Re: kerberos_ldap_group stopped working with subdomains
Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Hi! Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group.
My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine.
Here is config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive
external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered with problem that kerberos_ldap_group stopped working with subdomain users like u...@south.example.org while it still works with u...@example.org.
In general it started to complain ERROR: Error during setup of Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:

kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example@example.org
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
[squid-users] Re: kerberos_ldap_group stopped working with subdomains
That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc2.example.org
etc and no problems.

2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:
Hi! Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group.
My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine.
Here is config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive
external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered with problem that kerberos_ldap_group stopped working with subdomain users like u...@south.example.org while it still works with u...@example.org.
In general it started to complain ERROR: Error during setup of Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:

kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local