Re: [squid-users] Linking with *SSL

2016-07-11 Thread Pavel Timofeev
2016-05-20 17:06 GMT+03:00 Amos Jeffries :
> On 13/05/2016 1:33 a.m., Spil Oss wrote:
>>> Hi!
>>> When we worked on the squid port on FreeBSD, one of the FreeBSD users
>>> (Bernard Spil) noticed:
>>>
>>> When working on this, I ran into another issue. Perhaps maintainer can
>>> fix that with upstream. I've now added LIBOPENSSL_LIBS="-lcrypto
>>> -lssl" because of configure failing in configure.ac line 1348.
>>>
>>>> AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl
>>>> $LIBOPENSSL_LIBS"],[AC_MSG_ERROR([library 'ssl' is required for OpenSSL])
>>>
>>> You cannot link against libssl when not linking libcrypto as well
>>> leading to an error with LibreSSL. This check should add -lcrypto in
>>> addition to -lssl to pass.
>>>
>>> Is this something someone could take a look at?
>>
>> Hi All,
>>
>> Sorry for replying out-of-thread.
>>
>> What happens is that the check for SSL_library_init fails as -lcrypto
>> is missing.
>>
>> Output from configure
>>
>>> checking for CRYPTO_new_ex_data in -lcrypto... yes
>>> checking for SSL_library_init in -lssl... no
>>> configure: error: library 'ssl' is required for OpenSSL
>>> ===>  Script "configure" failed unexpectedly.
>>
>> What I usually see in autoconf scripts is that temp CFLAGS etc are set
>> before the test for SSL libs and reversed after the test.
>>
>> Adding LIBOPENSSL_LIBS="-lcrypto -lssl" to configure works as well
>>
>> Would be great if you can fix this!
>>
>
> Hi, sorry for the long delay. It's been an interesting month.
>
> It seems we need to now stop relying on LIBS being set correctly by
> autoconf when consecutive AC_CHECK_LIB are done. I'm trying out a fix
> now which should be in the next releases.
>
> FYI: Squid is increasingly using the pkg-config tool for resolving odd
> library dependencies. If it is available this broken check will never be
> reached.


Hi, Amos, Bernard!
I'm not sure if the 14679 patch changed anything.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
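The mechanism behind the failure Bernard and Amos describe, written out as an added configure.ac fragment (illustrative only; this is not Squid's own configure.ac nor the rev.14679 change): when AC_CHECK_LIB is given an explicit action-if-found, autoconf does not prepend -l<lib> to LIBS, so the libssl probe that follows the libcrypto probe links against libssl alone and fails. The fix is to hand the libraries found so far to the probe through the macro's fifth argument; the pkg-config branch assumes libssl.pc and libcrypto.pc are installed (both OpenSSL and LibreSSL ship them).

```m4
dnl Added example, not Squid's configure.ac: resolve libssl/libcrypto
dnl without relying on AC_CHECK_LIB having updated LIBS between checks.
dnl With an explicit action-if-found, AC_CHECK_LIB leaves LIBS untouched,
dnl so a later probe of libssl would not see -lcrypto on its link line
dnl and would report "checking for SSL_library_init in -lssl... no".

LIBOPENSSL_LIBS=""

dnl Preferred path: let pkg-config supply the complete link line.
dnl PKG_CHECK_MODULES (from pkg.m4) runs its 4th argument when the
dnl .pc files are missing, so the raw library probes act as a fallback.
PKG_CHECK_MODULES([OPENSSL],[libssl libcrypto],
  [LIBOPENSSL_LIBS="$OPENSSL_LIBS"],
  [
    dnl Fallback: probe libcrypto first and record it ourselves.
    AC_CHECK_LIB(crypto,[CRYPTO_new_ex_data],
      [LIBOPENSSL_LIBS="-lcrypto $LIBOPENSSL_LIBS"],
      [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])

    dnl Then probe libssl. The 5th ("other-libraries") argument adds the
    dnl libraries found so far to the test link, so libssl's unresolved
    dnl references into libcrypto are satisfied. Prepending -lssl keeps
    dnl the final order -lssl -lcrypto, which static linkers require.
    AC_CHECK_LIB(ssl,[SSL_library_init],
      [LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"],
      [AC_MSG_ERROR([library 'ssl' is required for OpenSSL])],
      [$LIBOPENSSL_LIBS])
  ])

AC_SUBST([LIBOPENSSL_LIBS])
```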


Re: [squid-users] Linking with *SSL

2016-05-20 Thread Pavel Timofeev
On 20 May 2016 at 18:31, "Amos Jeffries" <squ...@treenet.co.nz>
wrote:
>
> On 21/05/2016 2:53 a.m., Pavel Timofeev wrote:
> > On 20 May 2016 at 17:44, "Amos Jeffries" wrote:
> >>
> >> On 21/05/2016 2:28 a.m., Pavel Timofeev wrote:
> >>>
> >>> Hi, Amos!
> >>> Thank you! Should we create a bug report to track it?
> >>>
> >>
> >> No need, I think.
> >
> > I just wanted to look at something and understand that it's done and it's
> > time to test
> >
>
> I've just applied it to trunk as rev.14679. A snapshot tarball should be
> available in a couple of hours. Hopefully I'll have time to get it into
> 3.5 tomorrow. If not then the day after.
>
> Amos

Thanks a lot!


Re: [squid-users] Linking with *SSL

2016-05-20 Thread Pavel Timofeev
On 20 May 2016 at 17:44, "Amos Jeffries" <squ...@treenet.co.nz>
wrote:
>
> On 21/05/2016 2:28 a.m., Pavel Timofeev wrote:
> >
> > Hi, Amos!
> > Thank you! Should we create a bug report to track it?
> >
>
> No need, I think.

I just wanted to look at something and understand that it's done and it's
time to test


[squid-users] Linking with *SSL

2016-05-10 Thread Pavel Timofeev
Hi!
When we worked on the squid port on FreeBSD, one of the FreeBSD users
(Bernard Spil) noticed:



When working on this, I ran into another issue. Perhaps maintainer can
fix that with upstream. I've now added LIBOPENSSL_LIBS="-lcrypto
-lssl" because of configure failing in configure.ac line 1348.

> AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl 
> $LIBOPENSSL_LIBS"],[AC_MSG_ERROR([library 'ssl' is required for OpenSSL])

You cannot link against libssl when not linking libcrypto as well
leading to an error with LibreSSL. This check should add -lcrypto in
addition to -lssl to pass.



Is this something someone could take a look at?


Re: [squid-users] Fresh Freebsd 10 and squid 2.7.9 Try to set MAKE_JOBS_UNSAFE error

2014-08-28 Thread Pavel Timofeev
Yes: don't use www/squid. It's marked as deprecated and will be
removed in September.
http://www.freshports.org/www/squid

Use www/squid33 instead, which is 3.3.13 right now.

2014-08-28 17:02 GMT+04:00 Soporte Técnico sopo...@nodoalem.com.ar:
 I'm trying to install squid 2.7.9 on a fresh new FreeBSD 10 amd64 and make
 install shows this error.

 Any idea?

 (I'm not finding the solution on the net...)

 Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
 the maintainer.



 ___

 Complete error post:

 make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 --- errorpage.o ---
 mv -f .deps/errorpage.Tpo .deps/errorpage.Po
 --- external_acl.o ---
 mv -f .deps/external_acl.Tpo .deps/external_acl.Po
 --- fqdncache.o ---
 mv -f .deps/fqdncache.Tpo .deps/fqdncache.Po
 --- forward.o ---
 mv -f .deps/forward.Tpo .deps/forward.Po
 --- gopher.o ---
 mv -f .deps/gopher.Tpo .deps/gopher.Po
 --- helper.o ---
 mv -f .deps/helper.Tpo .deps/helper.Po
 --- ftp.o ---
 mv -f .deps/ftp.Tpo .deps/ftp.Po
 1 error

 make[5]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 *** [all-recursive] Error code 1

 make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 1 error

 make[4]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 *** [all] Error code 2

 make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 1 error

 make[3]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9/src
 *** [all-recursive] Error code 1

 make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
 1 error

 make[2]: stopped in /usr/ports/www/squid/work/squid-2.7.STABLE9
 === Compilation failed unexpectedly.
 Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
 the maintainer.
 *** Error code 1

 Stop.
 make[1]: stopped in /usr/ports/www/squid
 *** Error code 1

 Stop.
 make: stopped in /usr/ports/www/squid






Re: [squid-users] Fresh Freebsd 10 and squid 2.7.9 Try to set MAKE_JOBS_UNSAFE error

2014-08-28 Thread Pavel Timofeev
Or, wait for squid 3.4.7 in ports. There is a PR for that.

2014-08-28 17:14 GMT+04:00 Pavel Timofeev tim...@gmail.com:
 Yes: don't use www/squid. It's marked as deprecated and will be
 removed in September.
 http://www.freshports.org/www/squid

 Use www/squid33 instead, which is 3.3.13 right now.

 2014-08-28 17:02 GMT+04:00 Soporte Técnico sopo...@nodoalem.com.ar:
 I'm trying to install squid 2.7.9 on a fresh new FreeBSD 10 amd64 and make
 install shows this error.

 Any idea?

 (I'm not finding the solution on the net...)

 Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
 the maintainer.





Re: [squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-27 Thread Pavel Timofeev
Thanks!

I think I've noticed a typo in squid 3.4.7

# diff -u helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
helpers/external_acl/kerberos_ldap_group/support_ldap.cc
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
 2014-08-27 21:37:01.0 +0400
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
2014-08-27 21:37:15.0 +0400
@@ -811,7 +811,7 @@
 #endif
 }

-if (kc  (!margs-lurl || !margs-luser | !margs-lpass)) {
+if (kc  (!margs-lurl || !margs-luser || !margs-lpass)) {
 /*
  * If Kerberos fails and no url given exit here
  */
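Review bot: the `|` to `||` change on the `+` line is correct in intent: both operands are already negated to booleans, so the single `|` happens to yield the same truth value, but it is a bitwise operator that always evaluates both sides and reads as a typo inside an otherwise logical condition; one condition should use `||` throughout. Note also that the archive rendering has dropped characters from both hunk lines (`kc  (` and `margs-lurl` were presumably `kc && (` and `margs->lurl`), so re-read the hunk against the actual support_ldap.cc source before applying it by hand.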

True?

2014-08-27 18:20 GMT+04:00 Amos Jeffries squ...@treenet.co.nz:

 On 26/08/2014 7:44 a.m., Markus Moeller wrote:
 Hi Pavel,

 Can you remove line 263 from support_krb5.cc and recompile ?  It is
 fixed in the trunk for 3.5.

 The line is safe_free(principal_name);

 Regards Markus


 For the record, this fix is now in 3.4.7.

 Amos



Re: [squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-25 Thread Pavel Timofeev
Hi Markus!
I can't, because all the problems I described and all the pieces of
log I provided are from squid 3.4.
Squid 3.3 works well, squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller hua...@moeller.plus.com:
 Hi Pavel,

   Can you use 3.4 then instead of 3.3 as it seems to have the problem fixed?

 Markus

 Pavel Timofeev  wrote in message
 news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...


 That's how squid's 3.4.6 helper works with usern...@example.org


 etc and no problems.





 2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:

 Group name in config is OCS-DenyInternet-G of course.


[squid-users] kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
Hi!
Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year.
I have AD and kerberos authentication. Squid checks DenyInternet
group membership through kerberos_ldap_group. My domain example.org
has subdomains like south.example.org, west.example.org, etc. All
users use proxy.example.org.
Everything works fine. Here is config:

auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -s
HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive

external_acl_type no_inet_users ttl=3600 negative_ttl=3600
children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered a problem: kerberos_ldap_group stopped working
with subdomain users like u...@south.example.org while it still works
with u...@example.org.
In general it started to complain ERROR: Error during setup of
Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:


kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Default group loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Set credential cache to
MEMORY:squid_ldap_13729
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Did not find a principal in keytab for
domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Keytab entry has principal:
HTTP/proxy.example@example.org
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Found trusted principal name:
HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: ERROR: Error during setup of Kerberos credential
cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: INFO: User ptimofeev is not member of
group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: ERR


[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
Group name in config is OCS-DenyInternet-G of course.



[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default group loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Set credential cache to
MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc2.example.org

etc and no problems.




