[squid-users] Re: Squid authenticate via squid_kerb_ldap

Tue, 04 Oct 2011 14:56:49 -0700 

Hi Ricardo,
Can you add a -d option for debug out put to squid_kerb_ldap ? It should help to pin point the problem. squid_kerb_ldap uses the kerberos keytab entry to authenticate to Active directory which fails. Can you also capture with tcpdump the kerberos traffic on port 88 and ldap on port 389. 

Markus



"Ricardo Barbosa" <[email protected]> wrote in message 
news:[email protected]...

Hi all,


I'm riding squid authenticating via kerberos helper squid_kerb_auth works 
perfectly but not squid_kerb_ldap. Initially collect messages in the logs of 
the SASL support and as well the history list.


http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html


But the squid_kerb_ldap recompiled with support for SASL and the message 
changed.



==> /var/log/squid/access.log <==

1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET 
http://www.google.com.br/ - NONE/- text/html

1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET
http://www.google.com.br/ [email protected] NONE/- text/html

==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR
YIIFmgYGKwYBBQUCoIIFjjCCBYqgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBWAEggVcYIIFWAYJKoZIhvcSAQICAQBuggVHMIIFQ6ADAgEFoQMCAQ6iBwMFACAAAACjggQ+YYIEOjCCBDagAwIBBaEQGw5MTVZJRFJPUy5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF2ZpcmV3YWxsLmxtdmlkcm9zLmxvY2Fso4ID7zCCA+ugAwIBF6EDAgEDooID3QSCA9k4YTrWFqDYgDafBFV3i+4wautEM5eF4SzW1YbJTkymx5HXyCY5QS0dE7Ze7HpQ1K1T6sGOevwQu6whLKJATjsSgk5wVInA2xg13XqF8quGZ8VKzdpiY/Avuuw0YNntBO5bLwaLQcIv/h0/VpjlCKuMBArCsePv1wbPPFW84gmFUDv/mmH1dvDdgYmP4uzQGCbIdG9xWHyRIg+KMszGme5p8RUtX9LNccStkp22RFIapXLIV0/OH0LhfZP3HMtgvNEPJZMMw8ITCsYJSw/MowTaaAPZWr4c7GcndBloEEskuxURpZaI4UenfUf6jUdpzdhA+pBtUk4saNUQeNghyrVJw79o1D9y27UI4bEee4/XYCCK1qFu0y2kpvdFeAhHDYbQ8av3MfX2Q988RrFhTPDNyUzynC4v4aQ7JdUvMf/RtsQ5uZb2yVMCyh0dPzP0TGosmSIQf5g9wgxN/oXf3l8S1sBD/BGBhs+iJcWaemKQkii4aUuxpMMhTBftQE0qTnnR8F0II/EJJWFC/n9AHp/H2ufxWbgWGk2METW3zsCeMS1COGiHXrgmTvxD0IZEVxg+QASw/9wr0vHMmaq3AZdrXgi/D0thiZQvsRiJX7VoIy7X2iG2k/sfHqjrIWcGdTWE3tQhkU6LfcI5uMGGQrzvs+i4nXCaQfBO7orvaET
nD9OgdPdVqnJY7L1tkytnnwwG3NHACb3pHIIhfApEo1nLbcgtXR7hly2OH1TlMt/UHiWn0it99cTGttFPdigURZxTE3/QIRR+tzITd5QRKyI+9D0fOTVVU1WvreC1LvKTdsx0ch3zeUsiKiFkXQdGVSWNxdtbqzvJMxNhOFZUKVaujk6N3I3bCu4xiPUIX1jhLqagHBCH1bDvGH5x+bOp0bC3Lx/OLalepvo4iGBaGwL+zfd8LhtoPl3nyGx6r7F3D/LKJfSnl1prbeC0Ojopw2tFncunRmG9HxqVHHsnstrGGxB87MErgbUjwZvD3X5MJEiux+WuJUfs8/zLy+G7mjcnhz1AG4eFhV4ZHkQomvBmWSM8qMMCfj4GHxfvrenxcsH3rH7vogZttlx3FOIxaOlmda8rBXrEflq8Y+cFCLI8SNUHyRheR/lk3GDnNa3w29xgb9OgcfOWeuAT8yOyQx15iToQKsYlvDiUat6gOFIy+YOfusG87xGGrPsdS3WslgSC1O2HTPLQSOi+4tcPxvkCeuebB0tnNUJvX9aFbBmEL8bnos6zC9LwQ3dOjs6mXMg0qI3eqwMBK7+3CRcPOF5PSjN7n41TMxDISRPlAKfpGKl41YTbRuzepIHrMIHooAMCAReigeAEgd0mz28nEIjaYLg3I8EDbx027m0cI18PdsvZZlYkHazwIkp5S96YxpBEgXkIxULkv3RVa+LVNbYM6wGCClwAaql3NkhFTzyDvs8JcsuqBRl3pbPoRWA1EnAz66xMroPpfWwIMi0saH5+IJpdkZ+2nVW5CsKoyw+cblN0X42zLf68mpBxmM7JQhhksDfvPqKQy3A5T33LtnWz7xzEXpxrKHW3ivPlIrQr5uC4iQSDT4W7bMRun+mtipVdmdOLHp6W9VpIf/5od03KKRUUMu1xTh8rHw82nPc+kSFYVSVaYQ=='
from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
[email protected]


2011/10/03 18:22:44| squid_kerb_auth: AF 
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg== 
[email protected]
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain: 
DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: 
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: 
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: 
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server 
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of 
group@domain G_Internet_RH@NULL



Anyone have any idea where I am wrong.
























					Reply via email to