Hi Ricardo,
That looks basically all correct. Can you capture the traffic on port 88
( Kerberos ) with wireshark ? At this point
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server
srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
you should see a Kerberos authentication request (AS-REQ ) for
HTTP/Firewall.domain.local followed by a successful reply (AS-REP). After
that you should see a TGS-REQ for ldap/server srvarq.domain.local with a
successful reply.
I think one of these requests is failing. Could you let me know the error
message ?
If it does not fail can you capture the traffic on port 389 ? It should
show a SASL/GSSAPI authentication of the ldap connection. Could you let me
know if that succeeded ?
Markus
"spiderslack" <[email protected]> wrote in message
news:[email protected]...
Hi Markus.
I setting the flag -d the follow output
root@Firewall:~/squid_kerb_ldap# ./squid_kerb_ldap -d -g
[email protected]
2011/10/04 20:52:43| squid_kerb_ldap: Starting version 1.2.2
2011/10/04 20:52:43| squid_kerb_ldap: Group list [email protected]
2011/10/04 20:52:43| squid_kerb_ldap: Group G_Internet_RH Domain
DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Netbios list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No netbios names defined.
2011/10/04 20:52:43| squid_kerb_ldap: ldap server list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No ldap servers defined.
[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: User domain loop: group@domain
[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Found group@domain
[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Setup Kerberos credential cache
2011/10/04 20:52:53| squid_kerb_ldap: Get default keytab file name
2011/10/04 20:52:53| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Keytab entry has realm name:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name:
HTTP/[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_15365
2011/10/04 20:52:53| squid_kerb_ldap: Got principal name
HTTP/[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Initialise ldap connection
2011/10/04 20:52:53| squid_kerb_ldap: Canonicalise ldap server name for
domain DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvdc.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvarq.lmvidros.loca
l
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 1 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 2 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 3 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 4 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 5 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 6 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Adding DOMAIN.LOCAL to list
2011/10/04 20:52:53| squid_kerb_ldap: Sorted ldap server names for
domain DOMAIN.LOCAL:
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvarq.domain.local Port:
389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvdc.domain.local Port: 389
Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: DOMAIN.LOCAL Port: -1
Priority: -2 Weight: -2
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server DOMAIN.LOCAL:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member
of group@domain [email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Default domain loop: group@domain
[email protected]
2011/10/04 20:52:53| squid_kerb_ldap: Default group loop: group@domain
[email protected]
ERR
2011/10/04 20:52:53| squid_kerb_ldap: ERR
I trying settings the sasl. I installed libsasl-dev and recompile
squid_kerb_ldap. I setting the file /etc/default/saslauthd and
/etc/saslauthd.conf
root@Firewall:~/squid_kerb_ldap# cat /etc/default/saslauthd | egrep -v
-r '(^#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-d -c -m /var/run/saslauthd"
root@Firewall:~/squid_kerb_ldap#
root@Firewall:~/squid_kerb_ldap# cat /etc/saslauthd.conf
ldap_servers: ldap://192.168.0.8/
ldap_search_base: DC=domain,DC=local
ldap_base_dn: DC=domain,DC=local
ldap_auth_method: bind
ldap_bind_dn: CN=Ricardo,OU=NOC,DC=domain,DC=local
ldap_bind_pw: 123456
ldap_filter: (sAMAccountName=%u)
ldap_use_sasl: no
root@Firewall:~/squid_kerb_ldap#
Via testsaslauthd the authentication work with username and password of
Active Directory
root@Firewall:~/squid_kerb_ldap# testsaslauthd -u ricardo.dias -p 123456
0: OK "Success."
root@Firewall:~/squid_kerb_ldap#
Any Idea
Regards
On 10/04/2011 05:56 PM, Markus Moeller wrote:
Hi Ricardo,
Can you add a -d option for debug out put to squid_kerb_ldap ? It should
help to pin point the problem. squid_kerb_ldap uses the kerberos keytab
entry to authenticate to Active directory which fails. Can you also
capture with tcpdump the kerberos traffic on port 88 and ldap on port
389.
Markus
"Ricardo Barbosa" <[email protected]> wrote in message
news:[email protected]...
Hi all,
I'm riding squid authenticating via kerberos helper squid_kerb_auth works
perfectly but not squid_kerb_ldap. Initially collect messages in the logs
of the SASL support and as well the history list.
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html
But the squid_kerb_ldap recompiled with support for SASL and the message
changed.
==> /var/log/squid/access.log <==
1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET
http://www.google.com.br/ - NONE/- text/html
1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET
http://www.google.com.br/ [email protected] NONE/- text/html
==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR
YIIFmgYGKwYBBQUCoIIFjjCCBYqgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBWAEggVcYIIFWAYJKoZIhvcSAQICAQBuggVHMIIFQ6ADAgEFoQMCAQ6iBwMFACAAAACjggQ+YYIEOjCCBDagAwIBBaEQGw5MTVZJRFJPUy5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF2ZpcmV3YWxsLmxtdmlkcm9zLmxvY2Fso4ID7zCCA+ugAwIBF6EDAgEDooID3QSCA9k4YTrWFqDYgDafBFV3i+4wautEM5eF4SzW1YbJTkymx5HXyCY5QS0dE7Ze7HpQ1K1T6sGOevwQu6whLKJATjsSgk5wVInA2xg13XqF8quGZ8VKzdpiY/Avuuw0YNntBO5bLwaLQcIv/h0/VpjlCKuMBArCsePv1wbPPFW84gmFUDv/mmH1dvDdgYmP4uzQGCbIdG9xWHyRIg+KMszGme5p8RUtX9LNccStkp22RFIapXLIV0/OH0LhfZP3HMtgvNEPJZMMw8ITCsYJSw/MowTaaAPZWr4c7GcndBloEEskuxURpZaI4UenfUf6jUdpzdhA+pBtUk4saNUQeNghyrVJw79o1D9y27UI4bEee4/XYCCK1qFu0y2kpvdFeAhHDYbQ8av3MfX2Q988RrFhTPDNyUzynC4v4aQ7JdUvMf/RtsQ5uZb2yVMCyh0dPzP0TGosmSIQf5g9wgxN/oXf3l8S1sBD/BGBhs+iJcWaemKQkii4aUuxpMMhTBftQE0qTnnR8F0II/EJJWFC/n9AHp/H2ufxWbgWGk2METW3zsCeMS1COGiHXrgmTvxD0IZEVxg+QASw/9wr0vHMmaq3AZdrXgi/D0thiZQvsRiJX7VoIy7X2iG2k/sfHqjrIWcGdTWE3tQhkU6LfcI5uMGGQrzvs+i4nXCaQfBO7orvaET
nD9OgdPdVqnJY7L1tkytnnwwG3NHACb3pHIIhfApEo1nLbcgtXR7hly2OH1TlMt/UHiWn0it99cTGttFPdigURZxTE3/QIRR+tzITd5QRKyI+9D0fOTVVU1WvreC1LvKTdsx0ch3zeUsiKiFkXQdGVSWNxdtbqzvJMxNhOFZUKVaujk6N3I3bCu4xiPUIX1jhLqagHBCH1bDvGH5x+bOp0bC3Lx/OLalepvo4iGBaGwL+zfd8LhtoPl3nyGx6r7F3D/LKJfSnl1prbeC0Ojopw2tFncunRmG9HxqVHHsnstrGGxB87MErgbUjwZvD3X5MJEiux+WuJUfs8/zLy+G7mjcnhz1AG4eFhV4ZHkQomvBmWSM8qMMCfj4GHxfvrenxcsH3rH7vogZttlx3FOIxaOlmda8rBXrEflq8Y+cFCLI8SNUHyRheR/lk3GDnNa3w29xgb9OgcfOWeuAT8yOyQx15iToQKsYlvDiUat6gOFIy+YOfusG87xGGrPsdS3WslgSC1O2HTPLQSOi+4tcPxvkCeuebB0tnNUJvX9aFbBmEL8bnos6zC9LwQ3dOjs6mXMg0qI3eqwMBK7+3CRcPOF5PSjN7n41TMxDISRPlAKfpGKl41YTbRuzepIHrMIHooAMCAReigeAEgd0mz28nEIjaYLg3I8EDbx027m0cI18PdsvZZlYkHazwIkp5S96YxpBEgXkIxULkv3RVa+LVNbYM6wGCClwAaql3NkhFTzyDvs8JcsuqBRl3pbPoRWA1EnAz66xMroPpfWwIMi0saH5+IJpdkZ+2nVW5CsKoyw+cblN0X42zLf68mpBxmM7JQhhksDfvPqKQy3A5T33LtnWz7xzEXpxrKHW3ivPlIrQr5uC4iQSDT4W7bMRun+mtipVdmdOLHp6W9VpIf/5od03KKRUUMu1xTh8rHw82nPc+kSFYVSVaYQ=='
from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
[email protected]
2011/10/03 18:22:44| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg==
[email protected]
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain:
DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of
group@domain G_Internet_RH@NULL
Anyone have any idea where I am wrong.
