Re: Re: Squid_ldap_kerb make

Nick,

The problem here is how the keytab entry was created. To authenticate against AD the userPrincipalName attribute must be set to the same as the principal you want to authenticate. For a user it uses the username, e.g. user1@DOMAIN will have a userPrincipalName of user1@DOMAIN. squid_kerb_ldap uses the keytab entry (in your case host/rhnet5.[OMITTED]@[OMITTED]) but does not find an AD entry with a userPrincipalName attribute set to host/rhnet5.[OMITTED]@[OMITTED]. You could set it manually, use msktutil to create another AD entry, or use a user account (e.g. with ktutil from MIT Kerberos), like:

ktutil: addent -password -p user@domain -k 1 -e rc4-hmac
Password for user@domain:
ktutil: wkt user.keytab
ktutil: exit

Markus
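The check Markus describes above, as an added example that is not part of this thread and not squid_kerb_ldap's own code: a small POSIX shell script that takes a `klist -k` listing and separates the service principals (names containing a '/', such as HTTP/host@REALM, which are servicePrincipalName values on the computer object and cannot obtain a TGT) from the account principals (no '/', such as RHNET5$@REALM or user@REALM, which the KDC will answer an AS-REQ for). It assumes MIT `klist` output, where each entry line starts with the KVNO and ends with the principal (this holds for both `klist -k` and `klist -kt`; Heimdal's listing differs). The sample listing, the realm EXAMPLE.COM and the host name are constructed placeholders shaped like the listing in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the squid_kerb_ldap project.
#
# Background: squid_kerb_ldap reads a principal out of the keytab and asks
# the KDC for a TGT *as that principal* (krb5_get_init_creds_keytab, i.e. an
# AS-REQ). AD answers an AS-REQ only for an account (user or computer
# object). A name like host/rhnet5.example.com is a servicePrincipalName on
# the computer object, not an account, so the KDC replies
# "Client not found in Kerberos database". Only the account entries in the
# keytab (no '/' in the name) can be used with `kinit -kt`.

# Print the principals of an MIT `klist -k` / `klist -kt` listing (stdin),
# one per line, deduplicated. Entry lines start with a numeric KVNO and end
# with the principal; the "Keytab name:" and header lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Account principals: candidates for `kinit -kt <keytab> <principal>`.
keytab_client_candidates() {
    keytab_principals | grep -v '/' || true
}

# Service principals: usable as acceptor names (what the HTTP/... entry is
# for), but they cannot obtain a TGT.
keytab_service_principals() {
    keytab_principals | grep '/' || true
}

# Read a listing on stdin, explain every entry, and fail (return 1) when the
# keytab holds no account principal at all.
diagnose_keytab() {
    listing=$(cat)
    printf '%s\n' "$listing" | keytab_service_principals | while read -r p; do
        printf 'SPN (acceptor only, cannot kinit): %s\n' "$p"
    done
    cands=$(printf '%s\n' "$listing" | keytab_client_candidates)
    if [ -z "$cands" ]; then
        printf 'no account principal in keytab: add one (ktutil/msktutil)\n'
        return 1
    fi
    printf '%s\n' "$cands" | while read -r p; do
        printf 'account principal (can kinit -kt): %s\n' "$p"
    done
}

# Constructed sample listing (placeholder realm and host), same shape as the
# `klist -k` output quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/rhnet5.example.com@EXAMPLE.COM
   5 host/rhnet5@EXAMPLE.COM
   5 RHNET5$@EXAMPLE.COM
   5 HTTP/rhnet5.example.com@EXAMPLE.COM
   5 HTTP/rhnet5@EXAMPLE.COM'

# Usage on the sample:   printf '%s\n' "$SAMPLE_KLIST" | diagnose_keytab
# Usage on a real file:  klist -k /etc/squid/HTTP.keytab | diagnose_keytab
```

On a live host, confirm the candidate the script names by running `kinit -kt /etc/squid/HTTP.keytab 'RHNET5$'` (or the user principal you added with ktutil) and then `klist`; a TGT in the cache proves the KDC knows that principal as a client, whereas the same command with an HTTP/ or host/ entry reproduces the "Client not found" error from the cache.log. Two caveats a practitioner will want: a keytab that contains an account's long-term key is a credential, so keep it readable only by the user squid runs the helper as (mode 0600), and where the domain supports it prefer an AES enctype over rc4-hmac when creating the entry.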

"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message news:C7B57C01.1BD68%Nick.Cairncross@xxxxxxxxxxxxxxxxxx
Markus,

Thanks for the extra info - I was indeed missing the cyrus dependency. Installing it and compiling has given me squid_kerb_ldap.

However, my cache.log is now indicating a problem with a principal with Kerberos.

2010/03/04 14:53:33| squid_kerb_ldap: Got User: NCairncross Domain: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: User domain loop: group@domain NetillaPDU@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Found group@domain SquidGroup@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Setup Kerberos credential cache
2010/03/04 14:53:33| squid_kerb_ldap: Get default keytab file name
2010/03/04 14:53:33| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Keytab entry has realm name: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Found principal name: host/rhnet5.[OMITTED]@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_16609
2010/03/04 14:53:33| squid_kerb_ldap: Got principal name host/rhnet5.[OMITTED]@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/03/04 14:53:33| squid_kerb_ldap: Error during setup of Kerberos credential cache
2010/03/04 14:53:33| squid_kerb_ldap: User NCairncross is not member of group@domain SquidGroup@[OMITTED] <-- which I am..
2010/03/04 14:53:33| squid_kerb_ldap: Default domain loop: group@domain SquidGroup@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Default group loop: group@domain SquidGroup@[OMITTED]

Kadmin reveals the same error:
Authenticating as principal root/admin@[OMITTED] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

(The same is true after a kinit [my username])

The details of my klist -k are:
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  5 host/rhnet5.[OMITTED]@[OMITTED]
  5 host/rhnet5.[OMITTED]@[OMITTED]
  5 host/rhnet5.[OMITTED]@[OMITTED]
  5 host/rhnet5@[OMITTED]
  5 host/rhnet5@[OMITTED]
  5 host/rhnet5@[OMITTED]
  5 RHNET5$@[OMITTED]
  5 RHNET5$@[OMITTED]
  5 RHNET5$@[OMITTED]
  5 HTTP/rhnet5.[OMITTED]@[OMITTED]
  5 HTTP/rhnet5.[OMITTED]@[OMITTED]
  5 HTTP/rhnet5.[OMITTED]@[OMITTED]
  5 HTTP/rhnet5@[OMITTED]
  5 HTTP/rhnet5@[OMITTED]
  5 HTTP/rhnet5@[OMITTED]

My Kerberos authentication for domain users works ok and cache.log doesn't throw up any errors. The RHNET5 AD computer account has the HTTP/rhnet5 and HTTP/rhnet5.[OMITTED] principals.

I know I'm missing something straight-forward..

Nickcx





On 03/03/2010 23:56, "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote:

You will also need a cyrus-sasl-gssapi package to run squid_kerb_ldap with
SASL/GSSAPI authentication to AD or Openldap.

Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:hmmmuv$ie3$1@xxxxxxxxxxxxxxxxxx
You need the ldap and sasl development packages.

Markus


"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message
news:C7B3F825.1BB93%Nick.Cairncross@xxxxxxxxxxxxxxxxxx
Henrik,

Thanks for the pointers - I have added the missing dependencies. Now I
receive the following. The results of ./configure are at the bottom of the
email also. I must be missing some other dependencies?

Thanks again,
Nickcx

===

make  all-recursive
make[1]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[2]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT squid_kerb_ldap.o -MD -MP -MF
.deps/squid_kerb_ldap.Tpo -c -o squid_kerb_ldap.o squid_kerb_ldap.c
mv -f .deps/squid_kerb_ldap.Tpo .deps/squid_kerb_ldap.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o
support_group.o support_group.c
mv -f .deps/support_group.Tpo .deps/support_group.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT support_netbios.o -MD -MP -MF
.deps/support_netbios.Tpo -c -o support_netbios.o support_netbios.c
mv -f .deps/support_netbios.Tpo .deps/support_netbios.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT support_member.o -MD -MP -MF .deps/support_member.Tpo -c -o
support_member.o support_member.c
mv -f .deps/support_member.Tpo .deps/support_member.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT support_krb5.o -MD -MP -MF .deps/support_krb5.Tpo -c -o
support_krb5.o support_krb5.c
mv -f .deps/support_krb5.Tpo .deps/support_krb5.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/include  -g -O2 -Wall -Wno-unknown-pragmas
  -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
 -Wshadow -MT support_ldap.o -MD -MP -MF .deps/support_ldap.Tpo -c -o
support_ldap.o support_ldap.c
support_ldap.c:33: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c:34: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c:36: error: expected '=', ',', ';', 'asm' or '__attribute__'
before '*' token
support_ldap.c:50: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c:50: error: expected declaration specifiers or '...' before
'LDAPMessage'
support_ldap.c:51: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c:170:3: error: #error "No rebind functione defined"
support_ldap.c:277: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c: In function 'check_AD':
support_ldap.c:278: error: 'LDAPMessage' undeclared (first use in this
function)
support_ldap.c:278: error: (Each undeclared identifier is reported only
once
support_ldap.c:278: error: for each function it appears in.)
support_ldap.c:278: error: 'res' undeclared (first use in this function)
cc1: warnings being treated as errors
support_ldap.c:279: warning: ISO C90 forbids mixed declarations and code
support_ldap.c:293: warning: implicit declaration of function
'ldap_search_ext_s'
support_ldap.c:293: error: 'ld' undeclared (first use in this function)
support_ldap.c:293: error: 'LDAP_SCOPE_BASE' undeclared (first use in this
function)
support_ldap.c:296: error: 'LDAP_SUCCESS' undeclared (first use in this
function)
support_ldap.c:297: error: too many arguments to function 'get_attributes'
support_ldap.c:300: warning: implicit declaration of function
'ldap_msgfree'
support_ldap.c:303: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
this function)
support_ldap.c:306: warning: implicit declaration of function
'ldap_count_entries'
support_ldap.c: At top level:
support_ldap.c:328: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c: In function 'search_group_tree':
support_ldap.c:329: error: 'LDAPMessage' undeclared (first use in this
function)
support_ldap.c:329: error: 'res' undeclared (first use in this function)
support_ldap.c:330: warning: ISO C90 forbids mixed declarations and code
support_ldap.c:366: error: 'ld' undeclared (first use in this function)
support_ldap.c:366: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
this function)
support_ldap.c:372: error: 'LDAP_SUCCESS' undeclared (first use in this
function)
support_ldap.c:373: warning: implicit declaration of function
'ldap_err2string'
support_ldap.c:373: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c:374: warning: implicit declaration of function
'ldap_unbind_s'
support_ldap.c:382: error: too many arguments to function 'get_attributes'
support_ldap.c:384: error: too many arguments to function 'get_attributes'
support_ldap.c:423: warning: passing argument 5 of 'search_group_tree'
makes integer from pointer without a cast
support_ldap.c:423: error: too many arguments to function
'search_group_tree'
support_ldap.c: At top level:
support_ldap.c:454: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c: In function 'ldap_set_defaults':
support_ldap.c:459: error: 'LDAP_VERSION3' undeclared (first use in this
function)
support_ldap.c:460: warning: implicit declaration of function
'ldap_set_option'
support_ldap.c:460: error: 'ld' undeclared (first use in this function)
support_ldap.c:460: error: 'LDAP_OPT_PROTOCOL_VERSION' undeclared (first
use in this function)
support_ldap.c:461: error: 'LDAP_SUCCESS' undeclared (first use in this
function)
support_ldap.c:463: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c:466: error: 'LDAP_OPT_REFERRALS' undeclared (first use in
this function)
support_ldap.c:466: error: 'LDAP_OPT_OFF' undeclared (first use in this
function)
support_ldap.c:469: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c: In function 'ldap_set_ssl_defaults':
support_ldap.c:558: error: 'LDAP_SUCCESS' undeclared (first use in this
function)
support_ldap.c:485: warning: unused parameter 'margs'
support_ldap.c: At top level:
support_ldap.c:561: error: expected declaration specifiers or '...' before
'LDAP'
support_ldap.c:561: error: expected declaration specifiers or '...' before
'LDAPMessage'
support_ldap.c: In function 'get_attributes':
support_ldap.c:576: error: 'LDAPMessage' undeclared (first use in this
function)
support_ldap.c:576: error: 'msg' undeclared (first use in this function)
support_ldap.c:577: warning: ISO C90 forbids mixed declarations and code
support_ldap.c:586: warning: implicit declaration of function
'ldap_first_entry'
support_ldap.c:586: error: 'ld' undeclared (first use in this function)
support_ldap.c:586: error: 'res' undeclared (first use in this function)
support_ldap.c:586: warning: implicit declaration of function
'ldap_next_entry'
support_ldap.c:589: error: 'BerElement' undeclared (first use in this
function)
support_ldap.c:589: error: 'b' undeclared (first use in this function)
support_ldap.c:590: warning: ISO C90 forbids mixed declarations and code
support_ldap.c:592: warning: implicit declaration of function
'ldap_msgtype'
support_ldap.c:594: error: 'LDAP_RES_SEARCH_ENTRY' undeclared (first use
in this function)
support_ldap.c:596: warning: implicit declaration of function
'ldap_first_attribute'
support_ldap.c:596: warning: assignment makes pointer from integer without
a cast
support_ldap.c:597: warning: implicit declaration of function
'ldap_next_attribute'
support_ldap.c:597: warning: assignment makes pointer from integer without
a cast
support_ldap.c:604: warning: implicit declaration of function
'ldap_get_values_len'
support_ldap.c:604: warning: assignment makes pointer from integer without
a cast
support_ldap.c:613: error: dereferencing pointer to incomplete type
support_ldap.c:614: error: dereferencing pointer to incomplete type
support_ldap.c:614: error: dereferencing pointer to incomplete type
support_ldap.c:615: error: dereferencing pointer to incomplete type
support_ldap.c:619: warning: implicit declaration of function
'ber_bvecfree'
support_ldap.c:621: warning: implicit declaration of function
'ldap_memfree'
support_ldap.c:623: warning: implicit declaration of function 'ber_free'
support_ldap.c:625: error: 'LDAP_RES_SEARCH_REFERENCE' undeclared (first
use in this function)
support_ldap.c:629: error: 'LDAP_RES_SEARCH_RESULT' undeclared (first use
in this function)
support_ldap.c: At top level:
support_ldap.c:648: error: expected '=', ',', ';', 'asm' or
'__attribute__' before '*' token
support_ldap.c: In function 'get_memberof':
support_ldap.c:811: error: 'LDAP' undeclared (first use in this function)
support_ldap.c:811: error: 'ld' undeclared (first use in this function)
support_ldap.c:812: error: 'LDAPMessage' undeclared (first use in this
function)
support_ldap.c:812: error: 'res' undeclared (first use in this function)
support_ldap.c:816: warning: ISO C90 forbids mixed declarations and code
support_ldap.c:891: warning: implicit declaration of function
'tool_ldap_open'
support_ldap.c:919: warning: implicit declaration of function
'ldap_unbind'
support_ldap.c:971: warning: implicit declaration of function
'ldap_simple_bind_s'
support_ldap.c:972: error: 'LDAP_SUCCESS' undeclared (first use in this
function)
support_ldap.c:973: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c:981: warning: implicit declaration of function
'ldap_set_rebind_proc'
support_ldap.c:981: error: 'ldap_simple_rebind' undeclared (first use in
this function)
support_ldap.c:1011: error: too many arguments to function 'check_AD'
support_ldap.c:1013: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c:1035: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
this function)
support_ldap.c:1042: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
support_ldap.c:1055: error: too many arguments to function
'get_attributes'
support_ldap.c:1057: error: too many arguments to function
'get_attributes'
support_ldap.c:1101: warning: passing argument 5 of 'search_group_tree'
makes integer from pointer without a cast
support_ldap.c:1101: error: too many arguments to function
'search_group_tree'
support_ldap.c:1166: error: too many arguments to function
'get_attributes'
support_ldap.c:1191: error: too many arguments to function
'get_attributes'
support_ldap.c:1245: warning: format '%s' expects type 'char *', but
argument 5 has type 'int'
make[2]: *** [support_ldap.o] Error 1
make[2]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
make: *** [all] Error 2

====

./configure result..


[root@RHNET5 squid_kerb_ldap-1.2.1]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking size of short... 2
checking size of int... 4
checking size of long... 4
checking for krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking com_err.h usability... no
checking com_err.h presence... no
checking for com_err.h... no
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking whether krb5_kt_free_entry is declared... no
checking for krb5_kt_free_entry in -lkrb5... yes
checking for krb5_get_init_creds_keytab in -lkrb5... yes
checking ldap.h usability... no
checking ldap.h presence... no
checking for ldap.h... no
checking lber.h usability... no
checking lber.h presence... no
checking for lber.h... no
checking for main in -llber... no
checking for main in -lldap... no
checking for struct ldap_url_desc.lud_scheme... no
checking for ldapssl_client_init in -lldap... no
checking for ldap_url_desc2str in -lldap... no
checking for ldap_url_parse in -lldap... no
checking sasl.h usability... no
checking sasl.h presence... no
checking for sasl.h... no
checking sasl/sasl.h usability... no
checking sasl/sasl.h presence... no
checking for sasl/sasl.h... no
configure: ## -----------------------------##
configure: ##
configure: ## mit has been selected
configure: ##
configure: ## -----------------------------##
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
configure: updating config.h



On 02/03/2010 19:07, "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx>
wrote:

Tue 2010-03-02 at 17:34 +0000 Nick Cairncross wrote:

It seems to be complaining about krb5.h.. it doesn't appear on my server
though I am successfully using Kerberos (configured using Samba).

You need the kerberos development libraries & headers installed. Not
needed for using Kerberos but very much needed for compiling Kerberos
enabled applications.

On RedHat/Fedora the needed package is "krb5-devel". On Debian/Ubuntu
it's "libkrb5-dev".

Regards
Henrik



** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and
is intended only for the addressee.  If you are not the intended
addressee, any disclosure, copying or distribution by you is prohibited
and may be unlawful.  Disclosure to any party other than the addressee,
whether inadvertent or otherwise, is not intended to waive privilege or
confidentiality.  Internet communications are not secure and therefore
Conde Nast does not accept legal responsibility for the contents of this
message. Any views or opinions expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900
