Hi,
I now have a 64-bit FreeBSD box and cannot replicate the error. Also, the
compile errors I got were only a symbol problem dup in support_group and the
sasl prototype error.
$ uname -a
FreeBSD freebsd-81-64.freebsd.home 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon
Jul 19 02:36:49 UTC 2010
root@xxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/GENERIC amd64
$ echo $KRB5_KTNAME
/usr/home/markus/squid_kerb_ldap-1.2.1a/squid.keytab
$ krb5-config --version
FreeBSD heimdal 1.1.0
$Id: krb5-config.in 20528 2007-04-22 13:22:16Z lha $
$ ktutil list
/usr/home/markus/squid_kerb_ldap-1.2.1a/squid.keytab:
Vno Type Principal
3 arcfour-hmac-md5 HTTP/opensuse11.suse.home@xxxxxxxxx
3 des3-cbc-sha1 HTTP/opensuse11.suse.home@xxxxxxxxx
3 des-cbc-crc HTTP/opensuse11.suse.home@xxxxxxxxx
$ ./squid_kerb_ldap -d -g SOCKS_ALLOW@xxxxxxxxx
2010/10/29 18:41:27| squid_kerb_ldap: Starting version 1.2.1a
2010/10/29 18:41:27| squid_kerb_ldap: Group list SOCKS_ALLOW@xxxxxxxxx
2010/10/29 18:41:27| squid_kerb_ldap: Group SOCKS_ALLOW Domain SUSE.HOME
2010/10/29 18:41:27| squid_kerb_ldap: Netbios list NULL
2010/10/29 18:41:27| squid_kerb_ldap: No netbios names defined.
markus@xxxxxxxxx
2010/10/29 18:41:33| squid_kerb_ldap: Got User: markus Domain: SUSE.HOME
2010/10/29 18:41:33| squid_kerb_ldap: User domain loop: group@domain
SOCKS_ALLOW@xxxxxxxxx
2010/10/29 18:41:33| squid_kerb_ldap: Found group@domain
SOCKS_ALLOW@xxxxxxxxx
2010/10/29 18:41:33| squid_kerb_ldap: Setup Kerberos credential cache
2010/10/29 18:41:33| squid_kerb_ldap: Get default keytab file name
2010/10/29 18:41:33| squid_kerb_ldap: Got default keytab file name
/usr/home/markus/squid_kerb_ldap-1.2.1a/squid.keytab
2010/10/29 18:41:33| squid_kerb_ldap: Get principal name from keytab
/usr/home/markus/squid_kerb_ldap-1.2.1a/squid.keytab
2010/10/29 18:41:33| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2010/10/29 18:41:33| squid_kerb_ldap: Found principal name:
HTTP/opensuse11.suse.home@xxxxxxxxx
2010/10/29 18:41:33| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_10239
2010/10/29 18:41:33| squid_kerb_ldap: Got principal name
HTTP/opensuse11.suse.home@xxxxxxxxx
2010/10/29 18:41:33| squid_kerb_ldap: Stored credentials
2010/10/29 18:41:43| squid_kerb_ldap: Initialise ldap connection
2010/10/29 18:41:43| squid_kerb_ldap: Canonicalise ldap server name for
domain SUSE.HOME
2010/10/29 18:41:48| squid_kerb_ldap: Resolved SRV _ldap._tcp.SUSE.HOME
record to opensuse11.suse.home
2010/10/29 18:41:48| squid_kerb_ldap: Resolved address 1 of SUSE.HOME to
opensuse11.suse.home
2010/10/29 18:41:48| squid_kerb_ldap: Resolved address 2 of SUSE.HOME to
opensuse11.suse.home
2010/10/29 18:41:48| squid_kerb_ldap: Resolved address 3 of SUSE.HOME to
opensuse11.suse.home
2010/10/29 18:41:48| squid_kerb_ldap: Sorted ldap server names for domain
SUSE.HOME:
2010/10/29 18:41:48| squid_kerb_ldap: Host: opensuse11.suse.home Port: 389
Priority: 0 Weight: 0
2010/10/29 18:41:48| squid_kerb_ldap: Setting up connection to ldap server
opensuse11.suse.home:389
2010/10/29 18:41:48| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/10/29 18:41:48| squid_kerb_ldap: Successfully initialised connection to
ldap server opensuse11.suse.home:389
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap server with bind path ""
and filter: (objectclass=*)
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap entries for attribute :
schemaNamingContext
2010/10/29 18:41:48| squid_kerb_ldap: 0 ldap entries found with attribute :
schemaNamingContext
2010/10/29 18:41:48| squid_kerb_ldap: Did not find ldap entry for
subschemasubentry
2010/10/29 18:41:48| squid_kerb_ldap: Determined ldap server not as an
Active Directory server
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap server with bind path
dc=SUSE,dc=HOME and filter : (memberuid=markus)
2010/10/29 18:41:48| squid_kerb_ldap: Found 0 ldap entries
2010/10/29 18:41:48| squid_kerb_ldap: Search for primary group membership:
"SOCKS_ALLOW"
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap server with bind path
dc=SUSE,dc=HOME and filter: (uid=markus)
2010/10/29 18:41:48| squid_kerb_ldap: Found 1 ldap entry
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap entries for attribute :
gidNumber
2010/10/29 18:41:48| squid_kerb_ldap: 1 ldap entry found with attribute :
gidNumber
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap server with bind path
dc=SUSE,dc=HOME and filter: (&(gidNumber=1000)(objectclass=posixgroup))
2010/10/29 18:41:48| squid_kerb_ldap: Search ldap entries for attribute : cn
2010/10/29 18:41:48| squid_kerb_ldap: 1 ldap entry found with attribute : cn
2010/10/29 18:41:48| squid_kerb_ldap: "SOCKS_ALLOW" matches group name
"SOCKS_ALLOW"
2010/10/29 18:41:48| squid_kerb_ldap: Users primary group matches
SOCKS_ALLOW
2010/10/29 18:41:48| squid_kerb_ldap: Unbind ldap server
2010/10/29 18:41:48| squid_kerb_ldap: User markus is member of group@domain
SOCKS_ALLOW@xxxxxxxxx
OK
"Eugene M. Zheganin" <eugene@xxxxxxxxx> wrote in message
news:4CC662AF.7070707@xxxxxxxxxxxx
Hi.
On 07.12.2008 18:09, Markus Moeller wrote:
I did implement recursive group search in squid_kerb_ldap at
http://sourceforge.net/project/showfiles.php?group_id=196348.
Actually this is a very interesting helper, and I would like to use it on
my production squids, 'cause my engineers are tired of managing hundreds
of users instead of a dozen of groups.
I downloaded it, but I had a bunch of problems with it.
If this isn't the appropriate mailing list to discuss this helper, then just
stop at this point, and I'm sorry for this post.
My target system is FreeBSD 8.0-RELEASE-p2/amd64. It has heimdal 1.0.1
Kerberos V in the base system.
a) First of all, 1.2.1a fails to build:
===Code===
cc1: warnings being treated as errors
support_krb5.c: In function 'krb5_create_cache':
support_krb5.c:117: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
support_krb5.c:122: error: incompatible type for argument 2 of
'strcasecmp'
support_krb5.c:251: error: incompatible type for argument 1 of 'strlen'
support_krb5.c:252: error: incompatible type for argument 1 of 'strlen'
support_krb5.c:252: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
support_krb5.c:252: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
*** Error code 1
Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
*** Error code 1
Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
*** Error code 1
Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
===Cut===
This can be fixed, as all of these errors are caused by the fact that
entry.principal->realm is a structure, and the code expects it to be char
*, so it's pretty obvious that char * has to be here, and krb5_data.data
is the only thing that appears to be char; so I changed
entry.principal->realm to entry.principal->realm.data. I had one more
problem with -Werror switch:
===Cut===
cc1: warnings being treated as errors
In file included from support_sasl.c:30:
/usr/local/include/sasl/sasl.h:349: warning: function declaration isn't a
prototype
===Cut===
Since my C skills are considerably low, I simply removed the -Werror switch
and the build succeeded.
b) then it fails to run, crashing at keytab parsing. So maybe things
aren't that obvious and I failed to do the proper fixing:
===Cut===
%./squid_kerb_ldap -b cn=Users,dc=norma,dc=com -g "Internal Users -
Crystal@" -u dca -p sabbracadabra -N SOFTLAB@xxxxxxxxx -d -i
2010/10/26 10:50:05| squid_kerb_ldap: Starting version 1.2.1a
2010/10/26 10:50:05| squid_kerb_ldap: Group list Internal Users - Crystal@
2010/10/26 10:50:05| squid_kerb_ldap: Group Internal Users - Crystal
Domain
2010/10/26 10:50:05| squid_kerb_ldap: Netbios list SOFTLAB@xxxxxxxxx
2010/10/26 10:50:05| squid_kerb_ldap: Netbios name SOFTLAB Domain
NORMA.COM
emz@xxxxxxxxx
2010/10/26 10:50:10| squid_kerb_ldap: Got User: emz Domain: NORMA.COM
2010/10/26 10:50:10| squid_kerb_ldap: User domain loop: group@domain
Internal Users - Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Default domain loop: group@domain
Internal Users - Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Found group@domain Internal Users -
Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Setup Kerberos credential cache
2010/10/26 10:50:10| squid_kerb_ldap: Get default keytab file name
2010/10/26 10:50:10| squid_kerb_ldap: Got default keytab file name
/usr/local/etc/squid/squid.keytab
2010/10/26 10:50:10| squid_kerb_ldap: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
Ошибка адресации на шине(core dumped)
===Cut===
Stacktrace:
===Cut===
# gdb squid_kerb_ldap squid_kerb_ldap.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `squid_kerb_ldap'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libgssapi.so.10...done.
Loaded symbols for /usr/lib/libgssapi.so.10
Reading symbols from /usr/lib/libheimntlm.so.10...done.
Loaded symbols for /usr/lib/libheimntlm.so.10
Reading symbols from /usr/lib/libkrb5.so.10...done.
Loaded symbols for /usr/lib/libkrb5.so.10
Reading symbols from /usr/lib/libhx509.so.10...done.
Loaded symbols for /usr/lib/libhx509.so.10
Reading symbols from /usr/lib/libcom_err.so.5...done.
Loaded symbols for /usr/lib/libcom_err.so.5
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /usr/lib/libasn1.so.10...done.
Loaded symbols for /usr/lib/libasn1.so.10
Reading symbols from /usr/lib/libroken.so.10...done.
Loaded symbols for /usr/lib/libroken.so.10
Reading symbols from /lib/libcrypt.so.5...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/libldap-2.4.so.7...done.
Loaded symbols for /usr/local/lib/libldap-2.4.so.7
Reading symbols from /usr/local/lib/liblber-2.4.so.7...done.
Loaded symbols for /usr/local/lib/liblber-2.4.so.7
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/lib/libssl.so.6...done.
Loaded symbols for /usr/lib/libssl.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x00000008008a4b14 in krb5_kt_next_entry () from
/usr/lib/libkrb5.so.10
(gdb) bt
#0 0x00000008008a4b14 in krb5_kt_next_entry () from
/usr/lib/libkrb5.so.10
#1 0x0000000000000000 in ?? ()
#2 0x0000000000000001 in ?? ()
#3 0x0000000000000000 in ?? ()
#4 0x0000000000000000 in ?? ()
#5 0x0000000000000000 in ?? ()
#6 0x0000000000000000 in ?? ()
#7 0x000000080190f130 in ?? ()
#8 0x0000000000000000 in ?? ()
#9 0x0000000000000000 in ?? ()
#10 0x0000000000000000 in ?? ()
#11 0x636f6c2f7273752f in ?? ()
#12 0x732f6374652f6c61 in ?? ()
#13 0x7571732f64697571 in ?? ()
#14 0x617479656b2e6469 in ?? ()
#15 0x0000000000000062 in ?? ()
#16 0x0000000000000000 in ?? ()
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x000000000050c97f in buf.7098 ()
#20 0x4d9b4030ed3e2720 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x00000008016a2880 in __stderrp () from /lib/libc.so.7
#23 0x00007fffffffc760 in ?? ()
#24 0x000000000040acd0 in ?? ()
#25 0x000000000050c5a0 in ?? ()
#26 0x00007fffffffc901 in ?? ()
#27 0x00007fffffffc990 in ?? ()
#28 0x000000080158210c in vfprintf () from /lib/libc.so.7
#29 0x0000000801571b48 in fprintf () from /lib/libc.so.7
#30 0x0000000000406aa6 in get_memberof (margs=0x7fffffffe290,
user=0x7fffffffc990 "emz",
domain=0x7fffffffc994 "NORMA.COM", group=0x8019020a0 "Internal Users -
Crystal") at support_ldap.c:845
#31 0x0000000000404614 in check_memberof (margs=0x7fffffffe290,
user=0x7fffffffc990 "emz",
domain=0x7fffffffc994 "NORMA.COM") at support_member.c:81
#32 0x0000000000403051 in main (argc=Variable "argc" is not available.
) at squid_kerb_ldap.c:352
(gdb)
===Cut===
I should say that the keytab is a working one from production squid, and
it works with ntlm_auth helper from samba suite with spnego protocol.
Any help would be greatly appreciated, especially from Markus. :)
Thanks, Eugene.
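
A triage aid for the backtrace above, added here as an example and not part of the original post or of squid_kerb_ldap: frames #11 to #15 are not return addresses but little-endian ASCII, which means gdb was walking string data on the stack and the frames between #0 and #30 cannot be trusted as a call chain. The function names (parse_frames, as_ascii, find_string_runs) are this example's own.

```python
import re

# Frames #10-#16 and the start of #30, copied from the gdb backtrace in the post.
SAMPLE_BT = """\
#10 0x0000000000000000 in ?? ()
#11 0x636f6c2f7273752f in ?? ()
#12 0x732f6374652f6c61 in ?? ()
#13 0x7571732f64697571 in ?? ()
#14 0x617479656b2e6469 in ?? ()
#15 0x0000000000000062 in ?? ()
#16 0x0000000000000000 in ?? ()
#30 0x0000000000406aa6 in get_memberof (margs=0x7fffffffe290,
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]{16})\s+in\s+(\S+)")

def parse_frames(bt_text):
    """Return (frame_no, pc_value, symbol) for every gdb frame line."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames

def as_ascii(value):
    """Decode a 64-bit little-endian word if it is printable ASCII plus trailing NULs."""
    raw = value.to_bytes(8, "little").rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def find_string_runs(bt_text, min_frames=2):
    """Find consecutive unresolved frames whose 'addresses' are really text."""
    runs, current = [], []
    def flush():
        if len(current) >= min_frames:
            runs.append((current[0][0], current[-1][0], "".join(t for _, t in current)))
        current.clear()
    for no, pc, sym in parse_frames(bt_text):
        text = as_ascii(pc) if sym == "??" else None
        if text is not None and (not current or no == current[-1][0] + 1):
            current.append((no, text))
        else:
            flush()
            if text is not None:
                current.append((no, text))
    flush()
    return runs
```

Run over the sample, find_string_runs returns one run covering frames 11 to 15 whose text is the default keytab path printed in the debug log just before the crash.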