
Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

Hi Eugene,

The problem seems to be with SASL/GSSAPI authentication to AD. How did you create the keytab? Can you capture the traffic on your proxy on port 88? You should see a TGS REQ for ldap/<fqdn of ldap server>.


Markus


"Eugene M. Zheganin" <emz@xxxxxxxxxxxxx> wrote in message news:4CDE5AAA.1070608@xxxxxxxxxxxxxxxx
 Hi.

On 05.11.2010 21:01, Markus Moeller wrote:
Hi

 I get the same successful results on 64 bit FreeBSD 8.0.

$ uname -a
FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 root@xxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/GENERIC amd64

$ ldd squid_kerb_ldap
squid_kerb_ldap:
       libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000)
       libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x80075b000)
       libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800860000)
       libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8009cd000)
       libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000)
       libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c0e000)
       libasn1.so.10 => /usr/lib/libasn1.so.10 (0x800ea6000)
       libroken.so.10 => /usr/lib/libroken.so.10 (0x801025000)
       libcrypt.so.5 => /lib/libcrypt.so.5 (0x801136000)
       libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000)
       liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x801390000)
       libc.so.7 => /lib/libc.so.7 (0x80149d000)
       libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8016d7000)
       libssl.so.6 => /usr/lib/libssl.so.6 (0x8017ef000)

Is it possible that you have another kerberos package installed? How does your ldd look? I installed a standard freebsd 8.0 84 bit plus ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz for ldap with sasl support.

First of all, sorry for the delayed answer, I'm not the kind of person who asks for help and never reads the answers. I had a couple of harsh weeks with crashes and late working. :)

Yes, I have multiple krb5 installations on the machines where the build didn't succeed due to incompatible types, you were right. Also I have updated the production proxy that was on FreeBSD 7.2 to 8.1 (and had a harsh week due to the wonderful em(4) issue, fixed in -STABLE), but now the build on this machine is fine, except for one warning that can be easily fixed by removing -Werror (once again, why -Werror?).

If you're interested, the warning is:

[...]
gcc -DHAVE_CONFIG_H -I. -I/usr/include -I/usr/local/include -g -O2 -Wall -Wno-unknown-pragmas -Wextra -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o support_group.o support_group.c
support_group.c: In function 'utf8dup':
support_group.c:43: warning: declaration of 'dup' shadows a global declaration
/usr/include/unistd.h:330: warning: shadowed declaration is here
[...]

So, the build succeeds and the helper doesn't crash on startup, but now I have problems connecting to the ldap servers. I saw in your reply that you are using a KDC on SuSE Linux. I'm using a KDC on Windows 2003/2008, and it works just perfectly with squid_ldap_group (but I really miss nested groups :)).

Debug looks like:

===Cut===
# ./squid_kerb_group.sh
2010/11/13 14:26:21| squid_kerb_ldap: Starting version 1.2.1a
2010/11/13 14:26:21| squid_kerb_ldap: Group list Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:21| squid_kerb_ldap: Group Internet%20Users%20-%20Proxy1 Domain
2010/11/13 14:26:21| squid_kerb_ldap: Netbios list SOFTLAB@xxxxxxxxx
2010/11/13 14:26:21| squid_kerb_ldap: Netbios name SOFTLAB Domain NORMA.COM
emz@xxxxxxxxx
2010/11/13 14:26:25| squid_kerb_ldap: Got User: emz Domain: NORMA.COM
2010/11/13 14:26:25| squid_kerb_ldap: User domain loop: group@domain Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Default domain loop: group@domain Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Found group@domain Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/13 14:26:25| squid_kerb_ldap: Get default keytab file name
2010/11/13 14:26:25| squid_kerb_ldap: Got default keytab file name /usr/local/etc/squid/HTTP.keytab
2010/11/13 14:26:25| squid_kerb_ldap: Get principal name from keytab /usr/local/etc/squid/HTTP.keytab
2010/11/13 14:26:25| squid_kerb_ldap: Keytab entry has realm name: NORMA.COM
2010/11/13 14:26:25| squid_kerb_ldap: Found principal name: HTTP/proxy-wizard.norma.com.@xxxxxxxxx
2010/11/13 14:26:25| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_17129
2010/11/13 14:26:25| squid_kerb_ldap: Got principal name HTTP/proxy-wizard.norma.com.@xxxxxxxxx
2010/11/13 14:26:26| squid_kerb_ldap: Stored credentials
2010/11/13 14:26:26| squid_kerb_ldap: Initialise ldap connection
2010/11/13 14:26:26| squid_kerb_ldap: Canonicalise ldap server name for domain NORMA.COM
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to spb-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to sad-srv.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to hq-gc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to hq-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to nb-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM record to sam-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 1 of NORMA.COM to 192.168.3.34
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 2 of NORMA.COM to 192.168.3.45
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 3 of NORMA.COM to 192.168.3.34
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 4 of NORMA.COM to 192.168.3.45
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 5 of NORMA.COM to 192.168.3.34
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 6 of NORMA.COM to 192.168.3.45
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 7 of NORMA.COM to 192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 8 of NORMA.COM to 192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 9 of NORMA.COM to 192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 10 of NORMA.COM to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 11 of NORMA.COM to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 12 of NORMA.COM to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 13 of NORMA.COM to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 14 of NORMA.COM to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 15 of NORMA.COM to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 16 of NORMA.COM to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 17 of NORMA.COM to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 18 of NORMA.COM to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Sorted ldap server names for domain NORMA.COM:
2010/11/13 14:26:27| squid_kerb_ldap: Host: sad-srv.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-gc.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-dc.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: nb-dc.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: sam-dc.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: spb-dc.norma.com Port: 389 Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.92.189 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.0.9 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.173.3 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.34 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.45 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.180.3 Port: -1 Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Setting up connection to ldap server sad-srv.norma.com:389
2010/11/13 14:26:27| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:28| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:28| squid_kerb_ldap: Setting up connection to ldap server hq-gc.norma.com:389
2010/11/13 14:26:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server hq-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server nb-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server sam-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap server spb-dc.norma.com:389
2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap server 192.168.92.189:389
2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap server 192.168.0.9:389
2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap server 192.168.173.3:389
2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap server 192.168.3.34:389
2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap server 192.168.3.45:389
2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Setting up connection to ldap server 192.168.180.3:389
2010/11/13 14:26:33| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of ldap connection: Bad file descriptor
2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of ldap connection: Bad file descriptor
2010/11/13 14:26:33| squid_kerb_ldap: User emz is not member of group@domain Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:33| squid_kerb_ldap: Default group loop: group@domain Internet%20Users%20-%20Proxy1@
ERR
2010/11/13 14:26:33| squid_kerb_ldap: ERR
===Cut===


I'm using openldap-client built with sasl support too.
Any thoughts on what I'm doing wrong?


Thanks.

Eugene.
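As an added example (not from this thread or from squid_kerb_ldap itself), a small Python triage script that re-splits debug output like the one above into one entry per timestamp and reports whether every LDAP server failed the SASL/GSSAPI bind with the same error, which is the pattern that points at the proxy's own Kerberos setup (keytab, principal) rather than at the servers. The sample log is constructed from the thread's output, with the anonymised realm replaced by NORMA.COM.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's output; entries run together as in the archive.
SAMPLE = (
    "2010/11/13 14:26:25| squid_kerb_ldap: Found principal name: "
    "HTTP/proxy-wizard.norma.com.@NORMA.COM 2010/11/13 14:26:27| squid_kerb_ldap: "
    "Setting up connection to ldap server sad-srv.norma.com:389\n"
    "2010/11/13 14:26:27| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI\n"
    "2010/11/13 14:26:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error "
    "2010/11/13 14:26:28| squid_kerb_ldap: Error while binding to ldap server with "
    "SASL/GSSAPI: Local error 2010/11/13 14:26:28| squid_kerb_ldap: Setting up "
    "connection to ldap server hq-gc.norma.com:389\n"
    "2010/11/13 14:26:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI\n"
    "2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server with "
    "SASL/GSSAPI: Local error\n"
)

STAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| ")

def split_entries(text):
    """One entry per timestamp, even when the archive ran several onto one line."""
    stamps = STAMP.findall(text)
    bodies = STAMP.split(text)[1:]          # drop any text before the first stamp
    return [s + b.strip() for s, b in zip(stamps, bodies)]

def triage(text):
    """Summarise which servers were tried, which failed the GSSAPI bind, and why."""
    server, principal, attempted, failures, notes = None, None, set(), Counter(), []
    for entry in split_entries(text):
        m = re.search(r"Found principal name: (\S+)", entry)
        if m:
            principal = m.group(1)
        m = re.search(r"Setting up connection to ldap server (\S+)", entry)
        if m:
            server = m.group(1)
            attempted.add(server)
        if server and "Error while binding to ldap server with SASL/GSSAPI: " in entry:
            failures[(server, entry.split("SASL/GSSAPI: ", 1)[1])] += 1
    failed = {s for s, _ in failures}
    reasons = {r for _, r in failures}
    client_side = bool(attempted) and failed == attempted and len(reasons) == 1
    if client_side:
        notes.append("every server failed the same way: check the keytab and look for "
                     "a TGS-REQ for ldap/<fqdn> on port 88 before blaming the servers")
    if principal and "/" in principal and principal.split("/", 1)[1].split("@", 1)[0].endswith("."):
        notes.append("keytab principal host has a trailing dot; confirm it matches the SPN")
    return {"principal": principal, "attempted": sorted(attempted), "failed": sorted(failed),
            "reasons": sorted(reasons), "client_side_suspected": client_side, "notes": notes}
```

Feed the helper's real stderr output to triage() instead of SAMPLE; a mix of reasons, or failures on only some servers, argues against a purely client-side cause.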




