
Re: Squid authenticate via squid_kerb_ldap


 



Hi Ricardo,

Can you add a -d option for debug output to squid_kerb_ldap? It should help to pinpoint the problem. squid_kerb_ldap uses the Kerberos keytab entry to authenticate to Active Directory, which fails. Can you also capture with tcpdump the Kerberos traffic on port 88 and LDAP on port 389?

Markus


"Ricardo Barbosa" <spiderslack@xxxxxxxxxxxx> wrote in message news:1317680715.75499.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...
Hi all,

I'm riding squid authenticating via Kerberos; the helper squid_kerb_auth works perfectly, but squid_kerb_ldap does not. Initially I collected messages in the logs about the SASL support, as well as the list history.

http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html

But I recompiled squid_kerb_ldap with support for SASL and the message changed.


==> /var/log/squid/access.log <==
1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET http://www.google.com.br/ - NONE/- text/html
1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET http://www.google.com.br/ ricardo.dias@DOMAIN.LOCAL NONE/- text/html

==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR [base64 token not preserved in archive]' from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
ricardo.dias@DOMAIN.LOCAL

2011/10/03 18:22:44| squid_kerb_auth: AF oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg== ricardo.dias@DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain: DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of group@domain G_Internet_RH@NULL


Does anyone have any idea where I am wrong?



