Re: Re: Squid authenticate via squid_kerb_ldap

Hi Markus.

I set the -d flag; the output is as follows:

root@Firewall:~/squid_kerb_ldap# ./squid_kerb_ldap -d -g G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Starting version 1.2.2
2011/10/04 20:52:43| squid_kerb_ldap: Group list G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Group G_Internet_RH Domain DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Netbios list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No netbios names defined.
2011/10/04 20:52:43| squid_kerb_ldap: ldap server list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No ldap servers defined.
rodrigo.lopes@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain: DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: User domain loop: group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Setup Kerberos credential cache
2011/10/04 20:52:53| squid_kerb_ldap: Get default keytab file name
2011/10/04 20:52:53| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Keytab entry has realm name: DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name: HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_15365
2011/10/04 20:52:53| squid_kerb_ldap: Got principal name HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Initialise ldap connection
2011/10/04 20:52:53| squid_kerb_ldap: Canonicalise ldap server name for domain DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMAIN.LOCAL record to srvdc.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMAIN.LOCAL record to srvarq.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 1 of DOMAIN.LOCAL to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 2 of DOMAIN.LOCAL to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 3 of DOMAIN.LOCAL to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 4 of DOMAIN.LOCAL to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 5 of DOMAIN.LOCAL to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 6 of DOMAIN.LOCAL to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Adding DOMAIN.LOCAL to list
2011/10/04 20:52:53| squid_kerb_ldap: Sorted ldap server names for domain DOMAIN.LOCAL:
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvarq.domain.local Port: 389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvdc.domain.local Port: 389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: DOMAIN.LOCAL Port: -1 Priority: -2 Weight: -2
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server DOMAIN.LOCAL:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member of group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default domain loop: group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default group loop: group@domain G_Internet_RH@DOMAIN.LOCAL
ERR
2011/10/04 20:52:53| squid_kerb_ldap: ERR

I am trying to set up SASL. I installed libsasl-dev and recompiled squid_kerb_ldap. I set up the files /etc/default/saslauthd and /etc/saslauthd.conf:

root@Firewall:~/squid_kerb_ldap# cat /etc/default/saslauthd | egrep -v -r '(^#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-d -c -m /var/run/saslauthd"
root@Firewall:~/squid_kerb_ldap#


root@Firewall:~/squid_kerb_ldap# cat /etc/saslauthd.conf
ldap_servers: ldap://192.168.0.8/
ldap_search_base: DC=domain,DC=local
ldap_base_dn: DC=domain,DC=local
ldap_auth_method: bind
ldap_bind_dn: CN=Ricardo,OU=NOC,DC=domain,DC=local
ldap_bind_pw: 123456
ldap_filter: (sAMAccountName=%u)
ldap_use_sasl: no
root@Firewall:~/squid_kerb_ldap#


Via testsaslauthd, authentication works with an Active Directory username and password:

root@Firewall:~/squid_kerb_ldap# testsaslauthd -u ricardo.dias -p 123456
0: OK "Success."
root@Firewall:~/squid_kerb_ldap#

Any idea?

Regards



On 10/04/2011 05:56 PM, Markus Moeller wrote:
Hi Ricardo,

Can you add a -d option for debug output to squid_kerb_ldap? It should help to pinpoint the problem. squid_kerb_ldap uses the Kerberos keytab entry to authenticate to Active Directory, which fails. Can you also capture with tcpdump the Kerberos traffic on port 88 and LDAP on port 389?

Markus


"Ricardo Barbosa" <spiderslack@xxxxxxxxxxxx> wrote in message news:1317680715.75499.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...
Hi all,

I'm setting up Squid authentication via Kerberos: the helper squid_kerb_auth works perfectly, but squid_kerb_ldap does not. Initially I collected messages in the logs about SASL support, and also this thread from the list archive:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html

But I recompiled squid_kerb_ldap with SASL support and the message changed.


==> /var/log/squid/access.log <==
1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET http://www.google.com.br/ - NONE/- text/html
1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET http://www.google.com.br/ ricardo.dias@DOMAIN.LOCAL NONE/- text/html

==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR
from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
ricardo.dias@DOMAIN.LOCAL

2011/10/03 18:22:44| squid_kerb_auth: AF oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg== ricardo.dias@DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain: DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of group@domain G_Internet_RH@NULL


Does anyone have any idea where I am going wrong?
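In the -d traces above the helper answers ERR only after every SASL/GSSAPI bind has failed, so the "is not member of group" line is not evidence about the group at all. The Python below is an added example, not code from this thread or from squid_kerb_ldap: it parses a trace in that shape and separates "no server accepted the keytab credentials" from a genuine membership denial. The sample trace is constructed in the format of the one posted.

```python
import re

# Constructed sample, in the shape of the squid_kerb_ldap -d trace posted in this thread.
SAMPLE_LOG = """\
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain: DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name: HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member of group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: ERR
"""

LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| squid_kerb_ldap: (.*)$")

def diagnose(log_text):
    # Returns keytab principal, looked-up user, per-server bind outcome, final answer, verdict.
    r = {"principal": None, "user": None, "servers": {}, "result": None, "verdict": None}
    server = None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Found principal name: "):
            r["principal"] = msg.split(": ", 1)[1]
        elif msg.startswith("Got User: "):
            r["user"] = msg.split()[2]
        elif msg.startswith("Setting up connection to ldap server "):
            server = msg.rsplit(" ", 1)[1]
            r["servers"][server] = "bind not attempted"
        elif msg == "Bind to ldap server with SASL/GSSAPI" and server:
            r["servers"][server] = "bind ok"   # replaced if an error line follows
        elif msg.startswith("ldap_sasl_interactive_bind_s error: ") and server:
            r["servers"][server] = "bind failed: " + msg.split(": ", 1)[1]
        elif msg in ("OK", "ERR"):
            r["result"] = msg
    binds = list(r["servers"].values())
    if r["result"] == "ERR" and binds and all(b.startswith("bind failed") for b in binds):
        # No server accepted the keytab credentials, so the group query never ran:
        # this ERR is an infrastructure failure, not evidence the user lacks the group.
        r["verdict"] = "lookup impossible: every SASL/GSSAPI bind failed"
    elif r["result"] == "ERR":
        r["verdict"] = "user not in group"
    elif r["result"] == "OK":
        r["verdict"] = "user authorized"
    return r
```

Feed it the cache.log lines of one helper invocation; when the verdict is "lookup impossible", the keytab principal, the resolved server names and the Kerberos exchange on port 88 are what to check next, not the group membership.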