Hi Ricardo,
That looks basically all correct. Can you capture the traffic on port 88
(Kerberos) with Wireshark? At this point
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server
srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
you should see a Kerberos authentication request (AS-REQ) for
HTTP/Firewall.domain.local followed by a successful reply (AS-REP). After
that you should see a TGS-REQ for ldap/server srvarq.domain.local with a
successful reply.
I think one of these requests is failing. Could you let me know the error
message?
If it does not fail, can you capture the traffic on port 389? It should
show a SASL/GSSAPI authentication of the ldap connection. Could you let me
know if that succeeded?
Markus
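The stages Markus lists (service credentials from the keytab, LDAP server discovery, then a SASL/GSSAPI bind per host) can be read straight off the helper's `-d` output. The script below is an added example for this thread, not code from squid_kerb_ldap or from either poster: it parses debug lines in the format shown in the thread and reports which stage to look at in the packet capture. The message prefixes are copied from the posted output; the verdict names, the `triage`/`describe` functions and the sample log are constructed here, and it assumes (as the posted output suggests) that the helper prints no explicit "bind OK" line, so a bind attempt with no following error line is treated as successful.

```python
"""Triage of squid_kerb_ldap '-d' debug output by stage.

Added example for this thread; it is not code from squid_kerb_ldap or from
Markus. It walks the debug lines the helper prints and maps them onto the
stages Markus lists: (1) keytab principal found and credentials stored
(the AS-REQ/AS-REP for HTTP/<proxy>), (2) LDAP server discovery via SRV,
(3) the SASL/GSSAPI bind to each LDAP host (the TGS-REQ for ldap/<host>
followed by the bind on port 389). The verdict names the stage to inspect.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the lines posted in this thread, re-joined
# onto single lines (the mail client wrapped them, the helper does not).
SAMPLE_LOG = """\
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain: DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name: HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMAIN.LOCAL record to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMAIN.LOCAL record to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member of group@domain G_Internet_RH@DOMAIN.LOCAL
ERR
"""

# "<date> <time>| squid_kerb_ldap: <message>"; other lines (the ERR/OK answer) are skipped.
LINE_RE = re.compile(r"^\S+ \S+\| squid_kerb_ldap: (?P<msg>.*)$")


@dataclass
class Triage:
    user: Optional[str] = None
    principal: Optional[str] = None       # service principal taken from the keytab
    credentials_stored: bool = False      # AS-REQ/AS-REP for that principal succeeded
    srv_hosts: List[str] = field(default_factory=list)
    # (host:port, error text or None); None means no error line followed the bind
    binds: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    verdict: str = ""


def triage(log_text: str) -> Triage:
    t = Triage()
    host = "?"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Got User: "):
            t.user = msg.split()[2]
        elif msg.startswith("Found principal name: "):
            t.principal = msg.split(": ", 1)[1]
        elif msg == "Stored credentials":
            t.credentials_stored = True
        elif msg.startswith("Resolved SRV "):
            t.srv_hosts.append(msg.rsplit(" to ", 1)[1])
        elif msg.startswith("Setting up connection to ldap server "):
            host = msg.rsplit(" ", 1)[1]
        elif msg == "Bind to ldap server with SASL/GSSAPI":
            t.binds.append((host, None))  # pending; stays None if no error follows
        elif msg.startswith("ldap_sasl_interactive_bind_s error: ") and t.binds:
            t.binds[-1] = (t.binds[-1][0], msg.split(": ", 1)[1])

    if t.principal is None or not t.credentials_stored:
        t.verdict = "KRB_CREDS"       # keytab / AS-REQ stage: nothing to bind with
    elif not t.binds:
        t.verdict = "LDAP_DISCOVERY"  # no LDAP host was ever tried
    elif all(err is not None for _, err in t.binds):
        t.verdict = "GSSAPI_BIND"     # TGT is fine; TGS-REQ for ldap/<host> or the bind on 389 fails
    else:
        t.verdict = "POST_BIND"       # at least one bind succeeded; look at the group search
    return t


def describe(t: Triage) -> str:
    """Turn a verdict into the concrete next thing to check in the capture."""
    hints = {
        "KRB_CREDS": "no service credentials from the keytab: check the AS-REQ/AS-REP on port 88",
        "LDAP_DISCOVERY": "no LDAP server reached: check the _ldap._tcp SRV lookup",
        "GSSAPI_BIND": "every SASL/GSSAPI bind failed: check the TGS-REQ for ldap/<host> on port 88 "
                       "and the bind on port 389",
        "POST_BIND": "bind succeeded: check the group membership search",
    }
    failed = [f"{h} ({e})" for h, e in t.binds if e]
    text = f"user={t.user} principal={t.principal} verdict={t.verdict}: {hints[t.verdict]}"
    return text + (f"; failed binds: {', '.join(failed)}" if failed else "")


if __name__ == "__main__":
    print(describe(triage(SAMPLE_LOG)))
```

Run it against a saved `-d` log (`triage(open(path).read())`) and the verdict tells you which of the two captures to read first: a `GSSAPI_BIND` verdict, as on the posted log, means the keytab and AS exchange did their job and the port 88 TGS-REQ for the LDAP host and the port 389 bind are where to look.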
"spiderslack" <spiderslack@xxxxxxxxxxxx> wrote in message
news:4E8BBB28.1030009@xxxxxxxxxxxx...
Hi Markus.
Setting the -d flag, I get the following output:
root@Firewall:~/squid_kerb_ldap# ./squid_kerb_ldap -d -g G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Starting version 1.2.2
2011/10/04 20:52:43| squid_kerb_ldap: Group list G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Group G_Internet_RH Domain
DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Netbios list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No netbios names defined.
2011/10/04 20:52:43| squid_kerb_ldap: ldap server list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No ldap servers defined.
rodrigo.lopes@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: User domain loop: group@domain
G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found group@domain
G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Setup Kerberos credential cache
2011/10/04 20:52:53| squid_kerb_ldap: Get default keytab file name
2011/10/04 20:52:53| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Keytab entry has realm name:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name:
HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_15365
2011/10/04 20:52:53| squid_kerb_ldap: Got principal name
HTTP/Firewall.domain.local@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Initialise ldap connection
2011/10/04 20:52:53| squid_kerb_ldap: Canonicalise ldap server name for
domain DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvdc.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvarq.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 1 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 2 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 3 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 4 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 5 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 6 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Adding DOMAIN.LOCAL to list
2011/10/04 20:52:53| squid_kerb_ldap: Sorted ldap server names for
domain DOMAIN.LOCAL:
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvarq.domain.local Port:
389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvdc.domain.local Port: 389
Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: DOMAIN.LOCAL Port: -1
Priority: -2 Weight: -2
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server DOMAIN.LOCAL:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member
of group@domain G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default domain loop: group@domain
G_Internet_RH@DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default group loop: group@domain
G_Internet_RH@DOMAIN.LOCAL
ERR
2011/10/04 20:52:53| squid_kerb_ldap: ERR
I am trying to set up SASL. I installed libsasl-dev and recompiled
squid_kerb_ldap. I set up the files /etc/default/saslauthd and
/etc/saslauthd.conf:
root@Firewall:~/squid_kerb_ldap# cat /etc/default/saslauthd | egrep -v
-r '(^#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-d -c -m /var/run/saslauthd"
root@Firewall:~/squid_kerb_ldap#
root@Firewall:~/squid_kerb_ldap# cat /etc/saslauthd.conf
ldap_servers: ldap://192.168.0.8/
ldap_search_base: DC=domain,DC=local
ldap_base_dn: DC=domain,DC=local
ldap_auth_method: bind
ldap_bind_dn: CN=Ricardo,OU=NOC,DC=domain,DC=local
ldap_bind_pw: 123456
ldap_filter: (sAMAccountName=%u)
ldap_use_sasl: no
root@Firewall:~/squid_kerb_ldap#
Via testsaslauthd, authentication works with an Active Directory username
and password:
root@Firewall:~/squid_kerb_ldap# testsaslauthd -u ricardo.dias -p 123456
0: OK "Success."
root@Firewall:~/squid_kerb_ldap#
Any idea?
Regards
On 10/04/2011 05:56 PM, Markus Moeller wrote:
Hi Ricardo,
Can you add the -d option for debug output to squid_kerb_ldap? It should
help to pinpoint the problem. squid_kerb_ldap uses the Kerberos keytab
entry to authenticate to Active Directory, which fails. Can you also
capture with tcpdump the Kerberos traffic on port 88 and LDAP on port
389?
Markus
"Ricardo Barbosa" <spiderslack@xxxxxxxxxxxx> wrote in message
news:1317680715.75499.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx...
Hi all,
I'm setting up Squid authenticating via Kerberos; the squid_kerb_auth helper
works perfectly, but squid_kerb_ldap does not. Initially I collected the
messages in the logs about SASL support, and also the history in the list:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html
But after recompiling squid_kerb_ldap with SASL support, the message
changed.
==> /var/log/squid/access.log <==
1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET
http://www.google.com.br/ - NONE/- text/html
1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET
http://www.google.com.br/ ricardo.dias@DOMAIN.LOCAL NONE/- text/html
==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR <token elided>'
from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
ricardo.dias@DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg==
ricardo.dias@DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain:
DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of
group@domain G_Internet_RH@NULL
Does anyone have any idea where I am going wrong?