
Re: Re: Squid authenticate via squid_kerb_ldap

Hi Markus.


On 10/05/2011 04:30 PM, Markus Moeller wrote:
Hi Ricardo,

That looks basically all correct. Can you capture the traffic on port 88 (Kerberos) with Wireshark? At this point

2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error

you should see a Kerberos authentication request (AS-REQ ) for HTTP/Firewall.domain.local followed by a successful reply (AS-REP). After that you should see a TGS-REQ for ldap/server srvarq.domain.local with a successful reply.

Yes, I see AS-REQ and AS-REP:

------------------------------------
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)

        Client Name (Principal): HTTP/Firewall.domain.local
            Name-type: Principal (1)
            Name: HTTP
            Name: Firewall.domain.local
        Realm: DOMAIN.LOCAL
----------------------------
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    Client Realm: DOMAIN.LOCAL
    Client Name (Principal): HTTP/Firewall.domain.local
        Name-type: Principal (1)
        Name: HTTP
        Name: Firewall.domain.local
    Ticket
        Tkt-vno: 5
        Realm: DOMAIN.LOCAL
-------------------------------
but I do not see a TGS-REQ.

After the AS-REP I immediately got the three-way handshake to port 389 and then the following LDAP payload:

--------------------------------

Lightweight-Directory-Access-Protocol
    LDAPMessage searchRequest(1) "<ROOT>" baseObject
        messageID: 1
        protocolOp: searchRequest (3)
            searchRequest
                baseObject:
                scope: baseObject (0)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                Filter: (objectclass=*)
                    filter: present (7)
                        present: objectclass
                attributes: 1 item
                    AttributeDescription: supportedSASLMechanisms
-----------------------------------------
and the answer (I'd say something back, but it does not show):

Lightweight-Directory-Access-Protocol
    LDAPMessage searchResEntry(1) "<ROOT>" [1 result]
        messageID: 1
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName:
                attributes: 1 item
                    PartialAttributeList item supportedSASLMechanisms
                        type: supportedSASLMechanisms
                        vals: 4 items
                            GSSAPI
                            GSS-SPNEGO
                            EXTERNAL
                            DIGEST-MD5
        [Response To: 8]
        [Time: 0.000462000 seconds]
Lightweight-Directory-Access-Protocol
    LDAPMessage searchResDone(1) success [1 result]
        messageID: 1
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:
        [Response To: 8]
        [Time: 0.000462000 seconds]
---------------------------------------------

I think one of these requests is failing. Could you let me know the error message?

If it does not fail, can you capture the traffic on port 389? It should show a SASL/GSSAPI authentication of the ldap connection. Could you let me know if that succeeded?

No, the connection to SASL/GSSAPI does not occur because the setup is missing some step??


Can you try the following on your squid box:

kinit -kt <squid.keytab> HTTP/Firewall.domain.local@DOMAIN.LOCAL
ldapsearch -H ldap://srvarq.domain.local -s sub -b DC=DOMAIN,DC=LOCAL serviceprincipalname=ldap/srvarq.domain.local

You should get something like:

ldapsearch -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME serviceprincipalname=ldap/w2k3r2.win2003r2.home
SASL/GSSAPI authentication started
SASL username: HTTP/squid.win2003r2.home@xxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: serviceprincipalname=ldap/w2k3r2.win2003r2.home
# requesting: ALL
#

# W2K3R2, Domain Controllers, win2003r2.home
dn: CN=W2K3R2,OU=Domain Controllers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W2K3R2
.....


If that fails you may be missing cyrus-sasl-gssapi.

Thanks for helping me.

Regards


Regards
Markus
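The troubleshooting sequence Markus describes above (AS-REQ/AS-REP for the HTTP/ principal, then a TGS-REQ/TGS-REP for the ldap/ service, then a SASL/GSSAPI bind on port 389, with the rootDSE query for supportedSASLMechanisms in between) written up as a small stage checker. This is an added example, not code from the thread or from squid_kerb_ldap; the one-line packet summaries it parses are constructed and hypothetical (loosely tshark-like, with key=value fields), not the real capture Ricardo posted. Given such a trace it reports the first stage that is missing and the corresponding hint from the thread, such as "no TGS-REQ for ldap/host" pointing at a missing cyrus-sasl-gssapi.

```python
"""Stage-by-stage check of a squid_kerb_ldap SASL/GSSAPI bind from a packet-summary trace."""
import re
from typing import Dict, List

# Constructed, hypothetical summaries (not the thread's capture). This is the failing
# pattern from the thread: AS-REQ/AS-REP succeed, the rootDSE query runs, but no
# TGS-REQ for ldap/<host> ever appears before the bind reports "Local error".
TRACE_FAILING = """\
1 0.000 10.0.0.5 -> 10.0.0.10 KRB5 AS-REQ cname=HTTP/Firewall.domain.local realm=DOMAIN.LOCAL
2 0.002 10.0.0.10 -> 10.0.0.5 KRB5 AS-REP cname=HTTP/Firewall.domain.local realm=DOMAIN.LOCAL
3 0.004 10.0.0.5 -> 10.0.0.10 LDAP searchRequest(1) "<ROOT>" baseObject attrs=supportedSASLMechanisms
4 0.005 10.0.0.10 -> 10.0.0.5 LDAP searchResEntry(1) supportedSASLMechanisms=GSSAPI,GSS-SPNEGO,EXTERNAL,DIGEST-MD5
5 0.005 10.0.0.10 -> 10.0.0.5 LDAP searchResDone(1) resultCode=success
"""

# Constructed healthy continuation: a service ticket is obtained and the GSSAPI bind succeeds.
TRACE_OK = TRACE_FAILING + """\
6 0.010 10.0.0.5 -> 10.0.0.10 KRB5 TGS-REQ sname=ldap/srvarq.domain.local realm=DOMAIN.LOCAL
7 0.012 10.0.0.10 -> 10.0.0.5 KRB5 TGS-REP sname=ldap/srvarq.domain.local realm=DOMAIN.LOCAL
8 0.014 10.0.0.5 -> 10.0.0.10 LDAP bindRequest(2) mechanism=GSSAPI
9 0.016 10.0.0.10 -> 10.0.0.5 LDAP bindResponse(2) resultCode=success
"""

# Protocol tag, message type, optional "(messageID)", then free key=value fields.
MSG_RE = re.compile(r"\b(KRB5|LDAP) ([A-Za-z-]+)(?:\(\d+\))?(.*)$")


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Turn summary lines into dicts: {'proto': ..., 'msg': ..., <key>: <value>, ...}."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a Kerberos or LDAP summary line
        proto, msg, rest = m.groups()
        ev = {"proto": proto, "msg": msg}
        for token in rest.split():
            if "=" in token:
                key, val = token.split("=", 1)
                ev[key] = val
        events.append(ev)
    return events


def diagnose(events: List[Dict[str, str]], ldap_host: str) -> Dict[str, object]:
    """Report the first missing stage of the Kerberos -> LDAP SASL/GSSAPI bind."""
    krb = [e for e in events if e["proto"] == "KRB5"]
    ldap = [e for e in events if e["proto"] == "LDAP"]
    seen = {e["msg"] for e in krb}
    service = f"ldap/{ldap_host}"

    # Mechanisms the directory advertises in its rootDSE (the searchResEntry in the thread).
    mechanisms: List[str] = []
    for e in ldap:
        if e["msg"] == "searchResEntry" and "supportedSASLMechanisms" in e:
            mechanisms = e["supportedSASLMechanisms"].split(",")

    def has(msg: str) -> bool:
        return any(e["msg"] == msg and e.get("sname") == service for e in krb)

    result: Dict[str, object] = {"service": service, "mechanisms": mechanisms}
    if "AS-REQ" not in seen:
        result.update(stage="no_as_req",
                      hint="No AS-REQ on port 88: the keytab was never used; check the keytab path and HTTP/ principal.")
    elif "AS-REP" not in seen:
        result.update(stage="as_rejected",
                      hint="AS-REQ without AS-REP: the KDC rejected the HTTP/ principal; check keytab key version and clock skew.")
    elif mechanisms and "GSSAPI" not in mechanisms:
        result.update(stage="server_no_gssapi",
                      hint="The directory does not advertise GSSAPI in supportedSASLMechanisms.")
    elif not has("TGS-REQ"):
        result.update(stage="no_service_ticket",
                      hint=f"TGT obtained but no TGS-REQ for {service}: the client side never started GSSAPI "
                           "(the 'Local error' symptom); check that cyrus-sasl-gssapi is installed.")
    elif not has("TGS-REP"):
        result.update(stage="service_ticket_refused",
                      hint=f"KDC did not issue a ticket for {service}; check that this SPN exists in the directory.")
    else:
        ok = any(e["msg"] == "bindResponse" and e.get("resultCode") == "success" for e in ldap)
        result.update(stage="bind_ok" if ok else "bind_failed",
                      hint="SASL/GSSAPI bind on port 389 " + ("succeeded." if ok else "did not return success."))
    return result


if __name__ == "__main__":
    for name, trace in (("failing", TRACE_FAILING), ("ok", TRACE_OK)):
        r = diagnose(parse_trace(trace), "srvarq.domain.local")
        print(f"{name}: {r['stage']} - {r['hint']}")
```

On the failing trace the checker stops at `no_service_ticket`, which matches what the thread shows: the KDC happily issues the TGT and the server offers GSSAPI, so the missing piece is on the client side between obtaining the TGT and asking for the ldap/ service ticket, exactly where the kinit + ldapsearch test Markus suggests would fail if the SASL GSSAPI plugin is absent.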