Hi Eugene,
I can only guess that the memory cache is not working. Can you change in
include/autoconf.h
/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1
to
#undef HAVE_KRB5_MEMORY_CACHE
and recompile?
Markus
"Eugene M. Zheganin" wrote in message
news:52B83E6C.8040305@xxxxxxxxxxxxx...
Hi.
squid 3.3.11
FreeBSD 10.x
I'm fighting squid_kerb_group; sometimes it may become tricky. Here's
where I'm stuck:
I'm launching this:
===Cut===
KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
export KRB5_KTNAME
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-a \
-m 16 \
-i \
-ddd \
-D NORMA.COM \
-b cn=Users,dc=norma,dc=com \
-S hq-gc.norma.com@xxxxxxxxx \
-u proxy2 \
-p XXXXXXXXXXXXXXXXXXX \
-N SOFTLAB@xxxxxxxxx \
-g "Internet Users - Proxy2@"
===Cut===
and getting this:
===Cut===
./squid_kerb_group.sh
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_group.cc(372): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group list Internet Users - Proxy2@
support_group.cc(437): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group Internet Users - Proxy2 Domain
support_netbios.cc(74): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios list SOFTLAB@xxxxxxxxx
support_netbios.cc(147): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios name SOFTLAB Domain NORMA.COM
support_lserver.cc(73): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server list hq-gc.norma.com@xxxxxxxxx
support_lserver.cc(137): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server hq-gc.norma.com Domain NORMA.COM
emz
kerberos_ldap_group.cc(430): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz set default domain: NORMA.COM
kerberos_ldap_group.cc(435): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz Domain: NORMA.COM
support_member.cc(55): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: User domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(83): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(85): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found group@domain Internet Users - Proxy2@
support_ldap.cc(810): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(91): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(97): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(111): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: NORMA.COM
support_krb5.cc(133): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy2.norma.com@xxxxxxxxx
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(267): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy2.norma.com@xxxxxxxxx
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(839): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(845): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
NORMA.COM
support_resolv.cc(245): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Ldap server loop: lserver@domain
hq-gc.norma.com@xxxxxxxxx
support_resolv.cc(247): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found lserver@domain hq-gc.norma.com@xxxxxxxxx
support_resolv.cc(441): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Sorted ldap server names for domain NORMA.COM:
support_resolv.cc(443): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Host: hq-gc.norma.com Port: -1 Priority: -2
Weight: -2
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setting up connection to ldap server
hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: Error while binding to ldap server with
SASL/GSSAPI: Local error
support_ldap.cc(891): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: No error: 0
support_ldap.cc(951): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: No error: 0
support_member.cc(96): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: User emz is not member of group@domain
Internet Users - Proxy2@
support_member.cc(111): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Default group loop: group@domain Internet
Users - Proxy2@
ERR
kerberos_ldap_group.cc(470): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: ERR
===Cut===
However, using this keytab and script, everything is OK when launching
from other servers.
Some additional info: I can successfully use an ldapsearch with
SASL/GSSAPI bind with this keytab:
===Cut===
# kdestroy
# klist
klist: No ticket file: /tmp/krb5cc_0
# kinit --keytab=/usr/local/etc/squid/squid.keytab HTTP/proxy2.norma.com
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: HTTP/proxy2.norma.com@xxxxxxxxx
Issued Expires Principal
Dec 23 19:37:11 2013 Dec 24 04:37:11 2013 krbtgt/NORMA.COM@xxxxxxxxx
Dec 23 19:37:17 2013 Dec 24 04:37:11 2013 ldap/hq-gc.norma.com@xxxxxxxxx
# ldapsearch -H ldap://hq-gc.norma.com:389 -Y GSSAPI -O "maxssf=56" -b
"cn=Users,dc=norma,dc=com" -W
"(&(sAMAccountname=emz)(memberOf=CN=Internet Users -
Proxy1,CN=Users,DC=norma,DC=com))"
Enter LDAP Password: [actually I press Enter here, and the password is
not null - so the keytab is used]
SASL/GSSAPI authentication started
SASL username: HTTP/proxy2.norma.com@xxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=norma,dc=com> with scope subtree
# filter: (&(sAMAccountname=emz)(memberOf=CN=Internet Users -
Proxy1,CN=Users,DC=norma,DC=com))
# requesting: ALL
#
# \D0\96\D0\B5\D0\B3\D0\B0\D0\BD\D0\B8\D0\BD \D0\95\D0\B2\D0\B3\D0\B5\D0\BD\D0\B8\D0\B9, Users, norma.com
dn:: Q0490JbQtdCz0LDQvdC40L0g0JXQstCz0LXQvdC40LksQ049VXNlcnMsREM9bm9ybWEsREM9Y29t
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
[some more data in LDIF format not showing]
===Cut===
Looks like it's really some local problem, but I cannot figure out which
one exactly.
Thanks.
Eugene.
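The helper's -ddd output quoted above wraps every entry over two or more lines, which makes it hard to see at a glance which credential cache type the helper chose and where the run first failed. The following Python script is an added example, not code from this thread or from Squid: it re-joins the wrapped entries, pulls out the credential cache, the principal taken from the keytab and the LDAP server, and reports the first ERROR together with the helper's final OK/ERR reply. The sample log is a constructed, trimmed copy of the lines posted above; `memory_ccache_suspect` only encodes Markus's hypothesis (a MEMORY: cache followed by a SASL/GSSAPI "Local error" bind failure) as a heuristic hint for triage, not as a diagnosis.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the helper output posted in the thread,
# keeping the mail-client line wrapping that splits each entry over 2-3 lines.
SAMPLE_LOG = """\
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(267): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy2.norma.com@xxxxxxxxx
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setting up connection to ldap server
hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_member.cc(96): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: User emz is not member of group@domain
Internet Users - Proxy2@
ERR
"""

# "file.cc(line): pid=N :YYYY/MM/DD hh:mm:ss| <optional message>"
HEADER_RE = re.compile(
    r"^(?P<src>\S+\.cc)\((?P<line>\d+)\): pid=(?P<pid>\d+) :"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s*(?P<rest>.*)$")
MSG_RE = re.compile(
    r"^kerberos_ldap_group: (?P<level>INFO|DEBUG|WARNING|ERROR): (?P<text>.*)$")
# Helper protocol replies written to stdout, interleaved with the debug log.
REPLY_RE = re.compile(r"^(OK|ERR|BH)(\s.*)?$")


@dataclass
class Entry:
    src: str
    line: int
    pid: int
    ts: str
    level: str = ""
    text: str = ""


def parse_helper_log(raw):
    """Re-join wrapped entries; return (entries, helper replies in order)."""
    entries, replies, cur = [], [], None
    for line in raw.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(m["src"], int(m["line"]), int(m["pid"]), m["ts"])
            entries.append(cur)
            line = m["rest"]          # message may follow on the same line
            if not line:
                continue
        if REPLY_RE.match(line):
            replies.append(line)
            cur = None                # a reply ends the current entry
            continue
        mm = MSG_RE.match(line)
        if mm and cur is not None and not cur.level:
            cur.level, cur.text = mm["level"], mm["text"]
        elif cur is not None and cur.level:
            cur.text = f"{cur.text} {line.strip()}".strip()  # continuation
        # Anything else (e.g. the user name typed into the helper) is ignored.
    return entries, replies


def triage(entries, replies):
    """Pick out the facts a first look at a failed run needs."""
    prefixes = {
        "ccache": "Set credential cache to ",
        "principal": "Got principal name ",
        "ldap_server": "Setting up connection to ldap server ",
    }
    report = {k: None for k in prefixes}
    report["first_error"] = None
    report["reply"] = replies[-1] if replies else None
    for e in entries:
        for key, pfx in prefixes.items():
            if e.text.startswith(pfx):
                report[key] = e.text[len(pfx):]
        if e.level == "ERROR" and report["first_error"] is None:
            report["first_error"] = f"{e.src}({e.line}): {e.text}"
    cc = report["ccache"]
    report["ccache_type"] = cc.split(":", 1)[0] if cc else None
    return report


def memory_ccache_suspect(report):
    """Heuristic: MEMORY: ccache in use and the GSSAPI bind failed locally."""
    err = report["first_error"] or ""
    return (report["ccache_type"] == "MEMORY"
            and "ldap_sasl_interactive_bind_s" in err
            and "Local error" in err)


if __name__ == "__main__":
    rep = triage(*parse_helper_log(SAMPLE_LOG))
    for k, v in rep.items():
        print(f"{k:12} {v}")
    print("memory ccache suspect:", memory_ccache_suspect(rep))
```

Feed it the real helper output instead of `SAMPLE_LOG` (e.g. `triage(*parse_helper_log(open("helper.log").read()))`) to get the same summary; the continuation handling means it works on both the wrapped copy from the mailing list and the unwrapped output of a local run.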