Hi Valentin,
I think the problem is here:
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path
CN=Schema,CN=Configuration,DC=dominion,DC=local and filter:
(ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an
Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type:
Operations error
Do you know if everyone can access the schema of your ldap server (I assume
it is a MS Active Directory server)?
Markus
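A small triage script for this failure chain, added here as an example and not part of the thread or of squid_kerb_ldap itself: it walks the helper's -d output and flags the points Markus singles out (the bind result per DC, the zero-hit search under the schema partition, and the fall-back to non-AD mode). The log lines embedded in it are constructed from the ones quoted below.

```python
import re

# Constructed sample of squid_kerb_ldap "-d" output from cache.log, modelled on
# the lines quoted in this thread (not a capture from the poster's proxy).
SAMPLE_LOG = """\
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group@domain Internet_all@NULL
"""

CONNECT = re.compile(r"Setting up connection to ldap server (\S+)")
BIND_ERR = re.compile(r"ldap_sasl_interactive_bind_s error: (.+)")
BIND_OK = re.compile(r"Successfully initialised connection to ldap server (\S+)")
SCHEMA = re.compile(r"bind path (CN=Schema,\S+) and filter: \(([^)]+)\)")
FOUND = re.compile(r"Found (\d+) ldap entries")

def triage(log_text):
    """Walk the helper's debug lines and report why the group check failed."""
    binds, current, schema, entries, not_ad = {}, None, None, None, False
    for line in log_text.splitlines():
        msg = line.split("squid_kerb_ldap: ", 1)[-1]
        if m := CONNECT.search(msg):
            current = m.group(1)
            binds[current] = "no bind result"
        elif (m := BIND_ERR.search(msg)) and current:
            binds[current] = "bind failed: " + m.group(1)
        elif m := BIND_OK.search(msg):
            binds[m.group(1)] = "bind ok"
        elif m := SCHEMA.search(msg):
            schema = (m.group(1), m.group(2))   # the AD detection query
        elif (m := FOUND.search(msg)) and schema and entries is None:
            entries = int(m.group(1))          # hits for that query
        elif "not as an Active Directory server" in msg:
            not_ad = True
    findings = [f"{h}: {s}" for h, s in binds.items() if s != "bind ok"]
    if schema and entries == 0:
        findings.append(f"{schema[1]} not found under {schema[0]}: the proxy "
                        "principal may lack read access to the schema partition")
    if not_ad:
        findings.append("helper fell back to non-AD mode, so AD group "
                        "membership checks will fail for every user")
    return {"binds": binds, "schema_entries": entries,
            "ad_detected": not not_ad, "findings": findings}
```

Run it over a real cache.log section with `triage(open("/var/log/squid/cache.log").read())` and read the `findings` list.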
"Valentin G" wrote in message news:1857521401801103@xxxxxxxxxxxxxxxx...
Hi, help me solve my problem configuring squid...
DOMINION.LOCAL - win domain (2003+2008 forest 2003)
3 inet group in AD
user vvgulimov in group Internet_all
squid_kerb_ldap ver 1.2.2
cache.log
2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain:
DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: User domain loop: group@domain
Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default domain loop: group@domain
Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default group loop: group@domain
Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Found group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Setup Kerberos credential cache
2014/06/03 15:52:59| squid_kerb_ldap: Get default keytab file name
2014/06/03 15:52:59| squid_kerb_ldap: Got default keytab file name
/etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Get principal name from keytab
/etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Keytab entry has realm name:
DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Found principal name:
HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_3062
2014/06/03 15:52:59| squid_kerb_ldap: Got principal name
HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Stored credentials
2014/06/03 15:52:59| squid_kerb_ldap: Initialise ldap connection
2014/06/03 15:52:59| squid_kerb_ldap: Canonicalise ldap server name for
domain DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL
record to ruspb-a-sdc-1.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL
record to ruspb-a-sdc-2.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 1 of DOMINION.LOCAL
to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 2 of DOMINION.LOCAL
to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 3 of DOMINION.LOCAL
to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Adding DOMINION.LOCAL to list
2014/06/03 15:52:59| squid_kerb_ldap: Sorted ldap server names for domain
DOMINION.LOCAL:
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-2.dominion.local
Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-1.dominion.local
Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: DOMINION.LOCAL Port: -1
Priority: -1 Weight: -1
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server
ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server
ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to
ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path ""
and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap entries for attribute :
schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute :
schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path
CN=Schema,CN=Configuration,DC=dominion,DC=local and filter:
(ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an
Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type:
Operations error
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of
group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: ERR
____________________________________________
squid.conf
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s HTTP/proxy.dominion.local@DOMINION.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP1 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_all
external_acl_type SQUID_KERB_LDAP2 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_blacklist
external_acl_type SQUID_KERB_LDAP3 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_whitelist
acl AUTHENTICATED proxy_auth REQUIRED
acl Internet_all external SQUID_KERB_LDAP1
acl Internet_blacklist external SQUID_KERB_LDAP2
acl Internet_whitelist external SQUID_KERB_LDAP3
acl white_list url_regex -i "/etc/squid/white_list"
acl black_list url_regex -i "/etc/squid/black_list"
http_access allow Internet_whitelist white_list
http_access deny Internet_blacklist black_list
http_access allow Internet_all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localhost
http_access allow AUTHENTICATED
http_access deny all
_______________________________________
krb5.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
krb4_convert = false
}
[libdefaults]
default_realm = DOMINION.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# proxiable = true
# For Windows 2007:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable = yes
[realms]
DOMINION.LOCAL = {
# kdc = 192.168.235.4:88
kdc = 192.168.234.2:88
# admin_server = 192.168.235.4:749
admin_server = 192.168.234.2:749
default_domain = DOMINION.LOCAL
}
[domain_realm]
.dominion.local = DOMINION.LOCAL
dominion.local = DOMINION.LOCAL
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmin.log
____________________________________________________
thank you
P.S. configure your mail ezm is very strong ..)