Hi Markus!
I can't, because all the problems I described and all the pieces of logs I provided are from squid 3.4. Squid 3.3 works well; squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Pavel,
>
> Can you use 3.4 then instead of 3.3, as it seems to have the problem fixed?
>
> Markus
>
> "Pavel Timofeev" wrote in message
> news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=Dd8n7w@xxxxxxxxxxxxxx...
>
> That's how squid's 3.4.6 helper works with username@xxxxxxxxxxx
>
> kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
> support_member.cc(55): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
> support_member.cc(83): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
> support_member.cc(111): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
> support_member.cc(113): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
> support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
> support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get default keytab file name
> support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
> support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
> support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
> support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example.org@xxxxxxxxxxx
> support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_45620
> support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example.org@xxxxxxxxxxx
> support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
> support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Initialise ldap connection
> support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.ORG
> support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc1.example.org
> support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc2.example.org
>
> etc. and no problems.
>
> 2014-08-21 14:54 GMT+04:00 Pavel Timofeev <timp87@xxxxxxxxx>:
>> Group name in config is OCS-DenyInternet-G, of course.
>>
>> 2014-08-21 14:48 GMT+04:00 Pavel Timofeev <timp87@xxxxxxxxx>:
>>> Hi!
>>> Please help.
>>> I've been using squid 3.3.11 on FreeBSD 10 for a year.
>>> I have AD and Kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group. My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org.
>>> Everything works fine.
>>> Here is the config:
>>>
>>> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example.org@xxxxxxxxxxx
>>> auth_param negotiate children 100 startup=30 idle=5
>>> auth_param negotiate keep_alive
>>>
>>> external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass
>>>
>>> Now I'm trying to migrate to squid 3.4.6. Same config.
>>> I've encountered a problem: kerberos_ldap_group stopped working with subdomain users like user@xxxxxxxxxxxxxxxxx, while it still works with user@xxxxxxxxxxx.
>>> In general it started to complain "ERROR: Error during setup of Kerberos credential cache" in cache.log.
>>> When I turn on the debug I'm getting this:
>>>
>>> kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
>>> support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
>>> support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
>>> support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
>>> support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
>>> support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
>>> support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
>>> support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
>>> support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729
>>> support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
>>> support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
>>> support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example.org@xxxxxxxxxxx
>>> support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example.org@xxxxxxxxxxx
>>> support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
>>> support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
>>> support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
>>> kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
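The two debug excerpts above differ in one place: for the EXAMPLE.ORG user the keytab yields a principal for the user's realm, for the SOUTH.EXAMPLE.ORG user it does not, the trusted-domain fallback finds HTTP/proxy.example.org but ends in "Got no principal name", and the helper then reports the user as "not member" and answers ERR. That last step is the part worth watching operationally: an ERR caused by a credential-cache failure looks exactly like a genuine non-membership answer, so a deny-group ACL built on this helper stops denying whenever the Kerberos setup fails. The script below is an added example (not code from the thread or from the Squid project) that parses `ext_kerberos_ldap_group_acl -d` output per helper pid, records which realms the keytab carries, whether the fallback ran, and whether the final ERR followed a credential-cache error. The sample lines are constructed from the excerpts in the thread: the realm is written out as EXAMPLE.ORG rather than masked, the success run is trimmed, and its closing `DEBUG: OK` line is an assumption about the helper's positive verdict (the thread only shows `DEBUG: ERR`).

```python
import re
from dataclasses import dataclass, field

# One line of `ext_kerberos_ldap_group_acl -d` output, shape taken from the thread:
#   support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: <message>
LINE_RE = re.compile(
    r"^(?P<src>[\w.]+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>[\d/]+ [\d:]+)\| "
    r"kerberos_ldap_group: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample, modelled on the two helper runs quoted in the thread.
# The trailing "DEBUG: OK" of pid 45620 is assumed; the thread cuts that run off.
SAMPLE_LOG = """\
kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example.org@EXAMPLE.ORG
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
kerberos_ldap_group.cc(407): pid=45620 :2014/08/21 14:27:31| kerberos_ldap_group: DEBUG: OK
kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example.org@EXAMPLE.ORG
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
"""


@dataclass
class HelperRun:
    """What one helper invocation (one pid) did, as far as the debug log tells us."""
    pid: str
    user: str = ""
    domain: str = ""                    # realm the helper derived from the login
    keytab_realms: list = field(default_factory=list)
    principal_for_domain: str = ""      # "Found principal name: ..." for the user's realm
    trusted_fallback: bool = False      # "Try to get principal of trusted domain."
    cred_cache_error: bool = False      # "ERROR: Error during setup of Kerberos credential cache"
    verdict: str = ""                   # final "DEBUG: OK" / "DEBUG: ERR"

    @property
    def fails_open(self) -> bool:
        # ERR that follows a credential-cache error is "lookup failed", not "not a member".
        return self.cred_cache_error and self.verdict == "ERR"


def parse_helper_log(text: str) -> dict:
    """Group debug lines by pid and extract the Kerberos/keytab decisions per run."""
    runs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a helper line (cache.log noise, wrapped lines, ...)
        run = runs.setdefault(m["pid"], HelperRun(pid=m["pid"]))
        msg = m["msg"]
        if msg.startswith("Got User: "):
            u = re.match(r"Got User: (\S+) Domain: (\S+)", msg)
            run.user, run.domain = u.group(1), u.group(2)
        elif msg.startswith("Keytab entry has realm name: "):
            realm = msg.split(": ", 1)[1]
            if realm not in run.keytab_realms:
                run.keytab_realms.append(realm)
        elif msg.startswith("Found principal name: "):
            run.principal_for_domain = msg.split(": ", 1)[1]
        elif msg.startswith("Try to get principal of trusted domain"):
            run.trusted_fallback = True
        elif msg.startswith("Error during setup of Kerberos credential cache"):
            run.cred_cache_error = True
        elif m["level"] == "DEBUG" and msg in ("OK", "ERR"):
            run.verdict = msg
    return runs


def diagnose(run: HelperRun) -> list:
    """Return human-readable findings; an empty list means the run looked healthy."""
    findings = []
    if run.domain and run.domain not in run.keytab_realms:
        findings.append(
            f"keytab has no entry for user realm {run.domain} "
            f"(realms present: {', '.join(run.keytab_realms) or 'none'})"
        )
    if run.trusted_fallback and run.cred_cache_error:
        findings.append("trusted-domain fallback ran but no usable principal was selected")
    if run.fails_open:
        findings.append(
            f"verdict ERR for {run.user}@{run.domain} follows a credential-cache error: "
            "a deny rule on this external ACL will not fire for this user"
        )
    return findings


if __name__ == "__main__":
    for pid, run in parse_helper_log(SAMPLE_LOG).items():
        print(f"pid {pid}: {run.user}@{run.domain} -> {run.verdict or '?'}")
        for finding in diagnose(run):
            print("  !", finding)
```

Feed it real output by replacing `SAMPLE_LOG` with the contents of cache.log; the message prefixes it keys on are the ones visible in the thread, so a Squid version that rewords them will simply produce fewer findings rather than false ones. Treat any run that `fails_open` as an alert, not as a membership answer.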