Hello Dio,

Thank you for the reply. So, can this be an "MIT" Kerberos or Heimdal thing? I'm using Samba 4 for the AD DC and that uses Heimdal. Even though the log says: "Client 'HTTP/hostname.internet.

I'm using NFSv4 over Kerberos, SSH over Kerberos and Squid user auth already, and that is working fine (on the same server). I don't have/use kadmin, since Samba is my KDC. The only thing I can think of besides MIT or Heimdal is that I use a dedicated user which has the SPN for my proxy server.

A snip from my krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

Best regards,

Louis


Van: Diogenes S. Jesus [mailto:splash@xxxxxxxxx]

Hi there.

Well, the log says "Client 'HTTP/hostname.internet.

Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database: kadmin.local and "getprinc HTTP/hostname.internet.

Dio


On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <belle@xxxxxxxxx> wrote:

Hi,

I'm having trouble getting the ext_kerberos_ldap_group_acl working. I've read: http://www.squid-cache.org/

Here is what I have checked / done already.

My keytab file:

klist -ekt /etc/squid/keytab.PROXYSERVER-
Keytab name: FILE:/etc/squid/keytab.
KVNO Timestamp           Principal
---- ------------------- ------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.

The auth I'm using (which is working fine):

auth_param negotiate program /usr/lib/squid/negotiate_ --kerberos /usr/lib/squid/negotiate_ --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

For testing
I'm starting the group ACL on the command line:

/usr/lib/squid3/ext_kerberos_

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail@xxxxxxxxxxxxxx
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

When I test with the user and group now:

testuser internet-mail

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@xxxxxxxxxxxxxx
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.
support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@xxxxxxxxxxxxxx
ERR
kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR

I don't see what I'm missing here.

I'm running Debian Jessie, LDAP is set up for SSL, Samba 4.4.5 and Squid 3.5.19.

I did see something about Kerberos and groups but I can't find that post.

So, anyone any suggestion/tip on how to debug this, or why I'm getting "Error while initializing credentials from keytab"?

Greetz,

Louis
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users