Ok, reply to myself so other users know this also. If you create a user for the HTTP service and you don't use msktutil but, like me, samba-tool or something else, read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. The clue was this line for me:

    Squid "login" to Windows Active Directory or Unix kdc as user <HTTP/<fqdn-squid>@DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to <HTTP/<fqdn-squid>@DOMAIN.COM> for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool. The samba-tool setup for squid I used was as follows:

    samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
    samba-tool user setexpiry squid1-service --noexpiry
    samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

- My UPN was set to username@xxxxxxxxxxxxxxxxxxx (as it should).
- My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

    samba-tool spn list squid1-service
    squid1-service
    User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
         HTTP/proxy.internal.domain.tld
         HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from username@xxxxxxxxxxxxxxxxxxx to the SPN name HTTP/proxyserver.internal.domain.tld@REALM. That solved my initial problem. In my opinion this should be changed to search for the SPN in ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

    Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

I already have:

    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

which contains the needed certs. Did I find 2 small bugs here? Or is this a "Debian" related thing?

Debug output:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail@xxxxxxxxxxxxxx -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d
kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail@xxxxxxxxxxxxxx
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@xxxxxxxxxxxxxx
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list
support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@xxxxxxxxxxxxxx
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
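An added check for the mismatch described in the post (not code from the post or from the Squid project): it compares the principal the helper reads from the keytab with the service account's userPrincipalName and servicePrincipalName attributes, as the Squid wiki excerpt quoted above requires, and emits the LDIF that applies the poster's fix. The DN, realm and attribute values below are constructed sample data; the helper names are hypothetical.

```python
# Constructed sample: what the helper found in the keytab, and what
# samba-tool user create + spn add leave in the directory before the fix.
KEYTAB_PRINCIPAL = "HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD"

ACCOUNT_BEFORE = {
    "dn": "CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld",
    "sAMAccountName": "squid1-service",
    # samba-tool user create sets the UPN to user@realm, not to the SPN
    "userPrincipalName": "squid1-service@internal.domain.tld",
    "servicePrincipalName": [
        "HTTP/proxy.internal.domain.tld",
        "HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD",
    ],
}


def split_principal(principal: str):
    """Split 'service/host@REALM' into ('service/host', 'REALM')."""
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name, realm


def check_service_account(entry: dict, keytab_principal: str) -> list:
    """Return findings explaining why a lookup of
    userPrincipalName=<keytab principal> would not match this account.
    An empty list means the account is consistent with the keytab."""
    findings = []
    kt_name, _realm = split_principal(keytab_principal)
    if not kt_name.startswith("HTTP/"):
        findings.append(f"keytab principal {keytab_principal!r} is not an HTTP/ principal")
    # SPN values may carry a realm suffix; compare on the service/host part only
    spns = {s.rsplit("@", 1)[0] for s in entry.get("servicePrincipalName", [])}
    if kt_name not in spns:
        findings.append(f"servicePrincipalName lacks {kt_name!r}")
    upn = entry.get("userPrincipalName", "")
    # AD matches userPrincipalName case-insensitively, so compare folded values
    if upn.lower() != keytab_principal.lower():
        findings.append(f"userPrincipalName is {upn!r}; helper looks up {keytab_principal!r}")
    return findings


def upn_fix_ldif(entry: dict, keytab_principal: str) -> str:
    """LDIF for ldbmodify/ldapmodify that sets the UPN to the keytab principal."""
    return (f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: userPrincipalName\nuserPrincipalName: {keytab_principal}\n")
```

Run the check before and after applying the LDIF: the only finding on the sample is the UPN mismatch, and it disappears once userPrincipalName equals the keytab principal.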