Hi,

I would say they are bugs. The first “issue” is, as you say, more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.

Also msktutil (my preferred tool) creates a machine account, not a user account, in AD. The reason I prefer this is that user accounts often have a global password policy, e.g. change every 60 days, otherwise the account will be locked. Machine accounts do not have that limitation. But as I said, it is just my preference.

Regarding the certificate check: I do not use any ldap.conf settings. I require an export of TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I will see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.

Kind regards
Markus
"L.P.H. van Belle" <belle@xxxxxxxxx> wrote in message
news:vmime.57bdb617.37c8.575130a1134f9a07@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...

Ok, reply to myself so other users know this also. If you create a user for the HTTP service and you don't use msktutil but, like me, samba-tool or something else, read
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
carefully. The clue was this line for me:

  Squid "login" to Windows Active Directory or Unix kdc as user
  <HTTP/<fqdn-squid>@DOMAIN.COM>. This requires Active Directory to have an
  attribute userPrincipalname set to <HTTP/<fqdn-squid>@DOMAIN.COM> for the
  associated account. This is usually done by using msktutil.

But this is not done by samba-tool. The samba-tool setup for squid I used was as follows:

  samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
  samba-tool user setexpiry squid1-service --noexpiry
  samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to username@xxxxxxxxxxxxxxxxxxx (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

  samba-tool spn list squid1-service
  squid1-service
  User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
       HTTP/proxy.internal.domain.tld
       HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from username@xxxxxxxxxxxxxxxxxxx to the SPN name HTTP/proxyserver.internal.domain.tld@REALM. That solved my initial problem. In my opinion ext_kerberos_ldap_group should be changed to search for the SPN instead.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

  Set certificate file for ldap server to /etc/ssl/certs/cert.pem. (Changeable through setting environment variable TLS_CACERTFILE)

I already have:

  TLS_CACERT /etc/ssl/certs/ca-certificates.crt

which contains the needed certs. Did I find 2 small bugs here? Or is this a “Debian” related thing?

Debug output:
/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail@xxxxxxxxxxxxxx -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d
kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail@xxxxxxxxxxxxxx
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@xxxxxxxxxxxxxx
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list
support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@xxxxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users