Hello Markus,

Thank you for the explanation, that helped a lot. I use the TLS_CACERTFILE in the init script now and that works for me (in Debian the /etc/default/squid).

>> The helper tries to "authenticate" squid to AD as a user with the found SPN name, so
>> the UPN must be the same as the SPN. There is no easy way to query what
>> the UPN for the SPN is.

Ah, this helped identifying some other small things too.

>> msktutil (my preferred tool)

Since I try to use only Debian packages, msktutil is not available for me.

>> Also msktutil (my preferred tool) creates a machine account not a user account in AD.
>> The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days
>> otherwise it will be locked. Machine accounts do not have that
>> limitation. But as I said it is just my preference.

That's not correct in my opinion. A computer account works (almost) the same as a user account. Like a computer account = a user account.
Some pointers: https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

I used a separate user since I wanted to have 2 proxies on 1 service account, but due to the UPN/SPN thing, that's not an option anymore. Not that that's a problem; I'll change to adding the computer to the Samba domain and add the UPN/SPN on the computer account where needed, which may even be a better option.

Thanks again for your replies.

Best regards,
Louis

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Markus Moeller

Hi,

I would say they are bugs.

The first "issue" is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to "authenticate" squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.

Regarding the certificate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.

Kind regards
Markus

"L.P.H. van Belle" <belle@xxxxxxxxx> wrote in message news:vmime.57bdb617.37c8.575130a1134f9a07@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...

Ok, reply to myself so other users know this also.

If you create a user for the HTTP services and you don't use msktutil but, like me, samba-tool or something else, read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. The clue for me was this line:

Squid "login" to Windows Active Directory or Unix kdc as user <HTTP/<fqdn-squid>@DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to <HTTP/<fqdn-squid>@DOMAIN.COM> for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool. The samba-tool setup for squid I used was as follows:

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:
My UPN was set to the username@xxxxxxxxxxxxxxxxxxx (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
HTTP/proxy.internal.domain.tld
HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from username@xxxxxxxxxxxxxxxxxxx to the SPN name, HTTP/proxyserver.internal.domain.tld@REALM. That solved my initial problem. This should in my opinion be changed to search for the SPN in ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

I already have:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
which contains the needed certs.

Did I find 2 small bugs here? Or is this a "Debian"-related thing?

Debug output:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail@xxxxxxxxxxxxxx -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d
kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail@xxxxxxxxxxxxxx
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@xxxxxxxxxxxxxx
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld@xxxxxxxxxxxxxx
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list
support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@xxxxxxxxxxxxxx
support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@xxxxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
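The UPN/SPN rule discussed in this thread, as an added POSIX shell check that is not code from the thread, Squid or Samba: it reads an account's LDIF and verifies that userPrincipalName equals an HTTP/<fqdn>@REALM principal the account also carries as an SPN, which is what the helper binds with. The LDIF fragments, the DN and the realm are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the thread, Squid or Samba.
# ext_kerberos_ldap_group_acl binds to AD as the principal it finds in the
# keytab (HTTP/<fqdn>@REALM), so that exact string must also be the account's
# userPrincipalName. "samba-tool user create" + "spn add" leave the UPN as
# <username>@REALM, which is the mismatch the thread ran into.

# upn_matches_spn REALM LDIF
# Returns 0 when userPrincipalName equals one of the account's HTTP/ SPNs
# (REALM is appended to SPNs written without one), 1 otherwise.
upn_matches_spn() {
    realm=$1
    ldif=$2
    upn=$(printf '%s\n' "$ldif" | sed -n 's/^userPrincipalName: //p' | head -n 1)
    [ -n "$upn" ] || { echo "no userPrincipalName on account" >&2; return 1; }
    # Rewrite each HTTP/ SPN into the UPN form the helper expects.
    candidates=$(printf '%s\n' "$ldif" | sed -n \
        -e 's/^servicePrincipalName: \(HTTP\/[^@]*\)$/\1@'"$realm"'/p' \
        -e 's/^servicePrincipalName: \(HTTP\/.*@.*\)$/\1/p')
    if printf '%s\n' "$candidates" | grep -Fxq -- "$upn"; then
        echo "ok: UPN $upn matches an HTTP/ SPN"
        return 0
    fi
    echo "mismatch: UPN is $upn; HTTP/ SPNs on the account are:" >&2
    printf '%s\n' "$candidates" | sed 's/^/  /' >&2
    return 1
}

# Constructed LDIF in the shape ldapsearch prints; names are placeholders.
# State right after the thread's samba-tool commands:
AS_CREATED='dn: CN=squid1-service,OU=Service-Accounts,DC=your,DC=realm,DC=tld
sAMAccountName: squid1-service
userPrincipalName: squid1-service@YOUR.REALM.TLD
servicePrincipalName: HTTP/proxy.internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD'

# State after the UPN was changed to the SPN name:
AFTER_FIX='dn: CN=squid1-service,OU=Service-Accounts,DC=your,DC=realm,DC=tld
sAMAccountName: squid1-service
userPrincipalName: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
servicePrincipalName: HTTP/proxy.internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD'

upn_matches_spn YOUR.REALM.TLD "$AS_CREATED" || true   # reports the mismatch
upn_matches_spn YOUR.REALM.TLD "$AFTER_FIX"            # reports ok
```

On a live account, feed the function the output of an ldapsearch for the service account's userPrincipalName and servicePrincipalName attributes instead of the constructed text.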