I believe this has to be the problem, but how do I solve it? It's almost at the end of the whole listing:

support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)

kerberos_ldap_group.cc(283): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
support_netbios.cc(83): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
support_netbios.cc(83): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
support_netbios.cc(83): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
2018/02/20 17:02:21 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
kerberos_ldap_group.cc(283): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
support_netbios.cc(83): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
support_netbios.cc(83): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult Domain
support_netbios.cc(83): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult Domain
support_netbios.cc(83): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult Domain
support_netbios.cc(83): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult Domain
support_netbios.cc(83): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult Domain
support_netbios.cc(83): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(381): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: INFO: Got User: Jeroen.Ruijter Domain: BNH.LOCAL
support_member.cc(63): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: User domain loop: group@domain ADGroupRaamregeling@
support_member.cc(91): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Default domain loop: group@domain ADGroupRaamregeling@
support_member.cc(93): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found group@domain ADGroupRaamregeling@
support_ldap.cc(898): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_2951
support_krb5.cc(138): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Keytab entry has realm name: BNH.LOCAL
support_krb5.cc(189): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found principal name: HTTP/bhlnx03.bnh.local@BNH.LOCAL
support_krb5.cc(205): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Got principal name HTTP/bhlnx03.bnh.local@BNH.LOCAL
support_krb5.cc(269): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain BNH.LOCAL
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to BHAD02.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to BHAD01.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to bhad02.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to bhad01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 1 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 2 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 3 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 4 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 5 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 6 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(407): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Adding BNH.LOCAL to list
support_resolv.cc(443): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain BNH.LOCAL:
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BHAD01.bnh.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BHAD02.bnh.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BNH.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Setting up connection to ldap server BHAD01.bnh.local:389
support_ldap.cc(953): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server BHAD01.bnh.local:389
support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(104): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: INFO: User Jeroen.Ruijter is not member of group@domain ADGroupRaamregeling@
support_member.cc(119): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Default group loop: group@domain ADGroupRaamregeling@
kerberos_ldap_group.cc(416): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: ERR

-----Original message-----
From: Jeroen Ruijter
Sent: Monday 19 February 2018 11:19
To: 'Amos Jeffries'; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: kerberos authentication with kerberos groups

Do you advise to use capitals or small characters for the domain name?

-----Original message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Amos Jeffries
Sent: Friday 16 February 2018 18:58
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: kerberos authentication with kerberos groups

On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>

NP: Despite what some claim, SSO is not unique to NTLM and Kerberos authentication. It is a behaviour of the tools used. As such it can be done with *any* authentication type if the tools used perform the necessary behaviour.

> The user can successfully login with single sign on, but I have
> restriction on groups and that is where it goes wrong.

What exactly does this "going wrong" look like?

Also, what version of Squid are you working with? (the "squid -v" output please)

>
> I would like to use -r to trim the domain name, but when I do so it
> seems to work even less.
>
> Someone any ideas what to try, I believe the system is looking wrong in
> active directory but adding -b OU=Users,DC=yyy,DC=local does not help
> me further

You have some things looking for ".local" and others for ".LOCAL". I'm not sure if case insensitivity exists in all those places they are being used, so that is one potential cause of problems.

> =======
>
> auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g AD_XXX_InternetAllowed@yyy.LOCAL -d
> external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g ADGroupRestrictedAdult@yyy.LOCAL -d
>
> acl XXX_InternetAllowed external XXX_InternetAllowed
> acl XXX_Adult external XXX_Adult
> ...
> http_access deny auth !XXX_InternetAllowed

The above says the user's entire login is to be rejected if they are not a member of the XXX_InternetAllowed group. That should work but it is better to reject failed logins fully first, then do the group checks separately. Like this:

http_access deny !auth
http_access deny !XXX_InternetAllowed all

> http_access deny XXX_Adult XXX_AdultX
>

you could gain a fair bit of performance back by making that check the dstdomain before the slow external lookup:

http_access deny XXX_AdultX XXX_Adult all

> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> ========
> ...
>
> support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
> support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found 0 ldap entries
> support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
> support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
> support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain AD_XXX_InternetAllowed@YYY.LOCAL
>

Looks like it is working to me. The helper tries several methods of locating a server, two fail but the third seems to work and produces the above result.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
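As an added example (not code from the thread, from Squid or from the helper), a small Python parser for the ext_kerberos_ldap_group_acl -d lines quoted above: it pulls the group@domain spec out of each helper pid's "Group list" line (where the listing shows nothing after the "@") and returns the ERROR step together with the lookups that preceded it, which is the sequence the replies point at. The sample log is constructed from entries in the thread.

```python
import re

# Constructed sample in the format of the ext_kerberos_ldap_group_acl -d output quoted
# in the thread: file.cc(line): pid=N :date time| kerberos_ldap_group: LEVEL: message
SAMPLE_LOG = """\
kerberos_ldap_group.cc(283): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_lserver.cc(86): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(104): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: INFO: User Jeroen.Ruijter is not member of group@domain ADGroupRaamregeling@
support_group.cc(382): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
"""

ENTRY_RE = re.compile(
    r"^(?P<src>[\w.]+\.cc)\((?P<line>\d+)\): pid=(?P<pid>\d+) :"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| kerberos_ldap_group: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

def parse_entries(text):
    """Parse helper debug lines into dicts (src, line, pid, ts, level, msg); other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["line"], d["pid"] = int(d["line"]), int(d["pid"])
            entries.append(d)
    return entries

def group_specs(entries):
    """Map pid -> (group, domain) from each helper's 'Group list group@domain' line; empty domain means nothing followed '@'."""
    specs = {}
    for e in entries:
        if e["msg"].startswith("Group list "):
            group, _, domain = e["msg"][len("Group list "):].partition("@")
            specs[e["pid"]] = (group, domain)
    return specs

def failure_context(entries, pid, before=3):
    """Return the first ERROR logged by `pid` plus the `before` steps that preceded it,
    so the failing lookup can be read in order; None when that pid logged no ERROR."""
    per_pid = [e for e in entries if e["pid"] == pid]
    for i, e in enumerate(per_pid):
        if e["level"] == "ERROR":
            return {"error": e["msg"], "steps": [x["msg"] for x in per_pid[max(0, i - before):i]]}
    return None

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(group_specs(parsed), failure_context(parsed, 2951))
```

Run it against the real cache.log instead of SAMPLE_LOG to get one failure context per helper pid rather than reading the interleaved output of all five helpers by hand.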