[squid-users] Re: Re: Squid_ldap_kerb make

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 4 Mar 2010 20:23:26 -0000

Nick,

  The problem here is how the keytab entry was created. To authenticate
against AD the userprincipalname attribute must be set to the same as the
principal you want to authenticate. For a user it uses the username, e.g.
user1@DOMAIN will have a userprincipalname of user1@DOMAIN. squid_kerb_ldap
uses the keytab entry (in your case host/rhnet5.[OMITTED]@[OMITTED]) but
does not find an AD entry with a userprincipalname attribute set to
host/rhnet5.[OMITTED]@[OMITTED]. You could manually set it, or use msktutil
to create another AD entry, or use a user account (e.g. use ktutil from MIT
Kerberos):

like ktutil
ktutil: addent -password -p user@domain -k 1 -e rc4-hmac
Password for user@domain
ktutil: wkt user.keytab
ktutil: exit

Markus
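
The check behind the "Client not found in Kerberos database" error, written out as an added shell example (not code from this thread or from the squid_kerb_ldap project): it parses a `klist -k` listing, takes the first principal (the one squid_kerb_ldap logs as "Found principal name" and then uses to request initial credentials), and compares each keytab principal with the userPrincipalName values that exist in the directory. The keytab listing, the EXAMPLE.COM realm, the host name and the UPN list are all constructed sample data; on a real host you would substitute the output of `klist -k` and of an ldapsearch for userPrincipalName.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the squid_kerb_ldap project.
# Reproduces the implicit check squid_kerb_ldap relies on: the first principal in
# the keytab must correspond to a KDC account, which for AD means an account whose
# userPrincipalName equals that principal.

# Constructed sample in the shape of `klist -k /etc/squid/HTTP.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ----------------------------------------------------------------
   5 host/rhnet5.example.com@EXAMPLE.COM
   5 host/rhnet5.example.com@EXAMPLE.COM
   5 RHNET5$@EXAMPLE.COM
   5 HTTP/rhnet5.example.com@EXAMPLE.COM
   5 squidproxy@EXAMPLE.COM'

# Constructed sample of userPrincipalName values present in the directory. A
# computer account normally carries only its own UPN; host/ and HTTP/ names are
# servicePrincipalNames, which is why they are absent here.
SAMPLE_UPNS='RHNET5$@EXAMPLE.COM
squidproxy@EXAMPLE.COM'

# Distinct principals in a klist -k listing, in first-occurrence order.
# Entry lines start with a KVNO number; header and separator lines do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ / { if (!seen[$2]++) print $2 }'
}

# The principal an unqualified keytab-based kinit picks: the first entry.
keytab_first_principal() {
    keytab_principals "$1" | sed -n '1p'
}

# Exit 0 if the principal matches a userPrincipalName in the directory list.
upn_exists() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# For every keytab principal print "ok <principal>" when initial credentials
# could be obtained, otherwise "client-not-found <principal>".
check_keytab_against_upns() {
    keytab_principals "$1" | while IFS= read -r princ; do
        if upn_exists "$princ" "$2"; then
            printf 'ok %s\n' "$princ"
        else
            printf 'client-not-found %s\n' "$princ"
        fi
    done
}

# Keytab principals that are usable as the helper's client identity.
usable_principals() {
    check_keytab_against_upns "$1" "$2" | awk '$1 == "ok" { print $2 }'
}

check_keytab_against_upns "$SAMPLE_KLIST" "$SAMPLE_UPNS"
```

With the sample data the first keytab entry (host/rhnet5.example.com@EXAMPLE.COM) is reported as client-not-found while the computer account's own name and the separate user principal pass, which is the situation the two remedies above address: either give the directory entry a userPrincipalName equal to the host/ principal, or write a separate keytab whose first entry is a user principal that already matches its account's UPN.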

"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
news:C7B57C01.1BD68%Nick.Cairncross_at_condenast.co.uk...
Markus,

Thanks for the extra info - I was indeed missing the cyrus dependency.
Installing it and compiling has given me squid_kerb_ldap.

However, my cache.log is now indicating a problem with a principal with
Kerberos.

2010/03/04 14:53:33| squid_kerb_ldap: Got User: NCairncross Domain:
[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: User domain loop: group@domain
NetillaPDU@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Found group@domain
SquidGroup@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Setup Kerberos credential cache
2010/03/04 14:53:33| squid_kerb_ldap: Get default keytab file name
2010/03/04 14:53:33| squid_kerb_ldap: Got default keytab file name
/etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Get principal name from keytab
/etc/squid/HTTP.keytab
2010/03/04 14:53:33| squid_kerb_ldap: Keytab entry has realm name: [OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Found principal name:
host/rhnet5.[OMITTED]@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_16609
2010/03/04 14:53:33| squid_kerb_ldap: Got principal name
host/rhnet5.[OMITTED]@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Error while initialising credentials
from keytab : Client not found in Kerberos database
2010/03/04 14:53:33| squid_kerb_ldap: Error during setup of Kerberos
credential cache
2010/03/04 14:53:33| squid_kerb_ldap: User NCairncross is not member of
group@domain SquidGroup@[OMITTED] <-- which I am..
2010/03/04 14:53:33| squid_kerb_ldap: Default domain loop: group@domain
SquidGroup@[OMITTED]
2010/03/04 14:53:33| squid_kerb_ldap: Default group loop: group@domain
SquidGroup@[OMITTED]

Kadmin reveals the same error:
Authenticating as principal root/admin@[OMITTED] with password.
kadmin: Client not found in Kerberos database while initializing kadmin
interface

(The same is true after a kinit [my username])

The details of my klist -k are:
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/rhnet5.[OMITTED]@[OMITTED]
   5 host/rhnet5.[OMITTED]@[OMITTED]
   5 host/rhnet5.[OMITTED]@[OMITTED]
   5 host/rhnet5@[OMITTED]
   5 host/rhnet5@[OMITTED]
   5 host/rhnet5@[OMITTED]
   5 RHNET5$@[OMITTED]
   5 RHNET5$@[OMITTED]
   5 RHNET5$@[OMITTED]
   5 HTTP/rhnet5.[OMITTED]@[OMITTED]
   5 HTTP/rhnet5.[OMITTED]@[OMITTED]
   5 HTTP/rhnet5.[OMITTED]@[OMITTED]
   5 HTTP/rhnet5@[OMITTED]
   5 HTTP/rhnet5@[OMITTED]
   5 HTTP/rhnet5@[OMITTED]

My Kerberos authentication for domain users works ok and cache.log doesn't
throw up any errors. The RHNET5 AD computer account has the HTTP/rhnet5 and
HTTP/rhnet5.[OMITTED] principals.

I know I'm missing something straight-forward..

Nickcx

On 03/03/2010 23:56, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

You will also need a cyrus-sasl-gssapi package to run squid_kerb_ldap with
SASL/GSSAPI authentication to AD or Openldap.

Markus

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:hmmmuv$ie3$1_at_dough.gmane.org...
> You need the ldap and sasl development packages.
>
> Markus
>
>
> "Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
> news:C7B3F825.1BB93%Nick.Cairncross_at_condenast.co.uk...
> Henrik,
>
> Thanks for the pointers - I have added the missing dependencies. Now I
> receive the following. The results of ./configure are at the bottom of the
> email also. I must be missing some other dependencies?
>
> Thanks again,
> Nickcx
>
> ===
>
> make all-recursive
> make[1]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
> make[2]: Entering directory `/root/Desktop/squid_kerb_ldap-1.2.1'
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT squid_kerb_ldap.o -MD -MP -MF
> .deps/squid_kerb_ldap.Tpo -c -o squid_kerb_ldap.o squid_kerb_ldap.c
> mv -f .deps/squid_kerb_ldap.Tpo .deps/squid_kerb_ldap.Po
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o
> support_group.o support_group.c
> mv -f .deps/support_group.Tpo .deps/support_group.Po
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_netbios.o -MD -MP -MF
> .deps/support_netbios.Tpo -c -o support_netbios.o support_netbios.c
> mv -f .deps/support_netbios.Tpo .deps/support_netbios.Po
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_member.o -MD -MP -MF .deps/support_member.Tpo -c -o
> support_member.o support_member.c
> mv -f .deps/support_member.Tpo .deps/support_member.Po
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_krb5.o -MD -MP -MF .deps/support_krb5.Tpo -c -o
> support_krb5.o support_krb5.c
> mv -f .deps/support_krb5.Tpo .deps/support_krb5.Po
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -g -O2 -Wall -Wno-unknown-pragmas
> -Wextra -Werror -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings -Wstrict-prototypes
> -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_ldap.o -MD -MP -MF .deps/support_ldap.Tpo -c -o
> support_ldap.o support_ldap.c
> support_ldap.c:33: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c:34: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c:36: error: expected '=', ',', ';', 'asm' or '__attribute__'
> before '*' token
> support_ldap.c:50: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c:50: error: expected declaration specifiers or '...' before
> 'LDAPMessage'
> support_ldap.c:51: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c:170:3: error: #error "No rebind functione defined"
> support_ldap.c:277: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c: In function 'check_AD':
> support_ldap.c:278: error: 'LDAPMessage' undeclared (first use in this
> function)
> support_ldap.c:278: error: (Each undeclared identifier is reported only
> once
> support_ldap.c:278: error: for each function it appears in.)
> support_ldap.c:278: error: 'res' undeclared (first use in this function)
> cc1: warnings being treated as errors
> support_ldap.c:279: warning: ISO C90 forbids mixed declarations and code
> support_ldap.c:293: warning: implicit declaration of function
> 'ldap_search_ext_s'
> support_ldap.c:293: error: 'ld' undeclared (first use in this function)
> support_ldap.c:293: error: 'LDAP_SCOPE_BASE' undeclared (first use in this
> function)
> support_ldap.c:296: error: 'LDAP_SUCCESS' undeclared (first use in this
> function)
> support_ldap.c:297: error: too many arguments to function 'get_attributes'
> support_ldap.c:300: warning: implicit declaration of function
> 'ldap_msgfree'
> support_ldap.c:303: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
> this function)
> support_ldap.c:306: warning: implicit declaration of function
> 'ldap_count_entries'
> support_ldap.c: At top level:
> support_ldap.c:328: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c: In function 'search_group_tree':
> support_ldap.c:329: error: 'LDAPMessage' undeclared (first use in this
> function)
> support_ldap.c:329: error: 'res' undeclared (first use in this function)
> support_ldap.c:330: warning: ISO C90 forbids mixed declarations and code
> support_ldap.c:366: error: 'ld' undeclared (first use in this function)
> support_ldap.c:366: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
> this function)
> support_ldap.c:372: error: 'LDAP_SUCCESS' undeclared (first use in this
> function)
> support_ldap.c:373: warning: implicit declaration of function
> 'ldap_err2string'
> support_ldap.c:373: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c:374: warning: implicit declaration of function
> 'ldap_unbind_s'
> support_ldap.c:382: error: too many arguments to function 'get_attributes'
> support_ldap.c:384: error: too many arguments to function 'get_attributes'
> support_ldap.c:423: warning: passing argument 5 of 'search_group_tree'
> makes integer from pointer without a cast
> support_ldap.c:423: error: too many arguments to function
> 'search_group_tree'
> support_ldap.c: At top level:
> support_ldap.c:454: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c: In function 'ldap_set_defaults':
> support_ldap.c:459: error: 'LDAP_VERSION3' undeclared (first use in this
> function)
> support_ldap.c:460: warning: implicit declaration of function
> 'ldap_set_option'
> support_ldap.c:460: error: 'ld' undeclared (first use in this function)
> support_ldap.c:460: error: 'LDAP_OPT_PROTOCOL_VERSION' undeclared (first
> use in this function)
> support_ldap.c:461: error: 'LDAP_SUCCESS' undeclared (first use in this
> function)
> support_ldap.c:463: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c:466: error: 'LDAP_OPT_REFERRALS' undeclared (first use in
> this function)
> support_ldap.c:466: error: 'LDAP_OPT_OFF' undeclared (first use in this
> function)
> support_ldap.c:469: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c: In function 'ldap_set_ssl_defaults':
> support_ldap.c:558: error: 'LDAP_SUCCESS' undeclared (first use in this
> function)
> support_ldap.c:485: warning: unused parameter 'margs'
> support_ldap.c: At top level:
> support_ldap.c:561: error: expected declaration specifiers or '...' before
> 'LDAP'
> support_ldap.c:561: error: expected declaration specifiers or '...' before
> 'LDAPMessage'
> support_ldap.c: In function 'get_attributes':
> support_ldap.c:576: error: 'LDAPMessage' undeclared (first use in this
> function)
> support_ldap.c:576: error: 'msg' undeclared (first use in this function)
> support_ldap.c:577: warning: ISO C90 forbids mixed declarations and code
> support_ldap.c:586: warning: implicit declaration of function
> 'ldap_first_entry'
> support_ldap.c:586: error: 'ld' undeclared (first use in this function)
> support_ldap.c:586: error: 'res' undeclared (first use in this function)
> support_ldap.c:586: warning: implicit declaration of function
> 'ldap_next_entry'
> support_ldap.c:589: error: 'BerElement' undeclared (first use in this
> function)
> support_ldap.c:589: error: 'b' undeclared (first use in this function)
> support_ldap.c:590: warning: ISO C90 forbids mixed declarations and code
> support_ldap.c:592: warning: implicit declaration of function
> 'ldap_msgtype'
> support_ldap.c:594: error: 'LDAP_RES_SEARCH_ENTRY' undeclared (first use
> in this function)
> support_ldap.c:596: warning: implicit declaration of function
> 'ldap_first_attribute'
> support_ldap.c:596: warning: assignment makes pointer from integer without
> a cast
> support_ldap.c:597: warning: implicit declaration of function
> 'ldap_next_attribute'
> support_ldap.c:597: warning: assignment makes pointer from integer without
> a cast
> support_ldap.c:604: warning: implicit declaration of function
> 'ldap_get_values_len'
> support_ldap.c:604: warning: assignment makes pointer from integer without
> a cast
> support_ldap.c:613: error: dereferencing pointer to incomplete type
> support_ldap.c:614: error: dereferencing pointer to incomplete type
> support_ldap.c:614: error: dereferencing pointer to incomplete type
> support_ldap.c:615: error: dereferencing pointer to incomplete type
> support_ldap.c:619: warning: implicit declaration of function
> 'ber_bvecfree'
> support_ldap.c:621: warning: implicit declaration of function
> 'ldap_memfree'
> support_ldap.c:623: warning: implicit declaration of function 'ber_free'
> support_ldap.c:625: error: 'LDAP_RES_SEARCH_REFERENCE' undeclared (first
> use in this function)
> support_ldap.c:629: error: 'LDAP_RES_SEARCH_RESULT' undeclared (first use
> in this function)
> support_ldap.c: At top level:
> support_ldap.c:648: error: expected '=', ',', ';', 'asm' or
> '__attribute__' before '*' token
> support_ldap.c: In function 'get_memberof':
> support_ldap.c:811: error: 'LDAP' undeclared (first use in this function)
> support_ldap.c:811: error: 'ld' undeclared (first use in this function)
> support_ldap.c:812: error: 'LDAPMessage' undeclared (first use in this
> function)
> support_ldap.c:812: error: 'res' undeclared (first use in this function)
> support_ldap.c:816: warning: ISO C90 forbids mixed declarations and code
> support_ldap.c:891: warning: implicit declaration of function
> 'tool_ldap_open'
> support_ldap.c:919: warning: implicit declaration of function
> 'ldap_unbind'
> support_ldap.c:971: warning: implicit declaration of function
> 'ldap_simple_bind_s'
> support_ldap.c:972: error: 'LDAP_SUCCESS' undeclared (first use in this
> function)
> support_ldap.c:973: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c:981: warning: implicit declaration of function
> 'ldap_set_rebind_proc'
> support_ldap.c:981: error: 'ldap_simple_rebind' undeclared (first use in
> this function)
> support_ldap.c:1011: error: too many arguments to function 'check_AD'
> support_ldap.c:1013: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c:1035: error: 'LDAP_SCOPE_SUBTREE' undeclared (first use in
> this function)
> support_ldap.c:1042: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> support_ldap.c:1055: error: too many arguments to function
> 'get_attributes'
> support_ldap.c:1057: error: too many arguments to function
> 'get_attributes'
> support_ldap.c:1101: warning: passing argument 5 of 'search_group_tree'
> makes integer from pointer without a cast
> support_ldap.c:1101: error: too many arguments to function
> 'search_group_tree'
> support_ldap.c:1166: error: too many arguments to function
> 'get_attributes'
> support_ldap.c:1191: error: too many arguments to function
> 'get_attributes'
> support_ldap.c:1245: warning: format '%s' expects type 'char *', but
> argument 5 has type 'int'
> make[2]: *** [support_ldap.o] Error 1
> make[2]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/Desktop/squid_kerb_ldap-1.2.1'
> make: *** [all] Error 2
>
> ====
>
> ./configure result..
>
>
> [root@RHNET5 squid_kerb_ldap-1.2.1]# ./configure
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... gawk
> checking whether make sets $(MAKE)... yes
> checking for gcc... gcc
> checking for C compiler default output file name... a.out
> checking whether the C compiler works... yes
> checking whether we are cross compiling... no
> checking for suffix of executables...
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking for style of include used by make... GNU
> checking dependency style of gcc... gcc3
> checking how to run the C preprocessor... gcc -E
> checking for grep that handles long lines and -e... /bin/grep
> checking for egrep... /bin/grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking size of short... 2
> checking size of int... 4
> checking size of long... 4
> checking for krb5-config... yes
> checking krb5.h usability... yes
> checking krb5.h presence... yes
> checking for krb5.h... yes
> checking com_err.h usability... no
> checking com_err.h presence... no
> checking for com_err.h... no
> checking gssapi.h usability... yes
> checking gssapi.h presence... yes
> checking for gssapi.h... yes
> checking gssapi/gssapi.h usability... yes
> checking gssapi/gssapi.h presence... yes
> checking for gssapi/gssapi.h... yes
> checking gssapi/gssapi_krb5.h usability... yes
> checking gssapi/gssapi_krb5.h presence... yes
> checking for gssapi/gssapi_krb5.h... yes
> checking gssapi/gssapi_generic.h usability... yes
> checking gssapi/gssapi_generic.h presence... yes
> checking for gssapi/gssapi_generic.h... yes
> checking whether krb5_kt_free_entry is declared... no
> checking for krb5_kt_free_entry in -lkrb5... yes
> checking for krb5_get_init_creds_keytab in -lkrb5... yes
> checking ldap.h usability... no
> checking ldap.h presence... no
> checking for ldap.h... no
> checking lber.h usability... no
> checking lber.h presence... no
> checking for lber.h... no
> checking for main in -llber... no
> checking for main in -lldap... no
> checking for struct ldap_url_desc.lud_scheme... no
> checking for ldapssl_client_init in -lldap... no
> checking for ldap_url_desc2str in -lldap... no
> checking for ldap_url_parse in -lldap... no
> checking sasl.h usability... no
> checking sasl.h presence... no
> checking for sasl.h... no
> checking sasl/sasl.h usability... no
> checking sasl/sasl.h presence... no
> checking for sasl/sasl.h... no
> configure: ## -----------------------------##
> configure: ##
> configure: ## mit has been selected
> configure: ##
> configure: ## -----------------------------##
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating config.h
> config.status: executing depfiles commands
> configure: updating config.h
>
>
>
> On 02/03/2010 19:07, "Henrik Nordstrom" <henrik_at_henriknordstrom.net>
> wrote:
>
> On Tue 2010-03-02 at 17:34 +0000, Nick Cairncross wrote:
>
>> It seems to be complaining about krb5.h.. it doesn't appear on my server
>> though I am successfully using Kerberos (configured using Samba).
>
> You need the kerberos development libraries & headers installed. Not
> needed for using Kerberos but very much needed for compiling Kerberos
> enabled applications.
>
> On RedHat/Fedora the needed package is "krb5-devel". On Debian/Ubuntu
> it's "libkrb5-dev".
>
> Regards
> Henrik
>
>
>
> ** Please consider the environment before printing this e-mail **
>
> The information contained in this e-mail is of a confidential nature and
> is intended only for the addressee. If you are not the intended
> addressee, any disclosure, copying or distribution by you is prohibited
> and may be unlawful. Disclosure to any party other than the addressee,
> whether inadvertent or otherwise, is not intended to waive privilege or
> confidentiality. Internet communications are not secure and therefore
> Conde Nast does not accept legal responsibility for the contents of this
> message. Any views or opinions expressed are those of the author.
>
> Company Registration details:
> The Conde Nast Publications Ltd
> Vogue House
> Hanover Square
> London W1S 1JU
>
> Registered in London No. 226900
>
>
>

Received on Fri Mar 05 2010 - 01:23:30 MST
