Re: [squid-users] Re: squid_ldap_group against nested groups/Ous

From: Eugene M. Zheganin <eugene_at_zhegan.in>
Date: Tue, 26 Oct 2010 11:10:07 +0600

Hi.

On 07.12.2008 18:09, Markus Moeller wrote:
> I did implement recursive group search in squid_kerb_ldap at
> http://sourceforge.net/project/showfiles.php?group_id=196348.
>

Actually this is a very interesting helper, and I would like to use it
on my production squids, 'cause my engineers are tired of managing
hundreds of users instead of a dozen of groups.

I downloaded it, but I had a bunch of problems with it.

If this isn't the appropriate mailing list to discuss this helper, then just
stop at this point, and I'm sorry for this post.

My target system is FreeBSD 8.0-RELEASE-p2/amd64. It has heimdal 1.0.1
Kerberos V in the base system.

a) First of all, 1.2.1a fails to build:

===Cut===
cc1: warnings being treated as errors
support_krb5.c: In function 'krb5_create_cache':
support_krb5.c:117: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
support_krb5.c:122: error: incompatible type for argument 2 of 'strcasecmp'
support_krb5.c:251: error: incompatible type for argument 1 of 'strlen'
support_krb5.c:252: error: incompatible type for argument 1 of 'strlen'
support_krb5.c:252: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
support_krb5.c:252: warning: format '%s' expects type 'char *', but
argument 5 has type 'krb5_data'
*** Error code 1

Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
*** Error code 1

Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
*** Error code 1

Stop in /usr/home/emz/squid_kerb_ldap/1/squid_kerb_ldap-1.2.1a.
===Cut===

This can be fixed, as all of these errors are caused by the fact that
entry.principal->realm is a structure, and the code expects it to be char
*, so it's pretty obvious that char * has to be here, and krb5_data.data
is the only thing that appears to be char; so I changed
entry.principal->realm to entry.principal->realm.data. I had one more
problem with the -Werror switch:

===Cut===
cc1: warnings being treated as errors
In file included from support_sasl.c:30:
/usr/local/include/sasl/sasl.h:349: warning: function declaration isn't
a prototype
===Cut===

Since my C skills are considerably low, I simply removed the -Werror switch
and the build succeeded.

b) then it fails to run, crashing at keytab parsing. So maybe things
aren't that obvious and I failed to do the proper fixing:

===Cut===
%./squid_kerb_ldap -b cn=Users,dc=norma,dc=com -g "Internal Users -
Crystal@" -u dca -p sabbracadabra -N SOFTLAB_at_NORMA.COM -d -i
2010/10/26 10:50:05| squid_kerb_ldap: Starting version 1.2.1a
2010/10/26 10:50:05| squid_kerb_ldap: Group list Internal Users - Crystal@
2010/10/26 10:50:05| squid_kerb_ldap: Group Internal Users - Crystal
Domain
2010/10/26 10:50:05| squid_kerb_ldap: Netbios list SOFTLAB_at_NORMA.COM
2010/10/26 10:50:05| squid_kerb_ldap: Netbios name SOFTLAB Domain NORMA.COM
emz_at_NORMA.COM
2010/10/26 10:50:10| squid_kerb_ldap: Got User: emz Domain: NORMA.COM
2010/10/26 10:50:10| squid_kerb_ldap: User domain loop: group_at_domain
Internal Users - Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Default domain loop: group_at_domain
Internal Users - Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Found group_at_domain Internal Users
- Crystal@
2010/10/26 10:50:10| squid_kerb_ldap: Setup Kerberos credential cache
2010/10/26 10:50:10| squid_kerb_ldap: Get default keytab file name
2010/10/26 10:50:10| squid_kerb_ldap: Got default keytab file name
/usr/local/etc/squid/squid.keytab
2010/10/26 10:50:10| squid_kerb_ldap: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
Ошибка адресации на шине(core dumped)
===Cut===

Stacktrace:

===Cut===
# gdb squid_kerb_ldap squid_kerb_ldap.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `squid_kerb_ldap'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libgssapi.so.10...done.
Loaded symbols for /usr/lib/libgssapi.so.10
Reading symbols from /usr/lib/libheimntlm.so.10...done.
Loaded symbols for /usr/lib/libheimntlm.so.10
Reading symbols from /usr/lib/libkrb5.so.10...done.
Loaded symbols for /usr/lib/libkrb5.so.10
Reading symbols from /usr/lib/libhx509.so.10...done.
Loaded symbols for /usr/lib/libhx509.so.10
Reading symbols from /usr/lib/libcom_err.so.5...done.
Loaded symbols for /usr/lib/libcom_err.so.5
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /usr/lib/libasn1.so.10...done.
Loaded symbols for /usr/lib/libasn1.so.10
Reading symbols from /usr/lib/libroken.so.10...done.
Loaded symbols for /usr/lib/libroken.so.10
Reading symbols from /lib/libcrypt.so.5...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/libldap-2.4.so.7...done.
Loaded symbols for /usr/local/lib/libldap-2.4.so.7
Reading symbols from /usr/local/lib/liblber-2.4.so.7...done.
Loaded symbols for /usr/local/lib/liblber-2.4.so.7
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/lib/libssl.so.6...done.
Loaded symbols for /usr/lib/libssl.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x00000008008a4b14 in krb5_kt_next_entry () from /usr/lib/libkrb5.so.10
(gdb) bt
#0 0x00000008008a4b14 in krb5_kt_next_entry () from /usr/lib/libkrb5.so.10
#1 0x0000000000000000 in ?? ()
#2 0x0000000000000001 in ?? ()
#3 0x0000000000000000 in ?? ()
#4 0x0000000000000000 in ?? ()
#5 0x0000000000000000 in ?? ()
#6 0x0000000000000000 in ?? ()
#7 0x000000080190f130 in ?? ()
#8 0x0000000000000000 in ?? ()
#9 0x0000000000000000 in ?? ()
#10 0x0000000000000000 in ?? ()
#11 0x636f6c2f7273752f in ?? ()
#12 0x732f6374652f6c61 in ?? ()
#13 0x7571732f64697571 in ?? ()
#14 0x617479656b2e6469 in ?? ()
#15 0x0000000000000062 in ?? ()
#16 0x0000000000000000 in ?? ()
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x000000000050c97f in buf.7098 ()
#20 0x4d9b4030ed3e2720 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x00000008016a2880 in __stderrp () from /lib/libc.so.7
#23 0x00007fffffffc760 in ?? ()
#24 0x000000000040acd0 in ?? ()
#25 0x000000000050c5a0 in ?? ()
#26 0x00007fffffffc901 in ?? ()
#27 0x00007fffffffc990 in ?? ()
#28 0x000000080158210c in vfprintf () from /lib/libc.so.7
#29 0x0000000801571b48 in fprintf () from /lib/libc.so.7
#30 0x0000000000406aa6 in get_memberof (margs=0x7fffffffe290,
user=0x7fffffffc990 "emz",
     domain=0x7fffffffc994 "NORMA.COM", group=0x8019020a0 "Internal
Users - Crystal") at support_ldap.c:845
#31 0x0000000000404614 in check_memberof (margs=0x7fffffffe290,
user=0x7fffffffc990 "emz",
     domain=0x7fffffffc994 "NORMA.COM") at support_member.c:81
#32 0x0000000000403051 in main (argc=Variable "argc" is not available.
) at squid_kerb_ldap.c:352
(gdb)
===Cut===

I should say that the keytab is a working one from production squid, and
it works with the ntlm_auth helper from the samba suite with the spnego protocol.

Any help would be greatly appreciated, especially from Markus. :)

Thanks, Eugene.
Received on Tue Oct 26 2010 - 05:10:30 MDT
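The build errors Eugene worked around by switching to entry.principal->realm.data point at a second hazard when a helper written against MIT Kerberos is built on Heimdal: a krb5_data (in Heimdal, a length plus a void * data pointer) carries its own length and is not guaranteed to be NUL-terminated, so strlen(), strcasecmp() and a plain %s on .data can read past the buffer. The C below is an added example, not code from squid_kerb_ldap or from this thread; counted_data is a hypothetical stand-in for krb5_data and the realm bytes are a constructed sample.

```c
/* Added example, not from squid_kerb_ldap. Heimdal's krb5_data is
 * {size_t length; void *data;}, a counted buffer with no guaranteed
 * NUL, so strlen()/strcasecmp()/"%s" on realm.data can read past the
 * end. counted_data is a hypothetical stand-in for krb5_data. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct {
    size_t length;  /* valid bytes in data */
    void  *data;    /* not NUL-terminated */
} counted_data;     /* stand-in for krb5_data */

/* Case-insensitive compare of a counted realm with a C string,
 * using length instead of scanning for a NUL. Returns 1 on match. */
int realm_equals_ci(const counted_data *realm, const char *s)
{
    if (realm->data == NULL || s == NULL || strlen(s) != realm->length)
        return 0;
    return strncasecmp((const char *)realm->data, s, realm->length) == 0;
}

/* Copy the counted realm into a NUL-terminated buffer.
 * Returns 0 on success, -1 if out is too small (nothing written). */
int realm_to_cstring(const counted_data *realm, char *out, size_t outsz)
{
    if (realm->data == NULL || realm->length >= outsz)
        return -1;
    memcpy(out, realm->data, realm->length);
    out[realm->length] = '\0';
    return 0;
}

/* Print a counted realm with a precision-limited %.*s, never plain %s. */
int log_realm(FILE *fp, const counted_data *realm)
{
    return fprintf(fp, "realm=%.*s\n", (int)realm->length,
                   (const char *)realm->data);
}

int main(void)
{
    char raw[] = "NORMA.COM-trailing-bytes";   /* constructed sample */
    counted_data realm = { 9, raw };           /* only first 9 bytes */
    char buf[16];
    log_realm(stdout, &realm);
    if (realm_to_cstring(&realm, buf, sizeof buf) == 0)
        printf("%s matches norma.com: %d\n", buf, realm_equals_ci(&realm, "norma.com"));
    return 0;
}
```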
