[squid-users] Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 13 Nov 2010 17:07:21 -0000

Hi Eugene,

    The problem seems to be with SASL/GSSAPI authentication to AD. How did
you create the keytab? Can you capture the traffic on your proxy on port
88? You should see a TGS REQ for ldap/<fqdn of ldap server>.

Markus

"Eugene M. Zheganin" <emz_at_norma.perm.ru> wrote in message
news:4CDE5AAA.1070608_at_norma.perm.ru...
> Hi.
>
> On 05.11.2010 21:01, Markus Moeller wrote:
>> Hi
>>
>> I get the same successful results on 64 bit FreeBSD 8.0.
>>
>> $ uname -a
>> FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
>> Sat Nov 21 15:02:08 UTC 2009
>> root_at_mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>>
>> $ ldd squid_kerb_ldap
>> squid_kerb_ldap:
>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000)
>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x80075b000)
>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800860000)
>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8009cd000)
>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000)
>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c0e000)
>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x800ea6000)
>> libroken.so.10 => /usr/lib/libroken.so.10 (0x801025000)
>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x801136000)
>> libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000)
>> liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x801390000)
>> libc.so.7 => /lib/libc.so.7 (0x80149d000)
>> libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8016d7000)
>> libssl.so.6 => /usr/lib/libssl.so.6 (0x8017ef000)
>>
>> Is it possible that you have another kerberos package installed? How
>> does your ldd look? I installed a standard freebsd 8.0 64 bit plus
>> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz
>> for ldap with sasl support.
>>
> First of all, sorry for the delayed answer; I'm not the kind of person
> who asks for help and never reads the answers. I had a couple of harsh
> weeks with crashes and late working. :)
>
> Yes, I have multiple krb5 installations on the machines where the build
> didn't succeed due to incompatible types, you were right. Also I have
> updated the production proxy that was on FreeBSD 7.2 to 8.1 (and had a
> harsh week due to the wonderful em(4) issue, fixed in -STABLE), but now
> the build on this machine is fine, except for one warning that can be
> easily fixed by removing -Werror (once again, why -Werror?).
>
> If you're interested the warning is about:
>
> [...]
> gcc -DHAVE_CONFIG_H -I. -I/usr/include -I/usr/local/include -g -O2 -Wall
> -Wno-unknown-pragmas -Wextra -Wcomment -Wpointer-arith -Wcast-align -Wwrite-strings
> -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement
> -Wshadow -MT support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o
> support_group.o support_group.c
> support_group.c: In function 'utf8dup':
> support_group.c:43: warning: declaration of 'dup' shadows a global
> declaration
> /usr/include/unistd.h:330: warning: shadowed declaration is here
> [...]
>
> So, the build succeeds and the helper doesn't crash on startup, but now I
> have problems connecting to the ldap servers.
> I saw in your reply that you are using a KDC on SuSE Linux. I'm using a
> KDC on Windows 2003/2008, and it works just perfectly with
> squid_ldap_group (but I really miss nested groups :)).
>
> Debug looks like:
>
> ===Cut===
> # ./squid_kerb_group.sh
> 2010/11/13 14:26:21| squid_kerb_ldap: Starting version 1.2.1a
> 2010/11/13 14:26:21| squid_kerb_ldap: Group list
> Internet%20Users%20-%20Proxy1@
> 2010/11/13 14:26:21| squid_kerb_ldap: Group Internet%20Users%20-%20Proxy1
> Domain
> 2010/11/13 14:26:21| squid_kerb_ldap: Netbios list SOFTLAB_at_NORMA.COM
> 2010/11/13 14:26:21| squid_kerb_ldap: Netbios name SOFTLAB Domain
> NORMA.COM
> emz_at_norma.com
> 2010/11/13 14:26:25| squid_kerb_ldap: Got User: emz Domain: NORMA.COM
> 2010/11/13 14:26:25| squid_kerb_ldap: User domain loop: group_at_domain
> Internet%20Users%20-%20Proxy1@
> 2010/11/13 14:26:25| squid_kerb_ldap: Default domain loop: group_at_domain
> Internet%20Users%20-%20Proxy1@
> 2010/11/13 14:26:25| squid_kerb_ldap: Found group_at_domain
> Internet%20Users%20-%20Proxy1@
> 2010/11/13 14:26:25| squid_kerb_ldap: Setup Kerberos credential cache
> 2010/11/13 14:26:25| squid_kerb_ldap: Get default keytab file name
> 2010/11/13 14:26:25| squid_kerb_ldap: Got default keytab file name
> /usr/local/etc/squid/HTTP.keytab
> 2010/11/13 14:26:25| squid_kerb_ldap: Get principal name from keytab
> /usr/local/etc/squid/HTTP.keytab
> 2010/11/13 14:26:25| squid_kerb_ldap: Keytab entry has realm name:
> NORMA.COM
> 2010/11/13 14:26:25| squid_kerb_ldap: Found principal name:
> HTTP/proxy-wizard.norma.com._at_NORMA.COM
> 2010/11/13 14:26:25| squid_kerb_ldap: Set credential cache to
> MEMORY:squid_ldap_17129
> 2010/11/13 14:26:25| squid_kerb_ldap: Got principal name
> HTTP/proxy-wizard.norma.com._at_NORMA.COM
> 2010/11/13 14:26:26| squid_kerb_ldap: Stored credentials
> 2010/11/13 14:26:26| squid_kerb_ldap: Initialise ldap connection
> 2010/11/13 14:26:26| squid_kerb_ldap: Canonicalise ldap server name for
> domain NORMA.COM
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to spb-dc.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to sad-srv.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to hq-gc.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to hq-dc.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to nb-dc.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
> record to sam-dc.norma.com
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 1 of NORMA.COM to
> 192.168.3.34
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 2 of NORMA.COM to
> 192.168.3.45
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 3 of NORMA.COM to
> 192.168.3.34
> 2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 4 of NORMA.COM to
> 192.168.3.45
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 5 of NORMA.COM to
> 192.168.3.34
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 6 of NORMA.COM to
> 192.168.3.45
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 7 of NORMA.COM to
> 192.168.92.189
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 8 of NORMA.COM to
> 192.168.92.189
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 9 of NORMA.COM to
> 192.168.92.189
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 10 of NORMA.COM to
> 192.168.0.9
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 11 of NORMA.COM to
> 192.168.173.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 12 of NORMA.COM to
> 192.168.180.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 13 of NORMA.COM to
> 192.168.0.9
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 14 of NORMA.COM to
> 192.168.173.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 15 of NORMA.COM to
> 192.168.180.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 16 of NORMA.COM to
> 192.168.0.9
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 17 of NORMA.COM to
> 192.168.173.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 18 of NORMA.COM to
> 192.168.180.3
> 2010/11/13 14:26:27| squid_kerb_ldap: Sorted ldap server names for domain
> NORMA.COM:
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: sad-srv.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-gc.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-dc.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: nb-dc.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: sam-dc.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: spb-dc.norma.com Port: 389
> Priority: 0 Weight: 100
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.92.189 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.0.9 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.173.3 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.34 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.45 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.180.3 Port: -1
> Priority: -1 Weight: -1
> 2010/11/13 14:26:27| squid_kerb_ldap: Setting up connection to ldap server
> sad-srv.norma.com:389
> 2010/11/13 14:26:27| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:28| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:28| squid_kerb_ldap: Setting up connection to ldap server
> hq-gc.norma.com:389
> 2010/11/13 14:26:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server
> hq-dc.norma.com:389
> 2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server
> nb-dc.norma.com:389
> 2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap server
> sam-dc.norma.com:389
> 2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap server
> spb-dc.norma.com:389
> 2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.92.189:389
> 2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.0.9:389
> 2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.173.3:389
> 2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.3.34:389
> 2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.3.45:389
> 2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:33| squid_kerb_ldap: Setting up connection to ldap server
> 192.168.180.3:389
> 2010/11/13 14:26:33| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of ldap
> connection: Bad file descriptor
> 2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of ldap
> connection: Bad file descriptor
> 2010/11/13 14:26:33| squid_kerb_ldap: User emz is not member of
> group_at_domain Internet%20Users%20-%20Proxy1@
> 2010/11/13 14:26:33| squid_kerb_ldap: Default group loop: group_at_domain
> Internet%20Users%20-%20Proxy1@
> ERR
> 2010/11/13 14:26:33| squid_kerb_ldap: ERR
> ===Cut===
>
>
> I'm using an openldap-client built with sasl support too.
> Any thoughts on what I'm doing wrong?
>
>
> Thanks.
>
> Eugene.
>
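As an added example (not code from the list or from squid_kerb_ldap itself), a small Python triage script that walks a helper debug log of the shape quoted above and reports which stage of the keytab -> TGT -> SASL/GSSAPI bind chain broke, which is the question the port 88 capture is meant to answer. The sample log, hostnames, realm and addresses are constructed placeholders, and the mail-wrapped log lines are assumed to have been rejoined.

```python
import re

# Constructed sample in the shape of the squid_kerb_ldap debug log quoted above
# (placeholder hostnames, realm and addresses; wrapped lines joined back together).
SAMPLE_LOG = """\
2010/11/13 14:26:25| squid_kerb_ldap: Found principal name: HTTP/proxy.example.com.@EXAMPLE.COM
2010/11/13 14:26:26| squid_kerb_ldap: Stored credentials
2010/11/13 14:26:27| squid_kerb_ldap: Setting up connection to ldap server dc1.example.com:389
2010/11/13 14:26:27| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2010/11/13 14:26:28| squid_kerb_ldap: Setting up connection to ldap server 192.0.2.10:389
2010/11/13 14:26:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
"""

LINE_RE = re.compile(r"^\S+ \S+\| squid_kerb_ldap: (?P<msg>.*)$", re.MULTILINE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def triage(log_text):
    """Report how far the keytab -> TGT -> SASL/GSSAPI bind chain got."""
    report = {"principal": None, "tgt_stored": False, "binds": {}, "notes": []}
    server = None
    for m in LINE_RE.finditer(log_text):
        msg = m.group("msg")
        if msg.startswith("Found principal name: "):
            report["principal"] = msg.split(": ", 1)[1]
        elif msg == "Stored credentials":          # TGT from the keytab succeeded
            report["tgt_stored"] = True
        elif msg.startswith("Setting up connection to ldap server "):
            server = msg.rsplit(" ", 1)[1].rsplit(":", 1)[0]   # strip :port
            report["binds"][server] = "no error reported"
        elif msg.startswith("ldap_sasl_interactive_bind_s error: ") and server:
            report["binds"][server] = "failed: " + msg.split(": ", 1)[1]
    # Verdict: which stage to look at next.
    if report["principal"] is None:
        report["verdict"] = "no principal read from keytab"
    elif not report["tgt_stored"]:
        report["verdict"] = "principal found but no TGT stored from keytab"
    elif report["binds"] and all(v.startswith("failed") for v in report["binds"].values()):
        report["verdict"] = "TGT obtained but every SASL/GSSAPI bind failed"
    else:
        report["verdict"] = "at least one bind reported no error"
    # Notes worth checking before capturing the TGS-REQ on port 88.
    princ = report["principal"] or ""
    host = princ.split("/", 1)[1].split("@", 1)[0] if "/" in princ else ""
    if host.endswith("."):
        report["notes"].append("principal host ends with '.'; compare it with the keytab entry")
    if any(IPV4_RE.match(s) for s in report["binds"]):
        report["notes"].append("binds to bare IPs: ldap/<fqdn> target name then depends on reverse DNS")
    return report
```

With a real log, feed the helper's stderr through `triage()`; a verdict of "TGT obtained but every SASL/GSSAPI bind failed" means the TGT step worked and the TGS request for ldap/<fqdn> is the next thing to inspect in the capture.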
Received on Sat Nov 13 2010 - 17:07:39 MST

This archive was generated by hypermail 2.2.0 : Sun Nov 14 2010 - 12:00:01 MST