Re: [squid-users] Re: squid_kerb_ldap - Squid and AD integration

From: Essad Korkic <essad.korkic_at_gmail.com>
Date: Thu, 3 Mar 2011 09:26:47 +0100

Hi Markus,

Thanks for the reply.

I don't know why it's not able to authenticate against some servers,
if I run it a few times, it authenticates often with a different
server, so it's not just one.

I really don't want to run a caching DNS server, mainly because the
resolving that goes well is pretty fast, but I'm guessing that not all
entries can be reverse resolved. I could get this straightened out by
our Networks department, but as you can see, they are doing a lousy
job at this, so I don't want to be dependent on their work.

I wasn't able to find a newer version on sourceforge, or did you mean
the CVS? Although I didn't see any references to specifying a single
LDAP server other than the failover option (-l).

Thanks again.

Regards,
Essad

On Thu, Mar 3, 2011 at 7:22 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>
> "Essad Korkic" <essad.korkic_at_gmail.com> wrote in message
> news:AANLkTikwqMAScByN1EEcP1tf7qEx14uHES7-ibgvSySY_at_mail.gmail.com...
>>
>> Hi there,
>>
>> We would like to implement Squid instead of MS-ISA for our company,
>> for now the Squid server is running fine, however I'm having some
>> issues with getting AD authentication working.
>>
>> I've set my eyes on squid_kerb_ldap to do the job, and if I run it
>> manually it works, however it takes a long time to get the result.
>> It appears that the helper is trying to (reverse-)resolve all the LDAP
>> servers.
>>
>
> That is intentional, as I wanted to have it as automated as possible in the way
> the AD servers are detected. Since I authenticate with Kerberos against AD I
> need to check that the DNS name is correct, which is why I require reverse DNS too. You
> could run a local caching DNS server to improve performance on this if you
> have a long list of DCs.
>
>> For example:
>>
>> I'll run this:
>> /usr/lib64/squid/squid_kerb_ldap -d -g "InternetGroup"@ -N
>> host/squidproxy001.realm.com_at_REALM.COM -b  "ou=LD,dc=ad,dc=min,dc=nl"
>> -D REALM.COM
>> It then gives this:
>>
>> 2011/03/02 17:09:15| squid_kerb_ldap: Starting version 1.2.1a
>> 2011/03/02 17:09:15| squid_kerb_ldap: Group list InternetGroup@
>> 2011/03/02 17:09:15| squid_kerb_ldap: Group InternetGroup  Domain
>> 2011/03/02 17:09:15| squid_kerb_ldap: Netbios list
>> host/squidproxy001.realm.com_at_REALM.COM
>> 2011/03/02 17:09:15| squid_kerb_ldap: Netbios name
>> host/squidproxy001.realm.com  Domain REALM.COM
>>
>> I then enter a username which belongs to that Group.
>>
>> normaluser
>>
>> Then it continues with the following:
>>
>>
>> 2011/03/02 17:09:18| squid_kerb_ldap: Got User: normaluser set default
>> domain: REALM.COM
>> 2011/03/02 17:09:18| squid_kerb_ldap: Got User: normaluser Domain:
>> REALM.COM
>> 2011/03/02 17:09:18| squid_kerb_ldap: User domain loop: group_at_domain
>> InternetGroup@
>> 2011/03/02 17:09:18| squid_kerb_ldap: Default domain loop:
>> group_at_domain InternetGroup@
>> 2011/03/02 17:09:18| squid_kerb_ldap: Found group_at_domain InternetGroup@
>> 2011/03/02 17:09:18| squid_kerb_ldap: Setup Kerberos credential cache
>> 2011/03/02 17:09:18| squid_kerb_ldap: Get default keytab file name
>> 2011/03/02 17:09:18| squid_kerb_ldap: Got default keytab file name
>> /etc/squid/squid.keytab
>> 2011/03/02 17:09:18| squid_kerb_ldap: Get principal name from keytab
>> /etc/squid/squid.keytab
>> 2011/03/02 17:09:18| squid_kerb_ldap: Keytab entry has realm name:
>> REALM.COM
>> 2011/03/02 17:09:18| squid_kerb_ldap: Found principal name:
>> host/squidproxy001.realm.com_at_REALM.COM
>> 2011/03/02 17:09:18| squid_kerb_ldap: Set credential cache to
>> MEMORY:squid_ldap_9552
>> 2011/03/02 17:09:18| squid_kerb_ldap: Got principal name
>> host/squidproxy001.realm.com_at_REALM.COM
>> 2011/03/02 17:09:19| squid_kerb_ldap: Stored credentials
>> 2011/03/02 17:09:19| squid_kerb_ldap: Initialise ldap connection
>> 2011/03/02 17:09:19| squid_kerb_ldap: Canonicalise ldap server name
>> for domain REALM.COM
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl446.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl331.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl329.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl327.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl325.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl473.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl323.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl417.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl456.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl467.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl416.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl443.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl371.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl407.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl444.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl317.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl437.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl453.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl391.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl389.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl408.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl478.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl438.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl474.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl359.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl472.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl314.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl334.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl315.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl318.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl479.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl406.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl399.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl486.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl321.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl481.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl482.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl484.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl319.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl410.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl332.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl330.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl380.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl382.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl313.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl483.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl322.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl454.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl457.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl477.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl312.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl352.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl387.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl445.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl328.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl358.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl374.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl424.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl350.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl311.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl384.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl381.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl369.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl436.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl333.realm.com
>> 2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV
>> _ldap._tcp.REALM.COM record to domctrl335.realm.com
>> 2011/03/02 17:09:42| squid_kerb_ldap: Error while resolving ip address
>> with getnameinfo: Temporary failure in name resolution
>> 2011/03/02 17:09:42| squid_kerb_ldap: Sorted ldap server names for
>> domain REALM.COM:
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl331.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl329.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl327.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl325.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl473.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl323.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl417.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl456.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl467.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl416.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl443.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl371.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl407.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl444.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl317.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl437.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl453.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl391.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl389.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl408.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl478.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl438.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl474.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl359.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl472.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl314.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl334.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl315.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl318.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl479.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl406.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl399.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl486.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl321.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl481.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl482.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl484.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl319.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl410.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl332.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl330.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl380.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl382.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl313.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl483.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl322.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl454.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl457.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl477.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl312.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl352.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl387.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl445.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl328.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl358.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl374.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl424.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl350.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl311.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl384.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl381.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl369.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl436.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl333.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl446.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Host: domctrl335.realm.com Port:
>> 389 Priority: 0 Weight: 100
>> 2011/03/02 17:09:42| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl331.realm.com:389
>> 2011/03/02 17:09:42| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:10:05| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>
>
> I wonder why it is not possible to authenticate to all AD servers?
>
> I see below it works against domctrl317.realm.com.
>
>> 2011/03/02 17:10:05| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:10:05| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl329.realm.com:389
>> 2011/03/02 17:10:05| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:10:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:10:28| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:10:28| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl327.realm.com:389
>> 2011/03/02 17:10:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:10:51| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:10:51| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:10:51| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl325.realm.com:389
>> 2011/03/02 17:10:51| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:14| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl473.realm.com:389
>> 2011/03/02 17:11:14| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:14| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl323.realm.com:389
>> 2011/03/02 17:11:14| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:14| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:14| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl417.realm.com:389
>> 2011/03/02 17:11:14| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:37| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl456.realm.com:389
>> 2011/03/02 17:11:37| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:37| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl467.realm.com:389
>> 2011/03/02 17:11:37| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:37| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl416.realm.com:389
>> 2011/03/02 17:11:37| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:37| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl443.realm.com:389
>> 2011/03/02 17:11:37| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:11:37| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:11:37| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl371.realm.com:389
>> 2011/03/02 17:11:37| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:12:00| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:12:00| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:12:00| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl407.realm.com:389
>> 2011/03/02 17:12:00| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:12:23| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:12:23| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:12:23| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl444.realm.com:389
>> 2011/03/02 17:12:23| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:12:23| squid_kerb_ldap: ldap_sasl_interactive_bind_s
>> error: Local error
>> 2011/03/02 17:12:23| squid_kerb_ldap: Error while binding to ldap
>> server with SASL/GSSAPI: Local error
>> 2011/03/02 17:12:23| squid_kerb_ldap: Setting up connection to ldap
>> server domctrl317.realm.com:389
>> 2011/03/02 17:12:23| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
>> 2011/03/02 17:12:23| squid_kerb_ldap: Successfully initialised
>> connection to ldap server domctrl317.realm.com:389
>> 2011/03/02 17:12:23| squid_kerb_ldap: Search ldap server with bind
>> path "" and filter: (objectclass=*)
>> 2011/03/02 17:12:23| squid_kerb_ldap: Search ldap entries for
>> attribute : schemaNamingContext
>> 2011/03/02 17:12:23| squid_kerb_ldap: 1 ldap entry found with
>> attribute : schemaNamingContext
>> 2011/03/02 17:12:23| squid_kerb_ldap: Search ldap server with bind
>> path CN=Schema,CN=Configuration,DC=forest,DC=domain,DC=nl and filter:
>> (ldapdisplayname=samaccountname)
>> 2011/03/02 17:12:23| squid_kerb_ldap: Found 1 ldap entry
>> 2011/03/02 17:12:23| squid_kerb_ldap: Determined ldap server as an
>> Active Directory server
>> 2011/03/02 17:12:23| squid_kerb_ldap: Search ldap server with bind
>> path dc=DOMAIN,dc=MIN,dc=NL and filter : (samaccountname=normaluser)
>> 2011/03/02 17:12:23| squid_kerb_ldap: Found 1 ldap entry
>> 2011/03/02 17:12:23| squid_kerb_ldap: Search ldap entries for
>> attribute : memberof
>> 2011/03/02 17:12:23| squid_kerb_ldap: 16 ldap entries found with
>> attribute : memberof
>> 2011/03/02 17:12:23| squid_kerb_ldap: Entry 1 "InternetGroup" in hex
>> UTF-8 is 474f555052656769656b616d6572
>> 2011/03/02 17:12:23| squid_kerb_ldap: Unbind ldap server
>> 2011/03/02 17:12:23| squid_kerb_ldap: User normaluser is member of
>> group_at_domain InternetGroup@
>> OK
>> 2011/03/02 17:12:23| squid_kerb_ldap: OK
>>
>> So the setup is working, but due to the fact that everything is
>> resolved it takes a lot of time, not something you want in a
>> production environment.
>>
>> Is there a way I can force the helper to use just one domain
>> controller? Perhaps there are other helpers that can do this, but I
>> only found this one...
>> Once this is fixed, I can add this to the squid.conf, and it should work.
>>
>
> I have a newer version in sourceforge with an option to specify ldap servers
> instead of automated SRV record detection.
>
>> Apparently not all the domain controllers have a reverse resolving
>> address. (I'm guessing that the "Networks Department" has forgotten to
>> put that one in once in a while).
>>
>> My krb5.conf file looks like this:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = REALM.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>>
>> [realms]
>> REALM.COM = {
>>  kdc = 10.20.152.30:88
>>  admin_server = 10.20.32.13:749
>>  default_domain = realm.com
>> }
>>
>> [domain_realm]
>> .realm.com = REALM.COM
>> realm.com = REALM.COM
>>
>> [appdefaults]
>> pam = {
>>  debug = false
>>  ticket_lifetime = 36000
>>  renew_lifetime = 36000
>>  forwardable = true
>>  krb4_convert = false
>>  validate = true
>> }
>>
>>
>> I can log in using ldap authentication via ssh, thus the machine is
>> fully integrated in AD.
>>
>>
>> Background info:
>> RHEL6 -  2.6.32-71.el6.x86_64
>> squid.x86_64  -  7:3.1.4-1.el6
>> squid_kerb_ldap.x86_64  -  1.2.1a-1.fc13
>>
>> Thanks in advance.
>>
>> Essad Korkic
>>
>
>
> Regards
> Markus
>
>
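As an added example (not code from this thread or from the squid_kerb_ldap project), a small Python summariser for the helper's -d output quoted above: it times every SASL/GSSAPI bind attempt per domain controller, separates the binds that stalled for tens of seconds from the ones that failed at once, and totals the time lost before the first DC that worked, so the result can be set against the SRV list and against which DCs the network team gave PTR records. The log sample is constructed, modelled on the thread's output with three DCs instead of sixty-odd; the 10-second threshold is a heuristic of mine.

```python
"""Summarise squid_kerb_ldap -d debug output per domain controller.
Added example, not part of squid_kerb_ldap. Line format follows the
helper's debug output as quoted in the mailing-list thread.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| squid_kerb_ldap: (.*)$")
SRV_RE = re.compile(r"Resolved SRV (\S+) record to (\S+)")
CONNECT_RE = re.compile(r"Setting up connection to ldap server (\S+)")
OK_RE = re.compile(r"Successfully initialised connection to ldap server (\S+)")

SLOW_SECONDS = 10  # heuristic: a bind failing after >= 10 s stalled; one failing at once did not

# Constructed sample modelled on the thread's output (three DCs instead of 60+).
SAMPLE_LOG = """\
2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV _ldap._tcp.REALM.COM record to domctrl331.realm.com
2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV _ldap._tcp.REALM.COM record to domctrl473.realm.com
2011/03/02 17:09:19| squid_kerb_ldap: Resolved SRV _ldap._tcp.REALM.COM record to domctrl317.realm.com
2011/03/02 17:09:42| squid_kerb_ldap: Error while resolving ip address with getnameinfo: Temporary failure in name resolution
2011/03/02 17:09:42| squid_kerb_ldap: Setting up connection to ldap server domctrl331.realm.com:389
2011/03/02 17:09:42| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/03/02 17:10:05| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/03/02 17:10:05| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/03/02 17:10:05| squid_kerb_ldap: Setting up connection to ldap server domctrl473.realm.com:389
2011/03/02 17:10:05| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/03/02 17:10:05| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/03/02 17:10:05| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/03/02 17:10:05| squid_kerb_ldap: Setting up connection to ldap server domctrl317.realm.com:389
2011/03/02 17:10:05| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/03/02 17:10:05| squid_kerb_ldap: Successfully initialised connection to ldap server domctrl317.realm.com:389
"""


def _host(host_port):
    """Strip the :389 suffix so hosts compare with the SRV target names."""
    return host_port.rsplit(":", 1)[0]


def summarise(log_text):
    srv_hosts, resolve_errors, attempts = [], 0, []
    current, bind_started = None, None  # DC being tried and when its bind began
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # echoed username, bare "OK", or a non-helper line
        when, msg = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)
        if s := SRV_RE.search(msg):
            srv_hosts.append(s.group(2))
        elif "Error while resolving ip address" in msg:
            resolve_errors += 1  # a DC address without a usable PTR record
        elif c := CONNECT_RE.search(msg):
            current, bind_started = _host(c.group(1)), None
        elif msg.startswith("Bind to ldap server"):
            bind_started = when
        elif msg.startswith("Error while binding") and current:
            secs = (when - bind_started).total_seconds() if bind_started else 0.0
            attempts.append({"host": current, "result": "failed", "seconds": secs})
            current = None
        elif o := OK_RE.search(msg):
            secs = (when - bind_started).total_seconds() if bind_started else 0.0
            attempts.append({"host": _host(o.group(1)), "result": "ok", "seconds": secs})
            current = None
    failed = [a for a in attempts if a["result"] == "failed"]
    ok = [a["host"] for a in attempts if a["result"] == "ok"]
    return {
        "srv_records": len(srv_hosts),
        "resolve_errors": resolve_errors,
        "attempts": attempts,
        "slow_failures": [a["host"] for a in failed if a["seconds"] >= SLOW_SECONDS],
        "instant_failures": [a["host"] for a in failed if a["seconds"] < SLOW_SECONDS],
        "bound_to": ok[0] if ok else None,
        "wasted_seconds": sum(a["seconds"] for a in failed),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for a in s["attempts"]:
        print(f"{a['host']:<24} {a['result']:<6} {a['seconds']:4.0f}s")
    print(f"bound to {s['bound_to']}, {s['wasted_seconds']:.0f}s lost on failed binds")
```

Feed it the real helper output (`squid_kerb_ldap -d ... 2>&1 | python3 summarise.py`-style, after swapping SAMPLE_LOG for stdin) and the slow-failure list is the set of DCs worth checking first against the reverse zone.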
Received on Thu Mar 03 2011 - 08:26:54 MST