[squid-users] Re: Squid authenticate via squid_kerb_ldap

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 4 Oct 2011 22:56:15 +0100

Hi Ricardo,

  Can you add a -d option for debug output to squid_kerb_ldap? It should
help to pinpoint the problem. squid_kerb_ldap uses the Kerberos keytab
entry to authenticate to Active Directory, which fails. Can you also capture
with tcpdump the Kerberos traffic on port 88 and LDAP on port 389?

Markus

"Ricardo Barbosa" <spiderslack_at_yahoo.com.br> wrote in message
news:1317680715.75499.YahooMailNeo_at_web161310.mail.bf1.yahoo.com...
Hi all,

I'm setting up Squid authenticating via Kerberos. The helper squid_kerb_auth
works perfectly, but squid_kerb_ldap does not. Initially I got messages in the
logs about SASL support, as in the list history.

http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html

But I recompiled squid_kerb_ldap with support for SASL and the message
changed.

==> /var/log/squid/access.log <==
1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET http://www.google.com.br/ - NONE/- text/html
1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET http://www.google.com.br/ ricardo.dias@DOMAIN.LOCAL NONE/- text/html

==> /var/log/squid/cache.log <==
2011/10/03 18:19:30| squid_kerb_auth: Got 'YR [...]' from squid (length: 1923).
2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
2011/10/03 18:19:30| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
 ricardo.dias@DOMAIN.LOCAL

2011/10/03 18:22:44| squid_kerb_auth: AF
oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg==
ricardo.dias@DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain: DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of group@domain G_Internet_RH@NULL

Does anyone have any idea where I am wrong?
Received on Tue Oct 04 2011 - 21:56:48 MDT
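
An added example, not part of the original thread or of Squid's code: a small triage script for cache.log that separates "not member of group" verdicts issued after a SASL/GSSAPI bind failure (as in the log above) from verdicts issued after a lookup with no bind error. It assumes the log format shown in the thread with wrapped lines rejoined, that the archive's "_at_" stands for "@", and that lines from one lookup are not interleaved with another helper's; the jane.doe entries are constructed.

```python
import re

# Constructed sample in the format of the cache.log excerpt in the thread.
# The jane.doe lines are invented to show a denial with no bind error.
SAMPLE = """\
2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain: DOMAIN.LOCAL
2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of group@domain G_Internet_RH@NULL
2011/10/03 18:25:01| squid_kerb_ldap: Got User: jane.doe Domain: DOMAIN.LOCAL
2011/10/03 18:25:01| squid_kerb_ldap: User jane.doe is not member of group@domain G_Internet_RH@NULL
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+)\| squid_kerb_ldap: (?P<msg>.*)$")
GOT = re.compile(r"^Got User: (?P<user>\S+) Domain: (?P<domain>\S+)")
BIND_ERR = re.compile(r"^Error while binding to ldap server with SASL/GSSAPI: (?P<why>.*)$")
DENY = re.compile(r"^User (?P<user>\S+) is not member of group@domain (?P<group>\S+)")


def classify_denials(log_text):
    """Return one dict per 'not member' verdict, recording whether the helper
    failed to bind to the LDAP server while handling that lookup."""
    results, bind_errors = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a squid_kerb_ldap line (e.g. squid_kerb_auth output)
        msg = m.group("msg")
        if GOT.match(msg):
            bind_errors = []  # a new lookup starts here
        elif (b := BIND_ERR.match(msg)):
            bind_errors.append(b.group("why"))
        elif (d := DENY.match(msg)):
            results.append({
                "time": m.group("ts"),
                "user": d.group("user"),
                "group": d.group("group"),
                "bind_failures": len(bind_errors),
                # a denial with bind errors means the directory was never queried
                "verdict": "lookup-failed" if bind_errors else "not-member",
            })
            bind_errors = []
    return results


if __name__ == "__main__":
    for row in classify_denials(SAMPLE):
        print(row)
```

A "lookup-failed" row points at the helper's own authentication to the directory (keytab, SASL/GSSAPI) rather than at the user's group membership.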
