[squid-users] Re: Re: Squid authenticate via squid_kerb_ldap

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 6 Oct 2011 20:57:13 +0100

> Hi Markus.
>
>
> On 10/05/2011 04:30 PM, Markus Moeller wrote:
>> Hi Ricardo,
>>
>> That looks basically all correct. Can you capture the traffic on port 88
>> ( Kerberos ) with wireshark ? At this point
>>
>> 2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
>> server srvarq.domain.local:389
>> 2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with
>> SASL/GSSAPI
>> 2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
>> Local error
>> 2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
>> with SASL/GSSAPI: Local error
>>
>> you should see a Kerberos authentication request (AS-REQ ) for
>> HTTP/Firewall.domain.local followed by a successful reply (AS-REP).
>> After that you should see a TGS-REQ for ldap/server srvarq.domain.local
>> with a successful reply.
>>
> Yes, I see AS-REQ and AS-REP
>
> ------------------------------------
> Kerberos AS-REQ
> Pvno: 5
> MSG Type: AS-REQ (10)
>
> Client Name (Principal): HTTP/Firewall.domain.local
> Name-type: Principal (1)
> Name: HTTP
> Name: Firewall.domain.local
> Realm: DOMAIN.LOCAL
> ----------------------------
> Kerberos AS-REP
> Pvno: 5
> MSG Type: AS-REP (11)
> Client Realm: DOMAIN.LOCAL
> Client Name (Principal): HTTP/Firewall.domain.local
> Name-type: Principal (1)
> Name: HTTP
> Name: Firewall.domain.local
> Ticket
> Tkt-vno: 5
> Realm: DOMAIN.LOCAL
> -------------------------------
> but I do not see TGS-REQ
>
> After AS-REP I immediately got the three-way handshake to port 389 and
> then the following LDAP payload
>
> --------------------------------
>
> Lightweight-Directory-Access-Protocol
> LDAPMessage searchRequest(1) "<ROOT>" baseObject
> messageID: 1
> protocolOp: searchRequest (3)
> searchRequest
> baseObject:
> scope: baseObject (0)
> derefAliases: neverDerefAliases (0)
> sizeLimit: 0
> timeLimit: 0
> typesOnly: False
> Filter: (objectclass=*)
> filter: present (7)
> present: objectclass
> attributes: 1 item
> AttributeDescription: supportedSASLMechanisms
> -----------------------------------------
> and the answer I'd say something back but it does not show
>
> Lightweight-Directory-Access-Protocol
> LDAPMessage searchResEntry(1) "<ROOT>" [1 result]
> messageID: 1
> protocolOp: searchResEntry (4)
> searchResEntry
> objectName:
> attributes: 1 item
> PartialAttributeList item supportedSASLMechanisms
> type: supportedSASLMechanisms
> vals: 4 items
> GSSAPI
> GSS-SPNEGO
> EXTERNAL
> DIGEST-MD5
> [Response To: 8]
> [Time: 0.000462000 seconds]
> Lightweight-Directory-Access-Protocol
> LDAPMessage searchResDone(1) success [1 result]
> messageID: 1
> protocolOp: searchResDone (5)
> searchResDone
> resultCode: success (0)
> matchedDN:
> errorMessage:
> [Response To: 8]
> [Time: 0.000462000 seconds]
> ---------------------------------------------
>
>> I think one of these requests is failing. Could you let me know the error
>> message ?
>>
>> If it does not fail can you capture the traffic on port 389 ? It should
>> show a SASL/GSSAPI authentication of the ldap connection. Could you let
>> me know if that succeeded ?
>>
> No, connection to SASL/GSSAPI would not occur because a set is missing
> some step??
>

Can you try the following on your squid box:

kinit -kt <squid.keytab> HTTP/Firewall.domain.local@DOMAIN.LOCAL
ldapsearch -H ldap://srvarq.domain.local -s sub -b DC=DOMAIN,DC=LOCAL
serviceprincipalname=ldap/srvarq.domain.local

You should get something like:

ldapsearch -H ldap://w2k3r2.win2003r2.home -s sub -b DC=WIN2003R2,DC=HOME
serviceprincipalname=ldap/w2k3r2.win2003r2.home
SASL/GSSAPI authentication started
SASL username: HTTP/squid.win2003r2.home@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <DC=WIN2003R2,DC=HOME> with scope subtree
# filter: serviceprincipalname=ldap/w2k3r2.win2003r2.home
# requesting: ALL
#

# W2K3R2, Domain Controllers, win2003r2.home
dn: CN=W2K3R2,OU=Domain Controllers,DC=win2003r2,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W2K3R2
.....

If that fails you may be missing cyrus-sasl-gssapi.

> Thanks for the help
>
> Regards
>

Regards
Markus
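The troubleshooting in this thread follows a fixed order of evidence: the squid_kerb_ldap lines in cache.log, the Kerberos message types seen on port 88 (AS-REQ/AS-REP, then TGS-REQ/TGS-REP for ldap/<server>), and finally whether the kinit + ldapsearch test above produces a SASL/GSSAPI bind. The script below is an added example, not code from the thread or from the Squid project: it parses those three kinds of evidence and reports which step failed, using the same reasoning Markus applies (a TGT but no TGS-REQ together with libldap's "Local error" points at the client-side GSSAPI mechanism, i.e. a missing cyrus-sasl-gssapi). The sample log line and ldapsearch banner are constructed from the messages quoted above; the verdict strings and hints are this example's own.

```python
"""Triage helper for squid_kerb_ldap SASL/GSSAPI bind failures (added example).

Parses squid_kerb_ldap cache.log lines, the Kerberos message types observed in
a port-88 capture, and the SASL banner printed by ldapsearch, then reports the
step at which the bind to the LDAP server failed.  Sample inputs are constructed
from the thread this example accompanies.
"""
import re

# Kerberos message types as Wireshark labels them (RFC 4120 msg-type values 10-13).
AS_REQ, AS_REP, TGS_REQ, TGS_REP = "AS-REQ", "AS-REP", "TGS-REQ", "TGS-REP"

# Constructed cache.log excerpt (the thread's lines, re-joined after mail wrapping).
SAMPLE_LOG = [
    "2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server srvarq.domain.local:389",
    "2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI",
    "2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error",
    "2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error",
]

# Constructed ldapsearch banner, as in the working example from the thread.
SAMPLE_LDAPSEARCH = """SASL/GSSAPI authentication started
SASL username: HTTP/squid.win2003r2.home@WIN2003R2.HOME
SASL SSF: 56
SASL data security layer installed.
"""

_BIND_ERR = re.compile(
    r"squid_kerb_ldap: (?:ldap_sasl_interactive_bind_s error|"
    r"Error while binding to ldap server with SASL/GSSAPI): (.*)$"
)


def parse_squid_kerb_ldap_log(lines):
    """Return the last SASL bind error text reported by squid_kerb_ldap, or None."""
    err = None
    for line in lines:
        m = _BIND_ERR.search(line)
        if m:
            err = m.group(1).strip()
    return err


def kerberos_stage(msg_types):
    """Classify how far the Kerberos exchange got from the message types seen on port 88."""
    seen = set(msg_types)
    if AS_REQ not in seen:
        return "no-as-req"       # helper never contacted the KDC: keytab, principal or krb5.conf
    if AS_REP not in seen:
        return "as-req-failed"   # KDC answered with KRB-ERROR instead of a TGT
    if TGS_REQ not in seen:
        return "no-tgs-req"      # TGT obtained, but no ticket for ldap/<server> was requested
    if TGS_REP not in seen:
        return "tgs-req-failed"  # service ticket refused: SPN ldap/<server> likely not registered
    return "kerberos-ok"         # both tickets obtained; the problem is on the LDAP side


def parse_ldapsearch_sasl(output):
    """Extract SASL username and SSF from ldapsearch's SASL/GSSAPI banner, or None."""
    user = re.search(r"^SASL username: (\S+)$", output, re.M)
    ssf = re.search(r"^SASL SSF: (\d+)$", output, re.M)
    if not user or not ssf:
        return None
    return {"username": user.group(1), "ssf": int(ssf.group(1))}


def diagnose(log_lines, msg_types, ldapsearch_output=None):
    """Combine the evidence into a (verdict, hint) pair."""
    stage = kerberos_stage(msg_types)
    err = parse_squid_kerb_ldap_log(log_lines)
    if ldapsearch_output is not None:
        sasl = parse_ldapsearch_sasl(ldapsearch_output)
        if sasl and sasl["ssf"] > 0:
            return ("ldap-sasl-ok",
                    "ldapsearch binds with SASL/GSSAPI as %s (SSF %d); compare the helper's "
                    "keytab and credential cache settings with the shell's" % (sasl["username"], sasl["ssf"]))
        return ("ldap-sasl-failed",
                "ldapsearch cannot start SASL/GSSAPI either: check cyrus-sasl-gssapi and that kinit succeeded")
    if stage == "no-tgs-req" and err == "Local error":
        return ("sasl-mech-missing",
                "TGT obtained but no TGS-REQ for ldap/<server>, and libldap reports 'Local error': "
                "the GSSAPI SASL mechanism never ran, so cyrus-sasl-gssapi is probably not installed")
    if stage != "kerberos-ok":
        return (stage, "Kerberos exchange incomplete; fix the KDC side before looking at port 389")
    return ("ldap-side", "Kerberos tickets look fine; capture port 389 and inspect the SASL bind responses")


if __name__ == "__main__":
    # Ricardo's capture: AS-REQ and AS-REP, no TGS-REQ, helper reports "Local error".
    print(diagnose(SAMPLE_LOG, [AS_REQ, AS_REP]))
    # After the suggested kinit + ldapsearch test succeeds.
    print(diagnose(SAMPLE_LOG, [AS_REQ, AS_REP], SAMPLE_LDAPSEARCH))
```

Run it against a real cache.log excerpt, the list of Kerberos message types Wireshark shows for port 88, and the stderr of the ldapsearch test; the verdict only narrows the search, the actual fix (installing the SASL GSSAPI plugin, registering the SPN, or correcting the keytab) still has to be confirmed on the box.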
Received on Thu Oct 06 2011 - 19:57:38 MDT