[squid-users] Fwd: squid_kerb_ldap trabl

From: Valentin G <slot17_at_yandex.ru>
Date: Tue, 03 Jun 2014 17:11:43 +0400

Hi, help me solve my problem configuring squid...

DOMINION.LOCAL - win domain (2003+2008 forest 2003)
3 inet groups in AD

user vvgulimov in group Internet_all

squid_kerb_ldap ver 1.2.2

cache.log

2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: User domain loop: group_at_domain Internet_all_at_NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default domain loop: group_at_domain Internet_all_at_NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default group loop: group_at_domain Internet_all_at_NULL
2014/06/03 15:52:59| squid_kerb_ldap: Found group_at_domain Internet_all_at_NULL
2014/06/03 15:52:59| squid_kerb_ldap: Setup Kerberos credential cache
2014/06/03 15:52:59| squid_kerb_ldap: Get default keytab file name
2014/06/03 15:52:59| squid_kerb_ldap: Got default keytab file name /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Get principal name from keytab /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Keytab entry has realm name: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Found principal name: HTTP/proxy.dominion.local_at_DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_3062
2014/06/03 15:52:59| squid_kerb_ldap: Got principal name HTTP/proxy.dominion.local_at_DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Stored credentials
2014/06/03 15:52:59| squid_kerb_ldap: Initialise ldap connection
2014/06/03 15:52:59| squid_kerb_ldap: Canonicalise ldap server name for domain DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-1.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-2.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 1 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 2 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 3 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Adding DOMINION.LOCAL to list
2014/06/03 15:52:59| squid_kerb_ldap: Sorted ldap server names for domain DOMINION.LOCAL:
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-2.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-1.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: DOMINION.LOCAL Port: -1 Priority: -1 Weight: -1
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap entries for attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group_at_domain Internet_all_at_NULL
2014/06/03 15:52:59| squid_kerb_ldap: ERR

____________________________________________

squid.config

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s HTTP/proxy.dominion.local_at_DOMINION.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP1 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_all
external_acl_type SQUID_KERB_LDAP2 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_blacklist
external_acl_type SQUID_KERB_LDAP3 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_whitelist

acl AUTHENTICATED proxy_auth REQUIRED

acl Internet_all external SQUID_KERB_LDAP1
acl Internet_blacklist external SQUID_KERB_LDAP2
acl Internet_whitelist external SQUID_KERB_LDAP3

acl white_list url_regex -i "/etc/squid/white_list"
acl black_list url_regex -i "/etc/squid/black_list"

http_access allow Internet_whitelist white_list
http_access deny Internet_blacklist black_list
http_access allow Internet_all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localhost
http_access allow AUTHENTICATED
http_access deny all

_______________________________________
krb5.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
krb4_convert = false
}

[libdefaults]
default_realm = DOMINION.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# proxiable = true

# For Windows 2007:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable = yes

[realms]
DOMINION.LOCAL = {
# kdc = 192.168.235.4:88
kdc = 192.168.234.2:88
# admin_server = 192.168.235.4:749
admin_server = 192.168.234.2:749
default_domain = DOMINION.LOCAL
}

[domain_realm]
.dominion.local = DOMINION.LOCAL
dominion.local = DOMINION.LOCAL
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
kdc = SYSLOG:INFO AEMON
admin_server = FILE:/var/log/kadmin.log

____________________________________________________

thank you

ps. configure your mail ezm is very strong ..)
Received on Tue Jun 03 2014 - 13:11:53 MDT
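As an added example (not from the post or from the squid_kerb_ldap project), a Python triage of the helper's `-d` debug output: it records which DC the SASL/GSSAPI bind failed on, the result of the schema probe that decides whether the server is treated as Active Directory, and the final OK/ERR verdict. The sample log is a constructed subset of the lines quoted above, and the message formats are assumed to be exactly those the post shows.

```python
import re

# Constructed sample: the decisive subset of the helper's -d output quoted in the post.
SAMPLE_LOG = """\
2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error
2014/06/03 15:52:59| squid_kerb_ldap: ERR
"""
LINE_RE = re.compile(r"^\S+ \S+\| squid_kerb_ldap: (?P<msg>.*)$")  # assumed line layout

def triage(log_text):
    # Reduce one helper run to: user, per-DC bind outcome, schema probe, type error, verdict.
    report = {"user": None, "servers": {}, "schema_hits": None,
              "ad_detected": None, "type_error": None, "result": None}
    server = None  # the DC the following bind messages refer to
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        msg = m.group("msg")
        if msg.startswith("Got User: "):
            report["user"] = msg.split()[2]
        elif msg.startswith("Setting up connection to ldap server "):
            server = msg.rsplit(" ", 1)[1]
            report["servers"][server] = "connecting"
        elif msg.startswith("Error while binding") and server:
            report["servers"][server] = "bind failed: " + msg.rsplit(": ", 1)[1]
        elif msg.startswith("Successfully initialised connection") and server:
            report["servers"][server] = "bound"
        elif msg.startswith("Found ") and msg.endswith(" ldap entries"):
            report["schema_hits"] = int(msg.split()[1])  # ldapdisplayname=samaccountname probe
        elif msg.endswith("not as an Active Directory server"):
            report["ad_detected"] = False
        elif msg.startswith("Error determining ldap server type: "):
            report["type_error"] = msg.split(": ", 1)[1]
        elif msg in ("OK", "ERR"):
            report["result"] = msg
    return report

def findings(report):
    # What an operator should check, in the order the helper hit it.
    out = [f"{dc}: {state}" for dc, state in report["servers"].items()
           if state.startswith("bind failed")]
    if report["schema_hits"] == 0 and report["ad_detected"] is False:
        out.append("schema probe found 0 entries; DC not treated as Active Directory "
                   f"({report['type_error']})")
    if report["result"] == "ERR":
        out.append(f"helper returned ERR for {report['user']}")
    return out
```

Run against the post's log, the findings are the failed GSSAPI bind to the first DC and the schema probe returning 0 entries, which is what causes the helper to deny the user despite the group existing.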

This archive was generated by hypermail 2.2.0 : Wed Jun 04 2014 - 12:00:06 MDT