[squid-users] Re: kerberos_ldap_group stopped working with subdomains

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 25 Aug 2014 20:44:26 +0100

Hi Pavel,

   Can you remove line 263 from support_krb5.cc and recompile? It is fixed
in the trunk for 3.5.

   The line is
            safe_free(principal_name);

Regards
Markus

"Pavel Timofeev" wrote in message
news:CAAoTqfuJ2MGiPbV7fO4zR4SzKSWpy0Q=_ii8w8YeVMbub_QFrA_at_mail.gmail.com...

Hi Markus!
I can't, because all the problems I described and all the log excerpts
I provided are from squid 3.4.
Squid 3.3 works well, squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Pavel,
>
> Can you use 3.4 then instead of 3.3, as it seems to have the problem
> fixed?
>
> Markus
>
> "Pavel Timofeev" wrote in message
> news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=Dd8n7w_at_mail.gmail.com...
>
>
> That's how squid 3.4.6's helper works with username_at_example.org
>
> kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
> support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: User domain loop: group_at_domain
> OCS-DenyInternet-G_at_NULL
> support_member.cc(83): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Default domain loop: group_at_domain
> OCS-DenyInternet-G_at_NULL
> support_member.cc(111): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Default group loop: group_at_domain
> OCS-DenyInternet-G_at_NULL
> support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Found group_at_domain OCS-DenyInternet-G_at_NULL
> support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
> support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Get default keytab file name
> support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Got default keytab file name
> /usr/local/etc/squid/squid.keytab
> support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Get principal name from keytab
> /usr/local/etc/squid/squid.keytab
> support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
> support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Found principal name:
> HTTP/proxy.example.org_at_EXAMPLE.ORG
> support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Set credential cache to
> MEMORY:squid_ldap_45620
> support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Got principal name
> HTTP/proxy.example.org_at_EXAMPLE.ORG
> support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Stored credentials
> support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Initialise ldap connection
> support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
> EXAMPLE.ORG
> support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
> to dc1.example.org
> support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
> kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
> to dc2.example.org
>
> etc., and no problems.
>
> 2014-08-21 14:54 GMT+04:00 Pavel Timofeev <timp87_at_gmail.com>:
>>
>> Group name in config is OCS-DenyInternet-G of course.
>>
>> 2014-08-21 14:48 GMT+04:00 Pavel Timofeev <timp87_at_gmail.com>:
>>>
>>> Hi!
>>> Please help.
>>> I've been using squid 3.3.11 on FreeBSD 10 for a year.
>>> I have AD and kerberos authentication. Squid checks DenyInternet
>>> group membership through kerberos_ldap_group. My domain example.org
>>> has subdomains like south.example.org, west.example.org, etc. All
>>> users use proxy.example.org.
>>> Everything works fine. Here is the config:
>>>
>>> auth_param negotiate program
>>> /usr/local/libexec/squid/negotiate_kerberos_auth -s
>>> HTTP/proxy.example.org_at_EXAMPLE.ORG
>>> auth_param negotiate children 100 startup=30 idle=5
>>> auth_param negotiate keep_alive
>>>
>>> external_acl_type no_inet_users ttl=3600 negative_ttl=3600
>>> children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
>>> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
>>> DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass
>>>
>>> Now I'm trying to migrate to squid 3.4.6. Same config.
>>> I've encountered a problem: kerberos_ldap_group stopped working
>>> with subdomain users like user_at_south.example.org, while it still works
>>> with user_at_example.org.
>>> In general it started to complain "ERROR: Error during setup of
>>> Kerberos credential cache" in cache.log.
>>> When I turn on debugging I get this:
>>>
>>> kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
>>> SOUTH.EXAMPLE.ORG
>>> support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: User domain loop: group_at_domain
>>> OCS-DenyInternet-G_at_NULL
>>> support_member.cc(83): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Default domain loop: group_at_domain
>>> OCS-DenyInternet-G_at_NULL
>>> support_member.cc(111): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Default group loop: group_at_domain
>>> OCS-DenyInternet-G_at_NULL
>>> support_member.cc(113): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Found group_at_domain OCS-DenyInternet-G_at_NULL
>>> support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
>>> support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Get default keytab file name
>>> support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Got default keytab file name
>>> /usr/local/etc/squid/squid.keytab
>>> support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Get principal name from keytab
>>> /usr/local/etc/squid/squid.keytab
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
>>> support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Set credential cache to
>>> MEMORY:squid_ldap_13729
>>> support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Did not find a principal in keytab for
>>> domain SOUTH.EXAMPLE.ORG.
>>> support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
>>> support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Keytab entry has principal:
>>> HTTP/proxy.example.org_at_EXAMPLE.ORG
>>> support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Found trusted principal name:
>>> HTTP/proxy.example.org_at_EXAMPLE.ORG
>>> support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: Got no principal name
>>> support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: ERROR: Error during setup of Kerberos credential
>>> cache
>>> support_member.cc(124): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: INFO: User ptimofeev is not member of
>>> group_at_domain OCS-DenyInternet-G_at_NULL
>>> kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53|
>>> kerberos_ldap_group: DEBUG: ERR
>
>
>
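As an added illustration (not Squid's code): a hypothetical, simplified model of the keytab scan the quoted log lines describe, showing how a stray safe_free() on the trusted-domain fallback yields "Got no principal name" for a SOUTH.EXAMPLE.ORG user while an EXAMPLE.ORG user still gets a principal. The sample keytab entries, select_principal() and the premature_free flag are constructed assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same idiom as the helper's safe_free(): free and clear the pointer. */
#define safe_free(p) do { free(p); (p) = NULL; } while (0)

/* Constructed sample keytab, modelled on the principals in the log above. */
static const char *KEYTAB[] = {
    "host/proxy.example.org@EXAMPLE.ORG",
    "HTTP/proxy.example.org@EXAMPLE.ORG",
};
#define KEYTAB_LEN (sizeof(KEYTAB) / sizeof(KEYTAB[0]))

/* 1 if the realm after '@' in principal equals realm. */
static int realm_matches(const char *principal, const char *realm) {
    const char *at = strchr(principal, '@');
    return at != NULL && strcmp(at + 1, realm) == 0;
}

/* Hypothetical model of the scan: prefer an HTTP/ principal in the user's
 * realm; otherwise fall back to any HTTP/ principal ("trusted domain").
 * premature_free != 0 reproduces the 3.4.6 defect: the fallback result is
 * freed before it is returned, so the caller sees no principal at all. */
char *select_principal(const char *user_domain, int premature_free) {
    char *principal_name = NULL;
    for (size_t i = 0; i < KEYTAB_LEN && principal_name == NULL; i++)
        if (strncmp(KEYTAB[i], "HTTP/", 5) == 0 && realm_matches(KEYTAB[i], user_domain))
            principal_name = strdup(KEYTAB[i]);
    if (principal_name == NULL) {
        /* "Try to get principal of trusted domain." */
        for (size_t i = 0; i < KEYTAB_LEN && principal_name == NULL; i++)
            if (strncmp(KEYTAB[i], "HTTP/", 5) == 0)
                principal_name = strdup(KEYTAB[i]);
        if (premature_free)
            safe_free(principal_name);  /* the stray safe_free(principal_name) */
    }
    return principal_name;              /* NULL means "Got no principal name" */
}

int main(void) {
    for (int bug = 1; bug >= 0; bug--) {
        char *p = select_principal("SOUTH.EXAMPLE.ORG", bug);
        printf("%s: %s\n", bug ? "3.4.6 behaviour" : "fixed",
               p ? p : "Got no principal name");
        free(p);
    }
    return 0;
}
```

Note that in the quoted log the failed credential-cache setup ends with the helper answering ERR, which the deny-group ACL in the config reads as "not a member", so the DenyInternet check fails open for affected subdomain users until the helper is fixed.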
Received on Mon Aug 25 2014 - 19:45:14 MDT
