[squid-users] ext_kerberos_ldap_group_acl problem (2 minor bugs maybe)

L.P.H. van Belle belle at bazuin.nl
Wed Aug 24 14:58:31 UTC 2016


Ok, reply to myself so other users know this also.

If you create a user for the HTTP service and you don't use msktutil but, like me, samba-tool or something else:

Read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.

And the clue for me was this line:

Squid "login" to Windows Active Directory or Unix kdc as user <HTTP/<fqdn-squid>@DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalName set to <HTTP/<fqdn-squid>@DOMAIN.COM> for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool.

The samba-tool setup for squid I used was as follows:

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in:

My UPN was set to username@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
         HTTP/proxy.internal.domain.tld
         HTTP/proxy.internal.domain.tld@YOUR.REALM.T

 

 

Now I changed my UPN from username@internal.domain.tld to the SPN name HTTP/proxyserver.internal.domain.tld@REALM.

That solved my initial problem.

In my opinion this should be changed to search for the SPN in ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

I already have: TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
which contains the needed certs.

Did I find 2 small bugs here?
Or is this a "Debian" related thing?

 

 

Debug output.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail@YOUR.REALM.TLD -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail@YOUR.REALM.TLD
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@YOUR.REALM.TLD
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list
support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@YOUR.REALM.TLD
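As an added preflight check for the two problems described in the post above (not code from the post, from Squid or from Samba): it reads the helper's -d output, compares the principal the helper took from the keytab against the service account's userPrincipalName and servicePrincipalName (the wiki requirement quoted earlier), reports the missing _ldaps SRV record and the CA-file mismatch between the helper's default and ldap.conf TLS_CACERT, and emits the LDIF that sets the UPN to the keytab principal. The log lines and the account attributes are constructed from the post; the regexes and the assumption that the helper honours TLS_CACERTFILE as its own log line says are the author's.

```python
import re

# Constructed sample of the helper's debug output, modelled on the lines
# quoted in the post (not a real capture).
SAMPLE_LOG = """\
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
"""

# Constructed picture of the account as samba-tool leaves it: UPN is
# user@domain, the HTTP SPN was added with "samba-tool spn add".
SAMPLE_ACCOUNT = {
    "dn": "CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld",
    "userPrincipalName": "squid1-service@internal.domain.tld",
    "servicePrincipalName": ["HTTP/proxy.internal.domain.tld"],
}

# Regexes are assumptions about the helper's log wording as quoted in the post.
PRINCIPAL_RE = re.compile(r"Found principal name: (\S+)")
UNKNOWN_SRV_RE = re.compile(r"Unknown service record: (\S+)")
CAFILE_RE = re.compile(r"Set certificate file for ldap server to (\S+?)\.\(Changeable")
STARTTLS_RE = re.compile(r"Error while setting start_tls for ldap server: (.+)$")


def parse_helper_log(text):
    """Extract the facts the checks need from ext_kerberos_ldap_group_acl -d output."""
    facts = {"principal": None, "unknown_srv": [], "cafile": None, "starttls_errors": []}
    for line in text.splitlines():
        if m := PRINCIPAL_RE.search(line):
            facts["principal"] = m.group(1)
        elif m := UNKNOWN_SRV_RE.search(line):
            facts["unknown_srv"].append(m.group(1))
        elif m := CAFILE_RE.search(line):
            facts["cafile"] = m.group(1)
        elif m := STARTTLS_RE.search(line):
            facts["starttls_errors"].append(m.group(1).strip())
    return facts


def check_setup(facts, account, ldap_conf_cacert=None):
    """Compare what the helper actually used with the account and TLS configuration.
    Returns a list of (severity, message) findings, in check order."""
    findings = []
    principal = facts["principal"]
    upn = account.get("userPrincipalName")
    if principal and upn != principal:
        findings.append(("ERROR", f"keytab principal {principal} != userPrincipalName {upn}; "
                                  f"the wiki requires the UPN to equal the HTTP principal"))
    spn = principal.split("@", 1)[0] if principal else None
    if spn and spn not in account.get("servicePrincipalName", []):
        findings.append(("ERROR", f"servicePrincipalName {spn} missing on {account['dn']}"))
    for srv in facts["unknown_srv"]:
        findings.append(("WARN", f"no SRV record {srv}; helper falls back to _ldap._tcp + start_tls"))
    if facts["starttls_errors"]:
        findings.append(("ERROR", "start_tls failed: " + "; ".join(sorted(set(facts["starttls_errors"])))))
    if facts["cafile"] and ldap_conf_cacert and facts["cafile"] != ldap_conf_cacert:
        findings.append(("WARN", f"helper verifies the LDAP server with {facts['cafile']} but ldap.conf "
                                 f"TLS_CACERT is {ldap_conf_cacert}; export TLS_CACERTFILE={ldap_conf_cacert}"))
    return findings


def upn_fix_ldif(dn, principal):
    """LDIF modify that sets userPrincipalName to the keytab principal (apply with ldbmodify/ldapmodify)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userPrincipalName\n"
            f"userPrincipalName: {principal}\n")


if __name__ == "__main__":
    facts = parse_helper_log(SAMPLE_LOG)
    for sev, msg in check_setup(facts, SAMPLE_ACCOUNT, ldap_conf_cacert="/etc/ssl/certs/ca-certificates.crt"):
        print(f"{sev}: {msg}")
    print(upn_fix_ldif(SAMPLE_ACCOUNT["dn"], facts["principal"]))
```

Run it against a real capture by feeding the helper's stderr into parse_helper_log and the output of samba-tool spn list (plus the account's UPN) into the account dict; once the UPN matches the keytab principal the first ERROR disappears, and exporting TLS_CACERTFILE to the bundle named in ldap.conf removes the CA-file WARN.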
