[squid-users] Kerberos Ne

erdosain9 erdosain9 at gmail.com
Thu Sep 29 21:02:46 UTC 2016


Hi.
Yes, I see this now.

It's strange... authentication is working fine... I can surf the web... but
I'm having some errors in cache.log...

tail -f /var/log/squid/cache.log
2016/09/29 15:43:37 kid1| Adding nameserver 192.168.1.10 from squid.conf
2016/09/29 15:43:37 kid1| Adding nameserver 192.168.1.6 from squid.conf
2016/09/29 15:43:37 kid1| helperOpenServers: Starting 5/32 'ssl_crtd'
processes
2016/09/29 15:43:37 kid1| helperOpenServers: Starting 0/10
'negotiate_kerberos_auth' processes
2016/09/29 15:43:37 kid1| helperStatefulOpenServers: No
'negotiate_kerberos_auth' processes needed.
2016/09/29 15:43:37 kid1| helperOpenServers: Starting 5/5
'ext_kerberos_ldap_group_acl' processes
2016/09/29 15:43:38 kid1| helperOpenServers: Starting 5/5
'ext_kerberos_ldap_group_acl' processes
2016/09/29 15:43:38 kid1| HTCP Disabled.
2016/09/29 15:43:38 kid1| Finished loading MIME types and icons.
2016/09/29 15:43:38 kid1| Accepting SSL bumped HTTP Socket connections at
local=192.168.1.12:3128 remote=[::] FD 49 flags=9
2016/09/29 15:44:15 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:15 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
support_krb5.cc(64): pid=11755 :2016/09/29 15:44:15| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed
support_krb5.cc(64): pid=11755 :2016/09/29 15:44:15| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed
support_krb5.cc(64): pid=11755 :2016/09/29 15:44:15| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
2016/09/29 15:44:27 kid1| Starting new negotiateauthenticator helpers...
2016/09/29 15:44:27 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
support_krb5.cc(64): pid=11760 :2016/09/29 15:45:03| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed
support_krb5.cc(64): pid=11760 :2016/09/29 15:45:03| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed
support_krb5.cc(64): pid=11760 :2016/09/29 15:45:03| kerberos_ldap_group:
ERROR: Error while initialising credentials from keytab : Preauthentication
failed


This is access.log

1475174886.981     23 192.168.1.121 TCP_MEM_HIT/200 3993 GET
http://images.clarin.com/deportes/Boca-Lanus_CLAVID20160928_0082_32.jpg
user1 at EXAMPLE.LAN HIER_NONE/- image/jpeg
1475174886.994     41 192.168.1.121 TCP_MEM_HIT/200 4601 GET
http://images.clarin.com/deportes/penales-dieron-triunfo-Boca_CLAVID20160928_0085_32.jpg
user1 at EXAMPLE.LAN HIER_NONE/- image/jpeg
1475174887.124    148 192.168.1.121 TCP_MISS/200 19321 GET
http://images.clarin.com/politica/Bonafini-Cesar-Milani-Asociacon-Madres_CLAIMA20160622_0266_47.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174887.139    182 192.168.1.121 TCP_MISS/200 4389 GET
http://images.clarin.com/extrashow/Cristian-Castro-winner_CLAVID20160929_0011_32.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174887.280    288 192.168.1.121 TCP_MISS/200 20143 GET
http://images.clarin.com/politica/Macri-Tecnopolis-presentar-proyectos-emprendedores_CLAIMA20160821_0007_44.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174887.340    163 192.168.1.121 TCP_MISS/200 5715 GET
http://images.clarin.com/mundo/herida-choque-Nueva-Jersey-AFP_CLAIMA20160929_0106_44.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174887.369    411 192.168.1.121 TCP_MISS/200 29566 GET
http://images.clarin.com/policiales/jefatura-departamental-frente-edificios-publicos_CLAIMA20160408_0426_50.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174887.388     95 192.168.1.121 TCP_MISS/200 5185 GET
http://images.clarin.com/mundo/Hoboken-edificios-Nueva-York-AP_CLAIMA20160929_0127_45.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.099   1141 192.168.1.121 TCP_MISS/200 20771 GET
http://images.clarin.com/politica/Reunion-CGT-Gobierno-Foto-DyN_CLAIMA20160929_0102_43.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.099    963 192.168.1.121 TCP_MISS/200 4238 GET
http://images.clarin.com/politica/Sanfelice-Cristobal-Kirchner-Gallegos-OPI_CLAIMA20160211_0039_49.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.099    682 192.168.1.121 TCP_MISS/200 5958 GET
http://images.clarin.com/politica/Camano-Diputados-Guillermo-Rodriguez-Adami_CLAIMA20160929_0033_44.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.099    722 192.168.1.121 TCP_MISS/200 16558 GET
http://images.clarin.com/politica/Amado-Boudou-clase-magistral-Plata_CLAIMA20160929_0153_43.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.099   1141 192.168.1.121 TCP_MISS/200 16419 GET
http://www.googletagmanager.com/gtm.js? user1 at EXAMPLE.LAN
HIER_DIRECT/216.58.222.136 application/javascript
1475174888.099    740 192.168.1.121 TCP_MISS/200 25190 GET
http://images.clarin.com/mundo/Nueva-Jersey-Tren-estacion-AFP_CLAIMA20160929_0074_46.jpg
user1 at EXAMPLE.LAN HIER_DIRECT/200.42.136.212 image/jpeg
1475174888.247      0 192.168.1.121 TCP_DENIED/407 4159 CONNECT
connect.facebook.net:443 - HIER_NONE/- text/html
1475174888.247      0 192.168.1.121 TCP_DENIED/403 4347 GET
http://www.googleadservices.com/pagead/conversion_async.js - HIER_NONE/-
text/html
1475174888.333   2428 192.168.1.121 TCP_MISS/200 46659 GET
https://cdns.gigya.com/JS/socialize.js? user1 at EXAMPLE.LAN
HIER_DIRECT/23.7.114.199 text/javascript
1475174888.461      0 192.168.1.121 TCP_DENIED/407 4135 CONNECT
api.cxense.com:443 - HIER_NONE/- text/html
1475174888.462      0 192.168.1.121 TCP_DENIED/407 4798 GET
http://fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2
- HIER_NONE/- text/html
1475174888.462      1 192.168.1.121 TCP_MEM_HIT/200 20022 GET
http://www.clarin.com/static/CLAClarinV3/images/spriteHeaderFooter.png
user1 at EXAMPLE.LAN HIER_NONE/- image/png
1475174888.475      6 192.168.1.121 TCP_HIT/200 15166 GET
http://fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2
user1 at EXAMPLE.LAN HIER_NONE/- font/woff2
1475174888.514      0 192.168.1.121 TCP_DENIED/407 4135 CONNECT
cdns.gigya.com:443 - HIER_NONE/- text/html
1475174888.551      0 192.168.1.121 TCP_MEM_HIT/200 1555 GET
http://www.clarin.com/static/CLAClarinV3/images/nav-buscador.png
user1 at EXAMPLE.LAN HIER_NONE/- image/png
1475174888.554      0 192.168.1.121 TCP_MEM_HIT/200 1623 GET
http://www.clarin.com/static/CLAClarinV3/images/nav-str.png
user1 at EXAMPLE.LAN HIER_NONE/- image/png
1475174888.604      0 192.168.1.121 TCP_DENIED/407 4810 GET
http://fonts.gstatic.com/s/droidserif/v6/QQt14e8dY39u-eYBZmppwYlIZu-HDpmDIZMigmsroc4.woff2
- HIER_NONE/- text/html
1475174888.611      0 192.168.1.121 TCP_MEM_HIT/200 764 GET
http://www.clarin.com/static/CLAClarinV3/images/flash-list.png
user1 at EXAMPLE.LAN HIER_NONE/- image/png
1475174888.613      7 192.168.1.121 TCP_HIT/200 26762 GET
http://fonts.gstatic.com/s/droidserif/v6/QQt14e8dY39u-eYBZmppwYlIZu-HDpmDIZMigmsroc4.woff2
user1 at EXAMPLE.LAN HIER_NONE/- font/woff2
1475174888.615      0 192.168.1.121 TCP_MEM_HIT/200 20344 GET
http://www.clarin.com/static/CLAClarinV3/images/spriteNoticias.png
user1 at EXAMPLE.LAN HIER_NONE/- image/png
1475174888.686      0 192.168.1.121 TCP_HIT/200 706 GET
http://www.clarin.com/static/CLAClarinV3/images/colR.gif user1 at EXAMPLE.LAN
HIER_NONE/- image/gif
1475174888.687      0 192.168.1.121 TCP_HIT/200 23254 GET
http://fonts.gstatic.com/s/droidserif/v6/0AKsP294HTD-nvJgucYTaI4P5ICox8Kq3LLUNMylGO4.woff2
user1 at EXAMPLE.LAN HIER_NONE/- font/woff2
1475174888.696      0 192.168.1.121 TCP_HIT/200 15153 GET
http://fonts.gstatic.com/s/roboto/v15/mnpfi9pxYH-Go5UiibESIltXRa8TVwTICgirnJhmVJw.woff2
user1 at EXAMPLE.LAN HIER_NONE/- font/woff2


My config
------------------------

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/squid.example.lan@EXAMPLE.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on


external_acl_type i-limitado ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limitado@EXAMPLE.LAN
external_acl_type i-full ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-full@EXAMPLE.LAN


#GROUPS
acl i-limitado external i-limitado
acl i-full external i-full

I don't understand... why "kerberos_ldap_group: ERROR: Error while
initialising credentials from keytab : Preauthentication failed", if I can
surf the web, SSO is working, and in access.log I can see the user, etc.
Then, in practice, no error is perceived.
But I have this log...





More information about the squid-users mailing list
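
Added example (not part of the original post): a small Python triage script that groups the helper error lines in cache.log by component and PID, and tallies access.log entries by HTTP status and whether a user name was logged, so it is visible which helper emits the error and whether authenticated requests still succeed. The sample log lines are constructed in the format shown in the post, with wrapped lines rejoined and placeholder URLs; the function names are hypothetical.

```python
import re
from collections import Counter

# Helper stderr line as it appears in cache.log:
#   <file>.cc(<line>): pid=<n> :<timestamp>| <component>: <LEVEL>: <message>
HELPER_RE = re.compile(
    r"^\S+\.cc\(\d+\): pid=(?P<pid>\d+) :\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| "
    r"(?P<component>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$")

KEYTAB_ERR = ("kerberos_ldap_group: ERROR: Error while initialising "
              "credentials from keytab : Preauthentication failed")

# Constructed sample input (format taken from the post, lines unwrapped).
CACHE_LOG = "\n".join(
    ["2016/09/29 15:44:15 kid1| Starting new negotiateauthenticator helpers...",
     "2016/09/29 15:44:15 kid1| helperOpenServers: Starting 1/10 "
     "'negotiate_kerberos_auth' processes"]
    + [f"support_krb5.cc(64): pid=11755 :2016/09/29 15:44:15| {KEYTAB_ERR}"] * 3
    + [f"support_krb5.cc(64): pid=11760 :2016/09/29 15:45:03| {KEYTAB_ERR}"] * 3)

# Constructed sample input; URLs and peer address are placeholders.
ACCESS_LOG = """\
1475174886.981 23 192.168.1.121 TCP_MEM_HIT/200 3993 GET http://www.example.com/a.jpg user1@EXAMPLE.LAN HIER_NONE/- image/jpeg
1475174887.124 148 192.168.1.121 TCP_MISS/200 19321 GET http://www.example.com/b.jpg user1@EXAMPLE.LAN HIER_DIRECT/192.0.2.10 image/jpeg
1475174888.247 0 192.168.1.121 TCP_DENIED/407 4159 CONNECT www.example.com:443 - HIER_NONE/- text/html
1475174888.247 0 192.168.1.121 TCP_DENIED/403 4347 GET http://ads.example.net/x.js - HIER_NONE/- text/html
1475174888.475 6 192.168.1.121 TCP_HIT/200 15166 GET http://www.example.com/f.woff2 user1@EXAMPLE.LAN HIER_NONE/- font/woff2
"""

def helper_errors(text):
    """Count helper ERROR lines per (component, pid, message)."""
    counts = Counter()
    for line in text.splitlines():
        m = HELPER_RE.match(line)
        if m and m["level"] == "ERROR":
            counts[(m["component"], int(m["pid"]), m["msg"].strip())] += 1
    return counts

def auth_summary(text):
    """Tally access.log entries by (HTTP status, user logged or not)."""
    tally = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:          # not a native-format access.log entry
            continue
        status = f[3].split("/")[1]
        tally[(status, "user" if f[7] != "-" else "anonymous")] += 1
    return tally

if __name__ == "__main__":
    for key, n in helper_errors(CACHE_LOG).items():
        print(n, key)
    print(dict(auth_summary(ACCESS_LOG)))
```
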