<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=Generator content="Microsoft Word 11 (filtered medium)">
<STYLE>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.E-mailStijl17
{mso-style-type:personal;
font-family:Arial;
color:navy;}
span.E-mailStijl18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</STYLE>
</HEAD>
<BODY lang=NL dir=ltr vLink=blue link=blue>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV> I would say they are bugs. The first “issue” is as you say
more about understanding the difference between UPN and SPN and how the tools
use them. The helper tries to “authenticate” squid to AD as a user with
the found SPN name, so the UPN must be the same as the SPN. There is no
easy way to query what the UPN for the SPN is. </DIV>
<DIV> </DIV>
<DIV> Also msktutil (my preferred tool) creates a machine account not a
user account in AD. The reason I prefer this is that often user accounts have a
global password policy e.g. change every 60 days otherwise it will be locked.
Machine accounts do not have that limitation. But as I said it is just my
preference. </DIV>
<DIV> </DIV>
<DIV> Regarding the certificate check I do not use any ldap.conf
settings. I require an <FONT color=#000000>export
TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file.
Maybe in the next version I will see how I can determine the right ldap.conf file and
check if the CACERTFILE variable is already set.</FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Kind regards</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
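<DIV>Added example, not part of the reply above and not Squid project code: a shell pre-flight check for the two points in that reply, namely that the service account's userPrincipalName equals a principal in the helper's keytab, and which CA file the helper will use. The klist and LDIF samples are constructed and the function names are hypothetical.</DIV>
<PRE>
```shell
#!/bin/sh
# Added example: offline checks for a Squid Kerberos/LDAP helper setup.
# All sample input below is constructed; function names are hypothetical.

# Default CA file reported in the helper's debug output when
# TLS_CACERTFILE is not exported.
DEFAULT_CACERT=/etc/ssl/certs/cert.pem

# Print each principal from `klist -k` output read on stdin.
# Everything up to the "----" separator line is header text.
keytab_principals() {
    awk 'seen == 1 { if (NF != 0) print $2 } /^----/ { seen = 1 }' | sort -u
}

# Print the userPrincipalName value from LDIF (ldapsearch output) on stdin.
ldif_upn() {
    awk -F': ' 'tolower($1) == "userprincipalname" { print $2; exit }'
}

# Lower-case a string. Assumption: the directory matches UPNs
# case-insensitively, so the comparison below does the same.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# $1 = klist -k output, $2 = LDIF of the service account.
# Returns 0 if the UPN equals a keytab principal, 1 if it does not,
# 2 if the LDIF carries no userPrincipalName at all.
upn_matches_keytab() {
    upn=$(printf '%s\n' "$2" | ldif_upn)
    if [ -z "$upn" ]; then return 2; fi
    want=$(lower "$upn")
    for p in $(printf '%s\n' "$1" | keytab_principals); do
        if [ "$(lower "$p")" = "$want" ]; then return 0; fi
    done
    return 1
}

# CA file the helper will use: TLS_CACERTFILE if exported, else the default.
helper_cacert() {
    printf '%s\n' "${TLS_CACERTFILE:-$DEFAULT_CACERT}"
}

# Returns 0 only if that CA file exists and is readable.
cacert_ok() {
    [ -r "$(helper_cacert)" ]
}

# Constructed sample: keytab holding the HTTP service principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Principal
---- --------------------------------------------------------------
   2 HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD'

# Constructed sample: account as created with a user-style UPN.
LDIF_BEFORE='dn: CN=squid1-service,OU=Service-Accounts,DC=example
userPrincipalName: squid1-service@internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld'

# Constructed sample: the same account after the UPN was set to the SPN.
LDIF_AFTER='dn: CN=squid1-service,OU=Service-Accounts,DC=example
userPrincipalName: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
servicePrincipalName: HTTP/proxy.internal.domain.tld'

for label in before after; do
    if [ "$label" = before ]; then ldif=$LDIF_BEFORE; else ldif=$LDIF_AFTER; fi
    if upn_matches_keytab "$SAMPLE_KLIST" "$ldif"; then
        echo "$label: UPN matches a keytab principal"
    else
        echo "$label: UPN does not match any keytab principal"
    fi
done

if cacert_ok; then
    echo "CA file $(helper_cacert) is readable"
else
    echo "CA file $(helper_cacert) is missing: export TLS_CACERTFILE"
fi
```
</PRE>
<DIV>On a live system the first argument would come from klist -k on the keytab and the second from an LDAP search for the service account.</DIV>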
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV>"L.P.H. van Belle" &lt;belle@bazuin.nl&gt; wrote in message
news:vmime.57bdb617.37c8.575130a1134f9a07@ms249-lin-003.rotterdam.bazuin.nl...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV class=Section1>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Ok reply to myself so
other users know this also.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">If you create a user
for the HTTP services and you don't use </SPAN></FONT><FONT color=black><SPAN
lang=EN style="COLOR: black">msktutil but like me samba-tool or something else.
</SPAN></FONT><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Read :
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><A
href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</A>
carefully. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">and the clue was this
line for me. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Squid "login" to
Windows Active Directory or Unix kdc as user
&lt;HTTP/&lt;fqdn-squid&gt;@DOMAIN.COM&gt;. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">This requires Active
Directory to have an <U>attribute userPrincipalname</U> set to
&lt;HTTP/&lt;fqdn-squid&gt;@DOMAIN.COM&gt;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">for the associated
account. This is usually done by using msktutil. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">But this is not done by
samba-tools <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">The samba-tool setup for
squid I used was as follows. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool user create
squid1-service --description="Unprivileged user for SQUID1-Proxy Services"
--random-password <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool user
setexpiry squid1-service --noexpiry<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool spn add
HTTP/proxy.internal.domain.tld squid1-service<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now this results in :
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">My UPN was set to the
<A>username@internal.domain.tld</A> ( as it should ).
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">My SPN was set to
<A>HTTP/proxyserver.internal.domain.tld@REALM</A> ( as it should )
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool spn list
squid1-service <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">squid1-service<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">User
CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the
following servicePrincipalName:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">
HTTP/proxy.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">
<A>HTTP/proxy.internal.domain.tld@YOUR.REALM.T</A><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now I changed my UPN
from username@internal.domain.tld to the (SPN name)
<A>HTTP/proxyserver.internal.domain.tld@REALM</A> <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Solved my initial
problem. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">This should, in my
opinion, be changed to search for the SPN in
ext_kerberos_ldap_group.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now I have LDAPS
messages, see below, I'm adding the _ldaps SRV records now, but I don't get why I'm
getting: <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">I'm already having:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Which contains the
needed certs.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Did I find 2 small bugs
here? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Or is this a “Debian”
related thing? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Debug output.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">/usr/lib/squid3/ext_kerberos_ldap_group_acl
-g internet-mail@YOUR.REALM.TLD -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s
-i -d<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(278):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version
1.3.1sq<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_group.cc(382):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list
internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_group.cc(447):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group
internet-mail Domain YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_netbios.cc(83):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list
internet-mail@NTDOMAIN<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_netbios.cc(156):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name
internet-mail Domain NTDOMAIN<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_lserver.cc(82):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list
NULL<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_lserver.cc(86):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers
defined.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">testuser
internet-mail<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(371):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set
default domain: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(376):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser
Domain: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(63):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop:
group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(65):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain
internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(898):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos
credential cache<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(127):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache
to MEMORY:squid_ldap_6902<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(138):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab
file name<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(144):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab
file name /etc/squid/keytab.PROXYSERVER-HTTP<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(158):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name
from keytab /etc/squid/keytab.PROXYSERVER-HTTP<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(169):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has
realm name: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(181):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(196):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(260):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored
credentials<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(927):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap
connection<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(931):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap
servers<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(933):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap
server name for domain YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(289):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving
service record _ldaps._tcp.YOUR.REALM.TLD with
res_search<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(71):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown
service record: _ldaps._tcp.YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(379):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV
_ldap._tcp.YOUR.REALM.TLD record to
samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(379):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV
_ldap._tcp.YOUR.REALM.TLD record to
samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(407):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD
to list<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(443):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server
names for domain YOUR.REALM.TLD:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host:
samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight:
100<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host:
samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight:
100<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD
Port: -1 Priority: -2 Weight: -2<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server samba-dc1.internal.domain.tld:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server samba-dc2.internal.domain.tld:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server YOUR.REALM.TLD:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(979):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during
initialisation of ldap connection: No such file or
directory<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(1048):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during
initialisation of ldap connection: No such file or
directory<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(76):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not
member of group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(91):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop:
group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(119):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop:
group@domain <A>internet-mail@YOUR.REALM.TLD</A><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P></DIV>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>