[squid-users] ext_kerberos_ldap_group_acl problem

L.P.H. van Belle belle at bazuin.nl
Wed Aug 24 11:03:26 UTC 2016


Hai,

I'm having trouble getting ext_kerberos_ldap_group_acl working.

I've read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

Here is what I have checked/done already.

My keytab file:

klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)


The auth I'm using (which is working fine):

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN


For testing I'm starting the group ACL helper on the command line:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail@YOUR.REALM.TLD
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.


When I test with the user and group now:

testuser internet-mail

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@YOUR.REALM.TLD
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@YOUR.REALM.TLD
ERR
kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR


I don't see what I'm missing here.

I'm running Debian Jessie; LDAP is set up for SSL, Samba 4.4.5 and Squid 3.5.19.

I did see something about Kerberos and groups, but I can't find that post.

So, anyone have any suggestion/tip on how to debug this, or why I'm getting "Error while initializing credentials from keytab"?

Greetz,

Louis
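A keytab pre-flight check along the lines of what the group helper does before it can talk to LDAP, added here as an example (it is not from the post or from the Squid project): it parses `klist -ekt` output (the sample below is constructed to mirror the post's listing), confirms the principal given to `negotiate_kerberos_auth -s` is in the keytab, flags a keytab that carries only DES/RC4 keys, and, where `kinit` is installed, asks the KDC for a TGT with each keytab principal, which is the step the log shows failing. The MIT `klist` column layout and the keytab path are assumptions.

```shell
#!/bin/sh
# Keytab pre-flight for the Squid Kerberos helpers (added example, not from the post).
# Assumes MIT `klist -ekt` layout: KVNO, date, time, principal, (enctype).
set -eu

# Constructed sample, mirroring the keytab listing in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)'
# Distinct principals in klist text read from stdin (header and separator lines skipped).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}
# Distinct enctypes stored for principal $1, parentheses stripped.
keytab_enctypes() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { gsub(/[()]/, "", $5); print $5 }' | sort -u
}
# Prints 1 if principal $1 has at least one AES key, else 0. DES is disabled by default
# in modern MIT Kerberos (allow_weak_crypto = false) and RC4 is deprecated, so a keytab
# like the post's can be unusable even when the principal itself is fine.
has_strong_enctype() {
    if keytab_enctypes "$1" | grep -q '^aes'; then echo 1; else echo 0; fi
}
# yes/no: is the principal named in squid.conf (negotiate_kerberos_auth -s ...) in the keytab?
# The group helper takes its client principal from the same keytab, so the two should agree.
squid_principal_in_keytab() {
    if keytab_principals | grep -qxF "$1"; then echo yes; else echo no; fi
}
# Repeat the step the helper failed at: request a TGT with each keytab principal.
# Skipped when kinit is not installed, so the script still runs offline.
check_kinit() {   # $1 = keytab path
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found; skipping KDC check"; return 0; }
    klist -ekt "$1" | keytab_principals | while read -r princ; do
        if KRB5CCNAME=MEMORY:keytab_check kinit -kt "$1" "$princ" 2>/dev/null; then
            echo "OK   $princ"
        else
            echo "FAIL $princ: KDC did not issue a TGT for this client name"
        fi
    done
}

# Offline run against the constructed sample (prints the principal, then 0: no AES key).
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
printf '%s\n' "$SAMPLE_KLIST" | has_strong_enctype 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD'
```

Run `check_kinit /etc/squid/keytab.PROXYSERVER-HTTP` on the proxy itself to see which keytab principals the KDC actually recognises as a client.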

 

 
