[squid-users] ext_kerberos_ldap_group_acl problem
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 24 11:03:26 UTC 2016
Hai,
Im having trouble to get the ext_kerberos_ldap_group_acl working.
I’ve read : http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
Here is what i have checked / done already.
My keytab file :
klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (des-cbc-crc)
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (des-cbc-md5)
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (arcfour-hmac)
The auth im using ( which is working fine )
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
For testing im starting on commandline the group acl:
/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail at NTDOMAIN -m 4 -s -i –d
kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail at YOUR.REALM.TLD
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail at NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.
when i test with the user group now.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group at domain internet-mail at YOUR.REALM.TLD
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group at domain internet-mail at YOUR.REALM.TLD
ERR
kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR
I dont see what im missing here.
I’m running Debian Jessie, ldap is setup for SSL, samba 4.4.5 and squid 3.5.19.
I did see something about kerberos and groups but i can find that post.
So anyone any suggestion/tip howto debug this or why im getting “Error while initializing credentials from keytab”
Greetz,
Louis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160824/8c361e39/attachment-0001.html>
More information about the squid-users
mailing list