[squid-users] ext_kerberos_ldap_group_acl problem
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 24 13:02:35 UTC 2016
Hello Dia,
Thank you for the reply,
So, can this be an “MIT” Kerberos or Heimdal thing?
I'm using Samba4 for the AD DC and that uses Heimdal.
Even though the logs say:
"Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database".
I'm using NFSv4 over Kerberos, SSH over Kerberos and Squid user auth already, and that is working fine (on the same server).
I don't have/use kadmin, since Samba is my KDC.
The only thing I can think of besides MIT or Heimdal is that I use a dedicated user, which has the SPN for my proxy server.
A snippet from my krb5.conf:
[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
Best regards,
Louis
From: Diogenes S. Jesus [mailto:splash at gmail.com]
Sent: Wednesday 24 August 2016 13:29
To: L.P.H. van Belle
CC: squid-users at squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem
Hi there.
Well, the log says "Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database".
Check in your krb5.conf on the squid host that you're pointing to the right KDC, and make sure the principal exists in the Kerberos database.
kadmin.local and "getprinc HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD" should yield the same error if the principal doesn't exist.
Dio
On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:
Hai,
I'm having trouble getting ext_kerberos_ldap_group_acl working.
I've read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
Here is what I have checked/done already.
My keytab file:
klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)
The auth I'm using (which is working fine):
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
For testing I'm starting the group ACL on the command line:
/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d
kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail@YOUR.REALM.TLD
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.
When I test with the user and group now:
testuser internet-mail
kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-mail@YOUR.REALM.TLD
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD' not found in Kerberos database
support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-mail@YOUR.REALM.TLD
support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-mail@YOUR.REALM.TLD
ERR
kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR
I don't see what I'm missing here.
I'm running Debian Jessie; LDAP is set up for SSL, Samba 4.4.5 and Squid 3.5.19.
I did see something about Kerberos and groups, but I can't find that post.
So, anyone have any suggestion/tip on how to debug this, or why I'm getting “Error while initializing credentials from keytab”?
Greetz,
Louis
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--
--------
Diogenes S. de Jesus
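The checks the thread arrives at (is the keytab principal the one the helper will use, does the KDC actually know that name as a client, and are the keys usable) can be scripted. The block below is an added example, not code from the thread or from the Squid project; the keytab path, principal and the `klist -ekt` text inside it are constructed to mirror the listing above and are assumptions, not data from the poster's host. It parses `klist -ekt` output, marks single-DES keys, confirms the expected principal is present, and wraps the live `kinit -k` test that reproduces the same AS-REQ the helper issues from the keytab.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# KEYTAB path, principal name and the klist sample are assumptions/constructed.

# Constructed sample of `klist -ekt` output, same shape as the thread's listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD (arcfour-hmac)'

# keytab_report: read `klist -ekt` text on stdin, print one line per key:
#   "<principal> <enctype> <WEAK|ok>"
# Single-DES keys are marked WEAK: MIT krb5 refuses them by default unless
# allow_weak_crypto = true, so such entries are both insecure and unusable.
# Assumes the two-field "date time" timestamp layout that -t prints.
keytab_report() {
    awk '$1 ~ /^[0-9]+$/ {
        enc = $5; gsub(/[()]/, "", enc)
        print $4, enc, (enc ~ /^des-cbc-(crc|md4|md5)$/ ? "WEAK" : "ok")
    }'
}

# keytab_principals: distinct principal names present in the keytab text on stdin.
keytab_principals() {
    keytab_report | awk '{ print $1 }' | sort -u
}

# has_principal PRINCIPAL: succeed if the keytab text on stdin holds PRINCIPAL.
# Use it to confirm the keytab matches the -s value given to negotiate_kerberos_auth.
has_principal() {
    keytab_principals | grep -qxF "$1"
}

# check_keytab_live KEYTAB PRINCIPAL: the live test; needs a reachable KDC.
# `kinit -k -t` (MIT kinit syntax) requests a TGT with the keytab key into a
# throwaway MEMORY: cache, which is what the helper does internally. A
# "Client ... not found in Kerberos database" here means the KDC does not know
# that name as a client principal, whatever klist shows locally.
check_keytab_live() {
    KRB5CCNAME="MEMORY:keytab-check-$$" kinit -k -t "$1" "$2" && echo "KDC accepted $2"
}

# Offline demo on the constructed sample: two WEAK lines, one ok line.
printf '%s\n' "$SAMPLE_KLIST" | keytab_report
```

On the real host run `klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP | keytab_report` and then `check_keytab_live /etc/squid/keytab.PROXYSERVER-HTTP HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD` as the squid user; if the second step fails with the thread's error, the keytab is fine and the question moves to the DC. With Samba as the KDC there is no kadmin, but `samba-tool spn list <account>` on the DC shows which SPNs are registered on the proxy account, and `samba-tool domain exportkeytab --principal=HTTP/hostname.internet.domain.tld@YOUR.REALM.TLD <file>` regenerates the keytab from the DC's current keys, which also replaces the single-DES entries above with what the account actually supports.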