[squid-users] ext_kerberos_ldap_group_acl problem

L.P.H. van Belle belle at bazuin.nl
Wed Aug 24 13:02:35 UTC 2016 

Hello Dia, 

 

Thank you for the reply,  

 

So, can this be a “MIT” kerberos of HEIMDAL thing. 

Im use Samba4 for ADDC and that uses heimdal. 

 

Even that the logs says : 

"Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database". 

 

Im using NFSv4 over kerberos, ssh over kerberos, squid user auth already and that is working fine. ( on the same server ) 

I dont have/use kadmin, since samba is my KDC. 

 

The only thing i can think of besides MIT or HEIMDAL is that i use a dedicated user, which is having the SPN for my proxy server. 

 

A snip from my krb5.conf 

[libdefaults]

    default_realm = YOUR.REALM.TLD

    dns_lookup_kdc = true

    dns_lookup_realm = false

 

 

Best regards, 

 

Louis

 

 

 

 


Van: Diogenes S. Jesus [mailto:splash at gmail.com] 
Verzonden: woensdag 24 augustus 2016 13:29
Aan: L.P.H. van Belle
CC: squid-users at squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem


 

Hi there.

 


Well, the log says "Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database". 

 


Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database.


kadmin.local and "getprinc HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD" should yield the same error if the principal doesn't exist.


 


Dio




 

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai, 

 

Im having trouble to get the ext_kerberos_ldap_group_acl  working. 

 

I’ve read : http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

 

Here is what i have checked / done already. 

 

My keytab file : 

klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP

Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP

KVNO Timestamp           Principal

---- ------------------- ------------------------------------------------------

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (des-cbc-crc)

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (des-cbc-md5)

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD (arcfour-hmac)

   

 

The auth im using ( which is working fine )

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \

--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD \

--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

 

For testing im starting on commandline the group acl: 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail at NTDOMAIN -m 4 -s -i –d

 

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq

support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-mail at YOUR.REALM.TLD

support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD

support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail at NTDOMAIN

support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN

support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL

support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

 

when i test with the user group now. 

 

testuser internet-mail

 

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD

kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD

support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group at domain internet-mail at YOUR.REALM.TLD

support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache

support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722

support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name

support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD

support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD

support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD

support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.

support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.

support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD

support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain.tld at YOUR.REALM.TLD' not found in Kerberos database

support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name

support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache

support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group at domain internet-mail at YOUR.REALM.TLD

ERR

kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR

 

 

I dont see what im missing here. 

I’m running Debian Jessie, ldap is setup for SSL, samba 4.4.5 and squid 3.5.19. 

 

I did see something about kerberos and groups but i can find that post. 

So anyone any suggestion/tip howto debug this or why im getting “Error while initializing credentials from keytab”

 

Greetz, 

 

Louis

 

 




_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users






 


-- 


--------

Diogenes S. de Jesus






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160824/490795fc/attachment-0001.html>

More information about the squid-users mailing list