[squid-users] kerberos authentication with kerberos groups

Jeroen Ruijter jeroen.ruijter at borsboomhamm.nl
Fri Feb 16 13:02:12 UTC 2018


I'm trying to replace my basic LDAP authentication with Kerberos single sign-on.
The user can successfully log in with single sign-on, but I have a restriction on groups and that is where it goes wrong.
I would like to use -r to trim the domain name, but when I do so it seems to work even less.
Does anyone have ideas what to try? I believe the system is looking in the wrong place in Active Directory, but adding -b OU=Users,DC=yyy,DC=local does not help me further.

=======

auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g AD_XXX_InternetAllowed@yyy.LOCAL -d
external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g ADGroupRestrictedAdult@yyy.LOCAL -d

acl XXX_InternetAllowed external XXX_InternetAllowed
acl XXX_Adult external XXX_Adult

acl XXX_AdultX dstdomain .alternate.com .brood.nl .broodnodig.nl

acl localnet src xxx.xxx.xxx.0/24
acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny auth !XXX_InternetAllowed
http_access deny XXX_Adult XXX_AdultX
http_access allow localnet
http_access allow localhost
http_access deny all

========

support_member.cc(63): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: User domain loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(65): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_ldap.cc(898): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_7612
support_krb5.cc(138): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: hosts/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name hosts/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'hosts/lnx01.yyy.local@YYY.LOCAL' not found in Kerberos database
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: HTTP/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name HTTP/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(269): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YYY.LOCAL
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 1 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 2 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 3 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 4 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 5 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 6 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(407): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Adding YYY.LOCAL to list
support_resolv.cc(443): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YYY.LOCAL:
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad01.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad02.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: YYY.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ad01.yyy.local:389
support_ldap.cc(953): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server ad01.yyy.local:389
support_ldap.cc(333): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(91): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default domain loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(119): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default group loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
kerberos_ldap_group.cc(416): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: ERR

regards Jeroen Ruijter
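Added triage helper (example code, not part of the post and not part of Squid): it parses the `-d` output of ext_kerberos_ldap_group_acl as quoted above and names the first stage that failed, so a keytab principal that the KDC rejects is not confused with the later failure of the Active Directory schema probe. The log line shape, the stage names and the sample lines are assumptions modelled on the post's output.

```python
import re

# One "ext_kerberos_ldap_group_acl -d" line: support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name ...
LINE_RE = re.compile(r"^(?P<src>\S+): pid=(?P<pid>\d+) :(?P<ts>.+?)\| "
                     r"kerberos_ldap_group: (?P<level>\w+): (?P<msg>.*)$")

def parse_line(line):
    """Split one helper log line into src/pid/ts/level/msg; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None
def triage(lines):
    """Walk the helper output in order and name the first stage that failed (stage names are this example's own)."""
    out = {"principal_rejected": [], "creds_ok": False, "ldap_servers": [],
           "bound_to": None, "ad_detected": True, "errors": [], "verdict": None}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "ERROR":
            out["errors"].append(msg)
        if m := re.search(r"Client '([^']+)' not found in Kerberos database", msg):
            out["principal_rejected"].append(m.group(1))   # keytab entry the KDC does not know
        elif msg == "Stored credentials":
            out["creds_ok"] = True                           # some keytab entry did work
        elif m := re.match(r"Host: (\S+) Port: (\d+)", msg):  # the "Port: -1" realm pseudo-entry does not match
            out["ldap_servers"].append(m.group(1))
        elif m := re.match(r"Successfully initialised connection to ldap server (\S+)", msg):
            out["bound_to"] = m.group(1)
        elif msg.startswith("Determined ldap server not as an Active Directory server"):
            out["ad_detected"] = False                       # schema probe for sAMAccountName failed
        elif m := re.match(r"User (\S+) is not member of group@domain (\S+)", msg):
            out["verdict"] = ("DENY", m.group(1), m.group(2))
    # First failing stage, in the order the helper runs them.
    checks = [("keytab", not out["creds_ok"]), ("ldap_connect", out["bound_to"] is None),
              ("ad_schema_probe", not out["ad_detected"]), ("membership", out["verdict"] is not None)]
    out["failed_stage"] = next((name for name, failed in checks if failed), None)
    return out

# Constructed sample in the shape of the post's log, with the list archive's "at" written back as "@".
SAMPLE = """\
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'hosts/lnx01.yyy.local@YYY.LOCAL' not found in Kerberos database
support_krb5.cc(269): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Stored credentials
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad01.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: YYY.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(967): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server ad01.yyy.local:389
support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain AD_XXX_InternetAllowed@YYY.LOCAL
""".splitlines()
```

Run `triage(SAMPLE)["failed_stage"]` on the sample and it reports `ad_schema_probe`: the rejected hosts/ principal was only a warning sign, because the HTTP/ entry did obtain credentials and the LDAP bind succeeded.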
