[squid-users] squid_kerb_group (again)

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Mon, 23 Dec 2013 19:45:16 +0600

Hi.

squid 3.3.11
FreeBSD 10.x

I'm fighting squid_kerb_group; sometimes it gets tricky. Here's where
I'm stuck:

I'm launching this:

===Cut===
KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
export KRB5_KTNAME

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
    -a \
    -m 16 \
    -i \
    -ddd \
    -D NORMA.COM \
    -b cn=Users,dc=norma,dc=com \
    -S hq-gc.norma.com@NORMA.COM \
    -u proxy2 \
    -p XXXXXXXXXXXXXXXXXXX \
    -N SOFTLAB@NORMA.COM \
    -g "Internet Users - Proxy2@"
===Cut===

and getting this:

===Cut===
./squid_kerb_group.sh
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_group.cc(372): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: INFO: Group list Internet Users - Proxy2@
support_group.cc(437): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: INFO: Group Internet Users - Proxy2 Domain
support_netbios.cc(74): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: DEBUG: Netbios list SOFTLAB@NORMA.COM
support_netbios.cc(147): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: DEBUG: Netbios name SOFTLAB Domain NORMA.COM
support_lserver.cc(73): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: DEBUG: ldap server list hq-gc.norma.com@NORMA.COM
support_lserver.cc(137): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: DEBUG: ldap server hq-gc.norma.com Domain NORMA.COM
emz
kerberos_ldap_group.cc(430): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: INFO: Got User: emz set default domain: NORMA.COM
kerberos_ldap_group.cc(435): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: INFO: Got User: emz Domain: NORMA.COM
support_member.cc(55): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: User domain loop: group@domain Internet Users - Proxy2@
support_member.cc(83): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Default domain loop: group@domain Internet Users - Proxy2@
support_member.cc(85): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Found group@domain Internet Users - Proxy2@
support_ldap.cc(810): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(91): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(97): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(111): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Keytab entry has realm name: NORMA.COM
support_krb5.cc(133): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy2.norma.com@NORMA.COM
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(267): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy2.norma.com@NORMA.COM
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(839): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(845): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain NORMA.COM
support_resolv.cc(245): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Ldap server loop: lserver@domain hq-gc.norma.com@NORMA.COM
support_resolv.cc(247): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Found lserver@domain hq-gc.norma.com@NORMA.COM
support_resolv.cc(441): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain NORMA.COM:
support_resolv.cc(443): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Host: hq-gc.norma.com Port: -1 Priority: -2 Weight: -2
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Setting up connection to ldap server hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(891): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0
support_ldap.cc(951): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0
support_member.cc(96): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: INFO: User emz is not member of group@domain Internet Users - Proxy2@
support_member.cc(111): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Default group loop: group@domain Internet Users - Proxy2@
ERR
kerberos_ldap_group.cc(470): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: ERR
===Cut===

However, using this keytab and script, everything is OK when launching
from other servers.

Some additional info: I can successfully use an ldapsearch with a
SASL/GSSAPI bind using this keytab:

===Cut===
# kdestroy
# klist

klist: No ticket file: /tmp/krb5cc_0
# kinit --keytab=/usr/local/etc/squid/squid.keytab HTTP/proxy2.norma.com
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/proxy2.norma.com@NORMA.COM

  Issued Expires Principal
Dec 23 19:37:11 2013 Dec 24 04:37:11 2013 krbtgt/NORMA.COM@NORMA.COM
Dec 23 19:37:17 2013 Dec 24 04:37:11 2013 ldap/hq-gc.norma.com@NORMA.COM

# ldapsearch -H ldap://hq-gc.norma.com:389 -Y GSSAPI -O "maxssf=56" \
    -b "cn=Users,dc=norma,dc=com" -W \
    "(&(sAMAccountname=emz)(memberOf=CN=Internet Users - Proxy1,CN=Users,DC=norma,DC=com))"

Enter LDAP Password: [actually I press Enter here, and the password is
not null - so the keytab is used]
SASL/GSSAPI authentication started
SASL username: HTTP/proxy2.norma.com@NORMA.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=norma,dc=com> with scope subtree
# filter: (&(sAMAccountname=emz)(memberOf=CN=Internet Users - Proxy1,CN=Users,DC=norma,DC=com))
# requesting: ALL
#

# \D0\96\D0\B5\D0\B3\D0\B0\D0\BD\D0\B8\D0\BD \D0\95\D0\B2\D0\B3\D0\B5\D0\BD\D0\B8\D0\B9, Users, norma.com
dn:: Q0490JbQtdCz0LDQvdC40L0g0JXQstCz0LXQvdC40LksQ049VXNlcnMsREM9bm9ybWEsREM9Y
 29t
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
[some more data in LDIF format not showing]
===Cut===

It looks like it's really some local problem, but I cannot figure out
which exactly.

Thanks.
Eugene.
Received on Mon Dec 23 2013 - 13:45:27 MST
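The `-ddd` log above is long, and the line that actually matters (the SASL/GSSAPI bind failing with "Local error") is buried between a successful keytab/credential-cache setup and a misleading trailer ("No error: 0", "User emz is not member of ..."), which only follows because the bind never succeeded. As an added example (not code from the squid project or from the poster), here is a small triage script that walks the helper's record format, notes which setup stages were reached, and reports the first ERROR and the final OK/ERR verdict. The stage names are my own labels for the message sequence visible in the posted log, and the sample log is transcribed from the post with the wrapped lines re-joined and the archive's `_at_` restored to `@`.

```python
"""Triage the -ddd output of squid's ext_kerberos_ldap_group_acl helper.

Added example for this thread, not code from the squid project.  The helper
writes one record per line to stderr in the form

    <file>(<line>): pid=<pid> :<timestamp>| kerberos_ldap_group: <LEVEL>: <msg>

interleaved with the username fed on stdin and the OK/ERR verdict on stdout.
The stage labels below are my own summary of the order seen in the posted
log; they are not identifiers used by the helper itself.
"""
import re

RECORD = re.compile(
    r"^(?P<file>[\w.]+)\((?P<line>\d+)\): pid=(?P<pid>\d+) :(?P<ts>[^|]+)\| "
    r"kerberos_ldap_group: (?P<level>INFO|DEBUG|ERROR): (?P<msg>.*)$"
)

# Setup stages in the order the helper performs them, keyed by the message
# prefix that marks the stage as started or completed.
STAGES = (
    ("keytab", "Got default keytab file name"),
    ("principal", "Found principal name:"),
    ("ccache", "Stored credentials"),
    ("ldap_connect", "Setting up connection to ldap server"),
    ("sasl_bind", "Bind to ldap server with SASL/GSSAPI"),
)

# Transcribed from the log in the post, trimmed to the records the triage
# needs (constructed sample input; "_at_" restored to "@").
SAMPLE_LOG = """\
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: INFO: Starting version 1.3.0sq
emz
kerberos_ldap_group.cc(435): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: INFO: Got User: emz Domain: NORMA.COM
support_krb5.cc(97): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(133): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy2.norma.com@NORMA.COM
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Setting up connection to ldap server hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(891): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0
support_member.cc(96): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: INFO: User emz is not member of group@domain Internet Users - Proxy2@
ERR
kerberos_ldap_group.cc(470): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: ERR
"""


def parse(log_text):
    """Split helper output into structured log records and bare stdin/stdout lines."""
    records, bare = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            records.append(m.groupdict())
        else:
            bare.append(line)
    return records, bare


def triage(log_text):
    """Return the principal, LDAP target, stages reached, first ERROR and verdict."""
    records, bare = parse(log_text)
    result = {
        "principal": None, "ldap_server": None, "stages_reached": [],
        "failed_stage": None, "first_error": None, "verdict": None,
    }
    for rec in records:
        msg = rec["msg"]
        if msg.startswith("Found principal name:"):
            result["principal"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Setting up connection to ldap server"):
            result["ldap_server"] = msg.rsplit(" ", 1)[1]
        for name, prefix in STAGES:
            if msg.startswith(prefix) and name not in result["stages_reached"]:
                result["stages_reached"].append(name)
        # The first ERROR is the real cause; later "No error: 0" and
        # "is not member" lines are consequences of it.
        if rec["level"] == "ERROR" and result["first_error"] is None:
            result["first_error"] = msg
            if result["stages_reached"]:
                result["failed_stage"] = result["stages_reached"][-1]
    for line in bare:
        if line.split(" ", 1)[0] in ("OK", "ERR"):
            result["verdict"] = line.split(" ", 1)[0]
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

Run against the posted log, the script reports that keytab, principal and credential cache were all fine, that the LDAP connection to hq-gc.norma.com:389 was set up, and that the run died at the SASL/GSSAPI bind, so the "is not member" line and the final ERR say nothing about group membership. To use it on a live helper, redirect the helper's stderr and stdout into one file (`2>&1`) and feed that file to `triage()`.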