[squid-users] Re: Fwd: squid_kerb_ldap trabl

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 3 Jun 2014 19:22:21 +0100

Hi Valentin,

I think the problem is here:

2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error

Do you know if everyone can access the schema of your ldap server (I assume it is a MS Active Directory server)?

Markus
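
The helper's debug output above is the only evidence in this thread, so a small triage script for it is useful. The following is an added example, not code from the thread or from the squid_kerb_ldap project: it parses `squid_kerb_ldap -d` lines from cache.log, records which LDAP servers the helper tried, whether the SASL/GSSAPI bind succeeded, and whether the Active Directory detection (RootDSE `schemaNamingContext`, then a search under `CN=Schema` for `ldapdisplayname=samaccountname`) found anything, and it prints the `ldapsearch` query that repeats that schema search under the same principal so the "can everyone read the schema?" question can be answered directly. The embedded sample log is constructed from the lines in this thread (with `@` restored); the helper function names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the relevant helper lines from the thread, one entry per line.
SAMPLE_LOG = """\
2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Found group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Found principal name: HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-2.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-1.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: DOMINION.LOCAL Port: -1 Priority: -1 Weight: -1
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: ERR
"""

LINE_RE = re.compile(r"^\S+ \S+\| squid_kerb_ldap: (?P<msg>.*)$")
USER_RE = re.compile(r"^Got User: (\S+) Domain: (\S+)$")
GROUP_RE = re.compile(r"^Found group@domain (\S+)$")
PRINC_RE = re.compile(r"^Found principal name: (\S+)$")
HOST_RE = re.compile(r"^Host: (\S+) Port: (-?\d+) Priority: (-?\d+) Weight: (-?\d+)$")
CONNECT_RE = re.compile(r"^Setting up connection to ldap server (\S+)$")
BIND_ERR_RE = re.compile(r"^Error while binding to ldap server with SASL/GSSAPI: (.+)$")
BIND_OK_RE = re.compile(r"^Successfully initialised connection to ldap server (\S+)$")
SEARCH_RE = re.compile(r'^Search ldap server with bind path "?(?P<base>[^"]*?)"? and filter: (?P<filter>.+)$')
FOUND_RE = re.compile(r"^Found (\d+) ldap entries$")
AD_FILTER = "(ldapdisplayname=samaccountname)"   # the helper's AD-detection filter


@dataclass
class Triage:
    user: str = ""
    domain: str = ""
    group: str = ""
    principal: str = ""
    servers: list = field(default_factory=list)        # (host, port, priority, weight)
    bind_failures: dict = field(default_factory=dict)  # "host:port" -> error text
    bound_to: str = ""
    schema_base: str = ""
    schema_hits: Optional[int] = None
    detected_ad: Optional[bool] = None
    verdict: str = ""


def parse_log(text: str) -> Triage:
    """Walk the helper's debug lines in order and collect the facts that matter."""
    t = Triage()
    current = ""            # server the helper is currently connecting to
    awaiting_hits = False   # the next "Found N ldap entries" belongs to the AD check
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if (u := USER_RE.match(msg)):
            t.user, t.domain = u.groups()
        elif (g := GROUP_RE.match(msg)):
            t.group = g.group(1)
        elif (p := PRINC_RE.match(msg)):
            t.principal = p.group(1)
        elif (h := HOST_RE.match(msg)):
            host, port, prio, weight = h.groups()
            t.servers.append((host, int(port), int(prio), int(weight)))
        elif (c := CONNECT_RE.match(msg)):
            current = c.group(1)
        elif (e := BIND_ERR_RE.match(msg)):
            t.bind_failures[current] = e.group(1)
        elif (ok := BIND_OK_RE.match(msg)):
            t.bound_to = ok.group(1)
        elif (s := SEARCH_RE.match(msg)):
            if s.group("filter") == AD_FILTER:
                t.schema_base = s.group("base")
                awaiting_hits = True
        elif (f := FOUND_RE.match(msg)) and awaiting_hits:
            t.schema_hits = int(f.group(1))
            awaiting_hits = False
        elif msg.startswith("Determined ldap server"):
            t.detected_ad = "not as an" not in msg
        elif msg in ("OK", "ERR"):
            t.verdict = msg
    return t


def diagnose(t: Triage) -> list:
    """Human-readable findings, in the order a reader would want them."""
    findings = []
    for server, err in t.bind_failures.items():
        findings.append(f"SASL/GSSAPI bind to {server} failed ({err}); helper moved on to the next server")
    if t.schema_hits == 0:
        findings.append(f"schema search under {t.schema_base} for samaccountname returned 0 entries on "
                        f"{t.bound_to}: either {t.principal or 'the helper principal'} cannot read the "
                        "schema or the server is not Active Directory")
    if t.detected_ad is False:
        findings.append("helper concluded the server is not AD, so the group lookup cannot succeed")
    if t.verdict == "ERR" and t.group:
        findings.append(f"result ERR: {t.user} reported as not a member of {t.group}, after the server-type error")
    return findings


def suggested_check(t: Triage) -> str:
    """ldapsearch that repeats the helper's schema query with a GSSAPI identity."""
    host = t.bound_to.split(":")[0] if t.bound_to else "<ldap-server>"
    return f'ldapsearch -LLL -Y GSSAPI -H ldap://{host} -b "{t.schema_base}" "{AD_FILTER}" lDAPDisplayName'


if __name__ == "__main__":
    triage = parse_log(SAMPLE_LOG)
    for line in diagnose(triage):
        print("-", line)
    print("verify with:", suggested_check(triage))
```

Run the suggested `ldapsearch` on the proxy host after obtaining a ticket for the helper's own principal from its keytab (`kinit -k -t /etc/squid/Proxy.keytab HTTP/proxy.dominion.local@DOMINION.LOCAL`): one `lDAPDisplayName: sAMAccountName` entry means the schema is readable by that identity and the problem lies elsewhere; an empty result or an operations error reproduces what the helper saw and points at read permissions on the schema container.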

"Valentin G" wrote in message news:1857521401801103_at_web29m.yandex.ru...

Hi, help me solve my problem configuring squid.

DOMINION.LOCAL - win domain (2003+2008 forest 2003)
3 inet group in AD

user vvgulimov in group Internet_all

squid_kerb_ldap ver 1.2.2

cache.log

2014/06/03 15:52:59| squid_kerb_ldap: Got User: vvgulimov Domain: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: User domain loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default domain loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Default group loop: group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Found group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: Setup Kerberos credential cache
2014/06/03 15:52:59| squid_kerb_ldap: Get default keytab file name
2014/06/03 15:52:59| squid_kerb_ldap: Got default keytab file name /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Get principal name from keytab /etc/squid/Proxy.keytab
2014/06/03 15:52:59| squid_kerb_ldap: Keytab entry has realm name: DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Found principal name: HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_3062
2014/06/03 15:52:59| squid_kerb_ldap: Got principal name HTTP/proxy.dominion.local@DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Stored credentials
2014/06/03 15:52:59| squid_kerb_ldap: Initialise ldap connection
2014/06/03 15:52:59| squid_kerb_ldap: Canonicalise ldap server name for domain DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-1.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved SRV _ldap._tcp.DOMINION.LOCAL record to ruspb-a-sdc-2.dominion.local
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 1 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 2 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Resolved address 3 of DOMINION.LOCAL to DOMINION.LOCAL
2014/06/03 15:52:59| squid_kerb_ldap: Adding DOMINION.LOCAL to list
2014/06/03 15:52:59| squid_kerb_ldap: Sorted ldap server names for domain DOMINION.LOCAL:
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-2.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: ruspb-a-sdc-1.dominion.local Port: 389 Priority: 0 Weight: 100
2014/06/03 15:52:59| squid_kerb_ldap: Host: DOMINION.LOCAL Port: -1 Priority: -1 Weight: -1
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-2.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: ldap_sasl_interactive_bind_s error: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Error while binding to ldap server with SASL/GSSAPI: Local error
2014/06/03 15:52:59| squid_kerb_ldap: Setting up connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2014/06/03 15:52:59| squid_kerb_ldap: Successfully initialised connection to ldap server ruspb-a-sdc-1.dominion.local:389
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path "" and filter: (objectclass=*)
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap entries for attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: 1 ldap entry found with attribute : schemaNamingContext
2014/06/03 15:52:59| squid_kerb_ldap: Search ldap server with bind path CN=Schema,CN=Configuration,DC=dominion,DC=local and filter: (ldapdisplayname=samaccountname)
2014/06/03 15:52:59| squid_kerb_ldap: Found 0 ldap entries
2014/06/03 15:52:59| squid_kerb_ldap: Determined ldap server not as an Active Directory server
2014/06/03 15:52:59| squid_kerb_ldap: Error determining ldap server type: Operations error
2014/06/03 15:52:59| squid_kerb_ldap: User vvgulimov is not member of group@domain Internet_all@NULL
2014/06/03 15:52:59| squid_kerb_ldap: ERR

____________________________________________

squid.conf

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -s HTTP/proxy.dominion.local@DOMINION.LOCAL
auth_param negotiate children 20
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP1 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_all
external_acl_type SQUID_KERB_LDAP2 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_blacklist
external_acl_type SQUID_KERB_LDAP3 ttl=1200 negative_ttl=3600 %LOGIN /usr/lib/squid/squid_kerb_ldap -d -g Internet_whitelist

acl AUTHENTICATED proxy_auth REQUIRED

acl Internet_all external SQUID_KERB_LDAP1
acl Internet_blacklist external SQUID_KERB_LDAP2
acl Internet_whitelist external SQUID_KERB_LDAP3

acl white_list url_regex -i "/etc/squid/white_list"
acl black_list url_regex -i "/etc/squid/black_list"

http_access allow Internet_whitelist white_list
http_access deny Internet_blacklist black_list
http_access allow Internet_all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localhost
http_access allow AUTHENTICATED
http_access deny all

_______________________________________
krb5.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
krb4_convert = false
}

[libdefaults]
default_realm = DOMINION.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# proxiable = true

# For Windows 2007:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable = yes

[realms]
DOMINION.LOCAL = {
# kdc = 192.168.235.4:88
kdc = 192.168.234.2:88
# admin_server = 192.168.235.4:749
admin_server = 192.168.234.2:749
default_domain = DOMINION.LOCAL
}

[domain_realm]
.dominion.local = DOMINION.LOCAL
dominion.local = DOMINION.LOCAL
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmin.log

____________________________________________________

thank you

ps. configure your mail ezm is very strong ..)
Received on Tue Jun 03 2014 - 18:22:46 MDT