Squid
t1n0x, 2018-11-29 11:31:26

Squid3.5.20 + Kerberos + AD authorization error via ext_kerberos_ldap_group_acl?

Good day! Management set me the task of setting up a proxy server to get employees online and to monitor their visits through authorization against AD. The choice fell on squid3 + Kerberos + group blocking via AD (ext_kerberos_ldap_group_acl). I managed the first two, i.e. bringing up squid with Kerberos authorization against AD; however, blocking access via ext_kerberos_ldap_group_acl does not work. From Google sources (in particular, on your forum) I found out that this may be a problem with the reverse zone for the domain or with the cyrus-sasl-gssapi libraries; however, I have installed everything and created a reverse zone for the domain (the PTR resolves on the proxy server without problems).
[b]Initial data:[/b]
[b]OS [/b]- CentOS 7 x86_64 minimal
[b]Squid[/b] - v3.5.20
Here is what ext_kerberos_ldap_group_acl says when checking a user in a group:
[[email protected] squid]# ./ext_kerberos_ldap_group_acl -d -a -i -g [email protected]
kerberos_ldap_group.cc(278): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Group list [email protected]
support_group.cc(447): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Group proxy_on Domain EXAMPLE.COM
support_netbios.cc(83): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: No ldap servers defined.
[b][email protected][/b] --Here I enter a user in the group proxy_on
kerberos_ldap_group.cc(376): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: INFO: Got User: test Domain: EXAMPLE.COM
support_member.cc(63): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: User domain loop: [email protected] [email protected]
support_member.cc(65): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Found [email protected] [email protected]
support_ldap.cc(898): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_2055
support_krb5.cc(138): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/proxy.keytab
support_krb5.cc(158): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/proxy.keytab
support_krb5.cc(169): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
support_krb5.cc(181): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Found principal name: HTTP/[email protected]
support_krb5.cc(196): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Got principal name HTTP/[email protected]
support_krb5.cc(260): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.COM
support_resolv.cc(379): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.COM record to dc.example.com
support_resolv.cc(183): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known
support_resolv.cc(407): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Adding EXAMPLE.COM to list
support_resolv.cc(443): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain EXAMPLE.COM:
support_resolv.cc(445): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Host: dc.example.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Host: EXAMPLE.COM Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server dc.example.com:389
support_ldap.cc(953): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(957): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server EXAMPLE.COM:389
support_ldap.cc(953): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Error during initialization of ldap connection: Success
support_ldap.cc(1048): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: Success
support_member.cc(76): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: INFO: User test is not member of [email protected] [email protected]
support_member.cc(91): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Default domain loop: [email protected] [email protected]
support_member.cc(119): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Default group loop: [email protected] [b]proxy_on[/b]@EXAMPLE.COM
ERR
kerberos_ldap_group.cc(411): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: ERR
P.S. KRB5_KTNAME=/etc/squid/proxy.keytab is also set in /etc/default/squid (export KRB5_KTNAME). Authorization and blocking work (this can be seen in the squidanalyzer statistics), but for some reason squid completely refuses to work with ext_kerberos_ldap_group_acl.
Have not found.
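The debug output above already contains the answer to "which stage fails": the SRV lookup for _ldap._tcp.EXAMPLE.COM succeeds, getaddrinfo() for the returned host then fails, and only after that does the SASL/GSSAPI bind report "Local error" and the fallback to the bare realm name "Can't contact LDAP server". The final "User test is not member of" line is therefore not a real membership decision, it is what the helper prints when no LDAP query could run at all. The following script is an added example (not from the asker and not part of Squid) that parses ext_kerberos_ldap_group_acl -d output and reports the failing stage, so that a "not member" result caused by DNS or bind problems is not mistaken for a genuine denial. The sample log is constructed after the lines in the question; the principal HTTP/proxy.example.com@EXAMPLE.COM is a placeholder, since the real one is obfuscated on this page.

```python
"""Triage helper for ext_kerberos_ldap_group_acl debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One debug line: "<file>.cc(<n>): pid=<pid> :<timestamp>| kerberos_ldap_group: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<src>\w+\.cc)\((?P<lineno>\d+)\): pid=(?P<pid>\d+) :(?P<ts>[^|]+)\| "
    r"kerberos_ldap_group: (?P<level>INFO|DEBUG|ERROR): (?P<msg>.*)$"
)

# Constructed sample, modelled on the output quoted in the question.
# The HTTP/ principal is a placeholder, not the asker's real value.
SAMPLE_LOG = """\
support_krb5.cc(196): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example.com@EXAMPLE.COM
support_ldap.cc(933): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.COM
support_resolv.cc(379): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.COM record to dc.example.com
support_resolv.cc(183): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server dc.example.com:389
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server EXAMPLE.COM:389
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_member.cc(76): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: INFO: User test is not member of proxy_on@EXAMPLE.COM proxy_on@EXAMPLE.COM
"""


@dataclass
class Triage:
    principal: Optional[str] = None          # keytab principal the helper uses
    srv_target: Optional[str] = None         # host returned by the _ldap._tcp SRV lookup
    dns_error: Optional[str] = None          # getaddrinfo failure text, if any
    bind_errors: Dict[str, str] = field(default_factory=dict)  # server -> SASL error
    member: Optional[bool] = None            # final membership line, None if absent
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one helper log line, or None for non-matching text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines) -> Triage:
    """Walk the debug lines in order and attribute each error to the server being tried."""
    t = Triage()
    current_server = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := re.match(r"Got principal name (\S+)", msg)):
            t.principal = m.group(1)
        elif (m := re.match(r"Resolved SRV (\S+) record to (\S+)", msg)):
            t.srv_target = m.group(2)
        elif (m := re.match(r"Error while resolving hostname with getaddrinfo: (.*)", msg)):
            t.dns_error = m.group(1)
        elif (m := re.match(r"Setting up connection to ldap server (\S+)", msg)):
            current_server = m.group(1)
        elif (m := re.match(r"ldap_sasl_interactive_bind_s error: (.*)", msg)):
            t.bind_errors[current_server] = m.group(1)
        elif re.match(r"User \S+ is not member of", msg):
            t.member = False
        elif re.match(r"User \S+ is member of", msg):
            t.member = True

    # Turn the raw facts into ordered findings, earliest failure first.
    if t.srv_target and t.dns_error:
        t.findings.append(
            f"SRV target {t.srv_target} has no resolvable address ({t.dns_error}); "
            "check its A record and the resolver configuration on the proxy host")
    for server, err in t.bind_errors.items():
        host = server.split(":")[0]
        if err == "Local error":
            t.findings.append(
                f"SASL/GSSAPI bind to {host} failed locally: the helper could not obtain "
                f"or use an ldap/{host} service ticket with {t.principal}")
        elif err == "Can't contact LDAP server":
            t.findings.append(f"{server} is unreachable; binding to the bare realm name is only a fallback")
    if t.member is False and t.bind_errors:
        t.findings.append("the 'not member' result is not authoritative: no LDAP query succeeded")
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()).findings:
        print("-", finding)
```

Run it against the output of `./ext_kerberos_ldap_group_acl -d -a -i -g <group>@<REALM>` redirected to a file to get the findings in failure order; the first one is the one to fix, and in the quoted log that is the address lookup of the SRV target, which precedes every Kerberos and LDAP error.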
