[squid-users] Re: Re: Squid authenticate via squid_kerb_ldap

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 5 Oct 2011 21:30:50 +0100

Hi Ricardo,

  That looks basically all correct. Can you capture the traffic on port 88
(Kerberos) with Wireshark? At this point

2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap server
srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error

you should see a Kerberos authentication request (AS-REQ ) for
HTTP/Firewall.domain.local followed by a successful reply (AS-REP). After
that you should see a TGS-REQ for ldap/server srvarq.domain.local with a
successful reply.

 I think one of these requests is failing. Could you let me know the error
message?

 If it does not fail, can you capture the traffic on port 389? It should
show a SASL/GSSAPI authentication of the ldap connection. Could you let me
know if that succeeded?

Markus

"spiderslack" <spiderslack_at_yahoo.com.br> wrote in message
news:4E8BBB28.1030009_at_yahoo.com.br...
Hi Markus.

I set the flag -d and got the following output

root_at_Firewall:~/squid_kerb_ldap# ./squid_kerb_ldap -d -g
G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Starting version 1.2.2
2011/10/04 20:52:43| squid_kerb_ldap: Group list G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Group G_Internet_RH Domain
DOMAIN.LOCAL
2011/10/04 20:52:43| squid_kerb_ldap: Netbios list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No netbios names defined.
2011/10/04 20:52:43| squid_kerb_ldap: ldap server list NULL
2011/10/04 20:52:43| squid_kerb_ldap: No ldap servers defined.
rodrigo.lopes_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Got User: rodrigo.lopes Domain:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: User domain loop: group_at_domain
G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found group_at_domain
G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Setup Kerberos credential cache
2011/10/04 20:52:53| squid_kerb_ldap: Get default keytab file name
2011/10/04 20:52:53| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2011/10/04 20:52:53| squid_kerb_ldap: Keytab entry has realm name:
DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Found principal name:
HTTP/Firewall.domain.local_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_15365
2011/10/04 20:52:53| squid_kerb_ldap: Got principal name
HTTP/Firewall.domain.local_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Stored credentials
2011/10/04 20:52:53| squid_kerb_ldap: Initialise ldap connection
2011/10/04 20:52:53| squid_kerb_ldap: Canonicalise ldap server name for
domain DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvdc.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved SRV
_ldap._tcp.DOMAIN.LOCAL record to srvarq.lmvidros.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 1 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 2 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 3 of DOMAIN.LOCAL
to srvdc.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 4 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 5 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Resolved address 6 of DOMAIN.LOCAL
to srvarq.domain.local
2011/10/04 20:52:53| squid_kerb_ldap: Adding DOMAIN.LOCAL to list
2011/10/04 20:52:53| squid_kerb_ldap: Sorted ldap server names for
domain DOMAIN.LOCAL:
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvarq.domain.local Port:
389 Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: srvdc.domain.local Port: 389
Priority: 0 Weight: 100
2011/10/04 20:52:53| squid_kerb_ldap: Host: DOMAIN.LOCAL Port: -1
Priority: -2 Weight: -2
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvarq.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server srvdc.domain.local:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Setting up connection to ldap
server DOMAIN.LOCAL:389
2011/10/04 20:52:53| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2011/10/04 20:52:53| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2011/10/04 20:52:53| squid_kerb_ldap: User rodrigo.lopes is not member
of group_at_domain G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default domain loop: group_at_domain
G_Internet_RH_at_DOMAIN.LOCAL
2011/10/04 20:52:53| squid_kerb_ldap: Default group loop: group_at_domain
G_Internet_RH_at_DOMAIN.LOCAL
ERR
2011/10/04 20:52:53| squid_kerb_ldap: ERR

I am trying to set up SASL. I installed libsasl-dev and recompiled
squid_kerb_ldap. I set up the files /etc/default/saslauthd and
/etc/saslauthd.conf

root_at_Firewall:~/squid_kerb_ldap# cat /etc/default/saslauthd | egrep -v
-r '(^#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-d -c -m /var/run/saslauthd"
root_at_Firewall:~/squid_kerb_ldap#

root_at_Firewall:~/squid_kerb_ldap# cat /etc/saslauthd.conf
ldap_servers: ldap://192.168.0.8/
ldap_search_base: DC=domain,DC=local
ldap_base_dn: DC=domain,DC=local
ldap_auth_method: bind
ldap_bind_dn: CN=Ricardo,OU=NOC,DC=domain,DC=local
ldap_bind_pw: 123456
ldap_filter: (sAMAccountName=%u)
ldap_use_sasl: no
root_at_Firewall:~/squid_kerb_ldap#

Via testsaslauthd, authentication works with an Active Directory username
and password

root_at_Firewall:~/squid_kerb_ldap# testsaslauthd -u ricardo.dias -p 123456
0: OK "Success."
root_at_Firewall:~/squid_kerb_ldap#

Any idea?

Regards

On 10/04/2011 05:56 PM, Markus Moeller wrote:
> Hi Ricardo,
>
> Can you add a -d option for debug output to squid_kerb_ldap? It should
> help to pinpoint the problem. squid_kerb_ldap uses the kerberos keytab
> entry to authenticate to Active Directory, which fails. Can you also
> capture with tcpdump the kerberos traffic on port 88 and ldap on port
> 389.
>
> Markus
>
>
> "Ricardo Barbosa" <spiderslack_at_yahoo.com.br> wrote in message
> news:1317680715.75499.YahooMailNeo_at_web161310.mail.bf1.yahoo.com...
> Hi all,
>
> I'm setting up squid authenticating via the kerberos helper. squid_kerb_auth works
> perfectly but not squid_kerb_ldap. Initially I collected messages in the logs
> about the SASL support, and also from the list history.
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-with-Active-Directory-td3023076.html
>
> But after squid_kerb_ldap was recompiled with support for SASL, the message
> changed.
>
>
> ==> /var/log/squid/access.log <==
> 1317680370.168 0 192.168.0.10 TCP_DENIED/407 1695 GET
> http://www.google.com.br/ - NONE/- text/html
> 1317680370.380 210 192.168.0.10 TCP_DENIED/403 1817 GET
> http://www.google.com.br/ [email protected] NONE/- text/html
>
> ==> /var/log/squid/cache.log <==
> 2011/10/03 18:19:30| squid_kerb_auth: Got 'YR
> [base64 token elided]'
> from squid (length: 1923).
> 2011/10/03 18:19:30| squid_kerb_auth: parseNegTokenInit failed with rc=101
> 2011/10/03 18:19:30| squid_kerb_auth: AF
> oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqzbebthiHgCEREbPIvAB3Lbw65r75GC0zTez9tgTpso+5fXFhD6J1a0NvPb9m9e99huzEE1DpCgmZUPV4g8jAXU3QAqtsfze0UwMUFovlVJqy9V/r1mBNFse2RoO+R/x2aLJkOi1atZRx4g==
> ricardo.dias_at_DOMAIN.LOCAL
>
> 2011/10/03 18:22:44| squid_kerb_auth: AF
> oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqdvBcdVow3J1ERn8EmDHGdq5zxXqQzUso3aEN8V7qnxE9iXPE4RKHzIDWBJdjtCu8x7Pop5k6fBc9X4+tK9s6B7o+xbIHj3N5BU5h1w3RtgbyyNokJ324XlZ5gWKFGfvfwTkKGJJ9Hw96gg==
> ricardo.dias_at_DOMAIN.LOCAL
> 2011/10/03 18:22:44| squid_kerb_ldap: Got User: ricardo.dias Domain:
> DOMAIN.LOCAL
> 2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: ldap_sasl_interactive_bind_s error:
> Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: Error while binding to ldap server
> with SASL/GSSAPI: Local error
> 2011/10/03 18:22:44| squid_kerb_ldap: User ricardo.dias is not member of
> group_at_domain G_Internet_RH_at_NULL
>
>
> Anyone have any idea where I am wrong?
>
>
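The port-88 sequence Markus describes above (AS exchange for the helper's HTTP/ principal, then a TGS exchange for ldap/<server>), as an added example that is not code from this thread or from squid_kerb_ldap: a checker that walks the captured Kerberos messages in order and reports which step failed, treating the usual KDC_ERR_PREAUTH_REQUIRED round trip as benign. It assumes the caller has already extracted (msg-type, cname, sname, error-code) tuples from the capture, e.g. with Wireshark's Kerberos dissector, filtered to the helper host; the sample capture is constructed.

```python
# Added example, not code from the thread or from squid_kerb_ldap. Each message is a tuple
# (msg_type, cname, sname, error_code); the capture is assumed filtered to the helper host.
AS_REQ, AS_REP, TGS_REQ, TGS_REP, KRB_ERROR = 10, 11, 12, 13, 30  # RFC 4120 msg-type values
PREAUTH_REQUIRED = 25  # KDC_ERR_PREAUTH_REQUIRED: normal reply to the first AS-REQ, not a failure
ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (keytab principal unknown to the KDC)",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (no SPN registered for the requested service)",
    24: "KDC_ERR_PREAUTH_FAILED (keytab key does not match the KDC, e.g. stale kvno)",
}

def _reply_after(messages, i):
    """The KDC reply directly following messages[i], or None if none was captured."""
    nxt = messages[i + 1] if i + 1 < len(messages) else None
    return nxt if nxt and nxt[0] in (AS_REP, TGS_REP, KRB_ERROR) else None
def _describe(reply):
    return "no reply from the KDC" if reply is None else ERROR_NAMES.get(reply[3], f"KRB-ERROR {reply[3]}")

def check_kerberos_exchange(messages, helper_principal, ldap_host):
    """Return (stage, findings): stage is 'none' (no TGT), 'tgt' or 'ldap_ticket'."""
    as_reqs = [i for i, m in enumerate(messages) if m[0] == AS_REQ and m[1] == helper_principal]
    if not as_reqs:
        return "none", [f"no AS-REQ for {helper_principal}: the helper never reached the KDC"]
    for i in as_reqs:
        reply = _reply_after(messages, i)
        if reply and reply[0] == AS_REP:
            break
        if reply and reply[0] == KRB_ERROR and reply[3] == PREAUTH_REQUIRED:
            continue  # the client retries the AS-REQ with pre-authentication data
        return "none", ["AS exchange failed: " + _describe(reply)]
    else:
        return "none", ["AS-REQ never answered with AS-REP (only pre-auth challenges seen)"]
    service = f"ldap/{ldap_host}"
    tgs_reqs = [i for i, m in enumerate(messages) if m[0] == TGS_REQ and m[2] == service]
    if not tgs_reqs:
        return "tgt", [f"TGT obtained but no TGS-REQ for {service}: the failure is local to the helper"]
    reply = _reply_after(messages, tgs_reqs[-1])
    if reply and reply[0] == TGS_REP:
        return "ldap_ticket", [f"ticket for {service} obtained; next inspect the SASL bind on port 389"]
    return "tgt", [f"TGS exchange for {service} failed: " + _describe(reply)]

HELPER = "HTTP/Firewall.domain.local"
# Constructed sample capture: pre-auth round trip, AS-REP, then the LDAP ticket request
# is rejected with error 7 (no ldap/srvarq.domain.local SPN registered).
SAMPLE_CAPTURE = [
    (AS_REQ, HELPER, "krbtgt/DOMAIN.LOCAL", None),
    (KRB_ERROR, HELPER, "krbtgt/DOMAIN.LOCAL", PREAUTH_REQUIRED),
    (AS_REQ, HELPER, "krbtgt/DOMAIN.LOCAL", None),
    (AS_REP, HELPER, "krbtgt/DOMAIN.LOCAL", None),
    (TGS_REQ, HELPER, "ldap/srvarq.domain.local", None),
    (KRB_ERROR, HELPER, "ldap/srvarq.domain.local", 7),
]
```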
Received on Wed Oct 05 2011 - 20:31:12 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 07 2011 - 12:00:03 MDT