Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread Markus Moeller
Hi Louis,

I know a user and machine account can be used and they work the same. What 
my concern is, is that many companies deploy password policies for users in AD. 
 You would need to create exceptions for user accounts which have SPNs with 
associated keytabs as a password change will make the keytab invalid.

Markus


Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-29 Thread L . P . H . van Belle
Hello Markus,

No, I'm not using the latest from trunk. Atm I use the (by Debian testing) supplied 3.5.19.

If you want me to test something, I'm happy to do that for you.

Best regards,

Louis

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread L . P . H . van Belle
Hello Markus,

Thank you for the explanation, that helped a lot.

I use the TLS_CACERTFILE in the init script now and that works for me.

(in Debian the /etc/default/squid)

>>The helper tries to “authenticate” squid to AD as a user with the found SPN 
>>name, so the UPN must be the same as the SPN.  There is no easy way to query 
>>what the UPN for the SPN is. 

Ah, this helped identifying some other small things too.

>>msktutil (my preferred tool)

Since I try to use only Debian packages, msktutil is not available for me.

>>Also msktutil (my preferred tool) creates a machine account not a user 
>>account in AD. 

>>The reason I prefer this is that often user accounts have a global password 
>>policy e.g. change every 60 days otherwise it will be locked. 

>>machine accounts do not have that limitation. But as I said it is just my 
>>preference.

That's not correct in my opinion. A computer account works (almost) the same as a user account.

Like a computer account = a user account.

Some pointers:

https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

https://adsecurity.org/?p=280

I used a separate user since I wanted to have 2 proxies on 1 service account, but due to the UPN/SPN thing that's not an option anymore. Not that that's a problem; I'll change to adding the computer to the Samba domain and adding the UPN/SPN on the computer account where needed.

Which may even be a better option.

Thanks again for your replies.

Best regards,

Louis

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-27 Thread Markus Moeller
Hi,

   I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.

  Also msktutil (my preferred tool) creates a machine account, not a user account in AD. The reason I prefer this is that often user accounts have a global password policy, e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.

   Regarding the certificate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.


Kind regards
Markus

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-27 Thread Markus Moeller
Hi Louis,

I made lately a change in how the SSL certificate verification is done. Did you use the latest version from trunk? Also set the variable TLS_CACERTFILE in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem). I do not read any ldap.conf file for this yet.

Markus


Re: [squid-users] ext_kerberos_ldap_group_acl problem (Solved for me for now)

2016-08-25 Thread L . P . H . van Belle
Ok, found it.

So, a summary for squid 3.5.19 + samba 4.4.5, kerberos auth and kerberos groups on Debian jessie.

By default the package libsasl2-modules-gssapi-mit was not installed.

So I installed it:  apt-get install libsasl2-modules-gssapi-mit

I always install with --no-install-recommends; here I missed this package.

After installing it works fine, at least, ..

This works: (SASL/GSSAPI over port 389)

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM

But with ssl enabled..

SASL/GSSAPI over port 636 (ldaps)

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s

Or ..

SASL/GSSAPI over port 636 (ldaps) without cert checks.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s -a

And I also tried adding this to the /etc/default/squid:

TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

And adding the _ldaps._tcp records to the samba4/bind_dlz dns didn't help.

(samba-tool dns add ADDC.FQDN REALM _ldaps._tcp SRV 'host.internal.domain.tld 636 0 100')

The log part of the remaining errors.

But no need to fix this for me, I'm putting this here so people can find it as reference.

DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
ERROR: Error while binding to ldap server with SASL/GSSAPI: Strong(er) authentication required
DEBUG: Setting up connection to ldap server hostname.internal.domain.tld:636
DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required

And if someone finds the solution for this above, that would be nice to report here.

Greetz,

Louis


Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-25 Thread L . P . H . van Belle
Hai,

I've added the needed UPN, set up the _ldaps in the DNS zones, that's ok now.

The last part, here I need some help.

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636
support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636
support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

I tried to set TLS_CACERTFILE in ldap.conf, didn't work, so I don't know how to fix this or where to put these variables.

I need a user to connect to the ldap. I have that one in place.

I just can't find how to put this in this line so I can test this out, but I can only authenticate if the TLS_CACERTFILE is set correctly.

Any suggestions here?

Greetz,

Louis

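Added example, not part of Squid or the helper: a small Python parser for the helper's -d output quoted in this message and in the "Solved for me for now" message. It groups the lines per LDAP server attempt and flags when certificate checking is on but the CA file is not the bundle you expect, which is the case for setting TLS_CACERTFILE in the Squid startup environment rather than in ldap.conf. The log lines are constructed from those in the thread.

```python
"""Summarise the LDAP connection attempts in ext_kerberos_ldap_group_acl -d
output.  Added example for this thread; not part of Squid."""
import re

# Constructed sample modelled on the debug lines quoted in the thread: one
# attempt with certificate checking on (default CA file), one with -a.
SAMPLE_LOG = """\
support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636
support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636
DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
"""

# Optional "file.cc(line): pid=N :date time| kerberos_ldap_group: " prefix
# (absent in the shortened log in the thread), then the level and message.
LINE_RE = re.compile(
    r"^(?:\S+\(\d+\): pid=\d+ :\S+ \S+\| kerberos_ldap_group: )?"
    r"(DEBUG|INFO|ERROR): (.*)$")

CA_MSG = "Set certificate file for ldap server to "


def parse_attempts(log_text):
    """Group the lines into one record per 'Setting up connection' block."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _level, msg = m.groups()
        if msg.startswith("Setting up connection to ldap server "):
            cur = {"server": msg.rsplit(" ", 1)[1], "verify": None,
                   "ca_file": None, "starttls_error": None, "bind_error": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Enable server certificate check"):
            cur["verify"] = True
        elif msg.startswith("Disable server certificate check"):
            cur["verify"] = False
        elif msg.startswith(CA_MSG):
            # The helper appends ".(Changeable through ...)" to the path.
            cur["ca_file"] = msg[len(CA_MSG):].split(".(", 1)[0]
        elif msg.startswith("Error while setting start_tls for ldap server: "):
            cur["starttls_error"] = msg.split(": ", 1)[1]
        elif msg.startswith("ldap_sasl_interactive_bind_s error: "):
            cur["bind_error"] = msg.split(": ", 1)[1]
    return attempts


def findings(attempt, expected_ca_file):
    """Turn one attempt into review findings.  The TLS_CACERTFILE hint restates
    what the thread establishes: the helper takes the CA file only from that
    environment variable of the Squid process, not from ldap.conf."""
    out = []
    if attempt["verify"] is False:
        out.append("server certificate check disabled (-a): LDAP server identity not verified")
    elif attempt["ca_file"] and attempt["ca_file"] != expected_ca_file:
        out.append(f"CA file is {attempt['ca_file']}, not {expected_ca_file}; "
                   "export TLS_CACERTFILE in the Squid startup environment")
    if attempt["starttls_error"]:
        out.append(f"start_tls failed: {attempt['starttls_error']}")
    if attempt["bind_error"]:
        out.append(f"SASL/GSSAPI bind failed: {attempt['bind_error']}")
    return out


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["server"])
        for line in findings(a, "/etc/ssl/certs/ca-certificates.crt"):
            print("  -", line)
```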


Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugsmaybe )

2016-08-24 Thread L . P . H . van Belle
Ok, reply to myself so other users know this also.

If you create a user for the HTTP services and you don't use msktutil but, like me, samba-tool or something else:

Read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.

And the clue was this line for me.

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>

for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool.

The samba-tool setup for squid I used was as follows.

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to the usern...@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName:
 HTTP/proxy.internal.domain.tld
 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from usern...@internal.domain.tld to the (SPN name) HTTP/proxyserver.internal.domain.tld@REALM

Solved my initial problem.

This should in my opinion be changed to search for the SPN in ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

I'm already having: TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

which contains the needed certs.

Did I find 2 small bugs here?

Or is this a “Debian” related thing?

Debug output.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain@your.realm.tld
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain@your.realm.tld
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread L . P . H . van Belle
Hello Dio,

Thank you for the reply.

So, can this be a “MIT” Kerberos or Heimdal thing?

I use Samba4 for the AD DC and that uses Heimdal.

Even though the log says:

"Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database".

I'm already using NFSv4 over Kerberos, SSH over Kerberos and Squid user auth, and that is working fine (on the same server).

I don't have/use kadmin, since Samba is my KDC.

The only thing I can think of besides MIT or Heimdal is that I use a dedicated user, which has the SPN for my proxy server.

A snippet from my krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

Best regards,

Louis


From: Diogenes S. Jesus [mailto:spl...@gmail.com]
Sent: Wednesday 24 August 2016 13:29
To: L.P.H. van Belle
CC: squid-us...@squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem

Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database".

Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database.

kadmin.local and "getprinc HTTP/hostname.internet.domain@your.realm.tld" should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle  wrote:

Hai,

I'm having trouble getting the ext_kerberos_ldap_group_acl working.

I’ve read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

Here is what I have checked / done already.

My keytab file:

klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP

Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (arcfour-hmac)

The auth I'm using (which is working fine):

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain@your.realm.tld \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

For testing I'm starting the group ACL on the command line:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

When I test with the user and group now:

testuser internet-mail

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REA

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread Diogenes S. Jesus
Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain@your.realm.tld'
not found in Kerberos database".

Check your krb5.conf on the squid host if you're pointing to the right KDC
and make sure the principal exists in the Kerberos database.
kadmin.local and "getprinc HTTP/hostname.internet.domain@your.realm.tld"
should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle  wrote:

> Hai,
>
> I'm having trouble getting the ext_kerberos_ldap_group_acl working.
>
> I’ve read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
>
> Here is what I have checked / done already.
>
> My keytab file:
>
> klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
>
> Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-crc)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-md5)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (arcfour-hmac)
>
> The auth I'm using (which is working fine):
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain@your.realm.tld \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
> For testing I'm starting the group ACL on the command line:
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d
>
> kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
> support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
> support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
> support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
> support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
> support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
> support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.
>
> When I test with the user and group now:
>
> testuser internet-mail
>
> kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
> kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
> support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
> support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
> support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
> support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
> support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
> support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBU
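Added example, not part of this thread or of squid: a small Python triage script for the helper's -d output, using the line format and the "not found in Kerberos database" error quoted above. The sample lines are constructed from the quoted failing run; the finding text follows the diagnosis given in this thread (the helper initialises credentials from the keytab as that principal, so the KDC must know an account by that name).

```python
import re
from dataclasses import dataclass, field

# Line shape from the thread: file.cc(N): pid=P :YYYY/MM/DD HH:MM:SS| kerberos_ldap_group: LEVEL: msg
LINE_RE = re.compile(
    r"^[\w.]+\(\d+\): pid=\d+ :\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| "
    r"kerberos_ldap_group: (?P<level>INFO|DEBUG|WARNING|ERROR): (?P<msg>.*)$")

@dataclass
class HelperRun:
    keytab: str = ""
    principal: str = ""
    errors: list = field(default_factory=list)

def parse_helper_log(text: str) -> HelperRun:
    """Pull the keytab path, the principal and any ERROR lines out of the -d output."""
    run = HelperRun()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the "testuser internet-mail" query typed at the prompt
        msg = m["msg"]
        if m["level"] == "ERROR":
            run.errors.append(msg)
        elif msg.startswith("Got default keytab file name "):
            run.keytab = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Got principal name "):
            run.principal = msg.rsplit(" ", 1)[1]
    return run

def diagnose(run: HelperRun) -> list:
    # Map the parsed run to operator-readable findings.
    findings = []
    for err in run.errors:
        if "not found in Kerberos database" in err:
            findings.append(f"no KDC account matches keytab principal {run.principal} "
                            f"(from {run.keytab}); the helper initialises credentials as that name")
        else:
            findings.append(f"helper error: {err}")
    return findings

# Constructed sample modelled on the failing run quoted in the thread (wrapped lines re-joined).
SAMPLE = """\
testuser internet-mail
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database
"""
if __name__ == "__main__":
    print("\n".join(diagnose(parse_helper_log(SAMPLE))))
```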