[squid-users] Re: Re: Problem with SQUID_KERB_LDAP
"DmitrySh" wrote in message news:1288100124027-3013710.p...@n4.nabble.com...

> Hi all again.
> I think we can close this thread because I localized the problem. It's the same problem as in this thread -
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-using-squid-kerb-auth-with-Internet-Explorer-8-on-Windows-Server-2008-R2-td3013070.html#a3013070
> I checked everything on a Windows XP with IE7 client machine and all works fine, even with the squid_kerb_ldap helper.
> By the way, the squid_kerb_ldap helper didn't start until I gave it the -i key at the end of the string

The -i is not required. What do you get when you execute it as follows:

export KRB5_KTNAME=
/usr/local/squid/libexec/squid_kerb_ldap -g usergr...@domain.com
u...@domain.com

You should just get a reply OK, e.g.

mar...@opensuse11:~/mysources/squid_kerb_ldap> export KRB5_KTNAME=./squid.keytab
mar...@opensuse11:~/mysources/squid_kerb_ldap> /usr/sbin/squid_kerb_ldap -g socks_al...@suse.home
mar...@suse.home
OK

With -i you get informational messages and -d debug messages.

/usr/sbin/squid_kerb_ldap -d -g socks_al...@suse.home
2010/10/26 19:26:21| squid_kerb_ldap: Starting version 1.2.1a
2010/10/26 19:26:21| squid_kerb_ldap: Group list socks_al...@suse.home
2010/10/26 19:26:21| squid_kerb_ldap: Group SOCKS_ALLOW Domain SUSE.HOME
2010/10/26 19:26:21| squid_kerb_ldap: Netbios list NULL
2010/10/26 19:26:21| squid_kerb_ldap: No netbios names defined.

> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 ipv4 %LOGIN /usr/local/squid/libexec/squid_kerb_ldap -g usergr...@domain.com -i
> Maybe it will be useful for someone else.
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-SQUID-KERB-LDAP-tp1468788p3013710.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

Regards
Markus
[squid-users] Re: Re: Problem with SQUID_KERB_LDAP
Hi all again.
I think we can close this thread because I localized the problem. It's the same problem as in this thread -
http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-using-squid-kerb-auth-with-Internet-Explorer-8-on-Windows-Server-2008-R2-td3013070.html#a3013070
I checked everything on a Windows XP with IE7 client machine and all works fine, even with the squid_kerb_ldap helper.
By the way, the squid_kerb_ldap helper didn't start until I gave it the -i key at the end of the string

external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 ipv4 %LOGIN /usr/local/squid/libexec/squid_kerb_ldap -g usergr...@domain.com -i

Maybe it will be useful for someone else.
[squid-users] Re: Re: Problem with SQUID_KERB_LDAP
Thanks Nick and Markus.
You were right about permissions. I checked them for the helper before but forgot to do this for the keytab file. Now the helper is 0755 and the keytab is 0666 (for the testing period).
One step forward, but now I have another error in cache.log:

... glrUbv5/nTtm0eRDjSLMllQnILqhEV+fsjinx+HOHYQ= =' (decoded length: 1642).
2010/10/26 10:47:13.119| commio_finish_callback: called for FD 10 (0, 0)
2010/10/26 10:47:13| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2010/10/26 10:47:13.144| comm_read_try: FD 10, size 8191, retval 104, errno 0
2010/10/26 10:47:13.144| commio_finish_callback: called for FD 10 (0, 0)
2010/10/26 10:47:13.144| comm.cc(165) will call SomeCommReadHandler(FD 10, data=0x83aaf30, size=104, buf=0x83ab140) [call4]
2010/10/26 10:47:13.145| entering SomeCommReadHandler(FD 10, data=0x83aaf30, size=104, buf=0x83ab140)
2010/10/26 10:47:13.145| AsyncCall.cc(32) make: make call SomeCommReadHandler [call4]
2010/10/26 10:47:13.145| helperStatefulHandleRead: end of reply found
2010/10/26 10:47:13.145| helper.cc(375) helperStatefulReleaseServer: srv-0 flags.reserved = 1
2010/10/26 10:47:13.145| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '

Thanks for your help!!!
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Problem-with-SQUID-KERB-LDAP-tp1468788p3013270.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Re: Re: Problem with SQUID_KERB_LDAP
Also check that squid_kerb_ldap is executable by the squid user

Regards
Markus

"Nick Cairncross" wrote in message news:c8eb5040.193f2%nick.cairncr...@condenast.co.uk...

> . fpGHRVhvZk/kda8Vtvd618615TAA7y7E7ZN3DeUAEVD+fRErTlSbBlY/3uRdUzk6z+y3XhEBX1 9jNqd5CBe72CHRAh5CBC4GPkSyzbjWql5x9kfsBnoEK8Gc5VDXQPAVfAg= =' (decoded length: 1642).
> 2010/10/25 14:43:36| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Permission denied
>
> Linux permissions correct for your helper and/or to your keytab?
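
Added example (not part of any post in this thread and not Squid project code): a shell audit of the two permission problems raised above, a keytab the proxy user cannot read (the gss_acquire_cred() "Permission denied" error) and a helper that is not executable by the squid user. It also flags a keytab left open to every local user, as a 0666 mode does, since the keytab holds the service's long-term key. It assumes GNU stat; the function names are hypothetical and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: permission audit for the keytab and helper used by
# squid_kerb_auth / squid_kerb_ldap. Assumes GNU stat (Linux); parent
# directories and root's permission bypass are not considered.
# Usage (illustrative paths):
#   audit_keytab /etc/squid/squid.keytab squid
#   audit_helper /usr/local/squid/libexec/squid_kerb_ldap squid

# Print the permission digit (0-7) the kernel applies to USER for FILE:
# the owner class if USER owns it, else the group class, else "other".
applicable_bits() {
    file=$1; user=$2
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    if [ "$owner" = "$user" ]; then
        echo $((mode / 100 % 10))
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group"; then
        echo $((mode / 10 % 10))
    else
        echo $((mode % 10))
    fi
}

# The keytab must be readable by the proxy user and closed to "other".
audit_keytab() {
    keytab=$1; user=$2; rc=0
    [ -f "$keytab" ] || { echo "FAIL: $keytab not found"; return 1; }
    bits=$(applicable_bits "$keytab" "$user")
    if [ $((bits & 4)) -eq 0 ]; then
        echo "FAIL: $user cannot read $keytab (expect Permission denied)"
        rc=1
    fi
    other=$(( $(stat -c '%a' "$keytab") % 10 ))
    if [ "$other" -ne 0 ]; then
        echo "FAIL: $keytab open to every local user (other=$other)"
        rc=1
    fi
    return $rc
}

# The helper must be executable by the proxy user.
audit_helper() {
    helper=$1; user=$2
    [ -f "$helper" ] || { echo "FAIL: $helper not found"; return 1; }
    bits=$(applicable_bits "$helper" "$user")
    [ $((bits & 1)) -ne 0 ] || { echo "FAIL: $user cannot execute $helper"; return 1; }
}
```

Each function prints one FAIL line per finding and returns non-zero if there is any, so it can gate a deployment or monitoring check.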