[squid-users] Re: squid_kerb_group (again)

2013-12-30 Thread Markus Moeller

Hi Eugene,

  Most of the debug comes from my functions. Can you set the ldap debug in 
support_ldap.cc to -1?


e.g.

#ifndef HAVE_SUN_LDAP_SDK
    /*
     * Initialise ldap
     */
    ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
    ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;   /* last assignment wins: full trace */
    /*ldap_debug = 0;*/
    /* ldap_set_option() takes a pointer to the value */
    (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
#endif

This will give you a full ldap debug trace and may provide more information. 
But as I said it is a complicated combination of Kerberos, SASL and 
OpenLDAP.


Regards
Markus

Happy New Year

Eugene M. Zheganin  wrote in message 
news:52c0f9e8.7050...@norma.perm.ru...


Hi.

On 29.12.2013 18:59, Markus Moeller wrote:

I setup a virtual machine with freebsd 10-RC3

$ uname -a
FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23
23:27:58 UTC 2013
r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

the attached packages and compiled squid trunk.

Although squid does not fully compile (SQUID_BSDNET_INCLUDES needs to
change include order) and fails in the base code with

[...]
   ^

the helpers compile fine and when I run ext_kerberos_ldap_group_acl
it works with the MEMORY cache.


Yeah, I agree - I myself have a bunch of squids on FreeBSD
10.0-WHATEVER, and most of them work fine, except this one.

I think openldap libraries lack the error handling output, basically
they do two kinds of messages: "I did this" and "Oops, something has gone
wrong". I spent several hours googling my problem and came to the
conclusion above. I will ask on their mailing list.

Thanks.
Eugene. 





[squid-users] Re: squid_kerb_group (again)

2013-12-29 Thread Markus Moeller

Hi Eugene,

I setup a virtual machine with freebsd 10-RC3

$ uname -a
FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23 23:27:58 
UTC 2013 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64


the attached packages and compiled squid trunk.

Although squid does not fully compile (SQUID_BSDNET_INCLUDES needs to 
change include order) and fails in the base code with


In file included from AsyncCall.cc:2:
In file included from ./AsyncCall.h:6:
In file included from ./RefCount.h:40:
In file included from /usr/include/c++/v1/iostream:38:
In file included from /usr/include/c++/v1/ios:216:
In file included from /usr/include/c++/v1/__locale:15:
In file included from /usr/include/c++/v1/string:432:
/usr/include/c++/v1/cstdio:139:9: error: no member named 'ERROR_sprintf_UNSAFE_IN_SQUID' in the global namespace
using ::sprintf;
      ~~^
../../compat/unsafe.h:10:17: note: expanded from macro 'sprintf'
#define sprintf ERROR_sprintf_UNSAFE_IN_SQUID
                ^

the helpers compile fine and when I run ext_kerberos_ldap_group_acl  it 
works with the MEMORY cache.


$ ./ext_kerberos_ldap_group_acl -d -g SQUID_ALLOW 
kerberos_ldap_group.cc(275): pid=60129 :2013/12/29 12:49:36| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(374): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
INFO: Group list SQUID_ALLOW
support_group.cc(439): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
INFO: Group SQUID_ALLOW  Domain NULL
support_netbios.cc(75): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
DEBUG: Netbios list NULL
support_netbios.cc(79): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
DEBUG: No netbios names defined.
support_lserver.cc(74): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
DEBUG: ldap server list NULL
support_lserver.cc(78): pid=60129 :2013/12/29 12:49:36| kerberos_ldap_group: 
DEBUG: No ldap servers defined.

m...@win2003r2.home
kerberos_ldap_group.cc(372): pid=60129 :2013/12/29 12:49:41| 
kerberos_ldap_group: INFO: Got User: mm Domain: WIN2003R2.HOME
support_member.cc(55): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: User domain loop: group@domain SQUID_ALLOW@NULL
support_member.cc(83): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Default domain loop: group@domain SQUID_ALLOW@NULL
support_member.cc(111): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Default group loop: group@domain SQUID_ALLOW@NULL
support_member.cc(113): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Found group@domain SQUID_ALLOW@NULL
support_ldap.cc(801): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Get default keytab file name
support_krb5.cc(96): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Got default keytab file name ./squid.keytab
support_krb5.cc(110): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Get principal name from keytab ./squid.keytab
support_krb5.cc(119): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Keytab entry has realm name: WIN2003R2.HOME
support_krb5.cc(133): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Found principal name: HTTP/opensuse12.suse.h...@win2003r2.home
support_krb5.cc(174): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Set credential cache to MEMORY:squid_ldap_60129
support_krb5.cc(270): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Got principal name HTTP/opensuse12.suse.h...@win2003r2.home
support_krb5.cc(313): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Stored credentials
support_ldap.cc(830): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Canonicalise ldap server name for domain WIN2003R2.HOME
support_resolv.cc(373): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Resolved SRV _ldap._tcp.WIN2003R2.HOME record to 
w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Resolved address 1 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Resolved address 2 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(201): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Resolved address 3 of WIN2003R2.HOME to w2k3r2.win2003r2.home
support_resolv.cc(401): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Adding WIN2003R2.HOME to list
support_resolv.cc(437): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Sorted ldap server names for domain WIN2003R2.HOME:
support_resolv.cc(439): pid=60129 :2013/12/29 12:49:41| kerberos_ldap_group: 
DEBUG: Host: w2k3r2.win2003r2.home Port: 389 Priority: 0 Weight: 0
support_resolv.cc(439): pid=60129 

Re: [squid-users] Re: squid_kerb_group (again)

2013-12-29 Thread Eugene M. Zheganin
Hi.

On 29.12.2013 18:59, Markus Moeller wrote:
 I setup a virtual machine with freebsd 10-RC3

 $ uname -a
 FreeBSD freebsd 10.0-RC3 FreeBSD 10.0-RC3 #0 r259778: Mon Dec 23
 23:27:58 UTC 2013
 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

 the attached packages and compiled squid trunk.

 Although squid does not fully compile (SQUID_BSDNET_INCLUDES needs to
 change include order) and fails in the base code with

 [...]
^

 the helpers compile fine and when I run ext_kerberos_ldap_group_acl 
 it works with the MEMORY cache.

Yeah, I agree - I myself have a bunch of squids on FreeBSD
10.0-WHATEVER, and most of them work fine, except this one.

I think openldap libraries lack the error handling output, basically
they do two kinds of messages: "I did this" and "Oops, something has gone
wrong". I spent several hours googling my problem and came to the
conclusion above. I will ask on their mailing list.

Thanks.
Eugene.


Re: [squid-users] Re: squid_kerb_group (again)

2013-12-26 Thread Eugene M. Zheganin
Hi.

On 24.12.2013 20:39, Markus Moeller wrote:


  Could you tell me which OS, kerberos, ldap and sasl version you use?


It's

FreeBSD 10.0-BETA2 amd64
Heimdal Kerberos 1.5.2
cyrus-sasl 2.1.26
openldap-sasl-client-2.4.38

last two are from FreeBSD ports, -sasl- means it's compiled with
--with-cyrus-sasl.

Thanks.
Eugene.


[squid-users] Re: squid_kerb_group (again)

2013-12-24 Thread Markus Moeller

Hi Eugene,

I am not sure of the cause, but it must be somewhere deep in the ldap 
or kerberos library.   I have seen this behaviour before on Solaris only.


Markus

Eugene M. Zheganin  wrote in message 
news:52b91c8a.4080...@norma.perm.ru...


Hi.

On 23.12.2013 22:39, Markus Moeller wrote:

Hi Eugene,

 I can only guess that the memory cache is not working.  Can you
change in include/autoconf.h

/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1

to

#undef HAVE_KRB5_MEMORY_CACHE

and recompile ?


Wow, it started to work, thanks.
Will I have some performance penalties from this?

What could I do to investigate this issue and probably fix it?

Thanks.
Eugene. 





[squid-users] Re: squid_kerb_group (again)

2013-12-24 Thread Markus Moeller

Hi Eugene,

 Could you tell me which OS, kerberos, ldap and sasl version you use?

Markus

Eugene M. Zheganin  wrote in message 
news:52b91c8a.4080...@norma.perm.ru...


Hi.

On 23.12.2013 22:39, Markus Moeller wrote:

Hi Eugene,

 I can only guess that the memory cache is not working.  Can you
change in include/autoconf.h

/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1

to

#undef HAVE_KRB5_MEMORY_CACHE

and recompile ?


Wow, it started to work, thanks.
Will I have some performance penalties from this?

What could I do to investigate this issue and probably fix it?

Thanks.
Eugene. 





[squid-users] Re: squid_kerb_group (again)

2013-12-23 Thread Markus Moeller

Hi Eugene,

 I can only guess that the memory cache is not working.  Can you change in 
include/autoconf.h


/* Define if kerberos has MEMORY: cache support */
#define HAVE_KRB5_MEMORY_CACHE 1

to

#undef HAVE_KRB5_MEMORY_CACHE

and recompile ?

Markus

Eugene M. Zheganin  wrote in message 
news:52b83e6c.8040...@norma.perm.ru...


Hi.

squid 3.3.11
FreeBSD 10.x

I'm fighting squid_kerb_group; sometimes it can get tricky. Here's
where I'm stuck:

I'm launching this:

===Cut===
KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
export KRB5_KTNAME

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
   -a \
   -m 16 \
   -i \
   -ddd \
   -D NORMA.COM \
   -b cn=Users,dc=norma,dc=com \
   -S hq-gc.norma@norma.com \
   -u proxy2 \
   -p XXX \
   -N soft...@norma.com \
   -g "Internet Users - Proxy2@"   # group name contains spaces, so it must be quoted
===Cut===

and getting this:

===Cut===
./squid_kerb_group.sh
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Starting version 1.3.0sq
support_group.cc(372): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group list Internet Users - Proxy2@
support_group.cc(437): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: INFO: Group Internet Users - Proxy2  Domain
support_netbios.cc(74): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios list soft...@norma.com
support_netbios.cc(147): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: Netbios name SOFTLAB  Domain NORMA.COM
support_lserver.cc(73): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server list hq-gc.norma@norma.com
support_lserver.cc(137): pid=90134 :2013/12/24 01:32:25|
kerberos_ldap_group: DEBUG: ldap server hq-gc.norma.com Domain NORMA.COM
emz
kerberos_ldap_group.cc(430): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz set default domain: NORMA.COM
kerberos_ldap_group.cc(435): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: INFO: Got User: emz Domain: NORMA.COM
support_member.cc(55): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: User domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(83): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain Internet
Users - Proxy2@
support_member.cc(85): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found group@domain Internet Users - Proxy2@
support_ldap.cc(810): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(91): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(97): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(111): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: NORMA.COM
support_krb5.cc(133): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy2.norma@norma.com
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(267): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy2.norma@norma.com
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(839): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(845): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
NORMA.COM
support_resolv.cc(245): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Ldap server loop: lserver@domain
hq-gc.norma@norma.com
support_resolv.cc(247): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Found lserver@domain hq-gc.norma@norma.com
support_resolv.cc(441): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Sorted ldap server names for domain NORMA.COM:
support_resolv.cc(443): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Host: hq-gc.norma.com Port: -1 Priority: -2
Weight: -2
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Setting up connection to ldap server
hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: ERROR: Error while binding to ldap server with
SASL/GSSAPI: Local error
support_ldap.cc(891): pid=90134 :2013/12/24 01:32:26|
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: No 
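
An added example, not part of the thread or of Squid's own code: a small Python script that parses the helper's -d trace format shown above (one record per line, as the helper prints it; the sample below is a constructed, unwrapped condensation of this thread's failing run) and reports the credential cache type, the last step before the first ERROR, and the check the thread arrived at.

```python
import re

# One record per line, as ext_kerberos_ldap_group_acl -d prints it:
#   <file>.cc(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <message>
RECORD_RE = re.compile(
    r"^(?P<src>[\w.]+\.cc)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>\S+ \S+)\| "
    r"kerberos_ldap_group: (?P<level>INFO|DEBUG|WARNING|ERROR): (?P<msg>.*)$"
)

# Constructed sample: a condensed, unwrapped copy of the failing run posted in the thread.
SAMPLE_TRACE = """\
kerberos_ldap_group.cc(338): pid=90134 :2013/12/24 01:32:25| kerberos_ldap_group: INFO: Starting version 1.3.0sq
emz
support_krb5.cc(174): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_90134
support_krb5.cc(311): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(854): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Setting up connection to ldap server hq-gc.norma.com:389
support_ldap.cc(865): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(274): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(869): pid=90134 :2013/12/24 01:32:26| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
"""

def parse_trace(text):
    """Parsed records; lines that are not records (e.g. the user name echoed from stdin) are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def first_msg_after(recs, prefix):
    """Remainder of the first message starting with prefix, or None."""
    return next((r["msg"][len(prefix):] for r in recs if r["msg"].startswith(prefix)), None)

def diagnose(text):
    """How far the helper got, what failed first, and the check this thread arrived at."""
    recs = parse_trace(text)
    ccache = first_msg_after(recs, "Set credential cache to ")
    err = next((i for i, r in enumerate(recs) if r["level"] == "ERROR"), None)
    result = {
        "records": len(recs),
        "ccache": ccache,
        "cache_type": ccache.split(":", 1)[0] if ccache else None,
        "ldap_server": first_msg_after(recs, "Setting up connection to ldap server "),
        "last_step": recs[err - 1]["msg"] if err else None,  # err == 0: nothing before the error
        "first_error": None if err is None else "%s(%s): %s" % (recs[err]["src"], recs[err]["srcline"], recs[err]["msg"]),
        "hint": None,
    }
    # The thread's failure mode: creds stored in a MEMORY: cache, then the SASL/GSSAPI bind fails.
    if result["cache_type"] == "MEMORY" and "SASL/GSSAPI" in (result["last_step"] or ""):
        result["hint"] = ("rebuild with HAVE_KRB5_MEMORY_CACHE undefined (include/autoconf.h) "
                          "so the helper does not use a MEMORY: cache, as worked in this thread")
    return result
```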

Re: [squid-users] Re: squid_kerb_group (again)

2013-12-23 Thread Eugene M. Zheganin
Hi.

On 23.12.2013 22:39, Markus Moeller wrote:
 Hi Eugene,

  I can only guess that the memory cache is not working.  Can you
 change in include/autoconf.h

 /* Define if kerberos has MEMORY: cache support */
 #define HAVE_KRB5_MEMORY_CACHE 1

 to

 #undef HAVE_KRB5_MEMORY_CACHE

 and recompile ?

Wow, it started to work, thanks.
Will I have some performance penalties from this?

What could I do to investigate this issue and probably fix it?

Thanks.
Eugene.