Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain....@your.realm.tld'
not found in Kerberos database".

Check your krb5.conf on the squid host to see if you're pointing to the right KDC,
and make sure the principal exists in the Kerberos database.
kadmin.local and "getprinc HTTP/hostname.internet.domain....@your.realm.tld"
should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> Hai,
>
>
>
> I'm having trouble getting ext_kerberos_ldap_group_acl working.
>
> I've read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html
>
>
>
> Here is what I have checked / done already.
>
>
>
> My keytab file:
>
> klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
>
> Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (des-cbc-crc)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (des-cbc-md5)
>    1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (arcfour-hmac)
>
>
>
>
>
> The auth I'm using (which is working fine):
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain....@your.realm.tld \
> --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
>
>
> For testing I'm starting the group acl on the command line:
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d
>
>
>
> kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
> support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
> support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
> support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
> support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
> support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
> support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.
>
>
>
> When I test with the user group now:
>
> testuser internet-mail
>
>
>
> kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
> kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
> support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
> support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
> support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
> support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
> support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
> support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
> support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
> support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain.t...@your.realm.tld
> support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
> support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
> support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
> support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-m...@your.realm.tld
> support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-m...@your.realm.tld
> support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-m...@your.realm.tld
>
> ERR
>
> kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR
>
>
>
>
>
> I don't see what I'm missing here.
>
> I'm running Debian Jessie, LDAP is set up for SSL, Samba 4.4.5 and Squid 3.5.19.
>
> I did see something about Kerberos and groups but I can't find that post.
>
> So, anyone any suggestion/tip how to debug this, or why I'm getting "Error while initializing credentials from keytab"?
>
>
>
> Greetz,
>
> Louis
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>


-- 

--------

Diogenes S. de Jesus
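As an added example (not code from either poster, from Squid or from MIT Kerberos), here is a small checker for the two things Dio's reply asks Louis to verify on the squid host: that the principal Squid is told to use with `negotiate_kerberos_auth -s` is really what sits in the keytab, and what the keytab entries look like. It parses the text that `klist -ekt <keytab>` prints and the `auth_param negotiate` line from squid.conf; both are embedded as constructed samples shaped like the ones quoted above, with a made-up host and realm. It also flags a keytab that holds only DES and RC4 keys, which is what Louis's listing shows; that is not what produces "not found in Kerberos database", but it is the next thing that breaks once the KDC side is fixed, because current KDCs and krb5 clients refuse those enctypes by default. What the script cannot see is whether the KDC actually has the principal: `kinit -kt /path/to/keytab HTTP/host@REALM` on the squid host reproduces the helper's error without Squid in the loop, and on the KDC itself Dio's `kadmin.local` query (MIT) or, on a Samba AD DC, `samba-tool spn list <account>` shows whether the service principal exists.

```python
"""Keytab-versus-config sanity check for a Squid Negotiate/Kerberos setup.

Added example, not code from the thread, from Squid or from MIT Kerberos.
It parses the text printed by `klist -ekt <keytab>` and the `auth_param
negotiate` line from squid.conf (embedded below as constructed samples;
host, realm and paths are made up) and reports mismatches that leave a
Kerberos helper unable to initialise credentials from its keytab.
"""
import re

# Constructed sample of `klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

# Constructed sample of the squid.conf auth_param line (backslash-continued).
SAMPLE_CONF = """\
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.test@EXAMPLE.TEST \\
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
"""

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (RC4, triple DES).
# Recent MIT krb5 clients refuse DES unless allow_weak_crypto is switched on.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}

# One keytab entry as klist -ekt prints it: "<kvno> <date> <time> <principal> (<enctype>)"
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text):
    """Return the keytab entries found in `klist -ekt` output as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m["kvno"]),
                "principal": m["principal"],
                "enctype": m["enctype"],
            })
    return entries


def squid_principal(conf_text):
    """Return the principal given to negotiate_kerberos_auth -s, or None."""
    joined = re.sub(r"\\\n\s*", " ", conf_text)  # undo backslash line continuations
    m = re.search(r"negotiate_kerberos_auth\b.*?\s-s\s+(\S+)", joined)
    return m.group(1) if m else None


def check_keytab(klist_text, expected):
    """Compare the keytab contents with the principal Squid expects to use."""
    entries = parse_klist(klist_text)
    names = {e["principal"] for e in entries}
    enctypes = sorted({e["enctype"] for e in entries if e["principal"] == expected})
    present = expected in names
    # Kerberos principals are case-sensitive; a host or realm typed in the
    # wrong case is a common reason the KDC reports a client it cannot find.
    case_mismatch = not present and any(n.lower() == expected.lower() for n in names)
    weak = [t for t in enctypes if t in WEAK_ENCTYPES]
    weak_only = bool(enctypes) and len(weak) == len(enctypes)
    problems = []
    if not present:
        problems.append(f"{expected} is not in the keytab (entries: {sorted(names)})")
    if case_mismatch:
        problems.append("a keytab principal differs from the expected one only in case")
    if weak_only:
        problems.append("keytab holds only weak enctypes: " + ", ".join(weak))
    return {
        "present": present,
        "case_mismatch": case_mismatch,
        "enctypes": enctypes,
        "weak_only": weak_only,
        "problems": problems,
    }


if __name__ == "__main__":
    wanted = squid_principal(SAMPLE_CONF)
    report = check_keytab(SAMPLE_KLIST, wanted)
    print("expected principal:", wanted)
    for p in report["problems"] or ["no problems found in the keytab itself"]:
        print(" -", p)
```

To run it against a real host, replace the two samples with the output of `klist -ekt` on the keytab Squid reads and the contents of squid.conf. A clean report only proves that the keytab and the config agree with each other; the "not found in Kerberos database" error in the thread is the KDC's answer and still has to be checked on the KDC.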