Hello Dia,

Thank you for the reply. So, can this be a "MIT" Kerberos or HEIMDAL thing? I'm using Samba4 for ADDC and that uses Heimdal. Even then, the logs say: "Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database".

I'm using NFSv4 over Kerberos, ssh over Kerberos, and squid user auth already and that is working fine (on the same server). I don't have/use kadmin, since samba is my KDC.

The only thing I can think of besides MIT or HEIMDAL is that I use a dedicated user, which is having the SPN for my proxy server.

A snip from my krb5.conf:

    [libdefaults]
        default_realm = YOUR.REALM.TLD
        dns_lookup_kdc = true
        dns_lookup_realm = false

Best regards,

Louis

From: Diogenes S. Jesus [mailto:spl...@gmail.com]
Sent: Wednesday 24 August 2016 13:29
To: L.P.H. van Belle
CC: squid-us...@squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem

Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database". Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database. kadmin.local and "getprinc HTTP/hostname.internet.domain....@your.realm.tld" should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle <be...@bazuin.nl> wrote:

Hai,

I'm having trouble to get the ext_kerberos_ldap_group_acl working.
I've read: http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

Here is what I have checked / done already.

My keytab file:

    klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
    Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (des-cbc-crc)
       1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (des-cbc-md5)
       1 06/08/2015 15:28:03 HTTP/hostname.internet.domain....@your.realm.tld (arcfour-hmac)

The auth I'm using (which is working fine):

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain....@your.realm.tld \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

For testing I'm starting the group acl on the command line:

    /usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d
    kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
    support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
    support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
    support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
    support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
    support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

When I test with the user and group now:

    testuser internet-mail
    kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
    kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
    support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
    support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
    support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
    support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
    support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
    support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
    support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
    support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
    support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
    support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
    support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(282): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain YOUR.REALM.TLD.
    support_krb5.cc(283): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
    support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(297): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/hostname.internet.domain....@your.realm.tld
    support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initializing credentials from keytab : Client 'HTTP/hostname.internet.domain....@your.realm.tld' not found in Kerberos database
    support_krb5.cc(366): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got no principal name
    support_ldap.cc(903): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
    support_member.cc(76): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-m...@your.realm.tld
    support_member.cc(91): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default domain loop: group@domain internet-m...@your.realm.tld
    support_member.cc(119): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Default group loop: group@domain internet-m...@your.realm.tld
    ERR
    kerberos_ldap_group.cc(411): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: ERR

I don't see what I'm missing here.

I'm running Debian Jessie, ldap is set up for SSL, samba 4.4.5 and squid 3.5.19. I did see something about Kerberos and groups but I can find that post.

So, anyone any suggestion/tip how to debug this, or why I'm getting "Error while initializing credentials from keytab"?

Greetz,

Louis

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

--
--------
Diogenes S. de Jesus
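As an added example (not from the thread or from Squid), a small Python check that does what Dio suggests without needing kadmin: it parses `klist -ekt` output, flags DES and RC4 keys, and asks the KDC for initial credentials with `kinit -k -t`, the same kind of request the helper logs as "initialising credentials from keytab". The keytab path is the one from the thread; the principal and realm in the embedded sample are constructed.

```python
"""Check a Squid HTTP keytab the way ext_kerberos_ldap_group_acl uses it."""
import os
import re
import subprocess
import tempfile
from collections import defaultdict

# Deprecated enctypes; current KDCs and libkrb5 builds commonly refuse them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One `klist -ekt` entry: KVNO, timestamp (date + time), principal, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_ekt(text):
    """Map each principal in `klist -ekt` output to its list of (kvno, enctype)."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _ts, principal, enctype = m.groups()
            keys[principal].append((int(kvno), enctype))
    return dict(keys)


def weak_keys(keys):
    """Return sorted (principal, enctype) pairs that use a deprecated enctype."""
    return sorted({(p, e) for p, ks in keys.items() for _, e in ks if e in WEAK_ENCTYPES})


def kinit_from_keytab(keytab, principal):
    """Request a TGT with the keytab key into a throwaway cache; (ok, message).
    Works with both MIT and Heimdal kinit (-k -t is accepted by both)."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = "FILE:" + os.path.join(tmp, "cc")
        proc = subprocess.run(["kinit", "-c", cache, "-k", "-t", keytab, principal],
                              capture_output=True, text=True)
        return proc.returncode == 0, (proc.stderr or proc.stdout).strip()


# Constructed sample mirroring the thread's klist output (not a real keytab).
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/proxy.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

if __name__ == "__main__":
    keytab = "/etc/squid/keytab.PROXYSERVER-HTTP"
    out = subprocess.run(["klist", "-ekt", keytab], capture_output=True, text=True).stdout
    keys = parse_klist_ekt(out or SAMPLE_KLIST)
    for p, e in weak_keys(keys):
        print(f"WARNING: {p} has deprecated key type {e}")
    for principal in keys:
        ok, msg = kinit_from_keytab(keytab, principal)
        print(("OK   " if ok else "FAIL ") + principal + ("" if ok else ": " + msg))
```

A "FAIL" with the KDC's own "not found in Kerberos database" text reproduces the helper's error outside Squid, which separates a keytab/KDC mismatch from a helper configuration problem.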