ext_kerberos_ldap_group_acl refuses to work

Steven Swanson
Posts: 1
Joined: 24 May 2018 05:40


Post by Steven Swanson » 24 May 2018 06:05

Good day, I'm asking for help with the following problem. I'm trying to bring up a new Squid with Kerberos authentication and authorization using the ext_kerberos_ldap_group_acl helper. Authentication succeeds, but authorization refuses to work:

/usr/sbin/ext_kerberos_ldap_group_acl -d -a -g Internet-Standard@MYDOM.COM -D MYDOM.COM
kerberos_ldap_group.cc(283): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: INFO: Group list Internet-Standard@MYDOM.COM
support_group.cc(447): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: INFO: Group Internet-Standard Domain MYDOM.COM
support_netbios.cc(83): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=17841 :2018/05/24 08:56:52| kerberos_ldap_group: DEBUG: No ldap servers defined.
aduser
kerberos_ldap_group.cc(376): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: INFO: Got User: aduser set default domain: MYDOM.COM
kerberos_ldap_group.cc(381): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: INFO: Got User: aduser Domain: MYDOM.COM
support_member.cc(63): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: User domain loop: group@domain Internet-Standard@MYDOM.COM
support_member.cc(65): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Found group@domain Internet-Standard@MYDOM.COM
support_ldap.cc(898): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_17841
support_krb5.cc(138): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Keytab entry has realm name: MYDOM.COM
support_krb5.cc(189): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Found principal name: HTTP/squid-5.mydom.com@MYDOM.COM
support_krb5.cc(205): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Got principal name HTTP/squid-5.mydom.com@MYDOM.COM
support_krb5.cc(269): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain MYDOM.COM
support_resolv.cc(379): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.MYDOM.COM record to adc1.mydom.com
support_resolv.cc(379): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.MYDOM.COM record to adc4.mydom.com
support_resolv.cc(379): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.MYDOM.COM record to adc3.mydom.com
support_resolv.cc(379): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.MYDOM.COM record to adc2.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 1 of MYDOM.COM to adc3.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 2 of MYDOM.COM to adc3.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 3 of MYDOM.COM to adc3.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 4 of MYDOM.COM to adc1.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 5 of MYDOM.COM to adc1.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 6 of MYDOM.COM to adc1.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 7 of MYDOM.COM to adc4.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 8 of MYDOM.COM to adc4.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 9 of MYDOM.COM to adc4.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 10 of MYDOM.COM to adc2.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 11 of MYDOM.COM to adc2.mydom.com
support_resolv.cc(207): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Resolved address 12 of MYDOM.COM to adc2.mydom.com
support_resolv.cc(407): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Adding MYDOM.COM to list
support_resolv.cc(443): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain MYDOM.COM:
support_resolv.cc(445): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Host: adc4.mydom.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Host: adc3.mydom.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Host: adc2.mydom.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Host: adc1.mydom.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Host: MYDOM.COM Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Setting up connection to ldap server adc4.mydom.com:389
support_ldap.cc(953): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server adc4.mydom.com:389
support_ldap.cc(333): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=mydom,DC=com and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: INFO: User aduser is not member of group@domain Internet-Standard@MYDOM.COM
support_member.cc(91): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Default domain loop: group@domain Internet-Standard@MYDOM.COM
support_member.cc(119): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Default group loop: group@domain Internet-Standard@MYDOM.COM
ERR
kerberos_ldap_group.cc(416): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: ERR

User aduser is in the Internet-Standard group.
When I check him on the old proxy (which uses a different helper, ext_wbinfo_group_acl) I get:
echo "aduser Internet-Standard"|ext_wbinfo_group_acl -d
Debugging mode ON.
Got krasnaya Internet-Standard from squid
User: -krasnaya-
Group: -Internet-Standard-
SID: -S-1-5-21-2500383271-203816113-1867442486-22647-
GID: -10004-
Sending OK to squid
OK
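To see at a glance which stage of the helper's pipeline a debug run like the one above gets through, here is a small triage script. It is an added example, not part of the post or of Squid; the stage markers are the helper's own debug messages as they appear in the log, and the sample input is an excerpt of the log from the post.

```python
import re
# Excerpt of the helper's "-d" output from the post (constructed sample for this
# example: only the lines the triage keys on, copied verbatim from the thread).
SAMPLE_LOG = """\
support_krb5.cc(269): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(967): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server adc4.mydom.com:389
support_ldap.cc(345): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=17841 :2018/05/24 08:57:01| kerberos_ldap_group: INFO: User aduser is not member of group@domain Internet-Standard@MYDOM.COM
"""

# One helper line: "<file>(<n>): pid=<pid> :<timestamp>| kerberos_ldap_group: <LEVEL>: <message>"
LINE_RE = re.compile(r"^[\w.]+\(\d+\): pid=\d+ :[^|]*\| kerberos_ldap_group: (?P<level>[A-Z]+): (?P<msg>.*)$")

# Messages showing that a stage of the helper's pipeline was executed, in pipeline order.
STAGE_MARKERS = [("kerberos", "Stored credentials"),                                   # keytab -> MEMORY ccache
                 ("ldap_bind", "Successfully initialised connection to ldap server"),  # SASL/GSSAPI bind done
                 ("ad_detection", "Determined ldap server"),                           # schema probe verdict
                 ("group_lookup", "member of group@domain")]                           # final membership answer


def triage(log_text: str) -> dict:
    """Reduce one debug run to: stages executed, AD-probe outcome, ERROR lines, first failed stage."""
    r = {"reached": [], "ad_detected": None, "probe_entries": None,
         "errors": [], "member": None, "first_failed_stage": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # the stdin echo ("aduser") and the bare "ERR"/"OK" reply have no prefix
        msg = m["msg"]
        if m["level"] == "ERROR":
            r["errors"].append(msg)
        for stage, marker in STAGE_MARKERS:
            if marker in msg and stage not in r["reached"]:
                r["reached"].append(stage)
        if msg.startswith("Found ") and msg.endswith(" ldap entries"):
            r["probe_entries"] = int(msg.split()[1])   # hits for (ldapdisplayname=samaccountname)
        if msg.startswith("Determined ldap server"):
            r["ad_detected"] = "not as an Active Directory" not in msg
        if "member of group@domain" in msg:
            r["member"] = " is not member of " not in msg
    # A stage counts as passed only on its success condition; the first miss is where to dig.
    checks = [("kerberos", "kerberos" in r["reached"]),
              ("ldap_bind", "ldap_bind" in r["reached"]),
              ("ad_detection", r["ad_detected"] is True),
              ("group_lookup", r["member"] is True)]
    r["first_failed_stage"] = next((stage for stage, ok in checks if not ok), None)
    return r
```

For the run in the post, `triage(SAMPLE_LOG)["first_failed_stage"]` is `"ad_detection"`: the keytab credentials and the SASL/GSSAPI bind were fine, and the membership answer is a consequence of the schema probe for sAMAccountName returning 0 entries together with the "Operations error".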

Алексей Максимов
Site administrator
Posts: 499
Joined: 14 Sep 2012 06:50
From: Syktyvkar

Re: ext_kerberos_ldap_group_acl refuses to work

Post by Алексей Максимов » 08 Sep 2018 19:07

Hello.
Did you manage to solve your problem?
