I am asking those who know to help me understand the strange behaviour of the ext_kerberos_ldap_group_acl helper.
We have Squid + Kerberos installed and configured; while testing with two or three users everything was OK, but on putting it into production the following oddity shows up: AD group membership is not determined for every domain user.
Testing the helper itself (taking two users from the same OU, both members of the group "product_all"):
# /usr/lib/squid/ext_kerberos_ldap_group_acl -i -a -g product_all -D XXX.LOCAL -S DC01.XXX.LOCAL
roma
kerberos_ldap_group.cc(373): pid=4613 :2018/04/18 09:21:43| kerberos_ldap_group: INFO: Got User: roma set default domain: XXX.LOCAL
kerberos_ldap_group.cc(378): pid=4613 :2018/04/18 09:21:43| kerberos_ldap_group: INFO: Got User: roma Domain: XXX.LOCAL
support_member.cc(127): pid=4613 :2018/04/18 09:21:43| kerberos_ldap_group: INFO: User roma is member of group@domain product_all@NULL
OK
zaika
kerberos_ldap_group.cc(373): pid=4613 :2018/04/18 09:22:25| kerberos_ldap_group: INFO: Got User: zaika set default domain: XXX.LOCAL
kerberos_ldap_group.cc(378): pid=4613 :2018/04/18 09:22:25| kerberos_ldap_group: INFO: Got User: zaika Domain: XXX.LOCAL
support_member.cc(134): pid=4613 :2018/04/18 09:22:26| kerberos_ldap_group: INFO: User zaika is not member of group@domain product_all@NULL
ERR
# /usr/lib/squid/ext_kerberos_ldap_group_acl -d -a -g product_all -D XXX.LOCAL -S DC01.XXX.LOCAL
kerberos_ldap_group.cc(278): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: INFO: Group list product_all
support_group.cc(447): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: INFO: Group product_all Domain NULL
support_netbios.cc(83): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: DEBUG: ldap server list DC01.XXX.LOCAL
support_lserver.cc(146): pid=4629 :2018/04/18 09:54:07| kerberos_ldap_group: DEBUG: ldap server DC01.XXX.LOCAL Domain NULL
roma
...
support_ldap.cc(1080): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=XXX,dc=LOCAL and filter : (samaccountname=roma)
support_ldap.cc(1093): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(602): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(645): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: 19 ldap entries found with attribute : memberof
...
support_ldap.cc(1120): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Entry 7 "product_all" in hex UTF-8 is 70726f647563745f616c6c
support_ldap.cc(1128): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Entry 7 "product_all" matches group name "product_all"
...
support_member.cc(125): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: INFO: User roma is member of group@domain product_all@NULL
OK
kerberos_ldap_group.cc(408): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: OK
# /usr/lib/squid/ext_kerberos_ldap_group_acl -d -a -g product_all -D XXX.LOCAL -S DC01.XXX.LOCAL
kerberos_ldap_group.cc(278): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: INFO: Group list product_all
support_group.cc(447): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: INFO: Group product_all Domain NULL
support_netbios.cc(83): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: DEBUG: ldap server list DC01.XXX.LOCAL
support_lserver.cc(146): pid=4633 :2018/04/18 09:59:30| kerberos_ldap_group: DEBUG: ldap server DC01.XXX.LOCAL Domain NULL
zaika
...
support_ldap.cc(1080): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=XXX,dc=LOCAL and filter : (samaccountname=zaika)
support_ldap.cc(1093): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(602): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(645): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: 0 ldap entries found with attribute : memberof
...
support_member.cc(132): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: INFO: User zaika is not member of group@domain product_all@NULL
ERR
kerberos_ldap_group.cc(411): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: ERR
I.e.:
for user roma - 19 ldap entries found with attribute : memberof,
for user zaika - 0 ldap entries found with attribute : memberof.
The accounts do not differ in any of their parameters.
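When the same ERR has to be chased across a whole domain rather than two users, it helps to run the helper with -d over a user list and let a script group the output per user, so that the cases where the samaccountname search found the entry but memberof came back empty are separated from genuine "not in group" results. The script below is an added example written for this post; it is not part of Squid or of the helper. It assumes only the log line formats visible above (the "filter : (samaccountname=...)", "Found N ldap entry", "N ldap entries found with attribute : memberof" and "User X is [not] member of group@domain" lines), and the embedded sample log is a constructed, abridged copy of the two runs shown.

```python
import re

# Constructed sample input: abridged lines from the helper's "-d" output for two users
SAMPLE_LOG = """\
support_ldap.cc(1080): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=XXX,dc=LOCAL and filter : (samaccountname=roma)
support_ldap.cc(1093): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(645): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: 19 ldap entries found with attribute : memberof
support_ldap.cc(1128): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: DEBUG: Entry 7 "product_all" matches group name "product_all"
support_member.cc(125): pid=4629 :2018/04/18 09:54:11| kerberos_ldap_group: INFO: User roma is member of group@domain product_all@NULL
support_ldap.cc(1080): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=XXX,dc=LOCAL and filter : (samaccountname=zaika)
support_ldap.cc(1093): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(645): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: DEBUG: 0 ldap entries found with attribute : memberof
support_member.cc(132): pid=4633 :2018/04/18 09:59:34| kerberos_ldap_group: INFO: User zaika is not member of group@domain product_all@NULL
"""

# Patterns derived from the line formats in the post (case-insensitive where the helper mixes case)
FILTER_RE = re.compile(r"filter : \(samaccountname=([^)]+)\)", re.IGNORECASE)
FOUND_RE = re.compile(r"Found (\d+) ldap entr", re.IGNORECASE)
MEMBEROF_RE = re.compile(r"(\d+) ldap entries found with attribute : memberof", re.IGNORECASE)
VERDICT_RE = re.compile(r"User (\S+) is (not )?member of group@domain (\S+)")


def parse_helper_log(text):
    """Group the helper's debug lines per looked-up user; the samaccountname filter starts a user."""
    users = {}
    current = None
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            current = m.group(1)
            users[current] = {"entries": None, "memberof": None, "verdict": None, "group": None}
            continue
        if current is None:
            continue  # lines before the first search (startup, group list) carry no per-user data
        rec = users[current]
        m = FOUND_RE.search(line)
        if m:
            rec["entries"] = int(m.group(1))
            continue
        m = MEMBEROF_RE.search(line)
        if m:
            rec["memberof"] = int(m.group(1))
            continue
        m = VERDICT_RE.search(line)
        if m:
            rec["verdict"] = "ERR" if m.group(2) else "OK"
            rec["group"] = m.group(3)
    return users


def classify(rec):
    """Explain a verdict from the counters: which stage of the lookup produced the ERR."""
    if rec["verdict"] == "OK":
        return "ok"
    if rec["entries"] == 0:
        return "user_not_found"        # the samaccountname search matched nothing
    if rec["memberof"] == 0:
        return "no_memberof_returned"  # entry found, but memberOf came back empty (the case in the post)
    return "not_in_group"              # memberOf present, but no value matched the group name


def summarize(text):
    """Return (user, memberof_count, reason) tuples, one per user found in the log."""
    users = parse_helper_log(text)
    return [(u, rec["memberof"], classify(rec)) for u, rec in users.items()]


if __name__ == "__main__":
    for user, count, reason in summarize(SAMPLE_LOG):
        print(f"{user:<12} memberof={count!s:<4} {reason}")
```

Feed it the captured stderr of a loop that pipes each login from a user list into the helper with -d; accounts that land in "no_memberof_returned" are the ones to compare against a working account (the attribute is the same, so the difference is in what the directory returns to this bind, not in the helper's matching).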