Squid3 mit LDAP und Kerberos

Serverdienste ohne eigene Kategorie
checknix
Posts: 1
Joined: 2010-01-24 18:41

Squid3 mit LDAP und Kerberos

Post by checknix »

Servus,

mein erster Post hier und schon ein Problem ;)

Ich habe hier ein installiertes Debian Lenny und einen Windows Server 2008. Nun möchte ich gerne die
Authentifizierung über LDAP/Kerberos auf die Windows Domäne benutzen. Hierfür habe ich das folgende
HowTo benutzt:

http://serverfault.com/questions/66556/ ... 857#105857

Bin alles Schritt für Schritt durchgegangen, habe allerdings derzeit das Problem, dass der Squid-
Daemon nicht starten möchte. Im cache.log File schreibt er, dass dem squid User eine Berechtigung
auf squid_kerb_ldap fehlt, der User squid und die Gruppe squid haben aber alle Rechte.
Jetzt weiß ich nicht, woran's hakt. Hier die Berechtigung auf den eben genannten Ordner:

Code: Select all

squid:/opt/squid-3.0/sbin# la
insgesamt 9,2M
drwxr-xr-x 3 squid squid 1,0K  7. Jan 21:02 .
drwxr-xr-x 8 squid squid 1,0K 20. Jan 21:02 ..
-rwxr-xr-x 1 squid squid 9,2M  3. Nov 23:16 squid
-rwxr-xr-x 1 squid squid  31K  7. Jan 21:02 squid_kerb_auth
drwxrwxrwx 5 squid squid 1,0K  3. Nov 23:56 squid_kerb_ldap
squid:/opt/squid-3.0/sbin#
Hier das Logfile der cache.log:

Code: Select all

2010/01/24 18:09:37| Starting Squid Cache version 3.0.STABLE18 for i686-pc-linux-gnu...
2010/01/24 18:09:37| Process ID 2793
2010/01/24 18:09:37| With 1024 file descriptors available
2010/01/24 18:09:37| DNS Socket created at 0.0.0.0, port 37955, FD 7
2010/01/24 18:09:37| Adding domain homebase.local from /etc/resolv.conf
2010/01/24 18:09:37| Adding domain homebase.local from /etc/resolv.conf
2010/01/24 18:09:37| Adding nameserver 192.168.100.1 from /etc/resolv.conf
2010/01/24 18:09:37| Adding nameserver 192.168.100.254 from /etc/resolv.conf
2010/01/24 18:09:37| helperOpenServers: Starting 10/10 'squid_kerb_auth' processes
2010/01/24 18:09:38| helperOpenServers: Starting 5/5 'squid_kerb_ldap' processes
2010/01/24 18:09:38| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap: (13) Permission denied
2010/01/24 18:09:38| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap: (13) Permission denied
2010/01/24 18:09:38| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap: (13) Permission denied
2010/01/24 18:09:38| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap: (13) Permission denied
2010/01/24 18:09:38| ipcCreate: /opt/squid-3.0/sbin/squid_kerb_ldap: (13) Permission denied
2010/01/24 18:09:38| Unlinkd pipe opened on FD 27
2010/01/24 18:09:38| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2010/01/24 18:09:38| Target number of buckets: 425
2010/01/24 18:09:38| Using 8192 Store buckets
2010/01/24 18:09:38| Max Mem  size: 8192 KB
2010/01/24 18:09:38| Max Swap size: 102400 KB
2010/01/24 18:09:38| Rebuilding storage in /var/cache/squid-3.0 (DIRTY)
2010/01/24 18:09:38| Using Least Load store dir selection
2010/01/24 18:09:38| chdir: /opt/squid-3.0/var/cache: (2) No such file or directory
2010/01/24 18:09:38| Current Directory is /
2010/01/24 18:09:38| Loaded Icons.
2010/01/24 18:09:38| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 28.
2010/01/24 18:09:38| Accepting ICP messages at 0.0.0.0, port 3130, FD 29.
2010/01/24 18:09:38| HTCP Disabled.
2010/01/24 18:09:38| Ready to serve requests.
2010/01/24 18:09:38| WARNING: SQUID_KERB_LDAP #1 (FD 19) exited
2010/01/24 18:09:38| WARNING: SQUID_KERB_LDAP #2 (FD 20) exited
2010/01/24 18:09:38| WARNING: SQUID_KERB_LDAP #3 (FD 21) exited
2010/01/24 18:09:38| WARNING: SQUID_KERB_LDAP #4 (FD 22) exited
2010/01/24 18:09:38| Too few SQUID_KERB_LDAP processes are running
FATAL: The SQUID_KERB_LDAP helpers are crashing too rapidly, need help!

Squid Cache (Version 3.0.STABLE18): Terminated abnormally.
CPU Usage: 0.452 seconds = 0.024 user + 0.428 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    2984 KB
        Ordinary blocks:         2970 KB      3 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:          1508 KB      7 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:      13 KB
        Total in use:            4478 KB 150%
        Total free:                13 KB 0%
Hier noch meine squid.conf:

Code: Select all

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/squid.homebase.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP ttl=3600  negative_ttl=3600  %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS
acl AUTHENTICATED proxy_auth REQUIRED
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
acl localnet src 192.168.100.0/24        # RFC1918 possible internal network

http_access allow LDAP_GROUP_CHECK


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localnet
icp_access deny all

htcp_access allow localnet
htcp_access deny all


http_port 3128

cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log

pid_filename /var/run/squid-3.0.pid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern (cgi-bin|\?)	0	0%	0
refresh_pattern .		0	20%	4320

cache_effective_user squid
cache_effective_group squid
Kommentare hab ich alle mal entfernt, damit's übersichtlicher wird.

Meine Windows 2008 Domäne heißt: homebase.local
Der squid Server heißt: squid

Wenn ich den Deamon starte und mit htop mal schnell schaue, was passiert, versucht er ca.
3 mal, squid zu starten und dann bricht er ab. Hier ein Screenshot während des Versuches:

http://foto.arcor-online.net/palb/alben ... 376538.jpg

Jemand eine Idee dazu?


Gruß
Checknix