Encountering difficulties in resolving Active Directory via its FQDN and facing issues with setting up LDAP for Kerberos authentication. Any advice or step-by-step instructions to troubleshoot and resolve these challenges would be highly appreciated.
During the initial SafeSquid setup we generally face an issue while integrating LDAP for Kerberos authentication, i.e. when using the LDAP Bind Method NEGOTIATE_LDAP_AUTH.
The LDAP server entry has been made, and now when you look for LDAP entries, you'll see that there are no LDAP entries.
We will now look at what the SafeSquid logs have noticed.
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: cache_update:1956 manual/configuration update
2022 07 15 13:12:17.453 [LDAP Cache Manager] network: debug: writing 734 bytes to /usr/local/safesquid/security/krb5.conf file
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: prepare_krb_unlocked:196 dns stub: conserved
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: init_routine_unlocked:264 connection not exists in pool for domain safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
I have attached the complete logs for detailed analysis.
2022 07 15 13:11:18.160 [14] request: debug: http_send_body:1033 40 bytes -> 192.168.2.105
2022 07 15 13:11:18.160 [14] network: debug: process_entry:1532 14.2 transaction speed: 3.0009s
2022 07 15 13:11:19.160 [14] network: ClientPool::Add:145 idle client (192.168.2.105:51996) 192.168.2.130:8080
2022 07 15 13:11:24.176 [ClientPool Terminator] network: debug: client_close:593 idle connections: 1
2022 07 15 13:11:24.176 [14] network: Socket::client disconnecting: client (192.168.2.105:51996) 192.168.2.130:8080 [xacts:2] [read:767.000B] [write:541.000B]
2022 07 15 13:11:24.176 [14] network: debug: ~Socket:617 s_shut client (192.168.2.105:51996) 192.168.2.130:8080 [CLIENT|SSL|S_SSL_SHUT]
2022 07 15 13:11:24.176 [14] network: debug: ~Socket:656 s_shut client (192.168.2.105:51996) 192.168.2.130:8080 [CLIENT|SSL|READ_CLOSED|WRITE_CLOSED|S_SSL_SHUT]
2022 07 15 13:11:30.112 [DNS Cache Cleaner] cache: debug: DNS: removed 2 entries
2022 07 15 13:12:17.446 [15] network: accepted: client (192.168.2.105:51999) 192.168.2.130:8080 [fd:48]
2022 07 15 13:12:17.446 [15] header: debug: [request:1] header_get(client) client (192.168.2.105:51999) 192.168.2.130:8080:
CONNECT safesquid.cfg:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: safesquid.cfg:443
2022 07 15 13:12:17.450 [15] ssl: debug: ClientEncrypt:2744 192.168.2.105:ready
2022 07 15 13:12:17.450 [15] ssl: debug: CTXcacheIN::set_default_ctx: cache:hit size[1] ref[0]
2022 07 15 13:12:17.450 [15] ssl: debug: CertPool::GetKey:5629 size[1] cache:hit domain:.safesquid.cfg ret[1]
2022 07 15 13:12:17.451 [15] ssl: debug: session_ticket_cb_in:391 reused 192.168.2.105:51999
2022 07 15 13:12:17.452 [15] ssl: debug: Socket::EncryptC:1501 client (192.168.2.105:51999) 192.168.2.130:8080 [retry:1] [cache mode:770] [reused:yes] safesquid.cfg (TLS_AES_128_GCM_SHA256)
2022 07 15 13:12:17.452 [15] network: debug: process_entry:1532 15.1 transaction speed: 5.7400ms
2022 07 15 13:12:17.452 [15] network: debug: process_entry:1677 Pipelined Request: 15.1
2022 07 15 13:12:17.452 [15] header: debug: [request:2] header_get(client) client (192.168.2.105:51999) 192.168.2.130:8080:
POST / HTTP/1.1
Host: safesquid.cfg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 25
Origin: https://safesquid.cfg
Connection: keep-alive
Referer: https://safesquid.cfg/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
2022 07 15 13:12:17.453 [15] request: warn: POSTDATA:25 > max_upload_buffer:0
2022 07 15 13:12:17.453 [15] interface: debug: handle_request:2400 [IP:192.168.2.105] []
2022 07 15 13:12:17.453 [15] interface: debug: interface_handle_request:914 connection->header->file:(/) connection->header->host_header(safesquid.cfg)
2022 07 15 13:12:17.453 [15] network: debug: net_filebuf_read:2049 [timeout:60] start [bytes:25] client (192.168.2.105:51999) 192.168.2.130:8080
2022 07 15 13:12:17.453 [15] network: debug: net_filebuf_read: client (192.168.2.105:51999) 192.168.2.130:8080 [25.000B in 0.0080ms] [speed: 3.1250MBps] loops:1 BPR:25
2022 07 15 13:12:17.453 [15] interface: debug: invoke_handler:89 [ldap]
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: cache_update:1956 manual/configuration update
2022 07 15 13:12:17.453 [LDAP Cache Manager] network: debug: writing 734 bytes to /usr/local/safesquid/security/krb5.conf file
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: prepare_krb_unlocked:196 dns stub: conserved
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: init_routine_unlocked:264 connection not exists in pool for domain safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
2022 07 15 13:12:20.453 [15] header: debug: header_send: client (192.168.2.105:51999) 192.168.2.130:8080
HTTP/1.1 200 OK
Date: Fri, 15 Jul 2022 07:42:20 GMT
Content-Type: text/xml
Content-Length: 40
Cache-Control: no-cache
Connection: keep-alive
Keep-Alive: timeout=6
X-Powered-By: safesquid-2022.0319.1457.3-swg-standard
X-SafeSquid-Client-ID: 15.2
X-SafeSquid-User-Groups: Master Users
X-SafeSquid-Instance: R6Vue5amUSZBTLrY
X-Registered-Domain: safesquid.cfg
2022 07 15 13:12:20.453 [15] request: debug: http_send_body:1033 40 bytes -> 192.168.2.105
2022 07 15 13:12:20.453 [15] network: debug: process_entry:1532 15.2 transaction speed: 3.0009s
2022 07 15 13:12:21.453 [15] network: ClientPool::Add:145 idle client (192.168.2.105:51999) 192.168.2.130:8080
2022 07 15 13:12:26.462 [ClientPool Terminator] network: debug: client_close:593 idle connections: 1
2022 07 15 13:12:26.462 [15] network: Socket::client disconnecting: client (192.168.2.105:51999) 192.168.2.130:8080 [xacts:2] [read:767.000B] [write:541.000B]
2022 07 15 13:12:26.462 [15] network: debug: ~Socket:617 s_shut client (192.168.2.105:51999) 192.168.2.130:8080 [CLIENT|SSL|S_SSL_SHUT]
2022 07 15 13:12:26.462 [15] network: debug: ~Socket:656 s_shut client (192.168.2.105:51999) 192.168.2.130:8080 [CLIENT|SSL|READ_CLOSED|WRITE_CLOSED|S_SSL_SHUT]
As per the logs, SafeSquid is unable to contact LDAP using its FQDN; in our case it is ad.safesquid.lab.
If you try to ping your Active Directory using its FQDN, you'll get "Temporary failure in name resolution".
Similarly, if you try nslookup on the Active Directory's FQDN, it fails to resolve the IP address.
But if you try to resolve using the Active Directory's IP address, it succeeds.
(Note: Make sure the default server address is 127.0.0.1.)
In case you have the default nameserver as 127.0.0.53, which can happen when installing SafeSquid using the tarball, update the nameserver by editing the /etc/resolv.conf file:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
#nameserver 127.0.0.53
nameserver 127.0.0.1
search safesquid.lab
To resolve Active Directory using its FQDN, you are required to make a change in the /etc/bind/named.conf.options file.
Below is the default named.conf.options configuration file:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;
        max-cache-ttl 300;
        max-ncache-ttl 300;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Update the dnssec-validation value from auto to no:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;
        max-cache-ttl 300;
        max-ncache-ttl 300;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Save the configuration file and restart bind9.service:
systemctl restart bind9.service
Now ping your Active Directory using its FQDN.
In your LDAP entry section, you’ll now be able to view all your LDAP entries.
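The three things the answer above checks by hand (the SafeSquid log, the active nameserver in /etc/resolv.conf, and the dnssec-validation option in /etc/bind/named.conf.options) can be triaged offline with a small script. The following is an added example and is not SafeSquid's own code or tooling; the log lines, resolv.conf and named.conf.options snippets embedded in it are constructed from the page, and the function names are my own. It tells a DNS-caused bind failure apart from a credential failure, flags the systemd-resolved stub as the only active resolver, and reads (and rewrites) the dnssec-validation value the answer changes.

```python
"""Offline triage for the SafeSquid LDAP/Kerberos DNS failure discussed above.
Added example (not SafeSquid's code); all sample inputs are constructed."""
import re

# Constructed sample: the relevant SafeSquid log lines from the page.
SAMPLE_LOG = """\
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
"""

# Constructed sample: resolv.conf as left by systemd-resolved on a tarball install.
SAMPLE_RESOLV_STUB = """\
# 127.0.0.53 is the systemd-resolved stub resolver.
nameserver 127.0.0.53
search safesquid.lab
"""

# Constructed sample: a trimmed named.conf.options with the default setting.
SAMPLE_NAMED_OPTIONS = """\
options {
        directory "/var/cache/bind";
        // forwarders {
        //      0.0.0.0;
        // };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
};
"""

# Patterns for the two log lines that matter: a failed getaddrinfo retry
# and an LDAP bind failure (field layout taken from the page's log).
DNS_RETRY_RE = re.compile(
    r"net_dns: retry:(?P<retry>\d+) host:\[(?P<host>[^\]]+)\] "
    r"getaddrinfo \[(?P<code>-?\d+):(?P<msg>[^\]]+)\]"
)
BIND_FAIL_RE = re.compile(
    r"s_bind:\d+ authentication failed for user:(?P<user>\S+) "
    r"\[(?P<code>-?\d+):(?P<msg>[^\]]+)\]"
)


def triage_ldap_log(log_text):
    """Count DNS lookup failures per host and collect LDAP bind failures."""
    dns_failures = {}   # host -> number of failed getaddrinfo attempts
    bind_failures = []  # (user, error message)
    for line in log_text.splitlines():
        m = DNS_RETRY_RE.search(line)
        if m:
            dns_failures[m["host"]] = dns_failures.get(m["host"], 0) + 1
            continue
        m = BIND_FAIL_RE.search(line)
        if m:
            bind_failures.append((m["user"], m["msg"]))
    # A bind failure preceded by DNS failures for the LDAP host points at
    # the resolver, not at the bind user's credentials.
    return {
        "dns_failures": dns_failures,
        "bind_failures": bind_failures,
        "dns_root_cause": bool(dns_failures) and bool(bind_failures),
    }


def resolv_conf_nameservers(resolv_text):
    """Return the active (uncommented) nameserver addresses from resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
    return servers


def uses_systemd_stub(resolv_text):
    """True when the systemd-resolved stub 127.0.0.53 is the only active resolver."""
    return resolv_conf_nameservers(resolv_text) == ["127.0.0.53"]


def dnssec_validation_setting(named_text):
    """Return the dnssec-validation value, ignoring // and # comments (BIND syntax)."""
    for raw in named_text.splitlines():
        line = re.split(r"//|#", raw, maxsplit=1)[0].strip()
        m = re.match(r"dnssec-validation\s+(\S+)\s*;", line)
        if m:
            return m.group(1)
    return None


def set_dnssec_validation(named_text, value):
    """Return named.conf.options text with the dnssec-validation value replaced."""
    return re.sub(r"^(\s*dnssec-validation\s+)\S+(\s*;)",
                  rf"\g<1>{value}\g<2>", named_text, flags=re.MULTILINE)


if __name__ == "__main__":
    print(triage_ldap_log(SAMPLE_LOG))
    print("stub resolver only:", uses_systemd_stub(SAMPLE_RESOLV_STUB))
    print("dnssec-validation:", dnssec_validation_setting(SAMPLE_NAMED_OPTIONS))
```

Run it against a real installation by reading /usr/local/safesquid/logs, /etc/resolv.conf and /etc/bind/named.conf.options into the three functions instead of the constructed samples; `dns_root_cause` being true is the signal to go through the resolver steps above before touching the LDAP bind credentials.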