What Amos is saying, and:

Try.

Remove this line from krb5.conf:

            default_keytab_name = /etc/squid3/PROXY.keytab

and add/create:

/etc/default/squid

            KRB5_KTNAME=/etc/squid3/PROXY.keytab
            export KRB5_KTNAME

            chown root:proxy /etc/squid3/PROXY.keytab
            chmod 440 /etc/squid3/PROXY.keytab

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Alessandro Sironi
Sent: Monday 1 February 2016 11:40
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ext_ldap_group_acl not working

Hello everyone

I'm a newbie regarding SQUID and in general on Linux.

I have an Active Directory environment (Windows Server 2012 R2) and a Linux
Debian 8 Jessie configured in the same network.

My goal is to install SQUID on Debian, integrate with Active Directory using
Kerberos and authorise users to use SQUID based on Active Directory security
group membership lookup.

Long story short, I followed the instructions here

http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid

My test environment:

Active Directory domain: KIDANEMEHRET.LOCAL

test user: KIDANEMEHRET\test-full

Security groups which it is a member of: "Internet Users Full", "Internet Users
Standard"

Test done

After having properly configured my test client (Windows 7 joined to the
domain), logged on with the test user KIDANEMEHRET\test-full, configured
Internet Explorer to use the proxy, what I get every time I try to browse the
internet is a SQUID page telling me Access Denied.

Quick Analysis

Having a look at access.log and cache.log (see attached), I understand that
user is properly authenticated (I see KIDANEMEHRET\test-full properly written
in each log).

For this reason I suspect the problem is in the authorisation part.

I try then to run from terminal the program used in SQUID.CONF to check
authorisation (based on the wiki too); note that I'm running with sudo
otherwise with standard user I get no access to password file:

            sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S \
                -b "dc=kidanemehret,dc=local" \
                -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt \
                -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" \
                -h domcon.kidanemehret.local \
                test-full Internet%20Users%20Full

Do not get any result: waiting for minutes...

Try to use KIDANEMEHRET\test-full instead of test-full without success.

Most likely the problem is here.

Do you have any suggestion on how to proceed next?

Here you can find ACCESS.LOG, CACHE.LOG, KRB5.CONF and SQUID.CONF

MailScanner has detected definite fraud in the website at "1drv.ms". Do not
trust this website: http://1drv.ms/1nHDRXH

Thanks in advance

