Well, that's strange.
No, I can't speak about OpenBSD, but below is pretty general.
When you tested, did you set this before the test?
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/ SPN?
And test/check if you see the http/SPN in the UPN; if not, try that also.
After that change the
I just tested again to make my groups more flexible.
/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
-D YOUR.REALM.TLD \
-N [email protected] \
-S [email protected] \
-i -d
This one is without the -g so we can use more group names, but test with -g first.
It is like the one from this example, but I changed the LDAP group to the Kerberos group here.
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
When I now put in "username groupname" after starting with the line above to test it out, I'm getting:
support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group:
INFO: User username is member of group@domain [email protected]
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39|
kerberos_ldap_group: DEBUG: OK
This is all I have in krb5.conf:
[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
and the AD DC lookup works if you set the SPN in the UPN, at least it works for me.
I have my system's keytab as default keytab, and
KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE
is set in /etc/default/squid3.
So I'm thinking: review the keytab setup and the variable.
And:
>The AD is reachable from the proxy machine but DNS is not done by the AD
>but on the proxy machine itself.
Same here, but I do have a forward zone in the DNS for my AD domain.
Hope this helps a bit.
Greetz,
Louis
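Added check script (my own example, not from Louis's mail or the Squid project) for the keytab point above: before blaming the group helper, confirm that the keytab KRB5_KTNAME points at really contains the HTTP/<fqdn>@REALM principal. The proxy hostname "proxy.example.test" and the realm "YOUR.REALM.TLD" are assumptions taken from the thread's placeholders; the klist listing it falls back to when klist is not installed is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: verify that the keytab
# Squid is pointed at (KRB5_KTNAME) carries the HTTP/<fqdn>@REALM service principal.
# Hostname and realm are assumptions; substitute your own.

# list_keytab KEYTAB: print "klist -k" output for the keytab. When klist is not
# installed or the file is unreadable, print a constructed sample listing so the
# parsing logic can still be exercised offline.
list_keytab() {
    if command -v klist >/dev/null 2>&1 && [ -r "$1" ]; then
        klist -k "$1"
    else
        # constructed sample of klist -k output (not a real keytab)
        cat <<'EOF'
Keytab name: FILE:/etc/squid/proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.test@YOUR.REALM.TLD
   3 host/proxy.example.test@YOUR.REALM.TLD
EOF
    fi
}

# keytab_has_spn LISTING SPN: exit 0 if SPN appears as a principal in LISTING.
# Compares the whole principal column, so HTTP/proxy does not match HTTP/proxy2.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit found ? 0 : 1 }'
}

# spn_for HOST REALM: build the service principal the negotiate helper needs.
spn_for() {
    printf 'HTTP/%s@%s' "$1" "$2"
}

# check_keytab KEYTAB HOST REALM: report and return 0 when the SPN is present,
# 1 when it is missing (the usual cause of "cannot reach KDC"-style failures
# that are really credential lookups against the wrong keytab).
check_keytab() {
    spn=$(spn_for "$2" "$3")
    if keytab_has_spn "$(list_keytab "$1")" "$spn"; then
        echo "OK: $spn found in $1"
        return 0
    fi
    echo "MISSING: $spn not in $1 (check the keytab, KRB5_KTNAME and the AD account's SPN/UPN)" >&2
    return 1
}

# Usage: run this with /etc/default/squid3 sourced so KRB5_KTNAME is set, e.g.
#   . /etc/default/squid3 && sh check_keytab.sh
# The check only runs automatically when that variable is present.
if [ -n "${KRB5_KTNAME:-}" ]; then
    check_keytab "$KRB5_KTNAME" "proxy.example.test" "YOUR.REALM.TLD"
fi
```

If this reports MISSING while the helper still fails, the next things to compare are the realm spelling in the keytab against default_realm in krb5.conf and the KVNO in the keytab against the current one on the AD account.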
> -----Original message-----
> From: squid-users [mailto:[email protected]] On behalf of
> Silamael Darkomen
> Sent: Monday, 19 September 2016 13:35
> To: [email protected]
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test that you may need to modify the default
> > Kerberos ticket used.
> >
> > I suggest you change your config a bit to something like
> >
> > external_acl_type internet-win-allowed %LOGIN
> > /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> > -D YOUR.REALM.TLD \
> > -g [email protected] \
> > -N [email protected] \
> > -S
> [email protected]:[email protected]
> D
>
> Hello,
>
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
>
> -- Matthias
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users