On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well thats strange. 
> No i cant speak about openBSD, but below is pretty general. 
> When you test, did you set this before the test. 
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN
> And test/check if you see http/SPN in the UPN, if not try that also. 
> After that change the 
> I just tested again to make my groups more flexible. 
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
>     -N ntdom...@your.realm.tld \
>     - S dc1.your.dnsdomain....@your.realm.tld \
>     -i -d 
> This one is without the -g so we can use more group names, 
> but test with -g first.
> from this example like. But i change the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy 

That's all there, environment is correctly set up. Keytab looks good.
As said before, the negotiate_kerberos_auth part works like a charm.
All I get is a bunch of messages complaining about not being able to
reach any KDC in realm while initializing the credentials of the keytab...
Thought that it might be a DNS issue but even configuring DNS so that
the AD server does all the DNS stuff did not change a bit :(

-- Matthias
squid-users mailing list

Reply via email to