I'm trying to replace my basic LDAP authentication with Kerberos single sign-on.
The user can successfully log in with single sign-on, but I have restrictions on groups, and that is where it goes wrong.
I would like to use -r to trim the domain name, but when I do so it seems to work even less.
Does anyone have any ideas what to try? I believe the system is looking in the wrong place in Active Directory, but adding -b OU=Users,DC=yyy,DC=local does not help me further.

=======

auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g AD_XXX_InternetAllowed@yyy.LOCAL -d
external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g ADGroupRestrictedAdult@yyy.LOCAL -d

acl XXX_InternetAllowed external XXX_InternetAllowed
acl XXX_Adult external XXX_Adult

acl XXX_AdultX dstdomain .alternate.com .brood.nl .broodnodig.nl

acl localnet src xxx.xxx.xxx.0/24
acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny auth !XXX_InternetAllowed
http_access deny XXX_Adult XXX_AdultX
http_access allow localnet
http_access allow localhost
http_access deny all

========

support_member.cc(63): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: User domain loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(65): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_ldap.cc(898): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_7612
support_krb5.cc(138): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: hosts/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name hosts/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'hosts/lnx01.yyy.local@YYY.LOCAL' not found in Kerberos database
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: HTTP/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name HTTP/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(269): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YYY.LOCAL
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 1 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 2 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 3 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 4 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 5 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 6 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(407): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Adding YYY.LOCAL to list
support_resolv.cc(443): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YYY.LOCAL:
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad01.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad02.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: YYY.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ad01.yyy.local:389
support_ldap.cc(953): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server ad01.yyy.local:389
support_ldap.cc(333): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(91): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default domain loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
support_member.cc(119): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default group loop: group@domain AD_XXX_InternetAllowed@YYY.LOCAL
kerberos_ldap_group.cc(416): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: ERR

regards Jeroen Ruijter
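A small triage helper for the ext_kerberos_ldap_group_acl debug output quoted above, added here as an example and not part of the original post. It assumes only the log format visible in the message; the sample lines are constructed from that log, with one record mail-wrapped onto two lines as in the post, so the parser also shows how to glue wrapped lines back together before reading them.

```python
import re

# Constructed sample in the helper's format, copied from the post above; the second
# record is deliberately mail-wrapped onto two lines, as the quoted log was.
SAMPLE_LOG = """\
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name hosts/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client
'hosts/lnx01.yyy.local@YYY.LOCAL' not found in Kerberos database
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name HTTP/lnx01.yyy.local@YYY.LOCAL
support_krb5.cc(269): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain AD_XXX_InternetAllowed@YYY.LOCAL
"""

# One record: "<file>.cc(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <message>"
RECORD = re.compile(r"^(?P<src>\S+\.cc)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>[^|]+)\| "
                    r"kerberos_ldap_group: (?P<level>DEBUG|INFO|ERROR): (?P<msg>.*)$")

def parse_helper_log(text):
    """Parse helper output; a line that starts no record is a wrapped continuation of the previous message."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records

def triage(records):
    """Summarise the decisions behind a group-lookup verdict: keytab principals tried,
    whether credentials were obtained, whether the server was taken for AD, who was denied."""
    report = {"principals": [], "missing_principals": [], "credentials_stored": False,
              "ad_detected": None, "denied": [], "errors": []}
    for r in records:
        msg = r["msg"]
        if r["level"] == "ERROR":
            report["errors"].append(msg)
        if m := re.match(r"Got principal name (\S+)", msg):
            report["principals"].append(m.group(1))
        if m := re.search(r"Client '([^']+)' not found in Kerberos database", msg):
            report["missing_principals"].append(m.group(1))
        if msg == "Stored credentials":
            report["credentials_stored"] = True
        if msg.startswith("Determined ldap server"):
            report["ad_detected"] = "not as an Active Directory" not in msg
        if m := re.match(r"User (\S+) is not member of group@domain (\S+)", msg):
            report["denied"].append((m.group(1), m.group(2)))
    return report
```

Run `triage(parse_helper_log(SAMPLE_LOG))` to see that the keytab's `hosts/` entry was rejected by the KDC while the `HTTP/` entry succeeded, and that the denial followed the helper failing to recognise the server as Active Directory rather than a real membership check.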

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
