Hi Enfal,

Do you also run samba on the server? If so, samba may change the AD host entry to which your keytab is associated. This means your keytab gets out of sync with AD.
Markus

"Enfal Gok" <enfal.gok2...@gmail.com> wrote in message news:pawpr03mb9010df5eec64c9a281a03b24f4...@pawpr03mb9010.eurprd03.prod.outlook.com...

Dear Squid Community/Support Team,

I am currently configuring Squid with Kerberos authentication and LDAP group-based access control. However, I am encountering persistent issues, and I would greatly appreciate your guidance. Below are the details of my configuration and the errors I am facing.

--------------------------------------------------------------------------------
Error Logs

The following errors repeatedly appear in the Squid logs:

2025/01/03 19:35:40 kid1| Starting new helpers
2025/01/03 19:35:40 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
support_sasl.cc(276): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(1086): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(1172): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with Username/Password: Encoding error
(ext_kerberos_ldap_group_acl): ../../../../libraries/liblber/io.c:108: ber_write: Assertion `buf != NULL' failed.
2025/01/03 19:35:41 kid1| WARNING: external_acl_type #Hlpr7 exited
2025/01/03 19:35:41 kid1| Too few external_acl_type processes are running (need 1/5)

--------------------------------------------------------------------------------
Current Configuration

Kerberos Authentication

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/ubuntuserver.demo.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

External ACL for LDAP Groups

external_acl_type kerberos_ldap_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
  -P HTTP/ubuntuserver.demo.local@DEMO.LOCAL \
  -D demo.local \
  -b DC=demo,DC=local \
  -l ldap://dc.demo.local \
  -g FullAccess@DEMO.LOCAL:Restricted@DEMO.LOCAL:Filtered@DEMO.LOCAL:Blocked@DEMO.LOCAL

ACL Definitions

acl FullAccess external kerberos_ldap_group FullAccess@DEMO.LOCAL
acl Restricted external kerberos_ldap_group Restricted@DEMO.LOCAL
acl Filtered external kerberos_ldap_group Filtered@DEMO.LOCAL
acl Blocked external kerberos_ldap_group Blocked@DEMO.LOCAL
acl allowed_sites dstdomain .benedictuspoort.be .smartschool.be .microsoft.com
acl bad_sites dstdomain .adult.com .gambling.com

Access Rules

http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Blocked
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all

Proxy Settings

http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

--------------------------------------------------------------------------------
What I Have Tried

a. Verified that the Kerberos keytab is up-to-date and matches the Key Version Number (msDS-KeyVersionNumber) in Active Directory.
b. Tested LDAP queries using ldapsearch with both simple and GSSAPI bindings, which work intermittently.
c. Checked Squid logs and confirmed that Kerberos tickets are being issued successfully using kinit and klist.

Despite these efforts, the ext_kerberos_ldap_group_acl helper is unable to bind to the LDAP server, and the Squid service keeps restarting helpers.

--------------------------------------------------------------------------------
Request for Assistance

Could you please provide guidance on:

1. Debugging the ext_kerberos_ldap_group_acl helper?
2. Ensuring compatibility between Kerberos and LDAP for group-based access control?
3. Any potential misconfigurations or missing steps in my setup?

Thank you in advance for your assistance. I look forward to your recommendations.

Kind regards,
Enfal gok

--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
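A check for the keytab drift Markus describes (and for the kvno comparison Enfal mentions under "What I Have Tried"), written as an added example for this thread rather than taken from it or from Squid: it compares the kvno that `klist -kte` reports for the helper's service principal with msDS-KeyVersionNumber on the AD object, using constructed sample output so it runs offline. The keytab path and the ldapsearch filter shown in the comments are assumptions, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): detect a keytab whose kvno no
# longer matches msDS-KeyVersionNumber in AD. Inputs are passed as text so the
# parsing can be checked offline; on the proxy you would feed it real output, e.g.
#   klist -kte /etc/squid/squid.keytab                      (path is an assumption)
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.demo.local -b DC=demo,DC=local \
#     '(servicePrincipalName=HTTP/ubuntuserver.demo.local)' msDS-KeyVersionNumber

# keytab_kvno PRINCIPAL KLIST_OUTPUT: highest kvno stored for PRINCIPAL (0 if absent)
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# ad_kvno LDIF_OUTPUT: msDS-KeyVersionNumber from the ldapsearch result (empty if absent)
ad_kvno() {
    printf '%s\n' "$1" | sed -n 's/^msDS-KeyVersionNumber: *//p' | head -n 1
}

# kvno_in_sync PRINCIPAL KLIST_OUTPUT LDIF_OUTPUT: returns 0 when both agree, 1 otherwise
kvno_in_sync() {
    k=$(keytab_kvno "$1" "$2")
    a=$(ad_kvno "$3")
    if [ -n "$a" ] && [ "$k" = "$a" ]; then
        echo "OK: keytab kvno $k matches AD msDS-KeyVersionNumber for $1"
        return 0
    fi
    echo "MISMATCH: keytab kvno $k, AD msDS-KeyVersionNumber ${a:-none} for $1 (re-export the keytab)"
    return 1
}

# Constructed sample output (not captured from a real system): the account password was
# reset after the keytab was exported, so AD is at kvno 4 while the keytab still holds 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/03/2025 10:00:00 HTTP/ubuntuserver.demo.local@DEMO.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/03/2025 10:00:00 HTTP/ubuntuserver.demo.local@DEMO.LOCAL (aes128-cts-hmac-sha1-96)'
SAMPLE_LDIF='dn: CN=UBUNTUSERVER,CN=Computers,DC=demo,DC=local
msDS-KeyVersionNumber: 4'

kvno_in_sync 'HTTP/ubuntuserver.demo.local@DEMO.LOCAL' "$SAMPLE_KLIST" "$SAMPLE_LDIF"
echo "check exit status: $?"
```

A mismatch here explains a GSSAPI bind that fails with "Local error" even though kinit with a fresh password works, since the helper can only use the key versions present in its keytab.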