[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

L.P.H. van Belle belle at bazuin.nl
Fri Sep 16 08:52:59 UTC 2016


I think you forgot in your test that you may need to modify the default Kerberos ticket used.

I suggest you change your config a bit to something like:

external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-internet@YOUR.REALM.TLD \
-N NTDOMAIN@YOUR.REALM.TLD \
-S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD

Now test it. Start like this:

/usr/local/libexec/squid/negotiate_kerberos_auth \
-D YOUR.REALM.TLD \
-g allowed-internet@YOUR.REALM.TLD \
-N NTDOMAIN@YOUR.REALM.TLD \
-S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD \
-d

(-d = debug)

Test with -S and point to your server, does it work?

Test again with -S, does it work, no? Change the default keytab for the test.

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you're testing with, hit enter.

And in the end you should see:

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-internet@YOUR.REALM.TLD
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK

 

with search for the KDC in krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

and now when it works adjust your parameters to your needs.
(like the: children-max=1 ttl=3600 negative_ttl=3600)
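The test loop above (export the squid keytab via KRB5_KTNAME, run the group helper with -S pointing at your DCs and -d for debug, feed a username, look for OK) as a small added shell function; this is example code, not from the original post or from Squid. It assumes the helper reads one username per line on stdin and answers "OK" or "ERR" on stdout, with -d debug going to stderr; the helper path, keytab, realm, group and DC list are parameters you supply.

```sh
#!/bin/sh
# Added example, not from the original post: run one membership check through
# ext_kerberos_ldap_group_acl the way the post describes and turn the helper's
# answer into an exit status you can script around.
#
# Assumptions: the helper reads one username per line on stdin and prints a
# verdict line ("OK" or "ERR") on stdout; its -d debug output goes to stderr
# and is left on the terminal so you still see the INFO/DEBUG lines.
#
# Usage: run_group_check HELPER KEYTAB REALM GROUP KDCS USER
#   HELPER  path to ext_kerberos_ldap_group_acl
#   KEYTAB  keytab holding the HTTP/ principal (e.g. /etc/squid/keytab.SQUID-HTTP)
#   REALM   Kerberos realm (-D)
#   GROUP   group name without realm; "@REALM" is appended for -g
#   KDCS    -S value, e.g. dc1.your.dnsdomain.tld@REALM:dc2.your.dnsdomain.tld@REALM
# Returns 0 for OK, 1 for ERR, 2 if the keytab is unreadable or no verdict came back.
run_group_check() {
    helper=$1 keytab=$2 realm=$3 group=$4 kdcs=$5 user=$6

    # A keytab the helper cannot read is a common reason for a silent ERR,
    # so check it before touching the KDC at all.
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is not readable" >&2
        return 2
    fi

    # Same as the post: point libkrb5 at the squid keytab instead of the default one.
    KRB5_KTNAME=$keytab
    export KRB5_KTNAME

    # Feed the username, keep only verdict lines from stdout; debug stays on stderr.
    verdict=$(printf '%s\n' "$user" \
        | "$helper" -D "$realm" -g "$group@$realm" -S "$kdcs" -d \
        | grep -E '^(OK|ERR)' || true)

    case $verdict in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    echo "no OK/ERR verdict from $helper" >&2; return 2 ;;
    esac
}

# Example call (uncomment to use on a real proxy):
# run_group_check /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
#     /etc/squid/keytab.SQUID-HTTP YOUR.REALM.TLD allowed-internet \
#     'dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD' \
#     testuser && echo "testuser is allowed"
```

Run it as the same user squid runs as, so the keytab readability check reflects what the daemon will see.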

Greetz,

Louis

> 
> squid.conf:
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
> 
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check
