[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
L.P.H. van Belle
belle@bazuin.nl
Mon Sep 19 12:08:52 UTC 2016
Well, that's strange.
No, I can't speak about OpenBSD, but below is pretty general.
When you test, did you set this before the test?
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN?
And test/check if you see the HTTP/SPN in the UPN; if not, try that also.
After that change the
I just tested again to make my groups more flexible.
/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
-D YOUR.REALM.TLD \
-N NTDOMAIN@YOUR.REALM.TLD \
-S dc1.your.dnsdomain.tld@YOUR.REALM.TLD \
-i -d
This one is without the -g so we can use more group names,
but test with -g first.
From this example, but I change the LDAP group to a Kerberos group here:
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
When I now put in "username groupname" after starting with the line above to test it out, I'm getting:
support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: INFO: User username is member of group@domain groupname@YOUR.REALM.TLD
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: DEBUG: OK
This is all I have in krb5.conf:
[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
And the AD DC lookup works if you set the SPN in the UPN; at least it works for me.
I have my system's keytab as the default keytab, and
KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE
is set in /etc/default/squid3.
So I'm thinking: review the keytab setup and the variable.
And:
>The AD is reachable from the proxy machine but DNS is not done by the AD
>but on the proxy machine itself.
Same here, but I do have a forward zone in the DNS for my AD domain.
Hope this helps a bit.
Greetz,
Louis
> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday 19 September 2016 13:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test, that you may need to modify the default
> > kerberos ticket used.
> >
> > I suggest you change your config a bit to something like
> >
> > external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> >   -D YOUR.REALM.TLD \
> >   -g allowed-internet@YOUR.REALM.TLD \
> >   -N NTDOMAIN@YOUR.REALM.TLD \
> >   -S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD
>
> Hello,
>
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
>
> -- Matthias
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
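A small sanity check for the setup Louis describes above (KRB5_KTNAME pointing at a keytab that holds an HTTP/ SPN, then one "username groupname" lookup through ext_kerberos_ldap_group_acl), added here as an example and not part of the list post; the realm, DC, helper path and flags are taken from the post or are placeholders to adapt, and the klist output in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the list post: check the pieces that have to line
# up for the Kerberos group helper (keytab with HTTP/ SPN, one OK lookup).
# Realm, DC, helper path and keytab are placeholders copied from the post.
KEYTAB="${KRB5_KTNAME:-/etc/squid/proxy.keytab}"
HELPER=/usr/lib/squid3/ext_kerberos_ldap_group_acl
REALM=YOUR.REALM.TLD
DC="dc1.your.dnsdomain.tld@$REALM"

# Succeeds if `klist -k` output (on stdin) lists an HTTP/<fqdn>@<realm> entry.
has_http_spn() {
    grep -Eq "[[:space:]]HTTP/[^@[:space:]]+@$1\$"
}

# Succeeds if the helper's stdout (on stdin) contains a bare OK line;
# the helper answers OK or ERR per input line, debug output goes to stderr.
helper_says_ok() {
    grep -qx 'OK'
}

# Constructed `klist -k` output, used only by the offline demo below.
SAMPLE_KLIST='KVNO Principal
---- --------------------------------------------------
   2 host/proxy.example.tld@YOUR.REALM.TLD
   2 HTTP/proxy.example.tld@YOUR.REALM.TLD'

# Offline demo of both checks on constructed data; returns 0 on success.
demo() {
    printf '%s\n' "$SAMPLE_KLIST" | has_http_spn "$REALM" \
        && printf 'OK\n' | helper_says_ok
}

# Live check: keytab readable, HTTP/ SPN present, helper answers OK for "$1 $2".
check_live() {
    export KRB5_KTNAME="$KEYTAB"
    [ -r "$KEYTAB" ] || { echo "cannot read $KEYTAB" >&2; return 1; }
    klist -k "$KEYTAB" | has_http_spn "$REALM" \
        || { echo "no HTTP/ SPN for $REALM in $KEYTAB" >&2; return 1; }
    printf '%s %s\n' "$1" "$2" \
        | "$HELPER" -D "$REALM" -N "NTDOMAIN@$REALM" -S "$DC" -i -d \
        | helper_says_ok \
        || { echo "helper did not answer OK for $1 in $2" >&2; return 1; }
    echo "OK: $1 is in $2 and $KEYTAB has an HTTP/ SPN"
}

if [ $# -eq 2 ]; then check_live "$1" "$2"; fi
```

Run it as `sh check.sh username groupname` on the proxy; with no arguments only the functions are defined, so `demo` can be called to exercise the parsers offline.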