[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

Silamael Darkomen silamael at coronamundi.de
Mon Sep 19 12:20:29 UTC 2016


On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well that's strange. 
> No I can't speak about OpenBSD, but below is pretty general. 
> 
> When you test, did you set this before the test. 
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN
> And test/check if you see http/SPN in the UPN, if not try that also. 
> After that change the 
> I just tested again to make my groups more flexible. 
> 
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
>     -D YOUR.REALM.TLD \
>     -N NTDOMAIN at YOUR.REALM.TLD \
>     -S dc1.your.dnsdomain.tld at YOUR.REALM.TLD \
>     -i -d 
> This one is without the -g so we can use more group names, 
> but test with -g first.
> 
> from this example like. But i change the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy 

That's all there, environment is correctly set up. Keytab looks good.
As said before, the negotiate_kerberos_auth part works like a charm.
All I get is a bunch of messages complaining about not being able to
reach any KDC in realm while initializing the credentials of the keytab...
Thought that it might be a DNS issue but even configuring DNS so that
the AD server does all the DNS stuff did not change a bit :(

-- Matthias
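A pre-flight check for the two things this thread circles around (an HTTP/ SPN for the realm in the keytab, and a KDC for that realm that is both advertised in DNS and reachable). This is an added example, not code from the thread or from Squid; it assumes `klist` and `dig` are on PATH, and the realm, host and keytab names are constructed placeholders.

```python
#!/usr/bin/env python3
"""Pre-flight checks before running ext_kerberos_ldap_group_acl:
does the keytab carry an HTTP/ SPN for the realm, and is a KDC for that
realm advertised in DNS and reachable? Parsers are kept separate from the
live commands so they can be exercised on captured output."""
from __future__ import annotations
import re
import socket
import subprocess

def keytab_principals(klist_output: str) -> list[str]:
    """Principals listed by `klist -kt <keytab>` (MIT or Heimdal layout)."""
    return sorted(set(re.findall(r"\S+@[A-Za-z0-9.\-]+", klist_output)))

def http_spns(principals: list[str], realm: str) -> list[str]:
    """HTTP/ service principals in the given realm (realm compared case-insensitively)."""
    return [p for p in principals
            if p.startswith("HTTP/") and p.rsplit("@", 1)[1].upper() == realm.upper()]

def parse_srv(dig_output: str) -> list[tuple[int, int, int, str]]:
    """Rows of `dig +short SRV _kerberos._tcp.<REALM>` as (priority, weight, port, host)."""
    rows = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            rows.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip(".")))
    return sorted(rows)  # lowest priority value first, as a client would try them

def kdc_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect to the KDC port; a refused or filtered port is what the
    helper sees as 'cannot contact any KDC' when it inits creds from the keytab."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run(cmd: list[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    import sys
    keytab, realm = sys.argv[1], sys.argv[2]  # e.g. /etc/squid/proxy.keytab YOUR.REALM.TLD (placeholders)
    spns = http_spns(keytab_principals(run(["klist", "-kt", keytab])), realm)
    print("HTTP SPNs in keytab:", spns or "NONE (helper cannot obtain a ticket from this keytab)")
    kdcs = parse_srv(run(["dig", "+short", "SRV", f"_kerberos._tcp.{realm}"]))
    if not kdcs:
        print(f"no _kerberos._tcp.{realm} SRV record: set kdc = ... under [realms] in krb5.conf")
    for _, _, port, host in kdcs:
        print(f"KDC {host}:{port} reachable over TCP:", kdc_reachable(host, port))
```

If the SRV lookup is empty and krb5.conf has no explicit `kdc =` for the realm, the library has nowhere to send the AS-REQ, which is exactly the symptom reported above even though negotiate_kerberos_auth (which only needs the keytab) keeps working.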
