[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

L.P.H. van Belle belle at bazuin.nl
Mon Sep 19 12:32:20 UTC 2016


Yes,

You can fix that by setting the SPN HTTP/host.your.domain.tld in the UPN.
I had that too, changed it and it is working perfectly now.

See subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )

Greetz,

Louis




> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday, 19 September 2016 14:20
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> 
> On 19.09.2016 14:08, L.P.H. van Belle wrote:
> > Well, that's strange.
> > No, I can't speak about OpenBSD, but below is pretty general.
> >
> > When you test, did you set this before the test?
> > KRB5_KTNAME=/etc/squid/proxy.keytab
> > And does that keytab contain the HTTP/SPN?
> > And test/check if you see HTTP/SPN in the UPN; if not, try that also.
> > After that change the
> > I just tested again to make my groups more flexible.
> >
> > /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
> >     -D YOUR.REALM.TLD \
> >     -N NTDOMAIN@YOUR.REALM.TLD \
> >     -S dc1.your.dnsdomain.tld@YOUR.REALM.TLD \
> >     -i -d
> > This one is without the -g so we can use more group names,
> > but test with -g first.
> >
> > From this example. But I change the LDAP group to a Kerberos group
> here.
> >
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> 
> That's all there, environment is correctly set up. Keytab looks good.
> As said before, the negotiate_kerberos_auth part works like a charm.
> All I get is a bunch of messages complaining about not being able to
> reach any KDC in realm while initializing the credentials of the keytab...
> Thought that it might be a DNS issue but even configuring DNS so that
> the AD server does all the DNS stuff did not change a bit :(
> 
> -- Matthias
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
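The checks discussed above (keytab set via KRB5_KTNAME, HTTP/ SPN present in that keytab, the same SPN set in the account's UPN, then the helper run by hand), as an added troubleshooting script. It is not code from either poster or from the Squid project. It assumes MIT Kerberos klist/kinit (Heimdal's flags differ; the KRB5_TRACE variable is MIT only), uses the placeholder keytab path, SPN, realm, NetBIOS name and DC name from the thread, and assumes the helper reads `user group` lines on stdin when no -g list is given. The parsing functions work on captured klist output, so they can be run without a KDC; the live steps only run with `--live`.

```shell
#!/bin/sh
# Added troubleshooting script for the steps in this thread; not code from the
# original posts or from Squid. Assumes MIT Kerberos tools and placeholder names.
set -u

KEYTAB="${KRB5_KTNAME:-/etc/squid/proxy.keytab}"
# Placeholder SPN: it must be in the keytab exactly like this (case and realm
# included) and, per the fix in this thread, also be set as the account's UPN.
SPN="HTTP/proxy.your.dnsdomain.tld@YOUR.REALM.TLD"
REALM="YOUR.REALM.TLD"
NTDOMAIN="NTDOMAIN"
DC="dc1.your.dnsdomain.tld"
HELPER="/usr/lib/squid3/ext_kerberos_ldap_group_acl"

# keytab_has_spn SPN: reads `klist -kt` output on stdin and succeeds only if the
# exact principal appears as the last field of an entry line. Case-sensitive on
# purpose: http/ and HTTP/ are different principals to the KDC.
keytab_has_spn() {
    awk -v spn="$1" '$NF == spn { found = 1 } END { exit found ? 0 : 1 }'
}

# spn_kvnos SPN: prints the distinct key version numbers stored for the SPN,
# space-separated, so a keytab older than the account's password in AD is easy
# to spot when compared with the kvno the KDC reports.
spn_kvnos() {
    awk -v spn="$1" '$NF == spn { print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

run_live_checks() {
    export KRB5_KTNAME="$KEYTAB"
    echo "== keytab $KEYTAB"
    klist -kt "$KEYTAB"
    if ! klist -kt "$KEYTAB" | keytab_has_spn "$SPN"; then
        echo "missing $SPN in $KEYTAB (check spelling, case and realm)" >&2
        return 1
    fi
    echo "KVNO(s) for $SPN: $(klist -kt "$KEYTAB" | spn_kvnos "$SPN")"

    # Get a TGT from the keytab outside Squid. KRB5_TRACE shows which KDC the
    # library tries to reach and why it gives up, which is the information the
    # "cannot contact any KDC" error itself does not give.
    echo "== kinit with keytab"
    KRB5_TRACE=/dev/stderr kinit -k -t "$KEYTAB" "$SPN" || return 1

    # The helper invocation from the thread, with -g omitted so the group name
    # comes from stdin (placeholder user and group).
    echo "== helper"
    printf '%s\n' "user@$REALM Internet_Users" | \
        "$HELPER" -m 4 -D "$REALM" -N "$NTDOMAIN@$REALM" -S "$DC@$REALM" -i -d
}

# Only touch the real keytab and KDC when asked; otherwise just define helpers.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh check-squid-krb.sh --live` on the proxy, under the same account Squid runs the helper as, so file permissions on the keytab are tested too. If kinit succeeds here but the helper still cannot reach a KDC, the keytab and DNS are not the problem and the UPN/SPN mismatch described in the reply above is the next thing to check.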


