[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

Silamael Silamael at coronamundi.de
Tue Sep 20 13:20:06 UTC 2016


On 19.09.2016 13:39, Silamael Darkomen wrote:
> 
> 
> On 16.09.2016 22:11, Markus Moeller wrote:
>> Hi Silamael,
>>
>>     Can you perform a kinit user at EXAMPLE.COM ?   Does the squid user
>> have read access to  krb5.conf ?
>>
>> Markus
> 
> Hello Markus,
> 
> Yes, the permissions are correctly set up so that Squid and its
> processes can read every file needed.
> For it seems that the Heimdal library ignores the dns_lookup_kdc and
> dns_lookup_realm options in the krb5.conf...
> As written in my other response, the helper also crashes at the end.
> I'll take a look at the stack trace...

Ok, found one problem. Under OpenBSD I had some hack that the external
helper was linked against libbind (the bind resolver library) instead of
libc (as the helper uses some defines which have different names in the
OpenBSD libc). This caused the Heimdal libs to also use the Bind
resolver library instead of the libc resolver. And this led to an error
in the getaddrinfo() call due to invalid ai_flags.
After patching the helper to compile with the libc, now a new problem
comes up:
When binding to the LDAP server the helper uses SASL/GSSAPI. And then
ldap_sasl_interactive_bind_s fails with "Unknown authentication method".
Is there anything special that must be given on the Windows side? Or
what's wrong now?

-- Matthias

