<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=Generator content="Microsoft Word 11 (filtered medium)">
<STYLE>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</STYLE>
<STYLE>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.E-mailStijl17
{mso-style-type:personal;
font-family:Arial;
color:navy;}
span.E-mailStijl18
{mso-style-type:personal;
font-family:Arial;
color:navy;}
span.E-mailStijl20
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</STYLE>
</HEAD>
<BODY lang=NL dir=ltr vLink=blue link=blue>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Hi Louis,</DIV>
<DIV> </DIV>
<DIV> I know a user and machine account can be used and they
work the same. What my concern is, is that many companies deploy password
policies for users in AD. You would need to create exceptions for user
accounts which have SPNs with associated keytabs as a password change will make
the keytab invalid.</DIV>
<DIV> </DIV>
<DIV>Markus </DIV>
<DIV> </DIV>
<DIV> </DIV>
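<DIV>Added example, not part of the original thread and not code from Squid or its helper: a Python check for the two failure modes discussed in this thread, a keytab principal that does not match the account's userPrincipalName and a keytab made stale by a password change. The klist and LDIF samples, the DNs and the finding names are constructed; msDS-KeyVersionNumber and userAccountControl are the standard AD attributes.</DIV>
<PRE>
```python
"""Audit a squid service account: keytab entries vs. AD attributes."""
import re

# Constructed sample: output of `klist -k /etc/squid/keytab.PROXYSERVER-HTTP`.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Principal
---- ------------------------------------------------
   2 HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
   2 HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
"""

# Constructed sample: LDIF for the account that owns the SPN, e.g. from an
# ldapsearch with filter (servicePrincipalName=HTTP/proxy.internal.domain.tld)
# requesting the attributes below. DN and values are placeholders.
SAMPLE_LDIF_USER = """\
dn: CN=squid1-service,OU=Service-Accounts,DC=example,DC=tld
userPrincipalName: squid1-service@internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld
msDS-KeyVersionNumber: 3
userAccountControl: 512
"""

# Constructed sample: a machine account whose UPN was set to the SPN name.
SAMPLE_LDIF_MACHINE = """\
dn: CN=PROXY,CN=Computers,DC=example,DC=tld
userPrincipalName: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
servicePrincipalName: HTTP/proxy.internal.domain.tld
servicePrincipalName: host/proxy.internal.domain.tld
msDS-KeyVersionNumber: 2
userAccountControl: 4096
"""

# userAccountControl bits (documented AD values).
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def parse_keytab(klist_text):
    """Return {principal: highest kvno} from `klist -k` output."""
    entries = {}
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            entries[principal] = max(kvno, entries.get(principal, 0))
    return entries


def parse_ldif(ldif_text):
    """Return {attribute (lower case): [values]} for one plain-text LDIF entry."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and not line.startswith((" ", "#")):
            attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


def audit(klist_text, ldif_text):
    """Compare keytab principals with the AD account; return finding codes."""
    findings = []
    account = parse_ldif(ldif_text)
    upn = account.get("userprincipalname", [""])[0]
    spns = {s.split("@")[0].lower()
            for s in account.get("serviceprincipalname", [])}
    ad_kvno = int(account.get("msds-keyversionnumber", ["0"])[0])
    uac = int(account.get("useraccountcontrol", ["0"])[0])

    keytab = parse_keytab(klist_text)
    if not keytab:
        findings.append("NO_KEYTAB_ENTRIES")
    for principal, kvno in keytab.items():
        # The helper authenticates as the principal found in the keytab, so
        # the account's userPrincipalName has to carry that same name.
        if upn.lower() != principal.lower():
            findings.append("UPN_MISMATCH")
        if principal.split("@")[0].lower() not in spns:
            findings.append("SPN_MISSING")
        # A password change raises the account's key version number; keys
        # exported under an older kvno no longer match.
        if kvno != ad_kvno:
            findings.append("KEYTAB_STALE")
    # A normal user account without the no-expiry flag falls under the domain
    # password policy; a forced change would invalidate the keytab.
    if uac & NORMAL_ACCOUNT and not uac & DONT_EXPIRE_PASSWORD:
        findings.append("PASSWORD_EXPIRY_APPLIES")
    return findings


if __name__ == "__main__":
    print("user account:   ", audit(SAMPLE_KLIST, SAMPLE_LDIF_USER))
    print("machine account:", audit(SAMPLE_KLIST, SAMPLE_LDIF_MACHINE))
```
</PRE>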
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV>"L.P.H. van Belle" &lt;belle@bazuin.nl&gt; wrote in message
news:vmime.57c3e5ca.28ab.73ab0c8662c3316a@ms249-lin-003.rotterdam.bazuin.nl...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV class=Section1>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Hello Markus,
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Thank you for the
explanation, that helped a lot. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">I use the
</SPAN></FONT><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">TLS_CACERTFILE in the
init script now and that works for me. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">( in Debian the
/etc/default/squid )<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">>>The helper
tries to “authenticate” squid to AD as a user with the found SPN name, so the
UPN must be the same as the SPN. There is no easy way to query what the
UPN for the SPN is. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Ah, this helped
identifying some other small things too. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">>>msktutil (my
preferred tool)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Since I try to use
only Debian packages the msktutil is not available for me.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">>>Also msktutil
(my preferred tool) creates a machine account not a user account in AD.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">>>The reason I
prefer this is that often user accounts have a global password policy e.g.
change every 60 days otherwise it will be locked. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">>>machine
accounts do not have that limitation. But as I said it is just my
preference.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">That's not correct in
my opinion. The computer account works (almost) the same as a user account.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Like a computer
account = a user account. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">some pointers
:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><A
href="https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx">https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx</A><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><A
href="https://adsecurity.org/?p=280">https://adsecurity.org/?p=280</A>
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">I used a separate
user since I wanted to have 2 proxies on 1 service account, but due to the UPN/SPN
thing,<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">that's not an option
anymore, not that that's a problem, I’ll change to add the computer to the Samba
domain and <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">add the UPN/SPN on the
computer account where needed.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Which may be even a
better option.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Thanks again for your
replies. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Best regards,
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Louis<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT> </P>
<DIV
style="BORDER-TOP: medium none; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; PADDING-LEFT: 4pt; BORDER-LEFT: blue 1.5pt solid; PADDING-RIGHT: 0cm">
<DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT size=3
face="Times New Roman"><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center SIZE=2 width="100%">
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT size=2 face=Tahoma><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: tahoma; FONT-WEIGHT: bold">From:</SPAN></FONT></B><FONT
size=2 face=Tahoma><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: tahoma">
squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <B><SPAN
style="FONT-WEIGHT: bold">On behalf of </SPAN></B>Markus Moeller<BR><B><SPAN
style="FONT-WEIGHT: bold">Sent:</SPAN></B> Saturday 27 August 2016
16:52<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B>
squid-users@lists.squid-cache.org<BR><B><SPAN
style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [squid-users]
ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe
)</SPAN></FONT><o:p></o:p></P></DIV>
<P class=MsoNormal><FONT size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt"><o:p></o:p></SPAN></FONT> </P>
<DIV>
<DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Hi,<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> I would
say they are bugs. The first “issue” is as you say more about understanding the
difference between UPN and SPN and how the tools use them. The helper
tries to “authenticate” squid to AD as a user with the found SPN name, so the
UPN must be the same as the SPN. There is no easy way to query what the
UPN for the SPN is. <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> Also msktutil
(my preferred tool) creates a machine account not a user account in AD. The
reason I prefer this is that often user accounts have a global password policy
e.g. change every 60 days otherwise it will be locked. Machine accounts do not
have that limitation. But as I said it is just my preference.
<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> Regarding
the certificate check I do not use any ldap.conf settings. I require an export
TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file.
Maybe in the next version I see how I can determine the right ldap.conf file and
check if the CACERTFILE variable is already
set.<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Kind
regards<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Markus<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV
style="BORDER-TOP: black 1pt; BORDER-RIGHT: black 1pt; BORDER-BOTTOM: black 1pt; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; PADDING-LEFT: 4pt; MARGIN-LEFT: 3.75pt; BORDER-LEFT: black 3pt solid; PADDING-RIGHT: 0cm">
<DIV>
<DIV>
<P class=MsoNormal><FONT color=black size=3 face=Calibri><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: black">"L.P.H. van Belle"
&lt;belle@bazuin.nl&gt; wrote in message
news:vmime.57bdb617.37c8.575130a1134f9a07@ms249-lin-003.rotterdam.bazuin.nl...<o:p></o:p></SPAN></FONT></P></DIV></DIV></DIV>
<DIV
style="BORDER-TOP: black 1pt; BORDER-RIGHT: black 1pt; BORDER-BOTTOM: black 1pt; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; PADDING-LEFT: 4pt; MARGIN-LEFT: 3.75pt; BORDER-LEFT: black 3pt solid; PADDING-RIGHT: 0cm">
<DIV>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Ok reply to myself so
other users know this also.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">If you create a user
for the HTTP services and you don't use </SPAN></FONT><FONT color=black><SPAN
lang=EN style="COLOR: black">msktutil but, like me, samba-tool or something else.
</SPAN></FONT><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Read :
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><A
href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</A>
carefully. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">and the clue was this
line for me. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">Squid "login" to
Windows Active Directory or Unix kdc as user
&lt;HTTP/&lt;fqdn-squid&gt;@DOMAIN.COM&gt;. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">This requires Active
Directory to have an <U>attribute userPrincipalname</U> set to
&lt;HTTP/&lt;fqdn-squid&gt;@DOMAIN.COM&gt;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=2 face=Arial><SPAN lang=EN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: black">for the associated
account. This is usually done by using msktutil. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">But this is not done by
samba-tools <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">The samba-tool setup for
squid I used was as follows. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool user create
squid1-service --description="Unprivileged user for SQUID1-Proxy Services"
--random-password <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool user
setexpiry squid1-service --noexpiry<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool spn add
HTTP/proxy.internal.domain.tld squid1-service<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now this results in :
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">My UPN was set to the
username@internal.domain.tld ( as it should ).
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">My SPN was set to
HTTP/proxyserver.internal.domain.tld@REALM ( as it should )
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">samba-tool spn list
squid1-service <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">squid1-service<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">User
CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the
following servicePrincipalName:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">
HTTP/proxy.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">
HTTP/proxy.internal.domain.tld@YOUR.REALM.T<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now I changed my UPN
from username@internal.domain.tld to the (SPN name)
HTTP/proxyserver.internal.domain.tld@REALM <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Solved my initial
problem. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">This should, in my
opinion, be changed to search for the SPN in
ext_kerberos_ldap_group.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Now I have LDAPS
messages, see below, I'm adding the _ldaps SRV records now, but I don't get why I'm
getting: <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">I'm already having:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Which contains the
needed certs.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Did I find 2 small bugs
here? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Or is this a “Debian”
related thing? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=black size=3 face="Times New Roman"><SPAN
style="FONT-SIZE: 12pt; COLOR: black"> </SPAN></FONT><FONT color=navy
size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">Debug output.
<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">/usr/lib/squid3/ext_kerberos_ldap_group_acl
-g internet-mail@YOUR.REALM.TLD -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s
-i -d<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(278):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version
1.3.1sq<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_group.cc(382):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list
internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_group.cc(447):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group
internet-mail Domain YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_netbios.cc(83):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list
internet-mail@NTDOMAIN<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_netbios.cc(156):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name
internet-mail Domain NTDOMAIN<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_lserver.cc(82):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list
NULL<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_lserver.cc(86):
pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers
defined.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">testuser
internet-mail<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(371):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set
default domain: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">kerberos_ldap_group.cc(376):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser
Domain: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(63):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop:
group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(65):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain
internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(898):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos
credential cache<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(127):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache
to MEMORY:squid_ldap_6902<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(138):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab
file name<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(144):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab
file name /etc/squid/keytab.PROXYSERVER-HTTP<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(158):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name
from keytab /etc/squid/keytab.PROXYSERVER-HTTP<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(169):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has
realm name: YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(181):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(196):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_krb5.cc(260):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored
credentials<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(927):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap
connection<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(931):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap
servers<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(933):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap
server name for domain YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(289):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving
service record _ldaps._tcp.YOUR.REALM.TLD with
res_search<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(71):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown
service record: _ldaps._tcp.YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(379):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV
_ldap._tcp.YOUR.REALM.TLD record to
samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(379):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV
_ldap._tcp.YOUR.REALM.TLD record to
samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of
YOUR.REALM.TLD to samba-dc1.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(207):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of
YOUR.REALM.TLD to samba-dc2.internal.domain.tld<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(407):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD
to list<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(443):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server
names for domain YOUR.REALM.TLD:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host:
samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight:
100<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host:
samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight:
100<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_resolv.cc(445):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD
Port: -1 Priority: -2 Weight: -2<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server samba-dc1.internal.domain.tld:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server samba-dc2.internal.domain.tld:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(942):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection
to ldap server YOUR.REALM.TLD:389<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(786):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL
defaults<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(531):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server
certificate check for ldap server.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(544):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file
for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting
environment variable TLS_CACERTFILE)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(800):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting
start_tls for ldap server: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(953):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server
with SASL/GSSAPI<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_sasl.cc(276):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR:
ldap_sasl_interactive_bind_s error: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(957):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding
to ldap server with SASL/GSSAPI: Can't contact LDAP
server<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(979):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during
initialisation of ldap connection: No such file or
directory<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_ldap.cc(1048):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during
initialisation of ldap connection: No such file or
directory<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(76):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not
member of group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(91):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop:
group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT color=navy size=2 face=Arial><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: arial; COLOR: navy">support_member.cc(119):
pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop:
group@domain internet-mail@YOUR.REALM.TLD<o:p></o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT color=black
size=3 face=Calibri><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: black">
<HR align=center SIZE=2 width="100%">
</SPAN></FONT></DIV>
<P class=MsoNormal><FONT color=black size=3 face=Calibri><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: black">_______________________________________________<BR>squid-users
mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<o:p></o:p></SPAN></FONT></P></DIV></DIV></DIV></DIV></DIV></DIV>
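<P>An added example, not part of the thread or of Squid's own code: a Python triage of the kerberos_ldap_group debug output quoted above. It separates a "not member" verdict that follows failed LDAP connections from one with no preceding LDAP error. The sample is a subset of the quoted lines with the e-mail line wrapping removed; the function name and the verdict labels are assumptions of this example.</P>

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the helper output quoted in the thread,
# one message per line (the e-mail's line wrapping removed).
SAMPLE_LOG = """\
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group@domain internet-mail@YOUR.REALM.TLD
"""

LINE_RE = re.compile(r"^\S+\(\d+\): pid=(\d+) :\S+ \S+\| kerberos_ldap_group: (\w+): (.*)$")
CONNECT_RE = re.compile(r"Setting up connection to ldap server (\S+)")
DENY_RE = re.compile(r"User (\S+) is not member of group@domain (\S+)")

def triage(log_text):
    """Classify each 'is not member' verdict by the LDAP errors that precede it."""
    runs = defaultdict(lambda: {"server": None, "tried": [], "tls": [], "bind": [], "init": False})
    verdicts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, level, msg = m.groups()
        run = runs[pid]
        connect, deny = CONNECT_RE.search(msg), DENY_RE.search(msg)
        if connect:
            run["server"] = connect.group(1)
            run["tried"].append(run["server"])
        elif level == "ERROR" and "setting start_tls" in msg:
            run["tls"].append(run["server"])
        elif level == "ERROR" and "Error while binding to ldap server" in msg:
            run["bind"].append(run["server"])
        elif "Error during initialisation of ldap connection" in msg:
            run["init"] = True
        elif deny:
            unreachable = run["init"] or (run["tried"] and set(run["tried"]) == set(run["bind"]))
            verdicts.append({
                "user": deny.group(1), "group": deny.group(2),
                "reason": "ldap-unreachable" if unreachable else "no-ldap-error-seen",
                "starttls_failed": run["tls"], "bind_failed": run["bind"],
            })
            runs.pop(pid)  # the next lookup logged under this pid starts clean
    return verdicts
```

<P>A verdict tagged ldap-unreachable means the helper denied the user without a successful bind to any directory server, so it says nothing about the user's actual group membership.</P>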
</DIV></DIV></DIV></DIV></BODY></HTML>