[squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
L.P.H. van Belle
belle at bazuin.nl
Fri Sep 16 08:52:59 UTC 2016
I think you forgot in your test that you may need to modify the default Kerberos ticket used.
I suggest you change your config a bit to something like:
external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-internet@YOUR.REALM.TLD \
-N NTDOMAIN@YOUR.REALM.TLD \
-S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD \
Now test it. Start like this:
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-internet@YOUR.REALM.TLD \
-N NTDOMAIN@YOUR.REALM.TLD \
-S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD \
-d
(-d = debug)
Test with -S pointing at your server. Does it work?
Test again with -S. Does it work? No? Change the default keytab for the test:
KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME
Type a username belonging to the group you're testing with, hit enter.
And in the end you should see:
support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-internet@YOUR.REALM.TLD
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK
with the search for the KDC in krb5.conf:
[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
And now, when it works, adjust your parameters to your needs
(like the children-max=1 ttl=3600 negative_ttl=3600).
Greetz,
Louis
>
> squid.conf:
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check
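The manual test Louis describes (select the Squid keytab with KRB5_KTNAME, run the group helper with -D/-g/-N/-S and -d, feed it one username, look for OK) is easy to get wrong by hand, so here it is as a small shell script. This is an added example, not code from the original thread or from the Squid project. The realm, group, NT domain, DC names and keytab path are placeholders taken from the mail's YOUR.REALM.TLD examples and can be overridden through environment variables; the helper path is overridable too, so the script can be exercised against a stub before it is pointed at the real helper.

```shell
#!/bin/sh
# Added example (not from the original post): drive ext_kerberos_ldap_group_acl
# the way the mail describes and turn its one-line reply into an exit status.
# All values below are assumed placeholders; override them in the environment.

SQUID_HELPER="${SQUID_HELPER:-/usr/local/libexec/squid/ext_kerberos_ldap_group_acl}"
KRB_REALM="${KRB_REALM:-YOUR.REALM.TLD}"
ACL_GROUP="${ACL_GROUP:-allowed-internet}"
NT_DOMAIN="${NT_DOMAIN:-NTDOMAIN}"
DC_LIST="${DC_LIST:-dc1.your.dnsdomain.tld:dc2.your.dnsdomain.tld}"
SQUID_KEYTAB="${SQUID_KEYTAB:-/etc/squid/keytab.SQUID-HTTP}"

# build_dc_arg: turn "dc1:dc2" plus a realm into the -S form the helper wants,
# i.e. "dc1@REALM:dc2@REALM". $1 = colon-separated DC list, $2 = realm.
build_dc_arg() {
    old_ifs=$IFS; IFS=':'; out=''
    for dc in $1; do
        out="${out:+$out:}$dc@$2"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# write_test_krb5_conf: write a throwaway krb5.conf with the [libdefaults]
# settings from the mail (KDC found via DNS SRV records, realm not looked up
# via DNS), so a test run does not depend on or modify /etc/krb5.conf.
# $1 = path to write, $2 = realm.
write_test_krb5_conf() {
    printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_kdc = true\n\tdns_lookup_realm = false\n' "$2" > "$1"
}

# check_group: feed one username to the helper on stdin and report membership.
# Returns 0 when the helper answers OK, 1 on ERR, 2 if it said nothing usable.
# Debug output (-d) goes to stderr untouched, so the INFO/DEBUG lines the mail
# shows are still visible to the person running the test.
check_group() {
    user=$1
    KRB5_KTNAME="$SQUID_KEYTAB"
    export KRB5_KTNAME
    reply=$(printf '%s\n' "$user" | "$SQUID_HELPER" \
        -D "$KRB_REALM" \
        -g "$ACL_GROUP@$KRB_REALM" \
        -N "$NT_DOMAIN@$KRB_REALM" \
        -S "$(build_dc_arg "$DC_LIST" "$KRB_REALM")" \
        -d | head -n 1)
    case $reply in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    return 2 ;;
    esac
}

# Usage: sh check_group.sh testuser
# Optionally set KRB5_CONFIG to a file produced by write_test_krb5_conf first.
if [ $# -gt 0 ]; then
    if check_group "$1"; then
        echo "$1: member of $ACL_GROUP@$KRB_REALM"
    else
        rc=$?
        echo "$1: helper did not answer OK (exit $rc)" >&2
        exit "$rc"
    fi
fi
```

If the helper answers ERR or nothing while `-S` points at a reachable DC, the next thing to check is the keytab: with `-d` the helper logs which principal it tried, and that must match what `klist -kt "$SQUID_KEYTAB"` shows, otherwise KRB5_KTNAME is still pointing at the wrong file.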