[squid-users] Assistance Required: Issues with Squid Kerberos + LDAP Group Configuration
Markus Moeller
huaraz at moeller.plus.com
Sun Jan 19 10:37:42 UTC 2025
Hi Enfal,
Do you also run Samba on the server? If so, Samba may change the AD host entry with which your keytab is associated. This means your keytab gets out of sync with AD.
Markus
"Enfal Gok" <enfal.gok2004 at gmail.com> wrote in message news:PAWPR03MB9010DF5EEC64C9A281A03B24F4152 at PAWPR03MB9010.eurprd03.prod.outlook.com...
Dear Squid Community/Support Team,
I am currently configuring Squid with Kerberos authentication and LDAP group-based access control. However, I am encountering persistent issues, and I would greatly appreciate your guidance. Below are the details of my configuration and the errors I am facing.
--------------------------------------------------------------------------------
Error Logs
The following errors repeatedly appear in the Squid logs:
2025/01/03 19:35:40 kid1| Starting new helpers
2025/01/03 19:35:40 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
support_sasl.cc(276): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(1086): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(1172): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with Username/Password: Encoding error
(ext_kerberos_ldap_group_acl): ../../../../libraries/liblber/io.c:108: ber_write: Assertion `buf != NULL' failed.
2025/01/03 19:35:41 kid1| WARNING: external_acl_type #Hlpr7 exited
2025/01/03 19:35:41 kid1| Too few external_acl_type processes are running (need 1/5)
--------------------------------------------------------------------------------
Current Configuration
Kerberos Authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/ubuntuserver.demo.local
auth_param negotiate children 10
auth_param negotiate keep_alive on
External ACL for LDAP Groups
external_acl_type kerberos_ldap_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
    -P HTTP/ubuntuserver.demo.local@DEMO.LOCAL \
    -D demo.local \
    -b DC=demo,DC=local \
    -l ldap://dc.demo.local \
    -g FullAccess@DEMO.LOCAL:Restricted@DEMO.LOCAL:Filtered@DEMO.LOCAL:Blocked@DEMO.LOCAL
ACL Definitions
acl FullAccess external kerberos_ldap_group FullAccess@DEMO.LOCAL
acl Restricted external kerberos_ldap_group Restricted@DEMO.LOCAL
acl Filtered external kerberos_ldap_group Filtered@DEMO.LOCAL
acl Blocked external kerberos_ldap_group Blocked@DEMO.LOCAL
acl allowed_sites dstdomain .benedictuspoort.be .smartschool.be .microsoft.com
acl bad_sites dstdomain .adult.com .gambling.com
Access Rules
http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Blocked
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all
Proxy Settings
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
--------------------------------------------------------------------------------
What I Have Tried
a. Verified that the Kerberos keytab is up-to-date and matches the Key Version Number (msDS-KeyVersionNumber) in Active Directory.
b. Tested LDAP queries using ldapsearch with both simple and GSSAPI bindings, which work intermittently.
c. Checked Squid logs and confirmed that Kerberos tickets are being issued successfully using kinit and klist.
Despite these efforts, the ext_kerberos_ldap_group_acl helper is unable to bind to the LDAP server, and the Squid service keeps restarting helpers.
--------------------------------------------------------------------------------
Request for Assistance
Could you please provide guidance on:
1. Debugging the ext_kerberos_ldap_group_acl helper?
2. Ensuring compatibility between Kerberos and LDAP for group-based access control?
3. Any potential misconfigurations or missing steps in my setup?
Thank you in advance for your assistance. I look forward to your recommendations.
Kind regards,
Enfal Gok
--------------------------------------------------------------------------------
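The keytab drift Markus describes (Samba or another tool resetting the machine or service account, so AD's msDS-KeyVersionNumber moves past the kvno stored in the keytab, and the helper's SASL/GSSAPI bind then fails) is easy to check from the shell. The script below is an added example for this thread, not code from the list or from the Squid project. It assumes MIT Kerberos tools (the keytab listing is the output of `klist -kte`) and an LDIF captured with `ldapsearch -LLL ... msDS-KeyVersionNumber`; the principal, DC name and the two listings are constructed samples that stand in for a live capture.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Squid.
# Compares the highest kvno a keytab holds for a principal with the
# msDS-KeyVersionNumber that Active Directory currently reports for the
# account. When they differ, the helper's GSSAPI bind will fail until the
# keytab is re-exported (or whatever rotates the account is stopped).
#
# Assumed live usage (my assumption; hostnames are placeholders):
#   KT=$(klist -kte /etc/squid/squid.keytab)
#   kinit -kt /etc/squid/squid.keytab HTTP/ubuntuserver.demo.local@DEMO.LOCAL
#   AD=$(ldapsearch -LLL -Y GSSAPI -H ldap://dc.demo.local -b DC=demo,DC=local \
#        '(servicePrincipalName=HTTP/ubuntuserver.demo.local)' msDS-KeyVersionNumber)
#   check_kvno "$KT" "$AD" HTTP/ubuntuserver.demo.local@DEMO.LOCAL

# Highest kvno in a "klist -kte" listing for the given principal, "" if absent.
# Field 4 of each entry line is the principal; fields 1-3 are kvno, date, time.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -n | tail -n 1
}

# kvno AD reports: the msDS-KeyVersionNumber attribute in the LDIF.
ad_kvno() {
    printf '%s\n' "$1" | awk '$1 == "msDS-KeyVersionNumber:" { print $2; exit }'
}

# $1 = klist listing, $2 = LDIF, $3 = principal. 0 = in sync, 1 = drift/missing.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    ad=$(ad_kvno "$2")
    if [ -z "$kt" ]; then
        echo "no entry for $3 in keytab" >&2
        return 1
    fi
    if [ "$kt" != "$ad" ]; then
        echo "kvno drift for $3: keytab=$kt AD=$ad (re-export the keytab)" >&2
        return 1
    fi
    echo "kvno in sync for $3: $kt"
    return 0
}

# Constructed sample: a keytab exported at kvno 5 (an older kvno 4 entry kept).
KEYTAB_LIST=$(cat <<'EOF'
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/02/2025 09:00:00 HTTP/ubuntuserver.demo.local@DEMO.LOCAL (aes256-cts-hmac-sha1-96)
   5 01/03/2025 10:00:00 HTTP/ubuntuserver.demo.local@DEMO.LOCAL (aes256-cts-hmac-sha1-96)
   5 01/03/2025 10:00:00 HTTP/ubuntuserver.demo.local@DEMO.LOCAL (aes128-cts-hmac-sha1-96)
EOF
)

# Constructed sample: AD has since moved the account to kvno 6 (e.g. Samba
# rotated the machine account password), so the keytab above is stale.
AD_STALE=$(cat <<'EOF'
dn: CN=ubuntuserver,CN=Computers,DC=demo,DC=local
msDS-KeyVersionNumber: 6
EOF
)

# Constructed sample: AD still at kvno 5, matching the keytab.
AD_OK=$(cat <<'EOF'
dn: CN=ubuntuserver,CN=Computers,DC=demo,DC=local
msDS-KeyVersionNumber: 5
EOF
)

PRINC='HTTP/ubuntuserver.demo.local@DEMO.LOCAL'
check_kvno "$KEYTAB_LIST" "$AD_STALE" "$PRINC" || true   # reports drift, exit 1
check_kvno "$KEYTAB_LIST" "$AD_OK" "$PRINC"              # in sync, exit 0
```

Run it as the squid user so the keytab permissions are exercised too; if the kvno matches but `kinit -kt` still fails, the problem is elsewhere (DNS/SPN, clock skew, or a keytab the helper cannot read), not the key version.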
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users