Hi,

I'm trying to authenticate our clients with squid_kerb_ldap against our AD. There exists a global-group called "Internet".

My squid.conf looks like this:

auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess

My "klist -k" looks like this:

proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/proxy-test-01.xx.yy@xxxxx
   4 host/proxy-test-01.xx.yy@xxxxx
   4 host/proxy-test-01.xx.yy@xxxxx
   4 host/proxy-test-01@xxxxx
   4 host/proxy-test-01@xxxxx
   4 host/proxy-test-01@xxxxx
   4 PROXY-TEST-01$@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 PROXY-TEST-01$@XX.YY
   4 HTTP/proxy-test-01.xx.yy@xxxxx
   4 HTTP/proxy-test-01.xx.yy@xxxxx
   4 HTTP/proxy-test-01.xx.yy@xxxxx
   4 HTTP/proxy-test-01@xxxxx
   4 HTTP/proxy-test-01@xxxxx
   4 HTTP/proxy-test-01@xxxxx
   5 proxy-test-01$@XX.YY
   5 proxy-test-01$@XX.YY
   5 proxy-test-01$@XX.YY
   5 HTTP/proxy-test-01.xx.yy@xxxxx
   5 HTTP/proxy-test-01.xx.yy@xxxxx
   5 HTTP/proxy-test-01.xx.yy@xxxxx
   5 HTTP/proxy-test-01@xxxxx
   5 HTTP/proxy-test-01@xxxxx
   5 HTTP/proxy-test-01@xxxxx
   5 host/proxy-test-01.xx.yy@xxxxx
   5 host/proxy-test-01.xx.yy@xxxxx
   5 host/proxy-test-01.xx.yy@xxxxx

Without squid_kerb_ldap, the internet-access is working fine.
With the helper, I got the following errors in the cache.log:

2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop: group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Found group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: ERR
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated

What could this be? The user "testuser" is a member of the AD group "Internet".

Thanks a lot.
Tom
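
An added example, not part of the original post and not code from squid_kerb_ldap: a small parser that condenses the helper's debug lines in cache.log into one record per lookup, so the principal taken from the keytab and the Kerberos error sit next to the final result. The function name `summarize`, the `failed_stage` field and the `OK` success line are assumptions; the sample is a subset of the log quoted above.

```python
import re

# Constructed sample: a subset of the cache.log lines quoted in the post above.
SAMPLE_LOG = """\
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name /etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name: host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: ERR
"""

LINE = re.compile(r"^(\S+ \S+)\| (squid_kerb_\w+): (.*)$")
# Message patterns copied from the log lines in the post; field name -> regex.
FIELDS = {
    "user": re.compile(r"^Got User: (\S+) Domain: \S+"),
    "group": re.compile(r"^Found group@domain (\S+)"),
    "keytab": re.compile(r"^Got default keytab file name (\S+)"),
    "principal": re.compile(r"^Found principal name: (\S+)"),
    "kerberos_error": re.compile(r"^Error while initialising credentials from keytab : (.+)"),
}

def summarize(log_text):
    """Return one dict per squid_kerb_ldap lookup, closed by its OK/ERR line."""
    lookups, cur = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "squid_kerb_ldap":
            continue  # skip squid_kerb_auth and unrelated lines
        msg = m.group(3)
        if msg in ("OK", "ERR"):  # "OK" is assumed as the success counterpart
            cur["result"] = msg
            # A Kerberos error before ERR: the denial follows failed credential setup.
            cur["failed_stage"] = ("kerberos" if "kerberos_error" in cur
                                   else "group" if msg == "ERR" else None)
            lookups.append(cur)
            cur = {}
            continue
        for name, rx in FIELDS.items():
            hit = rx.match(msg)
            if hit:
                cur[name] = hit.group(1)
    return lookups

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```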