Hi Scott,
So from what I see in your first log you have a user MYSUER with a
domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
keytab but does not find any entry for MYDOMAIN in the keytab. Then
squid_kerb_ldap tries to find an entry in the keytab of a domain which
trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
MYDOMAIN and SUBDOMAIN.DOMAIN.COM.
The second log looks better, but the password stored in the keytab for
SQUIDPROXY-K$ is incorrect (Preauthentication failed).
Markus
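As an added illustration of the keytab lookup Markus describes (not code from the thread or from squid_kerb_ldap itself): a small Python parser for the MIT/Heimdal keytab file format (version 0x0502) that lists which realms a keytab actually holds entries for, so the "no entry for MYDOMAIN in the keytab" case can be checked offline. The sample principal, key bytes and kvno are constructed.

```python
import struct

def _cstr(b):
    return struct.pack(">H", len(b)) + b
def _read(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def build_entry(principal, enctype, key, kvno, timestamp=0):
    # Serialise one v2 entry; used here only to construct the sample keytab.
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
    body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
def parse_keytab(data):
    # Walk a 0x0502 keytab; returns principal/realm/kvno/enctype, never the key bytes.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative = deleted slot, 0 = padding: skip
            off += -size or 1
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _read(data, off + 11)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno after the key block
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "realm": realm.decode(), "kvno": kvno, "enctype": enctype})
        off = end
    return entries
def has_realm(data, realm):
    # squid_kerb_ldap needs an entry whose realm matches the user's domain.
    return realm.upper() in {e["realm"].upper() for e in parse_keytab(data)}

# Constructed sample: one AES256-CTS (enctype 18) entry for the proxy machine account.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM", 18, b"\x11" * 32, 3)
```

On a real keytab, `has_realm(open(path, "rb").read(), "MYDOMAIN")` returning False matches what `klist -kt` would show and points at the keytab or the missing trust rather than at LDAP.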
"Scott Finlon" wrote in message
news:D01B8481.36D86%scott.finlon@xxxxxxxxxxxx...
Hi All,
I have squid_kerb_auth working and authenticating via my key tab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.
So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
gives a Preauthentication failed error and doesn't even make it in to AD,
full output here: http://pastebin.com/Gk1ci0nt
That makes me think it's an issue with the key tab file, but it works
appropriately with kerb auth just not kerb ldap. Any ideas?
I am going to try and make a key tab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott