Ok, found it. So a resume for a squid 3.5.19 + samba 4.4.5, kerberos auth and kerberos groups on debian jessie.

By default the package libsasl2-modules-gssapi-mit was not installed. So I installed it:

  apt-get install libsasl2-modules-gssapi-mit

I always install with --no-install-recommends; here I missed this package.

After installing it works fine, at least ..

This works (SASL/GSSAPI over port 389):

  /usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM

But with ssl enabled ..

SASL/GSSAPI over port 636 (ldaps):

  /usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s

Or .. SASL/GSSAPI over port 636 (ldaps) without cert checks:

  /usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s -a

And I also tried adding this to the /etc/default/squid:

  TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
  export TLS_CACERTFILE

And adding the _ldaps._tcp records to the samba4/bind_dlz dns didn't help.

  (samba-tool dns add ADDC.FQDN REALM _ldaps._tcp SRV 'host.internal.domain.tld 636 0 100')

The log part of the remaining errors. But no need to fix this for me, I'm putting this here so people can find it as reference.

  DEBUG: Set SSL defaults
  DEBUG: Disable server certificate check for ldap server.
  ERROR: Error while setting start_tls for ldap server: Operations error
  DEBUG: Bind to ldap server with SASL/GSSAPI
  ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
  ERROR: Error while binding to ldap server with SASL/GSSAPI: Strong(er) authentication required
  DEBUG: Setting up connection to ldap server hostname.internal.domain.tld:636
  DEBUG: Set SSL defaults
  DEBUG: Disable server certificate check for ldap server.
  ERROR: Error while setting start_tls for ldap server: Operations error
  DEBUG: Bind to ldap server with SASL/GSSAPI
  ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required

And if someone finds the solution for this above, that would be nice to report here.

Greetz,

Louis
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users