Re: Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC


I think you forgot in your test that you may need to modify the default Kerberos ticket used.

I suggest you change your config a bit to something like:

external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
    -D YOUR.REALM.TLD \
    -g allowed-internet@xxxxxxxxxxxxxx \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxxx

Now test it. Start like this:

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
    -D YOUR.REALM.TLD \
    -g allowed-internet@xxxxxxxxxxxxxx \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxxx \
    -d

(-d = debug)

Test with -S and point to your server, does it work?

Test again with -S, does it work? No? Change the default keytab for the test:

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you're testing with, hit enter.

And in the end you should see:

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-internet@xxxxxxxxxxxxxx
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK

with search for the KDC in krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

and now, when it works, adjust your parameters to your needs
(like the children-max=1 ttl=3600 negative_ttl=3600).

Greetz,

Louis


>
> squid.conf:
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
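A small shell harness, added here as an example and not part of Louis's reply or of the Squid project, that runs the group helper by hand the way the steps above describe and judges the result from the helper's one-line OK/ERR answer instead of eyeballing debug output. The helper path, realm, group, NT domain, DC list and keytab path are placeholders to override from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): drive ext_kerberos_ldap_group_acl
# by hand and decide pass/fail from its reply.  Squid's external ACL protocol is
# line based: one %LOGIN value per line in, "OK" or "ERR" (optionally followed
# by key=value pairs such as message="...") per line out.  Debug output (-d)
# goes to stderr, so it does not disturb the reply on stdout.
#
# All values below are placeholders (assumptions); override them from the env.
HELPER=${HELPER:-/usr/local/libexec/squid/ext_kerberos_ldap_group_acl}
REALM=${REALM:-YOUR.REALM.TLD}
GROUP=${GROUP:-allowed-internet@YOUR.REALM.TLD}
NTDOMAIN=${NTDOMAIN:-NTDOMAIN@YOUR.REALM.TLD}
DCS=${DCS:-dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD}
KEYTAB=${KEYTAB:-/etc/squid/keytab.SQUID-HTTP}

# parse_helper_reply REPLY: 0 for OK, 1 for ERR, 2 for anything else
# (BH = helper reports itself broken, empty = helper died or never answered).
parse_helper_reply() {
    # split the reply into words; the verdict is the first one
    set -- $1
    case ${1:-} in
        OK)  return 0 ;;
        ERR) return 1 ;;
        *)   return 2 ;;
    esac
}

# check_user USER [HELPER]: feed one username to the helper with the keytab
# the post recommends and return the parsed verdict as the exit status.
check_user() {
    user=$1
    helper=${2:-$HELPER}
    reply=$(printf '%s\n' "$user" |
        KRB5_KTNAME="$KEYTAB" "$helper" -D "$REALM" -g "$GROUP" \
            -N "$NTDOMAIN" -S "$DCS" -d 2>/dev/null | head -n 1)
    parse_helper_reply "$reply"
}

# Usage: ./check_group.sh testuser
if [ $# -gt 0 ]; then
    if check_user "$1"; then
        echo "$1: OK, member of $GROUP"
    else
        echo "$1: ERR or helper failure (rerun the helper with -d on a terminal to see why)"
    fi
fi
```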
