I think you forgot in your test that you may need to modify the
default Kerberos ticket used. I suggest you change your config a bit to something like:

external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
    -D YOUR.REALM.TLD \
    -g allowed-internet@xxxxxxxxxxxxxx \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxxx

Now test it. Start like this:

/usr/local/libexec/squid/negotiate_kerberos_auth \
    -D YOUR.REALM.TLD \
    -g allowed-internet@xxxxxxxxxxxxxx \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxxx \
    -d

(-d = debug)

Test with -S and point to your server, does it work? Test again with -S, does it work? No? Change the default keytab for the test:

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you are testing with, hit enter. And in the end you should see:

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-internet@xxxxxxxxxxxxxx
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK

with search for the kdc in krb5.conf:

[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false

And now, when it works, adjust your parameters to your needs (like the children-max=1 ttl=3600 negative_ttl=3600).

Greetz,
Louis

>
> squid.conf:
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check
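The manual test described in the reply above, as an added example that is not part of the original post or of Squid itself: a small shell harness that selects the Squid keytab through KRB5_KTNAME, runs the group helper with the -D/-g/-N/-S/-d flags, and classifies the helper's protocol reply. The realm, group, NT domain and DC names are placeholders, and the debug-log path is an assumption.

```sh
#!/bin/sh
# Added example, not from the list post: run the group helper the way the
# reply describes (Squid keytab selected through KRB5_KTNAME, helper started
# with -d for debug) and classify its protocol reply. Realm, group, NT domain
# and DC names are placeholders to be replaced with your own.

# Squid external ACL helpers answer each stdin line with a stdout line that
# starts with OK, ERR or BH ("broken helper": it could not decide).
# Debug output from -d goes to stderr, not into the reply.
classify_reply() {
    case "$1" in
        OK|OK\ *)   echo allowed ;;
        ERR|ERR\ *) echo denied ;;
        BH|BH\ *)   echo helper-failure ;;
        *)          echo unexpected ;;
    esac
}

# Ask the helper about one user.
#   $1 = helper path, $2 = username (what %LOGIN would pass), $3 = keytab,
#   $4 = optional file for the helper's stderr (debug) output (assumed path).
# Prints allowed / denied / helper-failure / unexpected.
test_group_membership() {
    helper="$1"; user="$2"; keytab="$3"; dbg="${4:-/tmp/kerberos_ldap_group.debug}"
    reply=$(printf '%s\n' "$user" | KRB5_KTNAME="$keytab" "$helper" \
        -D YOUR.REALM.TLD \
        -g allowed-internet@YOUR.REALM.TLD \
        -N NTDOMAIN@YOUR.REALM.TLD \
        -S dc1.your.dnsdomain.tld@YOUR.REALM.TLD:dc2.your.dnsdomain.tld@YOUR.REALM.TLD \
        -d 2>"$dbg" | head -n 1)
    classify_reply "$reply"
}

# Check the debug log for the line the reply says you should see on success.
# Returns 0 when the helper logged that the user is a group member.
saw_membership_line() {
    grep -q "is member of group" "$1"
}
```

A denied reply with no "is member of group" line in the debug file usually means the helper never reached a DC or used the wrong keytab, which is exactly the case the KRB5_KTNAME change above addresses.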
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users