Well, that's strange. No, I can't speak about OpenBSD, but the below is pretty general.

When you tested, did you set this before the test?

KRB5_KTNAME=/etc/squid/proxy.keytab

And does that keytab contain the HTTP/ SPN? And test/check if you see the HTTP/ SPN in the UPN; if not, try that also.

After that change, I just tested again to make my groups more flexible:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
    -D YOUR.REALM.TLD \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx \
    -i -d

This one is without the -g so we can use more group names, but test with -g first, like in this example (but I changed the ldap group to the kerberos group here):
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

When I now put in "username groupname" after starting with the line above to test it out, I'm getting:

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: INFO: User username is member of group@domain groupname@xxxxxxxxxxxxxx
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: DEBUG: OK

This is all I have in krb5.conf:

[libdefaults]
    default_keytab_name = /etc/krb5.keytab
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true

And the AD DC lookup works if you set the SPN in the UPN; at least it works for me.

I have my system's keytab as the default keytab, and

KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

is set in /etc/default/squid3.

So I'm thinking: review the keytab setup and the variable.

And:

> The AD is reachable from the proxy machine but DNS is not done by the AD
> but on the proxy machine itself.

Same here, but I do have a forward zone in the DNS for my AD domain.

Hope this helps a bit.
Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Silamael Darkomen
> Sent: Monday, 19 September 2016 13:35
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test that you may need to modify the default
> > kerberos ticket used.
> >
> > I suggest you change your config a bit to something like
> >
> > external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> >     -D YOUR.REALM.TLD \
> >     -g allowed-internet@xxxxxxxxxxxxxx \
> >     -N NTDOMAIN@xxxxxxxxxxxxxx \
> >     -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxxD
>
> Hello,
>
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
>
> -- Matthias
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
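A pre-flight check for the keytab and helper setup Louis describes (HTTP/ SPN present in the proxy keytab, KRB5_KTNAME pointing at that keytab, helper fed "username groupname" on stdin and answering OK or ERR). This is an added example, not code from the thread or from the Squid project; the keytab path, realm, NetBIOS domain and DC name are placeholders modelled on the masked values above, and the klist listing it checks offline is constructed:

```shell
#!/bin/sh
# Pre-flight check for the ext_kerberos_ldap_group_acl setup discussed in the
# thread. Added example, not code from the Squid project or the mail's author.
# Assumptions (placeholders, not real values): keytab path, realm, NetBIOS
# domain and DC name below; override them via the environment.

KEYTAB="${KEYTAB:-/etc/squid/proxy.keytab}"
KRB_REALM="${KRB_REALM:-YOUR.REALM.TLD}"
NTDOMAIN="${NTDOMAIN:-NTDOMAIN@YOUR.REALM.TLD}"
DC="${DC:-dc1.your.dnsdomain.tld@YOUR.REALM.TLD}"
HELPER="${HELPER:-/usr/lib/squid3/ext_kerberos_ldap_group_acl}"

# Constructed sample of `klist -kt` output for the offline run; it is not a
# real keytab listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/proxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/19/2016 12:00:00 HTTP/proxy.your.dnsdomain.tld@YOUR.REALM.TLD
   3 09/19/2016 12:00:00 host/proxy.your.dnsdomain.tld@YOUR.REALM.TLD'

# Print the HTTP/ service principals in a klist listing that belong to
# KRB_REALM; exit 1 if there are none. The listing is passed as text so the
# function can be exercised on a box without the keytab.
keytab_http_spns() {
    printf '%s\n' "$1" | awk -v realm="$KRB_REALM" '
        index($NF, "HTTP/") == 1 {
            n = split($NF, part, "@")
            if (part[n] == realm) { print $NF; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Map one helper reply line to a verdict. The helper answers "OK", "ERR" or
# "BH" on stdout (optionally followed by a message); the -d debug lines go
# to stderr and must never be read as the verdict.
helper_verdict() {
    case "$1" in
        OK|"OK "*)   echo allowed ;;
        ERR|"ERR "*) echo denied ;;
        BH|"BH "*)   echo broken ;;
        *)           echo unknown ;;
    esac
}

# Live check, same shape as the manual test in the thread: export
# KRB5_KTNAME so the helper reads the proxy keytab rather than
# /etc/krb5.keytab, verify the HTTP/ SPN is there, then feed
# "username groupname" on stdin and read the first stdout line.
live_check() {
    [ -x "$HELPER" ] || { echo "helper not found: $HELPER" >&2; return 2; }
    KRB5_KTNAME="$KEYTAB"; export KRB5_KTNAME
    if ! keytab_http_spns "$(klist -kt "$KEYTAB")" >/dev/null; then
        echo "no HTTP/ SPN for $KRB_REALM in $KEYTAB; fix the keytab first" >&2
        return 1
    fi
    reply=$(printf '%s %s\n' "$1" "$2" |
        "$HELPER" -m 4 -D "$KRB_REALM" -N "$NTDOMAIN" -S "$DC" -i 2>/dev/null |
        head -n 1)
    helper_verdict "$reply"
}

# Usage: ./check.sh live username groupname   (runs against the real helper)
#        ./check.sh                           (offline demo on the sample)
if [ "${1:-}" = "live" ]; then
    live_check "$2" "$3"
else
    keytab_http_spns "$SAMPLE_KLIST" && echo "HTTP/ SPN present in sample listing"
    helper_verdict "OK"
fi
```

The realm comparison matters because a keytab can hold an HTTP/ entry for the wrong realm and still look fine at a glance; the first-line read of stdout keeps the -d debug chatter (which goes to stderr) out of the verdict, which is the mistake that makes a passing test look like a failure.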