Search squid archive

Re: Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Well thats strange. 
No i cant speak about openBSD, but below is pretty general. 

When you test, did you set this before the test. 
KRB5_KTNAME=/etc/squid/proxy.keytab
And does that keytab contain the HTTP/SPN
And test/check if you see http/SPN in the UPN, if not try that also. 
After that change the 
I just tested again to make my groups more flexible. 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4  \
    -D YOUR.REALM.TLD \
    -N NTDOMAIN@xxxxxxxxxxxxxx \
    - S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx \
    -i -d 
This one is without the -g so we can use more group names, 
but test with -g first.

from this example like. But i change the ldap group to kerberos group here.
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy 


When i now put in "username groupname" after staring with the line above to testout im getting. 

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: INFO: User username is member of group@domain groupname@xxxxxxxxxxxxxx
OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: DEBUG: OK

this is all i have in krb5.conf
[libdefaults]
    default_keytab_name = /etc/krb5.keytab
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true

and the ad dc lookup works, if you set the SPN in the UPN, at least works for me. 
I have my systems keytab as default keytab and  KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME

TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

Is set in the /etc/default/squid3 

So im thinking review the keytab setup and the variable. 

And:
>The AD is reachable from the proxy machine but DNS is not done by the AD
>but on the proxy machine itself.

Same here, but i do have a forward zone in the dns for my ad domain.


Hope this helps a bit. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens
> Silamael Darkomen
> Verzonden: maandag 19 september 2016 13:35
> Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Onderwerp: Re:  Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
> 
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
> > I think you forgot in your test, that you may need to modify the default
> > kerberos ticket used.
> >
> >
> >
> >
> >
> > I suggest you change you config a bit to something like
> >
> >
> >
> > external_acl_type internet-win-allowed %LOGIN
> > /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
> >
> > -D YOUR.REALM.TLD \
> >
> > -g allowed-internet@xxxxxxxxxxxxxx \
> >
> > -N NTDOMAIN@xxxxxxxxxxxxxx \
> >
> > -S
> >
> dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx:dc2.your.dnsdomain.tld@xxxxxxxxxxxxx
> D
> 
> Hello,
> 
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
> 
> -- Matthias
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux