On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well that's strange.
> No I can't speak about OpenBSD, but below is pretty general.
>
> When you test, did you set this before the test?
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN?
> And test/check if you see http/SPN in the UPN, if not try that also.
> After that change the
> I just tested again to make my groups more flexible.
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
> -D YOUR.REALM.TLD \
> -N NTDOMAIN@xxxxxxxxxxxxxx \
> -S dc1.your.dnsdomain.tld@xxxxxxxxxxxxxx \
> -i -d
> This one is without the -g so we can use more group names,
> but test with -g first.
>
> from this example like. But I change the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

That's all there, environment is correctly set up. Keytab looks good. As said before, the negotiate_kerberos_auth part works like a charm. All I get is a bunch of messages complaining about not being able to reach any KDC in realm while initializing the credentials of the keytab...

Thought that it might be a DNS issue but even configuring DNS so that the AD server does all the DNS stuff did not change a bit :(

--
Matthias