I think you forgot in your test that you may need to modify the default
Kerberos ticket used.

I suggest you change your config a bit to something like:

external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-inter...@your.realm.tld \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain....@your.realm.tld:dc2.your.dnsdomain....@your.realm.tld

Now test it. Start like this:

/usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
-D YOUR.REALM.TLD \
-g allowed-inter...@your.realm.tld \
-N ntdom...@your.realm.tld \
-S dc1.your.dnsdomain....@your.realm.tld:dc2.your.dnsdomain....@your.realm.tld \
-d

(-d = debug)

Test with -S and point to your server, does it work?

Test again with -S, does it work? No? Change the default keytab for the test.

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you're testing with, hit enter.

And in the end you should see:

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-inter...@your.realm.tld
OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK

with a search for the KDC in krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

And now, when it works, adjust your parameters to your needs
(like the children-max=1 ttl=3600 negative_ttl=3600).

Greetz,

Louis

>
> squid.conf:
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
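As an added example (not code from this thread or from the Squid project), a small POSIX shell script that automates the manual check the post describes: it selects the keytab through KRB5_KTNAME, verifies the keytab is not readable by other local users before blaming the helper, feeds one username to the external ACL helper on stdin the way Squid does for %LOGIN, and classifies the OK/ERR reply line. The helper path, keytab path, realm, group and server values are placeholders taken from the post; the helper is assumed to speak the standard Squid external ACL protocol (one request line in, one reply line out).

```shell
#!/bin/sh
# Added example, not code from the squid-users thread: drive a Squid external
# ACL helper by hand (username on stdin, one reply line on stdout) and check
# the reply, with the keytab selected through KRB5_KTNAME as the post does.
# Placeholders (assumptions, not real values): the helper and keytab paths
# and the realm/group/server options come from the post and must be replaced.

# Return 0 if the keytab is a regular file readable only by its owner,
# 1 otherwise. A group- or world-readable keytab hands the proxy's service
# key to every local user, so check it before debugging the helper itself.
check_keytab() {
    keytab=$1
    [ -f "$keytab" ] || { echo "keytab $keytab: not a regular file" >&2; return 1; }
    # characters 5-10 of 'ls -l' output are the group and other permission bits
    perms=$(ls -l "$keytab" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *) echo "keytab $keytab: group/other bits are '$perms', expected '------'" >&2; return 1 ;;
    esac
}

# Feed one username to the helper, exactly what Squid sends for %LOGIN, and
# classify the first reply line. Returns 0 for OK, 1 for ERR, 2 for anything
# else (BH, an empty reply, a crash). Extra arguments go to the helper
# unchanged (-D, -g, -N, -S, -d ...); its -d debug output stays on stderr.
check_group_membership() {
    helper=$1; user=$2; shift 2
    reply=$(printf '%s\n' "$user" | "$helper" "$@" | head -n 1)
    case $reply in
        OK|"OK "*)   return 0 ;;
        ERR|"ERR "*) return 1 ;;
        *) echo "unexpected helper reply: '$reply'" >&2; return 2 ;;
    esac
}

# Usage (every value below is a placeholder, not a real group or server):
#   sh test_group.sh /usr/local/libexec/squid/ext_kerberos_ldap_group_acl testuser \
#       -D YOUR.REALM.TLD -g GROUP@your.realm.tld -S DC@your.realm.tld -d
if [ "$#" -ge 2 ]; then
    : "${KRB5_KTNAME:=/etc/squid/keytab.SQUID-HTTP}"   # keytab path from the post
    export KRB5_KTNAME
    check_keytab "$KRB5_KTNAME" || exit 1
    helper=$1; user=$2; shift 2
    if check_group_membership "$helper" "$user" "$@"; then
        echo "$user: OK, member of the allowed group"
    else
        echo "$user: denied or helper error (see stderr)"; exit 1
    fi
fi
```

Run it with the helper's real options after exporting KRB5_KTNAME; an ERR reply for a user you know is a group member usually means the wrong keytab or a failed KDC lookup, which is exactly the case the post's krb5.conf `dns_lookup_kdc = true` setting addresses.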
