Hi Scott,
So from what I see in your first log you have a user MYSUER with a
domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
keytab but does not find any entry for MYDOMAIN in the keytab. Then
squid_kerb_ldap tries to find an entry in the keytab of a domain which
trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
MYDOMAIN and SUBDOMAIN.DOMAIN.COM.
The second log looks better, but the password stored in the keytab for
SQUIDPROXY-K$ is incorrect (Preauthentication failed).
Markus
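The diagnosis above (the keytab holds no entry for the realm squid_kerb_ldap is trying to use) can be checked directly with `klist -kt`. The script below is an added illustration, not code from the thread or from the Squid project: it parses constructed `klist -kt` output, lists the realms present in the keytab, and reports whether the realm passed to `-D` (assumed here to be MYDOMAIN, as in the thread) is among them. The keytab path and principal names are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of `klist -kt` output (not taken from the thread).
# On a real host replace it with:  KLIST_OUT=$(klist -kt /etc/squid/squid.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/21/14 10:00:00 HTTP/squidproxy.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM
   3 08/21/14 10:00:00 SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM'

# keytab_realms KLIST_OUTPUT
# Prints the distinct realms (text after '@' in each principal), one per line.
keytab_realms() {
    printf '%s\n' "$1" | awk '/@/ { p = $NF; sub(/.*@/, "", p); print p }' | sort -u
}

# keytab_has_realm KLIST_OUTPUT REALM
# Returns 0 when at least one keytab principal belongs to REALM, 1 otherwise.
keytab_has_realm() {
    keytab_realms "$1" | grep -qx "$2"
}

main() {
    # Realm handed to squid_kerb_ldap via -D (assumption: MYDOMAIN, as in the thread).
    realm=${1:-MYDOMAIN}
    if keytab_has_realm "$SAMPLE_KLIST" "$realm"; then
        echo "keytab has an entry for realm $realm"
    else
        echo "no keytab entry for realm $realm; realms present in the keytab:"
        keytab_realms "$SAMPLE_KLIST" | sed 's/^/  /'
    fi
    # A stored-password problem (the "Preauthentication failed" case) is checked
    # separately by obtaining a ticket from the keytab, e.g.
    #   kinit -kt /etc/squid/squid.keytab 'SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM'
    # which is left as a comment so the script runs without a KDC.
}

main "$@"
```

With the sample data the script reports that MYDOMAIN is absent and that only SUBDOMAIN.DOMAIN.COM is present, which is exactly the mismatch described in the reply; passing the realm that squid actually belongs to as the first argument makes it report a match.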
"Scott Finlon" wrote in message
news:D01B8481.36D86%scott.finlon_at_scranton.edu...
Hi All,
I have squid_kerb_auth working and authenticating via my key tab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.
So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
gives a Preauthentication failed error and doesn't even make it in to AD,
full output here: http://pastebin.com/Gk1ci0nt
That makes me think it's an issue with the key tab file, but it works
appropriately with kerb auth just not kerb ldap. Any ideas?
I am going to try and make a key tab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott
Received on Thu Aug 21 2014 - 19:21:27 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 22 2014 - 12:00:06 MDT