Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
I
I
I_AM_SHEF2020-01-08 10:32:49
Squid
I_AM_SHEF, 2020-01-08 10:32:49

squid does not work on 2 domains?

Colleagues, good afternoon! I've been struggling with this problem for a long time.
We have Squid 3.5.8, Active Directory (two DCs).
Configured integration via Kerberos with AD.
Everything works, everything is great.
But when you disconnect DC1 - the squid starts to block all traffic. If you turn on DC1, then everything works as it should. (groups, locks, ACL everything works)
Re-created krb5.keytab. When DC1 shuts down, squid gets a ticket from DC2, everything is displayed in klist. PTR records are available, everything is resolved.
Below are configs, logs.
At the moment of blocking, the code in access.log is basically 407.
And in cache.log the following:

spoiler
kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

squid.conf
spoiler
### negotiate kerberos
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/[email protected]
auth_param negotiate children 60
auth_param negotiate keep_alive off
external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
external_acl_type inet_full ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
external_acl_type inet_low ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
acl localnet src 192.168.10.0/24
acl my_full external inet_full
acl my_medium external inet_medium
acl my_low external inet_low
acl auth proxy_auth REQUIRED

krb5.conf
spoiler
[realms]
DOMEN.LOCAL = {
kdc = dc1.domen.local
kdc = dc2.domen.local
admin_server = dc1.domen.local
default_domain = domen.local}

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
C
CityCat4, 2020-01-09
@CityCat4

external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]

Here I also have -D DOMEN.LOCAL and -a (accept all certificates without checking for validity)

Similar questions
L
lless2012-01-13 09:52:59
Thread limit per users in SQUID group? 0Reply
M
Maxim2015-11-18 15:19:11
Where can I get libssl.so.32? 3Reply
P
pentarh2012-08-17 15:34:54
Nginx as another proxy frontend 3Reply
A
Anton Pashchenko2020-05-28 17:19:00
How to make distribution of AD users on freebsd proxy through different channels depending on the group? 1Reply
A
AndreyTT2016-01-26 08:53:23
How to setup ssl connection from user to squid proxy server? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question