Squid
I_AM_SHEF, 2020-01-08 10:32:49

squid does not work on 2 domains?

Colleagues, good afternoon! I've been struggling with this problem for a long time.
We have Squid 3.5.8, Active Directory (two DCs).
Configured integration via Kerberos with AD.
Everything works, everything is great.
But when DC1 is disconnected, Squid starts blocking all traffic. If DC1 is turned back on, everything works as it should (groups, blocks, ACLs, everything works).
Re-created krb5.keytab. When DC1 shuts down, squid gets a ticket from DC2, everything is displayed in klist. PTR records are available, everything is resolved.
Below are configs, logs.
At the moment of blocking, the code in access.log is basically 407.
And in cache.log the following:

kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

squid.conf
### negotiate kerberos
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/[email protected]
auth_param negotiate children 60
auth_param negotiate keep_alive off
external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
external_acl_type inet_full ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
external_acl_type inet_low ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]
acl localnet src 192.168.10.0/24
acl my_full external inet_full
acl my_medium external inet_medium
acl my_low external inet_low
acl auth proxy_auth REQUIRED

krb5.conf
[realms]
DOMEN.LOCAL = {
    kdc = dc1.domen.local
    kdc = dc2.domen.local
    admin_server = dc1.domen.local
    default_domain = domen.local
}


1 answer(s)
CityCat4, 2020-01-09

external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [email protected]

Here I also have -D DOMEN.LOCAL and -a (accept all certificates without checking for validity)
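An added config check for the failover setup discussed in this thread (example code, not from the question or the answer): it counts the kdc entries per realm in krb5.conf and flags every ext_kerberos_ldap_group_acl call in squid.conf that lacks the -D option the answer recommends. The sample configs are constructed copies of the ones posted above, with the obfuscated principal and group names replaced by placeholder values.

```python
import re
import shlex

# Constructed sample of the posted squid.conf; principal and group names are placeholders.
SQUID_CONF = """\
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/proxy.domen.local@DOMEN.LOCAL
auth_param negotiate children 60
external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g inet_medium@DOMEN.LOCAL
external_acl_type inet_full ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g inet_full@DOMEN.LOCAL
"""

# Constructed sample of the posted krb5.conf [realms] section.
KRB5_CONF = """\
[realms]
DOMEN.LOCAL = {
    kdc = dc1.domen.local
    kdc = dc2.domen.local
    admin_server = dc1.domen.local
    default_domain = domen.local
}
"""

def kdc_counts(krb5_conf):
    """Return {realm: number of kdc lines} parsed from the [realms] section."""
    counts, realm, in_realms = {}, None, False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_realms = line.lower() == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{", line)    # start of a realm block
        if m:
            realm = m.group(1)
            counts[realm] = 0
        elif realm and re.match(r"kdc\s*=", line):
            counts[realm] += 1
    return counts

def helpers_missing_domain(squid_conf):
    """Names of external_acl_type entries whose ext_kerberos_ldap_group_acl call has no -D."""
    missing = []
    for line in squid_conf.splitlines():
        if not line.startswith("external_acl_type"):
            continue
        args = shlex.split(line)
        if any(a.endswith("ext_kerberos_ldap_group_acl") for a in args) and "-D" not in args:
            missing.append(args[1])
    return missing

def lint(squid_conf, krb5_conf):
    """Collect human-readable findings for a single-DC dependency."""
    findings = [f"realm {r}: only {n} kdc entry, no KDC failover"
                for r, n in kdc_counts(krb5_conf).items() if n < 2]
    findings += [f"external_acl_type {name}: helper call has no -D option"
                 for name in helpers_missing_domain(squid_conf)]
    return findings
```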
