Displaying 6 results from an estimated 6 matches for "ext_kerberos_ldap_group_acl".
2016 Aug 24
5
missing dns records? _ldaps._tcp ?
Hai,
I'm wondering, I'm missing the _ldaps._tcp.INTERNAL.DOMAIN.TLD entries in my DNS.
Now, before the updates (badlock) etc. this wasn't noticed, I think.
But now, since I'm setting up that everything is doing ldaps, I noticed this in my squid setup
( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem )
My question is... did someone recently set up a new AD DC domain and if so does the _ldaps exist?
My squid group helper reported ..
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DO...
2016 Aug 29
5
set UPN / SPN from samba-tool.
...internal.domain.tld at YOUR.REALM.TLD
So far all OK, but it seems if you use a user as computer account, you must change the UPN.
And in this case I changed the UPN from username at internal.domain.tld to: HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD
Which was key to get the squid ext_kerberos_ldap_group_acl correctly working.
I hope this helps someone for something ;-)
So my suggestion: adding an option that shows and can change the UserPrincipalName from within samba-tool would be great.
Or did I miss this option somewhere?
Greetz,
Louis
2016 Aug 24
0
missing dns records? _ldaps._tcp ?
...the _ldaps._tcp.INTERNAL.DOMAIN.TLD entries in my DNS.
>
> Now, before the updates (badlock) etc. this wasn't noticed, I think.
>
> But now, since I'm setting up that everything is doing ldaps, I noticed this in my squid setup
>
> ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem )
>
> My question is... did someone recently set up a new AD DC domain and if so does the _ldaps exist?
>
> My squid group helper reported ..
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resol...
2016 Aug 30
0
set UPN / SPN from samba-tool.
...>
>
>
> So far all OK, but it seems if you use a user as computer account, you
> must change the UPN.
>
> And in this case I changed the UPN from username at internal.domain.tld to
> : HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD
>
> Which was key to get the squid ext_kerberos_ldap_group_acl correctly
> working.
>
>
SPN must be unique in AD because they are used in the LDAP filter to search for
the user account these SPN are linked to.
When searching for a user the filter could be "(sAMAccountName=toto)" or
"(userPrincipalName=toto_long_form at domain.tld)". This will return "...
2016 Aug 30
2
set UPN / SPN from samba-tool.
2016-08-30 16:10 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 30 Aug 2016 15:58:13 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > And reading last mails comforts me in believing the filter used by
> > client side to retrieve user is not correct, that filter should use
> > SPN then you won't need to
2016 Aug 30
2
set UPN / SPN from samba-tool.
...re all OK, but it seems if you use a user as computer account, you
>> must change the UPN.
>>
>> And in this case I changed the UPN from username at internal.domain.tld to
>> : HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD
>>
>> Which was key to get the squid ext_kerberos_ldap_group_acl correctly
>> working.
>>
>>
> SPN must be unique in AD because they are used in the LDAP filter to search for
> the user account these SPN are linked to.
>
> When searching for a user the filter could be "(sAMAccountName=toto)" or
> "(userPrincipalName=toto_long_form at do...