search for: ext_kerberos_ldap_group_acl

Hai,   Im wondering, im missing the  _ldaps._tcp. INTERNAL.DOMAIN.TLD entries in my dns. Now, before the updates ( badlock ) etc. this wasnt notice i think. But now since im setting up that everything is doing ldaps i noticed this in my squid setup   ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem )   My question is...   did someone resently setup a new AD DC domain and if so does the _ldaps exits?    My squid group helper reported .. support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DO...

...internal.domain.tld at YOUR.REALM.TLD     Sofare all ok, but It seems if you use a user as computer account, you must change the UPN. And in this case i changed the UPN from username at internal.domain.tld  to : HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD   Which was key to get the squid ext_kerberos_ldap_group_acl correctly working.   I hope this helps someone for something ;-)   So my suggestions, add an option thats shows and can change the UserPrincipalName from within samba-tool, would be great. Or did i miss this options somewhere?     Greetz,   Louis      

...the _ldaps._tcp. INTERNAL.DOMAIN.TLD entries in my dns. > > Now, before the updates ( badlock ) etc. this wasnt notice i think. > > But now since im setting up that everything is doing ldaps i noticed this in my squid setup > > > > ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem ) > > > > My question is... did someone resently setup a new AD DC domain and if so does the _ldaps exits? > > > > My squid group helper reported .. > > support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resol...

...> > > > Sofare all ok, but It seems if you use a user as computer account, you > must change the UPN. > > And in this case i changed the UPN from username at internal.domain.tld to > : HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD > > Which was key to get the squid ext_kerberos_ldap_group_acl correctly > working. > > SPN must unique in AD because they are used in LDAP filter to search user account these SPN are linked to. When search a user the filter could be "(sAMAccountName=toto)" or "(userPrincipalName=toto_long_form at domain.tld)". This will return &q...

2016-08-30 16:10 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>: > On Tue, 30 Aug 2016 15:58:13 +0200 > mathias dufresne via samba <samba at lists.samba.org> wrote: > > > And reading last mails comforts me in believing the filter used by > > client side to retrieve user is not correct, that filter should use > > SPN then you won't need to

...re all ok, but It seems if you use a user as computer account, you >> must change the UPN. >> >> And in this case i changed the UPN from username at internal.domain.tld to >> : HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD >> >> Which was key to get the squid ext_kerberos_ldap_group_acl correctly >> working. >> >> > SPN must unique in AD because they are used in LDAP filter to search user > account these SPN are linked to. > > When search a user the filter could be "(sAMAccountName=toto)" or > "(userPrincipalName=toto_long_form at do...