Winbind and squid problem

squidwinbind

I've have squid configured with auth in the AD via winbind

now I have wired problems with authorisation

I found in the logs interesting string

 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot find KDC for requested realm

does anybody know how to fix this?

Best Answer

Most problems related to Kerberos authentication come down to DNS problems. It looks like your Squid machine isn't able to resolve the name of the KDC. Can you verify that you're able to resolve the name of the Active Directory domain controllers via their SRV records? (You can specify the KDC(s) in the /etc/krb5.conf file, but you really should be letting DNS do its job.)

Assuming DNS is working right, double-check the spelling of your Active Directoy domain name in your winbind configuration. The domain's name should be capitalized.

Related Solutions

Linux – squid authentication error kerberos – windows active directory

Make sure reverse DNS lookup is properly configured for your domain as explained here.

If you run dig -x [domain_controler_ip] and you don't see your domain name in the "ANSWER SECTION" you will get Unspecified GSS failure.

Why Squid ntlm_auth works only when “cache_effective_group root”

I have found an answer by myself:

The real place for Winbind privileged pipe is /var/lib/samba/winbindd_privileged (NOT /var/run/samba/winbind_privileged)

In Jessie it owned by root:root and has rights: 0750

I've changed ownership:

chown root:winbindd_priv /var/lib/samba/winbindd_privileged/

Now everything works fine without "cache_effective_group"

PS. Finally there is a bug reported in 2014 :) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754339 that has not been fixed yet

Best Answer

Related Solutions

Linux – squid authentication error kerberos – windows active directory

Why Squid ntlm_auth works only when “cache_effective_group root”

Related Topic