Hello.
There is a perfect article about Squid and FreeIPA:
https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_...
But I want to give Internet access with different rules: one group with full access, one
without social networks, and one group without access.
I use the helper ext_kerberos_ldap_group_acl and all works fine.
But with AD users it doesn't work.
IPA domain - FS.LAN
AD domain - START-LINE.LOCAL
kerberos_ldap_group: ERROR: Error while getting tgt : Server krbtgt/START-LINE.LOCAL@FS.LAN
I tried debugging:
kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
kerberos_ldap_group: DEBUG: Keytab entry has realm name: FS.LAN
kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain START-LINE.LOCAL.
kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
kerberos_ldap_group: DEBUG: Keytab entry has principal: host/mail.fs.lan@FS.LAN
kerberos_ldap_group: ERROR: Error while getting TGT : Server krbtgt/START-LINE.LOCAL@FS.LAN not found in Kerberos database
Maybe I could do something by manipulating sssd.conf or krb5.conf?
--
Regards, Nikolay.
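The helper output quoted in the message above shows the two stages at which ext_kerberos_ldap_group_acl can fail for a user from a trusted domain: first it looks in the keytab for a principal whose realm matches the user's domain, and when there is none it falls back to its own realm's principal and asks that KDC for a cross-realm ticket-granting ticket (krbtgt/TRUSTED-REALM@OWN-REALM). The script below is an added illustration, not code from Squid, FreeIPA or the poster: it parses that debug/error output, re-joins records that a mail client or list archive wrapped across lines, undoes the archive's "(a)" obfuscation of "@" in principal names (assumed to be pure obfuscation, as in the quoted log), and reports which stage failed together with the kinit/kvno commands that reproduce the failing cross-realm request outside Squid. The sample log is constructed from the lines in the message; the message patterns are taken from those lines only, and the MIT krb5 client tools (kinit, kvno) and keytab path are assumptions.

```python
"""Diagnose ext_kerberos_ldap_group_acl debug/error output: did the helper fail
at the keytab lookup or at the cross-realm TGT request? Added illustration
only; this is not code from Squid or FreeIPA."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

PREFIX = "kerberos_ldap_group: "
LINE_RE = re.compile(r"^kerberos_ldap_group: (DEBUG|ERROR): (.*)$")
KEYTAB_REALM_RE = re.compile(r"Keytab entry has realm name: (\S+)")
KEYTAB_PRINC_RE = re.compile(r"Keytab entry has principal: (\S+)")
NO_PRINC_RE = re.compile(r"Did not find a principal in keytab for domain (\S+?)\.?$")
# Matches both the short and the "not found in Kerberos database" form.
TGT_FAIL_RE = re.compile(r"Error while getting (?:TGT|tgt) : Server (krbtgt/([^@\s]+)@(\S+))")

# Constructed sample: the poster's log, with the wrapping and "(a)" left in place
# exactly as a list archive would render it.
SAMPLE_LOG = """\
kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
kerberos_ldap_group: DEBUG: Keytab entry has realm name: FS.LAN
kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain
START-LINE.LOCAL.
kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
kerberos_ldap_group: DEBUG: Keytab entry has principal: host/mail.fs.lan(a)FS.LAN
kerberos_ldap_group: ERROR: Error while getting TGT : Server
krbtgt/START-LINE.LOCAL(a)FS.LAN not found in Kerberos database
"""


@dataclass
class Diagnosis:
    keytab_realms: Set[str] = field(default_factory=set)
    keytab_principals: List[str] = field(default_factory=list)
    domain_without_principal: Optional[str] = None
    used_trusted_domain_path: bool = False
    cross_realm_tgt: Optional[str] = None   # e.g. krbtgt/START-LINE.LOCAL@FS.LAN
    target_realm: Optional[str] = None      # realm the user belongs to
    issuing_realm: Optional[str] = None     # realm whose KDC was asked

    def failed_at_cross_realm(self) -> bool:
        """True when the keytab only covers the issuing realm and that realm's
        KDC rejected the cross-realm krbtgt request."""
        return (self.cross_realm_tgt is not None
                and self.issuing_realm in self.keytab_realms
                and self.target_realm not in self.keytab_realms)

    def summary(self) -> str:
        if self.cross_realm_tgt is None:
            return "no cross-realm TGT failure in log"
        return (f"keytab holds credentials only for {sorted(self.keytab_realms)}; "
                f"no principal for domain {self.domain_without_principal}, so the helper "
                f"asked the {self.issuing_realm} KDC for {self.cross_realm_tgt} and the "
                f"KDC reported it not found")

    def suggested_check(self, keytab: str = "/etc/krb5.keytab") -> List[str]:
        """Commands that reproduce the failing step outside Squid (assumes MIT
        krb5 client tools): get a TGT with the keytab principal the helper used,
        then request the same cross-realm ticket explicitly."""
        if self.cross_realm_tgt is None:
            return []
        princ = self.keytab_principals[-1] if self.keytab_principals else "<principal>"
        return [f"kinit -kt {keytab} {princ}", f"kvno {self.cross_realm_tgt}"]


def unwrap(text: str) -> List[str]:
    """Re-join wrapped records (a continuation line lacks the helper prefix)
    and restore '@' where the archive printed '(a)'."""
    records: List[str] = []
    for raw in text.replace("(a)", "@").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(PREFIX) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def diagnose(text: str) -> Diagnosis:
    d = Diagnosis()
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        level, msg = m.groups()
        realm = KEYTAB_REALM_RE.search(msg)
        if realm:
            d.keytab_realms.add(realm.group(1))
            continue
        princ = KEYTAB_PRINC_RE.search(msg)
        if princ:
            d.keytab_principals.append(princ.group(1))
            d.keytab_realms.add(princ.group(1).rsplit("@", 1)[-1])
            continue
        missing = NO_PRINC_RE.search(msg)
        if missing:
            d.domain_without_principal = missing.group(1)
            continue
        if "Try to get principal of trusted domain" in msg:
            d.used_trusted_domain_path = True
            continue
        fail = TGT_FAIL_RE.search(msg) if level == "ERROR" else None
        if fail:
            d.cross_realm_tgt, d.target_realm, d.issuing_realm = fail.groups()
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result.summary())
    for cmd in result.suggested_check():
        print("  ", cmd)
```

If `kvno krbtgt/START-LINE.LOCAL@FS.LAN` fails the same way from a shell after `kinit -kt /etc/krb5.keytab host/mail.fs.lan@FS.LAN`, the problem is in the cross-realm path between the two KDCs rather than in Squid or the helper's configuration.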