Good day. When checking user authorization through the squid helper ext_kerberos_ldap_group_acl, an error of the following kind is thrown:
kerberos_ldap_group.cc(437): pid=558 :2021/07/27 15:30:27| kerberos_ldap_group: INFO: Got User: BuharskyAA Domain: TELMANA.LOCAL
support_resolv.cc(289): pid=558 :2021/07/27 15:30:42| kerberos_ldap_group: ERROR: Error while resolving service record _ldap._tcp.TELMANA.LOCAL with res_search
support_resolv.cc(71): pid=558 :2021/07/27 15:30:42| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldap._tcp.TELMANA.LOCAL
support_resolv.cc(183): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: System error
support_sasl.cc(276): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(1087): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_member.cc(134): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: INFO: User BuharskyAA is not member of group@domain -d@NULL
ERR
Please help me resolve this problem.
List of installed packages: samba, krb5-user, squid, winbind, libsasl2-modules-gssapi-mit (this library fixes a different error: ERROR: ldap_sasl_interactive_bind_s error: Unknown authentication method)
Squid server OS information: Linux squid 4.19.0-16-686-pae #1 SMP Debian 4.19.181-1 (2021-03-19) i686 GNU/Linux
Domain controller OS information: Windows Server 2012R2 Standard version 6.3 (build 9600)
Configs of the installed packages + hosts:
1) smb.conf
workgroup = TELMANA
server string = Domain Proxy Server
security = ads
realm = TELMANA.LOCAL
load printers = no
log file = /var/log/samba/log.m%
max log size = 50
password server = dc.telmana.local
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
idmap config * : range = 10000-20000
idmap config * : backend = tdb
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
name resolve order = host wins bcast lmhosts
case sensitive = yes
client use spnego = yes
client signing = mandatory
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
dns proxy = no
2) squid.conf:
#Register the authenticator
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/squid.telmana.local@TELMANA.LOCAL
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on
acl localnet src 10.47.0.0/24
#acl SSL_ports port 443
#acl Safe_ports port 80
#acl Safe_ports port 443
#acl Safe_ports port 1025-65535
#http_access deny !Safe_ports
#acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
#http_access allow localhost
#http_access deny to_localhost
#Before checking the user's group membership it is necessary to authenticate
external_acl_type FullInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g InetUsers@telmana.local
external_acl_type LimInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g InetCommonCytes@telmana.local
#Acls with allowed and forbidden sites
acl blacklist url_regex -i "/etc/squid/blacklist.txt"
acl whitelist url_regex -i "/etc/squid/whitelist.txt"
#External groups from AD
acl my_full external FullInet
acl my_lim external LimInet
#Group access to Internet
http_access allow my_lim whitelist
http_access allow my_full
#http_access deny blacklist
http_access deny all
#port for squid
http_port squid.telmana.local:3128
cache_dir ufs /var/log/squid/cache 20480 16 256
maximum_object_size_in_memory 1024 KB
cache_mem 256 MB
coredump_dir /var/log/squid/cache
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
3) nsswitch.conf:
group: files winbind
hosts: files dns nis winbind
networks: files winbind
passwd: files winbind
shells: files winbind
shadow: files winbind
4) krb5.conf:
[libdefaults]
default_realm = TELMANA.LOCAL
default_keytab_name = /etc/squid/squid.keytab
clockskew = 200
[realms]
TELMANA.LOCAL = {
kdc = DC.TELMANA.LOCAL
admin_server = DC.TELMANA.LOCAL
}
default_domain = dc.telmana.local
[domain_realm]
.telmana.local = TELMANA.LOCAL
5) hosts:
127.0.0.1 localhost
10.47.143.138 squid.telmana.local squid
10.47.143.111 dc.telmana.local dc
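Added example (not part of the post above, and not code from the squid project): a small Python script that parses the helper's log format and reports the first stage at which the helper failed. The point it makes for the quoted log is that the helper looks up the SRV record _ldap._tcp.TELMANA.LOCAL with res_search, i.e. through libresolv, which talks to the nameservers in /etc/resolv.conf directly and does not consult /etc/hosts or the hosts line of nsswitch.conf; an entry for dc.telmana.local in /etc/hosts therefore cannot satisfy that lookup, and the getaddrinfo and bind errors that follow are most likely consequences of that first failure. The sample log is a constructed copy of the lines quoted in the post; the stage names and advice strings are my own.

```python
"""Parse ext_kerberos_ldap_group_acl log lines and locate the first failing stage."""
import re
from dataclasses import dataclass

# Constructed sample: a copy of the helper output quoted in the post above.
SAMPLE_LOG = """\
kerberos_ldap_group.cc(437): pid=558 :2021/07/27 15:30:27| kerberos_ldap_group: INFO: Got User: BuharskyAA Domain: TELMANA.LOCAL
support_resolv.cc(289): pid=558 :2021/07/27 15:30:42| kerberos_ldap_group: ERROR: Error while resolving service record _ldap._tcp.TELMANA.LOCAL with res_search
support_resolv.cc(71): pid=558 :2021/07/27 15:30:42| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldap._tcp.TELMANA.LOCAL
support_resolv.cc(183): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: System error
support_sasl.cc(276): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(1087): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_member.cc(134): pid=558 :2021/07/27 15:30:45| kerberos_ldap_group: INFO: User BuharskyAA is not member of group@domain -d@NULL
"""

# One helper line: "<file>(<line>): pid=<pid> :<date time>| kerberos_ldap_group: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<src>[\w.]+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>[\d/]+ [\d:]+)\| "
    r"kerberos_ldap_group: (?P<level>\w+): (?P<msg>.*)$"
)


@dataclass
class Entry:
    src: str
    pid: int
    ts: str
    level: str
    msg: str


def parse_log(text):
    """Return the structured entries for every line that matches the helper's format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["src"], int(m["pid"]), m["ts"], m["level"], m["msg"]))
    return entries


# Stages in the order the helper passes through them; the earliest ERROR decides the diagnosis.
# Stage names and advice are my own labels, not the helper's.
STAGES = [
    ("srv_lookup", re.compile(r"resolving service record (?P<name>\S+)")),
    ("host_lookup", re.compile(r"resolving hostname with getaddrinfo")),
    ("sasl_bind", re.compile(r"ldap_sasl_interactive_bind_s error")),
    ("ldap_bind", re.compile(r"binding to ldap server")),
]

ADVICE = {
    "srv_lookup": "SRV lookup via res_search failed: /etc/resolv.conf must point at a DNS server "
                  "that serves the AD zone; /etc/hosts cannot answer SRV queries",
    "host_lookup": "SRV record resolved but the DC hostname did not: check A records / resolv.conf",
    "sasl_bind": "DC reachable by name but GSSAPI bind failed: check keytab, ticket and clock skew",
    "ldap_bind": "LDAP bind failed after SASL: check LDAP connectivity and the DC's LDAP service",
}


def diagnose(entries):
    """Pick the first classified ERROR and summarise what came before and after it."""
    user = domain = None
    errors = [e for e in entries if e.level == "ERROR"]
    for e in entries:
        m = re.match(r"Got User: (\S+) Domain: (\S+)", e.msg)
        if m:
            user, domain = m.groups()
    for idx, e in enumerate(errors):
        for stage, pat in STAGES:
            sm = pat.search(e.msg)
            if sm:
                return {
                    "user": user,
                    "domain": domain,
                    "stage": stage,
                    "detail": sm.groupdict().get("name"),
                    "advice": ADVICE[stage],
                    "errors": len(errors),
                    "downstream_errors": len(errors) - idx - 1,
                }
    return {"user": user, "domain": domain, "stage": None, "detail": None,
            "advice": "no classified error", "errors": len(errors), "downstream_errors": 0}


def srv_matches_domain(result):
    """True when the SRV name the helper queried is the _ldap._tcp record of the user's domain."""
    if not result["detail"] or not result["domain"]:
        return False
    return result["detail"].lower() == "_ldap._tcp." + result["domain"].lower()


if __name__ == "__main__":
    r = diagnose(parse_log(SAMPLE_LOG))
    print(f"user={r['user']} domain={r['domain']} first failing stage={r['stage']} "
          f"({r['detail']}), {r['downstream_errors']} further errors follow")
    print("advice:", r["advice"])
```

Run it as-is to see the summary for the quoted log; to use it on a live system, feed it the helper lines from cache.log (the helper writes them there when squid runs it) instead of SAMPLE_LOG. The later errors are counted rather than reported one by one, because once the SRV lookup fails everything after it is expected to fail too.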