Hello. There is a perfect article about Squid and FreeIPA - https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sig...
But I want to access the Internet with different rules - some group with full access, some without social networks, and a group without access. I use the helper ext_kerberos_ldap_group_acl and it all works fine. But with AD users it doesn't work.
IPA domain - FS.LAN
AD domain - START-LINE.LOCAL
kerberos_ldap_group: ERROR: Error while getting tgt : Server krbtgt/START-LINE.LOCAL@FS.LAN
I tried to debug:
kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
kerberos_ldap_group: DEBUG: Keytab entry has realm name: FS.LAN
kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain START-LINE.LOCAL.
kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
kerberos_ldap_group: DEBUG: Keytab entry has principal: host/mail.fs.lan@FS.LAN
kerberos_ldap_group: ERROR: Error while getting TGT : Server krbtgt/START-LINE.LOCAL@FS.LAN not found in Kerberos database
Maybe I could do something through manipulation of sssd.conf or krb5.conf?
freeipa-users@lists.fedorahosted.org