Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig 2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2014-03-15 00:41:12.581050607 +0100
@@ -52,7 +52,7 @@ krb5_cleanup()
 * create Kerberos memory cache
 */
 int
-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
 {
 krb5_keytab keytab = 0;
@@ -130,8 +130,17 @@ krb5_create_cache(char *domain)
 if (code) {
 error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
 } else {
- debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
+ if (margs->brokenad == 1) {
+ if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
+ debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
+ } else {
+ debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+ found = 1;
+ }
 }
 }
 #if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1)
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig 2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2014-03-15 00:39:14.653271451 +0100
@@ -57,6 +57,7 @@ init_args(struct main_args *margs)
 margs->rc_allow = 0;
 margs->AD = 0;
 margs->mdepth = 5;
+ margs->brokenad = 0;
 margs->ddomain = NULL;
 margs->groups = NULL;
 margs->ndoms = NULL;
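Review bot: In the second support_krb5.cc hunk the test `!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0` negates the result and then compares it with 0, so it reads as the opposite of what it does and is the kind of expression `-Wlogical-not-parentheses` flags; `if (strncmp(principal_name, "HTTP/", strlen("HTTP/")) != 0) {` states the same condition directly. With `-x` set, a keytab that holds no `HTTP/` entry leaves `found` at 0 and the only trace is one debug line per skipped entry. What happens after that is outside the hunk, so it is worth confirming that this path fails closed with an error-level message rather than continuing without a principal. The comparison is case-sensitive, so an entry stored as `http/...` would also be skipped; a one-line comment saying that this is intended would help the next reader. krb5_create_cache's body starts and ends outside the hunk.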
@@ -176,7 +177,7 @@ main(int argc, char *const argv[])
 init_args(&margs);
- while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+ while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
 switch (opt) {
 case 'd':
 debug_enabled = 1;
@@ -228,6 +229,9 @@ main(int argc, char *const argv[])
 case 'S':
 margs.llist = xstrdup(optarg);
 break;
+ case 'x':
+ margs.brokenad = 1;
+ break;
 case 'h':
 fprintf(stderr, "Usage: \n");
 fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
@@ -244,6 +248,7 @@ main(int argc, char *const argv[])
 fprintf(stderr, "-l ldap url\n");
 fprintf(stderr, "-b ldap bind path\n");
 fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+ fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
 fprintf(stderr, "-a allow SSL without cert verification\n");
 fprintf(stderr, "-m maximal depth for recursive searches\n");
 fprintf(stderr, "-h help\n");
Index: helpers/external_acl/kerberos_ldap_group/support.h
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support.h.orig 2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support.h 2014-03-15 00:08:50.918686771 +0100
@@ -97,6 +97,7 @@ struct main_args {
 int rc_allow;
 int AD;
 int mdepth;
+ int brokenad;
 char *ddomain;
 struct gdstruct *groups;
 struct ndstruct *ndoms;
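Review bot: The usage synopsis printed under `case 'h'`, visible as context in the third kerberos_ldap_group.cc hunk, still ends `[-a] [-m max depth] [-h]` and does not list the new switch. It should gain `[-x]` so that it matches the getopt string and the `-x` description line added in the fourth hunk. The description `force use of HTTP/ principal on ms ad 2008` would be clearer if it said that keytab entries without the `HTTP/` service prefix are ignored when the credential cache is built, since that is what the support_krb5.cc change does. main()'s body starts and ends outside these hunks.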
@@ -156,7 +157,7 @@ int create_nd(struct main_args *margs);
 int create_ls(struct main_args *margs);
 #ifdef HAVE_KRB5
-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
 void krb5_cleanup(void);
 #endif
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig 2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2014-03-15 00:14:51.423011652 +0100
@@ -801,7 +801,7 @@ get_memberof(struct main_args *margs, ch
 debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
 #ifdef HAVE_KRB5
- kc = krb5_create_cache(domain);
+ kc = krb5_create_cache(margs,domain);
 if (kc) {
 error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
 }