Re: Re: AD authentication with squid

----- Original Message ----- From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, March 22, 2009 12:28 AM
Subject: Re: Re: AD authentication with squid


Markus Moeller wrote:
In more detail the required steps for squid_kerb_auth (from
https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest
squid distribution) are:

1) Install kerberos client package
2) Install msktutil package from
http://dag.wieers.com/rpm/packages/msktutil/
3) Configure krb5.conf
4) Configure squid by adding
auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
5) Create keytab for HTTP/fqdn with msktutil.
   a) kinit administrator@DOMAIN
   b) msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/<fqdn> --server <domain controller> --verbose

6) Add the following to the squid startup script
   KRB5_KTNAME=/etc/squid/HTTP.keytab
   export KRB5_KTNAME

7) Done

Markus



Thank you. I was going to ask you for this soon.
Added to the wiki:
  http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Is there anything we can/should add to the krb5.conf section?


Regarding krb5.conf it might be good to mention that rc4-hmac should be listed as an encryption type. A minimal setup without DNS resolution of AD servers would be:

[libdefaults]
      default_realm = WIN2003R2.HOME
      dns_lookup_kdc = no
      dns_lookup_realm = no
      default_keytab_name = /etc/krb5.keytab
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
      WIN2003R2.HOME = {
              kdc = w2k3r2.win2003r2.home
              admin_server = w2k3r2.win2003r2.home
      }

[domain_realm]
      .linux.home = WIN2003R2.HOME
      .win2003r2.home = WIN2003R2.HOME
      win2003r2.home = WIN2003R2.HOME

[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log


In IE the proxy must be specified as an FQDN, not as an IP address.

Amos
--

Regards
Markus

Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
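As an added example (not code from this thread or from the Squid project): a small Python parser for the krb5.conf layout shown above, including the `REALM = { ... }` sub-blocks under [realms], with a check that rc4-hmac appears in all three enctype lists as the post asks and a lookup of the KDC hosts a realm pins when dns_lookup_kdc = no. The embedded configuration is constructed from the post; the function names are my own.

```python
# Constructed sample: a cut-down copy of the krb5.conf from the post, embedded so this runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
      default_realm = WIN2003R2.HOME
      dns_lookup_kdc = no
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
      WIN2003R2.HOME = {
              kdc = w2k3r2.win2003r2.home
      }
"""
ENCTYPE_KEYS = ('default_tgs_enctypes', 'default_tkt_enctypes', 'permitted_enctypes')

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}; a `name = { ... }`
    sub-block (as used under [realms]) becomes a nested dict."""
    conf, section, stack = {}, None, []   # stack holds the open sub-blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':   # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1], {})
            stack = []
        elif line == '}':
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition('='))
            target = stack[-1] if stack else section
            if value == '{':
                target[key] = {}
                stack.append(target[key])
            else:
                target[key] = value
    return conf

def enctypes(conf):
    """Enctype list per [libdefaults] key; a missing key yields an empty list."""
    lib = conf.get('libdefaults', {})
    return {k: lib.get(k, '').split() for k in ENCTYPE_KEYS}

def rc4_listed_everywhere(conf):
    """The check from the post: rc4-hmac must appear in all three enctype lists."""
    return all('rc4-hmac' in v for v in enctypes(conf).values())

def realm_kdcs(conf, realm):
    """KDC hosts a realm declares; with dns_lookup_kdc = no these are the only ones used."""
    return conf.get('realms', {}).get(realm, {}).get('kdc', '').split()
```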
