Re: Re: AD authentiction with squid

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

----- Original Message ----- 
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, March 22, 2009 12:28 AM
Subject: Re:  Re: AD authentiction with squid


> Markus Moeller wrote:
> > In more detail the required steps for squid_kerb_auth (from
> > https://sourceforge.net/project/showfiles.php?group_id=196348 or from 
> > latest
> > squid distribution) are:
> >
> > 1) Install kerberos client package
> > 2) Install msktutil package from
> > http://dag.wieers.com/rpm/packages/msktutil/
> > 3) Configure krb5.conf
> > 4) Configure squid by adding
> > auth_param negotiate program /usr/sbin/squid_kerb_auth
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > 5) Create keytab for HTTP/fqdn with msktutil.
> >    a) kinit administrator@DOMAIN
> >    b) msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k
> > /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn 
> > HTTP/<fqdn> --server
> > <domain controller>  --verbose
> >
> > 6) Add the following to thw squid startup script
> >   KRB5_KTNAME=/etc/squid/HTTP.keytab
> >  export KRB5_KTNAME
> >
> > 7) Done
> >
> > Markus
>
> Thank you. I was going to ask you for this soon.
> Added to the wiki:
>   http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Is there anything we can/should add to the krb5.conf section?

Regarding  krb5.conf it might be good to mention that rc4-hmac should be 
listed as encryption type. A minimal setup without DNS resolution of AD 
servers would be

[libdefaults]
      default_realm = WIN2003R2.HOME
      dns_lookup_kdc = no
      dns_lookup_realm = no
      default_keytab_name = /etc/krb5.keytab
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
      WIN2003R2.HOME = {
              kdc = w2k3r2.win2003r2.home
              admin_server = w2k3r2.win2003r2.home
      }

[domain_realm]
      .linux.home = WIN2003R2.HOME
      .win2003r2.home = WIN2003R2.HOME
      win2003r2.home = WIN2003R2.HOME

[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log


In IE the proxy must be specified as fqdn not as an IP-address

> Amos
> --

Regards
Markus

> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>   Current Beta Squid 3.1.0.6