
Single Forest Multiple Domains Kerberos setup (squid_kerb_ldap)

Dear Markus/All,
 
Please guide me on the matter discussed below:

 
Single Forest Multiple Domain setup 
 
 
                          A
                         / \
                        /   \
                        B    C
 
Problem:
 
Single Forest, Multiple Domains, where the Root A is empty with no users. Domains B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.
 
 
Guides and Helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
& squid_kerb_ldap readme file
 
>>>If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the 
HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth......
 
 
I think this is the only change required in the squid configuration to authenticate and authorize from multiple domains?
 
 
 
 
Please confirm whether I am to create SPNs as below for this setup to work.
 
 
(SPNs for both the domains)
 
Creation of keytab/SPN/Computer object for Domain A:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.b.com -h squidlhr.b.com -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com --server dcofbdomain.b.com --verbose
 
Appending in the same keytab SPN/keys for Domain B:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.c.com -h squidlhr.c.com -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com --server dcofcdomain.c.com --verbose
 
 
 
Please guide me on the changes that would be required in the krb5.conf file?
 
--------------------------------------------------------------------------------------------
My working krb5.conf file as per the guidance of Markus (Kerberos working, authorization portion yet to implement)
 
[libdefaults]
    default_realm = B.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = /etc/krb5.keytab

; for windows 2003 encryption type configuration.
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    B.COM = {
        kdc = b.com
        admin_server = dc.b.com
    }

[domain_realm]
    .linux.home = B.COM
    .b.com = B.COM
    b.com = B.COM

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/kdc.log
-----------------------------------------------------------------------------------------------------
 
 
 
regards,
 
Bilal
 
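As an added illustration of the two-realm case asked about above (editor's example, not from the original post or from the squid project), the [realms] and [domain_realm] sections of krb5.conf would need a stanza and a host-to-realm mapping for each child domain. Because the posted file sets dns_lookup_kdc = false, the KDC of every realm has to be listed explicitly; the KDC hostnames here are the --server values from the msktutil commands above, and using the same host as admin_server is an assumption.

```ini
; Realm-related sections only; [libdefaults] and [logging] stay as in the posted file.
; Assumption: the domain controllers named in the msktutil commands are the KDCs.
[realms]
    B.COM = {
        kdc = dcofbdomain.b.com
        admin_server = dcofbdomain.b.com
    }
    C.COM = {
        kdc = dcofcdomain.c.com
        admin_server = dcofcdomain.c.com
    }

; Map both DNS domains to their realms so service tickets for
; HTTP/squidlhr.b.com and HTTP/squidlhr.c.com resolve to the right KDC.
[domain_realm]
    .b.com = B.COM
    b.com = B.COM
    .c.com = C.COM
    c.com = C.COM
```

With both HTTP/fqdn@REALM keys appended to the same HTTP.keytab as described in the quoted readme text, squid_kerb_auth -s GSS_C_NO_NAME can then accept tickets issued by either realm.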