Re: Single Forest Multiple Domains Kerberos setup (squid_kerb_ldap)

Hi Bilal,

GIGO . wrote:
> Problem:
> Single Forest, multiple domains, where the root A is empty with no users. Domains B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.
>
> If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the
> HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth......
> I think this is the only change required in the squid configuration to authenticate and authorize from multiple domains?

I never tried this with non-hierarchical or non-Windows domains, but I would give it a go:

As there is at least a one-way trust from A to B/C, you don't need multiple service principals for the proxy. What you would do is create a single service principal in domain A.

When users from domains B and C are accessing the proxy, they should be able to discover (or be told in krb5.conf) that the service principal is in domain A and will acquire a service ticket from that domain. The proxy will then be able to verify these tickets.

I would use "-s HTTP/fqdn@xxxxx". You don't need to set GSS_C_NO_NAME.


> Please confirm that I am to create the SPN as below for this setup to work.

I don't have experience with msktutil. I created the SPN and keytab file for a computer account on the Windows DC:

ktpass.exe -princ HTTP/fqdn@A -mapuser accountname$@A -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST +rndpass -out krb5.keytab


> Please guide me on the changes that would be required in the krb5.conf file?

If the domain structure is reflected in DNS (i.e. with SRV records) and the proxy is able to query the forest DNS you shouldn't need anything in the krb5.conf of the proxy. Try "dig _kerberos._tcp.b.com" on the proxy. For simplicity I would add the default realm:

[libdefaults]
  default_realm = A.COM

Eventually you will have to add a [capaths] section to define the trust relationship:

[capaths]
B.COM = {
  A.COM = .
}
C.COM = {
  A.COM = .
}

This is only for the proxy and applies to a Windows 2003 forest. The clients might need different settings.

Regards,

Fabian
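The krb5.conf fragments above are easy to get subtly wrong (a missing [capaths] block for one of the client realms, or a default_realm pointing at the wrong domain), and the proxy only tells you by rejecting tickets. The following is an added example, not code from Fabian's mail or from the squid project: a small Python checker that parses a krb5.conf-style file (sections, key = value, nested { } blocks, a minimal reading of the MIT syntax, not MIT's own parser) and reports whether the proxy's configuration has a default_realm equal to the realm holding the service principal and a [capaths] entry for every client realm that chains directly to it. The sample configuration embedded in the script is constructed from the one in the thread; realm names A.COM, B.COM and C.COM are the thread's placeholders.

```python
"""Check a proxy's krb5.conf for the single-forest, multi-domain setup from
the thread: one service principal in realm A, clients in realms B and C,
and [capaths] entries that route B/C tickets straight to A.

Added example; the parser is a minimal reading of krb5.conf syntax
(sections, key = value, nested { } blocks), not the MIT implementation."""
import re

# Constructed sample, built from the fragments in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = A.COM

[capaths]
B.COM = {
  A.COM = .
}
C.COM = {
  A.COM = .
}
"""

SECTION_RE = re.compile(r'^\[(\w+)\]$')


def parse_krb5_conf(text):
    """Return {section: {key: value}} where a '{ ... }' block becomes a
    nested dict and everything else stays a string."""
    conf = {}
    stack = []  # dicts currently open: [section, nested, nested, ...]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if len(stack) > 1:
                raise ValueError("unbalanced '{' before [%s]" % m.group(1))
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % line)
        if line == '}':
            if len(stack) == 1:
                raise ValueError("'}' without matching '{'")
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == '{':
            nested = {}
            stack[-1][key] = nested
            stack.append(nested)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unbalanced '{' at end of file")
    return conf


def check_proxy_config(conf, proxy_realm, client_realms):
    """Return a list of problems (empty means the config matches the
    thread's recipe) for a proxy whose service principal lives in
    proxy_realm and whose users come from client_realms."""
    problems = []
    default = conf.get('libdefaults', {}).get('default_realm')
    if default != proxy_realm:
        problems.append("default_realm is %r, expected %r"
                        % (default, proxy_realm))
    capaths = conf.get('capaths', {})
    for realm in client_realms:
        block = capaths.get(realm)
        if not isinstance(block, dict):
            problems.append("[capaths] has no block for %s" % realm)
        elif block.get(proxy_realm) != '.':
            # capaths syntax: client_realm = { server_realm = intermediate }
            # and '.' means "direct, no intermediate realm".
            problems.append("[capaths] %s does not list a direct path ('.') to %s"
                            % (realm, proxy_realm))
    return problems


if __name__ == '__main__':
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    issues = check_proxy_config(parsed, 'A.COM', ['B.COM', 'C.COM'])
    print("OK" if not issues else "\n".join(issues))
```

Run it against the proxy's real /etc/krb5.conf by reading the file instead of SAMPLE_KRB5_CONF. It only validates the static configuration; whether the proxy can actually find the B and C KDCs is still the DNS question from the thread (the `dig` check on the proxy), and whether the keytab holds the right HTTP/fqdn@A.COM key is a separate `klist -k` check.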
