Hi Bilal,
GIGO . wrote:
Problem:
Single FOrest Multiple domains where as Root A is empty with no users. Domain B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and authrorized through LDAP.
If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth......
i think this is the only change required in squid configuration to authenticate and authorize from multiple domains?
I never tried this with non-hierarchical or non-Windows domains, but I
would give it a go:
As there is at least a one-way trust from A to B/C, you don't need
multiple service principals for the proxy. What you would do is create a
single service principal in domain A.
When users from domains B and C are accessing the proxy, they should be
able to discover (or be told in krb5.conf) that the service principal is
in domain A and will acquire a service ticket from that domain. The
proxy will then be able to verify these tickets.
I would use "-s HTTP/fqdn@xxxxx". You don't need to set GSS_C_NO_NAME.
Please confirm that am i to create SPN as below for this setup to work.
I don't have experience with msktutil. I created the SPN and keytab file
for a computer account on the Windows DC:
ktpass.exe -princ HTTP/fqdn@A -mapuser accountname$@A -crypto
rc4-hmac-nt -ptype KRB5_NT_SRV_HST +rndpass -out krb5.keytab
PLease guide me on the changes that would be required in the krb5.conf file ?
If the domain structure is reflected in DNS (i.e. with SRV records) and
the proxy is able to query the forest DNS you shouldn't need anything in
the krb5.conf of the proxy. Try "dig _kerberos._tcp.b.com" on the proxy.
For simplicity I would add the default realm:
[libdefaults]
default_realm = A.COM
Eventually and you will have to add a [capaths] section to define the
trust relationship:
[capaths]
B.COM = {
A.COM = .
}
C.COM = {
A.COM = .
}
This is only for the proxy and applies to a Windows2003 forest. The
clients might need different settings.
Regards,
Fabian