Re: squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message 
news:hr4mi5$3ei$1@xxxxxxxxxxxxxxxxxx
> > "GIGO ." <gigoz@xxxxxxx> wrote in message 
> > news:SNT134-w60089C12FB3E7D43747C18B9050@xxxxxxxxxx
> >
> > Dear All,
> >
> > The problem under discussion is a continuity of SPN creation/Single 
> > Forest MultiDomain (Active Directory) topic.
> >
> > @ Markus
> > Yes my infrastructure is Active Directory based (Root Forest Directory A 
> > with two child domains B (80 % users) & C (20 % users) in their own 
> > trees). Only squid Proxy is installed on Centos OS and not joined to any 
> > domain.Markus you are right I Observed that the clients in the child 
> > domain are able to use squid proxy without any changes required in the 
> > krb5.conf file.(no need to define [CAPATH] section). I got it that by 
> > design of the Active directory forest where Parent domains and child 
> > domains have two way transitive trusts,  Active directory/DNS 
> > infrastructure is managing itself...and the clients in any domain are 
> > able to find that Service principal is in which domain to acquire a 
> > service ticket from that domain. Right??
>
> Correct
>
> > If the UnixServer(Proxy) is not belonged to any domain then the 
> > default_realm section does not matter and i can choose any of my domains 
> > as default_realm. As i think that the default_realm tag is compulsory to 
> > define so couldn't be left blank. Similarly if am not to use any other 
> > kerberised service for example from my SquidProxyunix server then 
> > .linux.home tag will be unimportant otherwise it is a must. Right??
>
> Correct

Keep in mind that squid_kerb_ldap is a kerberised client and will need the 
krb5.conf settings.

> > //krb5.conf for Active directory single forest multi domain its working 
> > correctly--------------------------------------------
> > [libdefaults]
> >  default_realm = A.COM.PK
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  default_keytab_name = /etc/krb5.keytab
> >
> > ; for windows 2003 encryption type configuration.
> >         default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> >         default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> >         permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> > [realms]
> >  A.COM.PK = {
> >    kdc = dc1.a.com.pk
> >    admin_server = dc1.a.com.pk
> >   }
> >  b.A.COM.PK = {
> >    kdc = childdc.b.a.com.pk
> >    admin_server = childdc.b.a.com.pk
> > }
> > [domain_realm]
> > .linux.home = A.COM.PK
> > .a.com.pk = A.COM.PK
> > a.com.pk = A.COM.PK
> > .b.a.com.pk = b.A.COM.PK
> > b.a.com.pk = b.A.COM.PK
> > [logging]
> > kdc = FILE:/var/log/kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/kdc.log
> > ----------------\\
> > Any suggestions/guidance required??
>
> That looks OK
>
> > My squid.conf portion related to Authentication/Authorization along with 
> > the questions.
> >
> > auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > # basic auth ACL controls to make use of it are.
> > #acl auth proxy_auth REQUIRED
> > #http_access deny !auth
> > #http_access allow auth
> >
> >
> > I think now above commented directives are not required as 
> > squid_kerb_ldap has taken the charge. Right???
> >
> >
> >
> > #external_acl_type squid_kerb1 ttl=3600  negative_ttl=3600  %LOGIN 
> > /usr/libexec/squid/squid_kerb_ldap -g 
> > GROUP1@xxxxxxxx:GROUP2@xxxxxxxx:GROUP3@xxxxxxxx:G1@xxxxxxxxxx:GROUP2@xxxxxxxxxx:GROUP3@xxxxxxxxxx
> >
> > external_acl_type g1_parent ttl=3600  negative_ttl=3600  %LOGIN 
> > /usr/libexec/squid/squid_kerb_ldap -g GROUP1@xxxxxxxx
> >
> > external_acl_type g2_parent ttl=3600  negative_ttl=3600  %LOGIN 
> > /usr/libexec/squid/squid_kerb_ldap -g GROUP2@xxxxxxxx
> >
> > external_acl_type g2_child ttl=3600  negative_ttl=3600  %LOGIN 
> > /usr/libexec/squid/squid_kerb_ldap -g GROUP2@xxxxxxxxxx
> >
> >
> >
> > Although the commented single liner was working properly for me and look 
> > more apporpriate to me but i had to split it into multiple 
> > lines....nothing came into my mind how to handle the ACL's based on user 
> > group membership. Please guide me if there is a better way to do that as 
> > it feels that i am calling the helper multiple times instead of single 
> > time now??
> >
> >
> >
> > (There are other expected groups from child domains and parent domains so 
> > am worried that isnt it affect the performance)
> >
> >
> > acl ldap_group_check1 external g1_parent
> > acl ldap_group_check2 external g2_parent
> > acl ldap_group_check3 external g2_child
> >
> >
> > ####Definition of YouTube.
> > ## The videos come from several domains
> > acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
> >
> > http_access deny  ldap_group_check1 youtube_domains
> > http_access allow ldap_group_check2
> > http_access allow ldap_group_check1
> > http_access allow ldap_group_check3
> > http_access deny  all
> >
> >
> >
> > As i think squid.conf file is parsed from top to bottom and if a related 
> > statement/acl is met then will see no further so it means that putting 
> > the statments in an order where groups containing most of the users will 
> > improve performance. Can there be if-else structure be used in squid.conf 
> > and how? Am not sure??? please guide...
>
> I leave this to the experts to answer.
>
> > Thanking you
> >
> > &
> >
> > regards,
> >
> >
> > Bilal
> >
> >
> >
> >
> > _________________________________________________________________
> > Hotmail: Free, trusted and rich email service.
> > https://signup.live.com/signup.aspx?id=60969
>
> Regards
> Markus