
NEGOTIATE Kerberos Auth

Dear all,
 
I'm having a problem configuring my Squid 3.5.15 with Negotiate Kerberos authentication in my single forest with multiple domains.
 
My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this:     FATHER.COM -> KID1.FATHER.COM
                          -> KID2.FATHER.COM
 
With my current configuration, Squid Negotiate Kerberos auth works only for FATHER.COM, but not when my users belong to KID1 or KID2.
I have read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate child-domain users.
 
My krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = FATHER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = /usr/local/squid/etc/HTTP.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
 }
 KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
 }
[domain_realm]
 .father.com = FATHER.COM
 father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
 kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}
 
To set up Kerberos auth with FATHER.COM I did:
# kinit user@xxxxxxxxxx
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N
 
In squid.conf I have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com
 
Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).
 
Now I'm trying to add KID1 and KID2 users to Kerberos auth.
As I said previously, I have read some posts but I cannot find the correct configuration to support my forest.
1) Some say to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit user@xxxxxxxxxx
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me a keytab authentication error or a ticketing problem. So I tried:
- kinit user@xxxxxxxxxxxxxxx
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.
 
After many, many hours, I need some advice to complete my configuration.
Is there anyone who could help me?
 
Many thanks in advance.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
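The checks I would run on this setup, as an added example that is not part of the original post or of Squid's own tooling. In Kerberos cross-realm authentication a user from KID1.FATHER.COM first gets a cross-realm TGT krbtgt/FATHER.COM@KID1.FATHER.COM from the KID1 KDC and only then a ticket for HTTP/proxy1.father.com@FATHER.COM, so the proxy side needs just its own realm's key in the keytab. The script below reads listings in the shape of MIT `klist -kt` and `klist` output and of the post's [libdefaults] enctype lines; the listings are constructed here, not captured from a real system, and the realm and principal names are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): spot checks for the proxy keytab,
# for the ticket chain a child-domain user must obtain before Negotiate auth to
# HTTP/proxy1.father.com can succeed, and for stale DES enctypes in krb5.conf.
#
# Live MIT Kerberos commands this mirrors:
#   on the proxy:   klist -kt /usr/local/squid/etc/HTTP.keytab
#   on a KID1 host: kinit user@KID1.FATHER.COM
#                   KRB5_TRACE=/dev/stderr kvno HTTP/proxy1.father.com
#                   klist
# The three listings below are constructed to look like that output.

PROXY_KEYTAB_LISTING='Keytab name: FILE:/usr/local/squid/etc/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2016 10:00:00 HTTP/proxy1.father.com@FATHER.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2016 10:00:00 HTTP/proxy1.father.com@FATHER.COM (aes128-cts-hmac-sha1-96)
   2 01/01/2016 10:00:00 HTTP/proxy1.father.com@FATHER.COM (arcfour-hmac)'

CLIENT_CACHE_LISTING='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@KID1.FATHER.COM

Valid starting       Expires              Service principal
01/01/2016 10:00:00  01/01/2016 20:00:00  krbtgt/KID1.FATHER.COM@KID1.FATHER.COM
01/01/2016 10:00:05  01/01/2016 20:00:00  krbtgt/FATHER.COM@KID1.FATHER.COM
01/01/2016 10:00:05  01/01/2016 20:00:00  HTTP/proxy1.father.com@FATHER.COM'

# The enctype lines as posted in the krb5.conf above.
LIBDEFAULTS_FRAGMENT=' default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5'

# keytab_has_principal LISTING PRINCIPAL
# True when the keytab holds at least one key for PRINCIPAL (any enctype).
keytab_has_principal() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# weak_enctypes_configured FRAGMENT
# Prints *_enctypes settings that still list single DES; returns 0 if any do.
# The keytab written with "--enctypes 28" (RC4 + AES128 + AES256) holds no
# DES key, so these entries can never match and only widen what is accepted.
weak_enctypes_configured() {
    printf '%s\n' "$1" | grep -E '_enctypes *=.*des-cbc-(crc|md5|md4)'
}

# cross_realm_chain_ok CACHE_LISTING CLIENT_REALM SERVICE_REALM SPN
# A user from CLIENT_REALM reaching a service in SERVICE_REALM must hold
#   1. the local TGT         krbtgt/CLIENT_REALM@CLIENT_REALM
#   2. the cross-realm TGT   krbtgt/SERVICE_REALM@CLIENT_REALM
#   3. the service ticket    SPN@SERVICE_REALM
# Missing (2): the trust path from CLIENT_REALM to SERVICE_REALM was not
# followed (look at [capaths]/[domain_realm] and the AD trust itself).
# Missing (3) with (2) present: look at the SPN and the proxy-side keytab.
cross_realm_chain_ok() {
    cache=$1; crealm=$2; srealm=$3; spn=$4
    for want in "krbtgt/$crealm@$crealm" "krbtgt/$srealm@$crealm" "$spn@$srealm"; do
        if ! printf '%s\n' "$cache" | grep -F -q -- "$want"; then
            echo "missing ticket: $want" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone run: report on the constructed listings.
if keytab_has_principal "$PROXY_KEYTAB_LISTING" 'HTTP/proxy1.father.com@FATHER.COM'; then
    echo 'keytab: service principal for the proxy realm is present'
fi
if weak_enctypes_configured "$LIBDEFAULTS_FRAGMENT" >/dev/null; then
    echo 'krb5.conf: DES enctypes listed but no DES key exists; drop them'
fi
cross_realm_chain_ok "$CLIENT_CACHE_LISTING" KID1.FATHER.COM FATHER.COM HTTP/proxy1.father.com \
    && echo 'client: KID1.FATHER.COM -> FATHER.COM ticket chain complete'
```

Run the same three checks against the real `klist -kt` and `klist` output of the proxy and of a KID1 workstation; a chain that stops after the local TGT is a realm-path problem on the client or KDC side, not something another keytab entry on the proxy will fix.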
