NEGOTIATE Kerberos Auth

"akn ab" <drcimino@xxxxxxxx> · Fri, 18 Mar 2016 12:48:33 +0100

Dear all,

i'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.

My FATHER.COM is a forest with 2 children: KID1 and KID2.

Like this:     FATHER.COM -> KID1.FATHER.COM

                                        -> KID2.FATHER.COM

With actual configurazion, squid negotiated kerberos auth works with only FATHER.COM but not when my users belongs to KID1 and KID2.

I readed some discussions on mailing list about forest, but cannot find a definitive advice and procedure to authenticate childern domains users.

My krb5.conf:

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

[libdefaults]

 default_realm = FATHER.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 ticket_lifetime = 24h

 renew_lifetime = 7d

 forwardable = true

 default_keytab_name = /usr/local/squid/etc/HTTP.keytab

 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]

FATHER.COM = {

  kdc = dc1.father.com:88

  kdc = dc2.father.com:88

  default_domain = father.com

 }

 KID1.FATHER.COM = {

  kdc = dc1.kid1.father.com:88

  kdc = dc2.kid1.father.com:88

  default_domain = kid1.father.com

 }

 KID2.FATHER.COM = {

  kdc = dc1.kid2.father.com:88

  kdc = dc2.kid2.father.com:88

  default_domain = kid2.father.com

 }

[domain_realm]

 .father.com = FATHER.COM

 father.com = FATHER.COM

 .kid1.father.com = KID1.FATHER.COM

 kid1.father.com = KID1.FATHER.COM

 .kid2.father.com = KID2.FATHER.COM

 kid2.father.com = KID2.FATHER.COM

[capaths]

KID1.FATHER.COM = {

   FATHER.COM = .

}

KID2.FATHER.COM = {

   FATHER.COM = .

}

To join kerberous auth with FATHER.COM i did:

# kinit user@xxxxxxxxxx

# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config i have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/sq

uid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name. If i use an alias dns name, does not work).

Now i'm trying to add KID1 and KID2 users to krb auth.

As i sayed previously, i readed some posts but i cannot find correct configuration to support my forest.

1) Someone say to add to HTTP.keytab KID1 and KID2. To do so i did:

- kinit user@xxxxxxxxxx

- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N

but this configuration give my an error authentication of my keytab or ticketing problem. So i tryed:

- kinit user@xxxxxxxxxxxxxxx

but my user is an Enterprise Admin form FATHER.COM, so i cannot get the ticket.

After many, many and many hours, i need some advices to complete my configuration.

Is there anyone that could help me?

Many thanks in advance.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users