Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM?
Can you get a Wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?

Regards
Markus
"akn ab" <drcimino@xxxxxxxx> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,
I'm having a problem configuring my Squid 3.5.15 with negotiated Kerberos authentication in my mono-forest, multi-domain setup.
My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
                      -> KID2.FATHER.COM
With the current configuration, Squid negotiated Kerberos auth works only with FATHER.COM, but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate child domain users.
My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FATHER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = /usr/local/squid/etc/HTTP.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
 }
 KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
 }

[domain_realm]
 .father.com = FATHER.COM
 father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
 kid2.father.com = KID2.FATHER.COM

[capaths]
 KID1.FATHER.COM = {
  FATHER.COM = .
 }
 KID2.FATHER.COM = {
  FATHER.COM = .
 }

To join Kerberos auth with FATHER.COM I did:
# kinit user@xxxxxxxxxx
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N
In the squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).
Now I'm trying to add KID1 and KID2 users to Kerberos auth.
As I said previously, I read some posts but cannot find the correct configuration to support my forest.

1) Someone said to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit user@xxxxxxxxxx
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me an authentication error for my keytab, or a ticketing problem. So I tried:
- kinit user@xxxxxxxxxxxxxxx
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many, many hours, I need some advice to complete my configuration.
Is there anyone who could help me?
Many thanks in advance.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
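As an added example (not from the thread, Squid or MIT Kerberos), a small Python checker that parses a krb5.conf in the shape posted above, resolves a host's realm through [domain_realm], follows [capaths] for a cross-realm trust, and flags realms that are referenced without a [realms] stanza as well as deprecated enctypes. The sample config is constructed, only supports one-line `KEY = { sub = value }` blocks, and deliberately leaves KID2.FATHER.COM out of [realms] and [capaths] so the checks have something to report.

```python
# Constructed sample in the shape of the krb5.conf posted above (not the poster's file verbatim).
KRB5_CONF = """
[libdefaults]
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 FATHER.COM = { kdc = dc1.father.com:88 }
 KID1.FATHER.COM = { kdc = dc1.kid1.father.com:88 }
[domain_realm]
 .father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
[capaths]
 KID1.FATHER.COM = { FATHER.COM = . }
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}  # deprecated in MIT krb5

def parse_krb5(text):
    """Parse into {section: {key: [values]}}; 'KEY = { sub = value }' one-liners become nested dicts."""
    conf, section = {}, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("["):
            section = conf.setdefault(line.strip("[]"), {})
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val.startswith("{"):
            sub, _, val = (p.strip() for p in val.strip("{} ").partition("="))
            section.setdefault(key, {}).setdefault(sub, []).append(val)
        else:
            section.setdefault(key, []).append(val)
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup the way libkrb5 does it: exact host first, then each parent domain."""
    mapping, labels = conf.get("domain_realm", {}), host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c][0] for c in candidates if c in mapping), None)

def trust_path(conf, client_realm, server_realm):
    """Intermediate realms from [capaths] ('.' = direct trust); [] if same realm, None if no path."""
    hops = [] if client_realm == server_realm else conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    return None if hops is None else [h for h in hops if h != "."]

def audit(conf):
    """Flag realms referenced without a [realms] stanza, and deprecated enctypes in [libdefaults]."""
    realms = set(conf.get("realms", {}))
    referenced = {r for vals in conf.get("domain_realm", {}).values() for r in vals} | set(conf.get("capaths", {}))
    findings = [f"realm {r} is referenced but has no [realms] entry" for r in sorted(referenced - realms)]
    for key, vals in conf.get("libdefaults", {}).items():
        findings += [f"{key}: deprecated enctype {e}" for e in vals[0].split() if key.endswith("enctypes") and e in WEAK_ENCTYPES]
    return findings
```

Running `audit(parse_krb5(KRB5_CONF))` on the sample reports the missing KID2.FATHER.COM stanza and the three RC4/DES enctypes; `trust_path` returns None for KID2 because no [capaths] entry exists for it.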