Hello Markus,
firt of all thank you for your reply, today i'm having a strange issue.
KID1 and KID2 started to autenticate with kerberos correclty without any modification ...
This is so strange, but i'm very happy, so i started others configurations, but i have 2 more problems:
1)
On my squid logs, i can see users authenticated correctly, but not the domain users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported on my logs with "user1" and not in user1@xxxxxxxxxxxxxxx or KID1\user1 (for example)
I need to differentiate domains because i'm sending x-authenticated-user to my proxy peers.
Is it possible with kerberos?
2)
I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM, so i added it in my krb5.conf like KID1, but kerberos auth fail.
Using your instructions, i captured port 88 during handshake and i get:
eRR-C-PRINCIPAL-UNKNOWN
User's PC belonging to EXTERNALS.COM are joined to EXTERNALS.COM
Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: NEGOTIATE Kerberos Auth
From: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: NEGOTIATE Kerberos Auth
Hi,
Is you client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?
Can you get a wireshark capture on your client on port 88 ? You should see some TGS –REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ?
Regards
Markus
"akn ab" <drcimino@xxxxxxxx> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...
Dear all,
i'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.
My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
-> KID2.FATHER.COM
With actual configurazion, squid negotiated kerberos auth works with only FATHER.COM but not when my users belongs to KID1 and KID2.
I readed some discussions on mailing list about forest, but cannot find a definitive advice and procedure to authenticate childern domains users.
My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
kdc = dc1.father.com:88
FATHER.COM = {
kdc = dc1.father.com:88
kdc = dc2.father.com:88
default_domain = father.com
}
KID1.FATHER.COM = {
kdc = dc1.kid1.father.com:88
kdc = dc2.kid1.father.com:88
default_domain = kid1.father.com
}
default_domain = father.com
}
KID1.FATHER.COM = {
kdc = dc1.kid1.father.com:88
kdc = dc2.kid1.father.com:88
default_domain = kid1.father.com
}
KID2.FATHER.COM = {
kdc = dc1.kid2.father.com:88
kdc = dc2.kid2.father.com:88
default_domain = kid2.father.com
}
kdc = dc1.kid2.father.com:88
kdc = dc2.kid2.father.com:88
default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
FATHER.COM = .
}
KID1.FATHER.COM = {
FATHER.COM = .
}
KID2.FATHER.COM = {
FATHER.COM = .
}
FATHER.COM = .
}
To join kerberous auth with FATHER.COM i did:
# kinit user@xxxxxxxxxx
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N
On squid config i have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/sq
uid/etc/HTTP.keytab -s HTTP/proxy1.father.com
uid/etc/HTTP.keytab -s HTTP/proxy1.father.com
Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name. If i use an alias dns name, does not work).
Now i'm trying to add KID1 and KID2 users to krb auth.
As i sayed previously, i readed some posts but i cannot find correct configuration to support my forest.
1) Someone say to add to HTTP.keytab KID1 and KID2. To do so i did:
- kinit user@xxxxxxxxxx
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration give my an error authentication of my keytab or ticketing problem. So i tryed:
- kinit user@xxxxxxxxxxxxxxx
but my user is an Enterprise Admin form FATHER.COM, so i cannot get the ticket.
After many, many and many hours, i need some advices to complete my configuration.
Is there anyone that could help me?
Many thanks in advance.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
