Hi,
1) Yes, you should see user@DOMAIN for Kerberos authentication, but if you use -r the @DOMAIN will be removed.
2) The client in EXTERNAL.COM needs to know where to find the HTTP/<fqdn>@FATHER.COM principal. I think your trust is not fully set up. You should see some cross-domain TGTs.

Cross Domain SPN Lookups with Active Directory: When domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define Host Mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order.

Markus
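As an added example (not code from this thread, from Squid or from MIT krb5), the script below makes the "cross-domain TGTs" point concrete: it reads the [capaths] section of a krb5.conf, works out which krbtgt tickets a client in one realm should hold after obtaining a service ticket in another realm, and compares that list with a klist listing. The [capaths] entry for EXTERNALS.COM, the klist output and the realm/principal names are constructed for the example; the fallback used when [capaths] has no entry is my reading of MIT krb5's documented hierarchical rule and is an assumption, not something stated in the thread.

```python
"""Cross-realm TGT chain checker (added example, not from the squid-users thread).

Given the [capaths] section of a krb5.conf, work out which krbtgt tickets a client in
one realm should hold after obtaining a service ticket in another realm, and compare
that against a `klist` listing.  All data below is constructed sample data."""
import re

# Constructed sample: the poster's [capaths] for KID1/KID2, plus an ASSUMED entry for
# EXTERNALS.COM (direct two-way trust with FATHER.COM) that the original config lacks.
KRB5_CONF = """
[capaths]
  KID1.FATHER.COM = {
    FATHER.COM = .
  }
  KID2.FATHER.COM = { FATHER.COM = . }
  EXTERNALS.COM = { FATHER.COM = . }
"""

_PAIR = re.compile(r'(\S+?)\s*=\s*([^\s}]+)')


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}.
    A value of '.' in krb5.conf means a direct trust (no intermediates)."""
    paths, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            section, current = line.strip('[]').lower(), None
            continue
        if section != 'capaths':
            continue
        m = re.match(r'(\S+)\s*=\s*\{(.*)$', line)
        if m:                      # "CLIENT = {" with an optional body on the same line
            current = paths.setdefault(m.group(1), {})
            line = m.group(2)
        if current is not None:
            for server, via in _PAIR.findall(line):
                current.setdefault(server, []).extend([] if via == '.' else [via])
        if '}' in line:
            current = None
    return paths


def hierarchical_path(client, server):
    """Intermediate realms tried when [capaths] has no entry (ASSUMED here to follow
    MIT krb5's hierarchical rule): climb from the client realm to the deepest common
    suffix, then descend to the server realm.  Non-hierarchical names yield useless
    hops such as 'COM', which is why a direct external trust needs a [capaths] entry."""
    c, s = client.split('.'), server.split('.')
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = ['.'.join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = ['.'.join(s[j:]) for j in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r and r not in (client, server)]


def expected_tgts(client_realm, service_realm, capaths):
    """Principals the client's cache should contain: its own TGT, then one cross-realm
    TGT (krbtgt/NEXT@CURRENT) per hop towards the realm that owns the service."""
    tgts = [f'krbtgt/{client_realm}@{client_realm}']
    if client_realm == service_realm:
        return tgts
    hops = capaths.get(client_realm, {}).get(service_realm)
    if hops is None:
        hops = hierarchical_path(client_realm, service_realm)
    chain = [client_realm] + hops + [service_realm]
    for issuer, nxt in zip(chain, chain[1:]):
        tgts.append(f'krbtgt/{nxt}@{issuer}')
    return tgts


def missing_tgts(klist_output, expected):
    """Expected krbtgt principals that do not appear in a `klist` listing."""
    held = set(re.findall(r'krbtgt/\S+@\S+', klist_output))
    return [t for t in expected if t not in held]


# Constructed klist output for a KID1 user who has just hit HTTP/proxy1.father.com.
KLIST_KID1 = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@KID1.FATHER.COM

Valid starting       Expires              Service principal
03/19/2016 10:00:00  03/19/2016 20:00:00  krbtgt/KID1.FATHER.COM@KID1.FATHER.COM
03/19/2016 10:00:05  03/19/2016 20:00:00  krbtgt/FATHER.COM@KID1.FATHER.COM
03/19/2016 10:00:05  03/19/2016 20:00:00  HTTP/proxy1.father.com@FATHER.COM
"""

if __name__ == '__main__':
    caps = parse_capaths(KRB5_CONF)
    for client in ('KID1.FATHER.COM', 'EXTERNALS.COM'):
        print(client, '-> FATHER.COM:', expected_tgts(client, 'FATHER.COM', caps))
    # Without a [capaths] entry, EXTERNALS.COM would be routed via the bogus realm COM.
    print('no capaths:', expected_tgts('EXTERNALS.COM', 'FATHER.COM', {}))
    print('missing:', missing_tgts(KLIST_KID1, expected_tgts('KID1.FATHER.COM', 'FATHER.COM', caps)))
```

Feed it the output of klist from a client in KID1.FATHER.COM: the second entry, krbtgt/FATHER.COM@KID1.FATHER.COM, is the cross-domain TGT to look for. For a realm such as EXTERNALS.COM, which does not sit under FATHER.COM in the name hierarchy, the fallback path runs through a realm COM that does not exist, so a client library that relies on krb5.conf rather than on AD referrals needs the trust spelled out in [capaths].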
"akn ab" <drcimino@xxxxxxxx> wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...

Hello Markus,
First of all, thank you for your reply. Today I'm having a strange issue.
KID1 and KID2 started to authenticate with Kerberos correctly without any modification ...
This is so strange, but I'm very happy, so I started on other configurations, but I have 2 more problems:
1)
In my squid logs, I can see users authenticated correctly, but not the domain the users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported in my logs as "user1" and not as user1@xxxxxxxxxxxxxxx or KID1\user1 (for example).
I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.
Is it possible with Kerberos?
2)
I have another domain, EXTERNALS.COM, with a bidirectional trust with FATHER.COM, so I added it to my krb5.conf like KID1, but Kerberos auth fails.
Using your instructions, I captured port 88 during the handshake and I get:
eRR-C-PRINCIPAL-UNKNOWN
Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM.
Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: NEGOTIATE Kerberos Auth

Hi,
Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM?
Can you get a wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?
Regards
Markus
"akn ab" <drcimino@xxxxxxxx> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,
I'm having a problem configuring my squid 3.5.15 with Negotiate Kerberos authentication in my single forest with multiple domains.
My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this:

FATHER.COM -> KID1.FATHER.COM
           -> KID2.FATHER.COM

With the current configuration, squid Negotiate Kerberos auth works only with FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate child domain users.
My krb5.conf:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = FATHER.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  default_keytab_name = /usr/local/squid/etc/HTTP.keytab
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
  FATHER.COM = {
    kdc = dc1.father.com:88
    kdc = dc2.father.com:88
    default_domain = father.com
  }
  KID1.FATHER.COM = {
    kdc = dc1.kid1.father.com:88
    kdc = dc2.kid1.father.com:88
    default_domain = kid1.father.com
  }
  KID2.FATHER.COM = {
    kdc = dc1.kid2.father.com:88
    kdc = dc2.kid2.father.com:88
    default_domain = kid2.father.com
  }

[domain_realm]
  .father.com = FATHER.COM
  father.com = FATHER.COM
  .kid1.father.com = KID1.FATHER.COM
  kid1.father.com = KID1.FATHER.COM
  .kid2.father.com = KID2.FATHER.COM
  kid2.father.com = KID2.FATHER.COM

[capaths]
  KID1.FATHER.COM = {
    FATHER.COM = .
  }
  KID2.FATHER.COM = {
    FATHER.COM = .
  }

To join Kerberos auth with FATHER.COM I did:
# kinit user@xxxxxxxxxx
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com \
    -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb \
    --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N
In my squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).
Now I'm trying to add KID1 and KID2 users to krb auth.
As I said previously, I read some posts but I cannot find the correct configuration to support my forest.
1) Someone said to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit user@xxxxxxxxxx
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com \
    -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 \
    --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me an authentication error for my keytab or a ticketing problem. So I tried:
- kinit user@xxxxxxxxxxxxxxx
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.
After many, many, many hours, I need some advice to complete my configuration.
Is there anyone who could help me?
Many thanks in advance.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users