Re: krb5.conf Example

Marko, 

Thank you for the response. 

I've found there's an issue with the Kerberos setup even besides Squid, so that's probably why Squid cannot utilize the auth_param negotiate parameters I put in place; there's an issue with the back end.

Thank you for taking the time to respond, I'm working with RedHat support to figure out the Kerberos issues now. PITA. 

Thanks,
Josh

-----Original Message-----
From: Marko Cupać <marko.cupac@xxxxxxxx> 
Sent: Monday, November 25, 2024 11:36 AM
To: Piana, Josh <Josh.Piana@xxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  krb5.conf Example


On Thu, 21 Nov 2024 15:54:44 +0000
"Piana, Josh" <Josh.Piana@xxxxxxxxxx> wrote:

> Hey Squid Users,
>
> Wanted to reach out and see if there was an updated version of the 
> /etc/krb5.conf example file anywhere.

Mine is as simple as:

[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = true

[domain_realm]
  .example.org = EXAMPLE.ORG

My FreeBSD 14.1 successfully obtains Kerberos tickets from WS2019 AD with the above config.


> As of right now, my krb5.conf file looks like this:
>
> includedir /etc/krb5.conf.d/
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     dns_lookup_realm = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = true
>     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>     spake_preauth_groups = edwards25519
>     dns_canonicalize_hostname = true
>     qualify_shortname = ""
>     default_realm = AD.ARC-TECH.COM
>     default_ccache_name = KEYRING:persistent:%{uid}
>     udp_preference_limit = 0
>
> [realms]
> # EXAMPLE.COM = {
> #     kdc = kerberos.example.com
> #     admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> This config file was done automatically when I joined the Linux Proxy 
> Server to Windows AD using realmD. But I couldn't help but think 
> there's a few things missing.

I would say you are missing at least commented records under [domain_realm]. Can't say if there's something under [libdefaults] which shouldn't be there (I never used most of the records you have there).


> I've been going through our whole Kerberos setup to figure out why 
> Squid isn't using it when directed to in the squid.conf file.

Have you tested pure kerberos without squid first? Are you successfully getting tickets with kinit?

```
someuser@somesquid:~ $ kinit domainuser
domainuser@xxxxxxxxxxx's Password:

someuser@somesquid:~ $ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: domainuser@xxxxxxxxxxx

  Issued                Expires               Principal
Nov 25 17:25:47 2024  Nov 26 03:25:47 2024  krbtgt/EXAMPLE.ORG@xxxxxxxxxxx
```

Best regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
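Marko's advice to verify plain Kerberos before touching Squid, together with his point that Josh's [domain_realm] section holds only commented-out examples, can be turned into a small pre-flight check. The script below is an added example, not from the thread or the Squid project; it assumes an MIT/Heimdal ini-style krb5.conf and a saved copy of `klist` output, and the sample file it writes is constructed to mirror the realmd-generated config quoted above.

```sh
#!/bin/sh
# Pre-flight check for a Squid negotiate-auth host (added example).

# Print default_realm from [libdefaults]; prints nothing if absent.
krb5_default_realm() {
  awk '
    /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect); next }
    sect == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

# Count active (non-comment) host-to-realm mappings under [domain_realm].
krb5_domain_realm_count() {
  awk '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect); next }
    sect == "domain_realm" && /=/ { n++ }
    END { print n + 0 }' "$1"
}

# Does saved klist output ($1) show a TGT for realm $2 (krbtgt/REALM@REALM)?
klist_has_tgt() {
  grep -qF "krbtgt/$2@$2" "$1"
}

# Flag the two gaps discussed in the thread: no default_realm, or a
# [domain_realm] section that only contains commented-out examples.
krb5_check_conf() {
  realm=$(krb5_default_realm "$1")
  if [ -z "$realm" ]; then
    echo "FAIL: no default_realm in [libdefaults]"; return 1
  fi
  if [ "$(krb5_domain_realm_count "$1")" -eq 0 ]; then
    echo "FAIL: [domain_realm] has no active mapping for $realm"; return 1
  fi
  echo "OK: default_realm=$realm with active [domain_realm] mapping(s)"
}

# Constructed sample resembling the realmd-generated file (placeholder realm).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[domain_realm]
# .example.com = EXAMPLE.COM
EOF
krb5_check_conf "$SAMPLE" || echo "fix krb5.conf, then retest with kinit/klist before Squid"
rm -f "$SAMPLE"
```

On a real host, run `krb5_check_conf /etc/krb5.conf` and then `klist > /tmp/klist.out; klist_has_tgt /tmp/klist.out "$(krb5_default_realm /etc/krb5.conf)"` after a successful `kinit`.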
