[squid-users] NEGOTIATE Kerberos Auth

Markus Moeller huaraz at moeller.plus.com
Mon Mar 21 23:25:05 UTC 2016


Hi,

     1) Yes, you should see user@DOMAIN for Kerberos authentication, but if you use -r the @DOMAIN will be removed.

     2) The client in EXTERNAL.COM needs to know where to find the HTTP/<fqdn>@FATHER.COM principal. I think your trust is not fully set up. You should see some cross-domain TGTs.

Cross Domain SPN Lookups with Active Directory
When domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define host mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order.


Markus


"akn ab" <drcimino at mail.com> wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234 at 3capp-mailcom-lxa05...
Hello Markus,

First of all, thank you for your reply. Today I'm having a strange issue.
KID1 and KID2 started to authenticate with Kerberos correctly without any modification ...
This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1)
In my squid logs I can see users authenticated correctly, but not the domain the users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported in my logs as "user1" and not as user1@kid1.father.com or KID1\user1 (for example).
I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.
Is it possible with Kerberos?

2)
I have another domain EXTERNALS.COM with a bidirectional trust with FATHER.COM, so I added it to my krb5.conf like KID1, but Kerberos auth fails.
Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.
  
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <huaraz at moeller.plus.com>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,

    Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?

     Can you get a wireshark capture on your client on port 88 ? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ?

Regards
Markus


"akn ab" <drcimino at mail.com> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239 at 3capp-mailcom-lxa01...
Dear all,

I'm having a problem configuring my squid 3.5.15 with negotiated Kerberos authentication in my mono-forest, multi-domain environment.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this:     FATHER.COM -> KID1.FATHER.COM
                          -> KID2.FATHER.COM

With the actual configuration, squid negotiated Kerberos auth works only with FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find a definitive advice and procedure to authenticate child domain users.

My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join Kerberos auth with FATHER.COM I did:
# kinit user@FATHER.COM
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

In my squid config I have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias, it does not work).

Now I'm trying to add KID1 and KID2 users to krb auth.
As I said previously, I read some posts but I cannot find the correct configuration to support my forest.
1) Someone says to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit user@FATHER.COM
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me an error about authentication of my keytab or a ticketing problem. So I tried:
- kinit user@KID1.FATHER.COM
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many and many hours, I need some advice to complete my configuration.
Is there anyone who could help me?

Many thanks in advance.

--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
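Two points from Markus's replies lend themselves to a quick automated check before reaching for a packet capture: with negotiate_kerberos_auth -r the @REALM suffix is dropped, so same-named users from different realms collapse into one identity in the logs and in X-Authenticated-User; and a realm that is referenced in [domain_realm] or [capaths] but has no [realms] stanza cannot be located when dns_lookup_kdc = false, which ends in a failed cross-realm authentication. The following Python script is an added example, not code from the thread or from the Squid project. The krb5.conf and auth_param line inside it are constructed from the thread's realms, with EXTERNALS.COM deliberately missing its [realms] stanza so the checker has something to report; it cannot tell whether the Active Directory trust itself is in place, only whether the client-side configuration is internally consistent.

```python
"""Sanity checks for a multi-realm krb5.conf and a Squid negotiate auth_param line.

Added example, not code from the squid-users thread. The sample config below is
constructed from the realms named in the thread; EXTERNALS.COM is deliberately
given [domain_realm] and [capaths] entries but no [realms] stanza.
"""
import shlex

# Constructed sample krb5.conf (trimmed to what the checks look at).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = FATHER.COM
dns_lookup_kdc = false
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  default_domain = kid1.father.com
}
[domain_realm]
.father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
.externals.com = EXTERNALS.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
EXTERNALS.COM = {
   FATHER.COM = .
}
"""

# Constructed copy of the thread's auth_param line, on a single line.
SAMPLE_AUTH_PARAM = (
    "auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth "
    "-r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com"
)


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines and one level of NAME = { ... } stanzas. Returns {section: {key: value}};
    stanzas become nested dicts and a repeated key (several kdc lines) becomes a list."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            stanza = None
            continue
        if section is None:
            continue  # key/value before any section header: ignore
        if line == "}":
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stanza = section.setdefault(key, {})
            continue
        target = stanza if stanza is not None else section
        if key in target:
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    return conf


def check_realms(conf):
    """Every realm named in [domain_realm] or [capaths] needs a [realms] stanza
    with at least one kdc when dns_lookup_kdc is false; otherwise the Kerberos
    library has no way to reach that realm's KDC and cross-realm auth fails.
    With DNS lookups enabled the KDC may be found via SRV records, so skip."""
    libdefaults = conf.get("libdefaults", {})
    if str(libdefaults.get("dns_lookup_kdc", "false")).lower() == "true":
        return []
    realms = conf.get("realms", {})
    referenced = set(conf.get("domain_realm", {}).values())
    for client_realm, hops in conf.get("capaths", {}).items():
        referenced.add(client_realm)
        referenced.update(hops)  # intermediate/target realms on the path
    problems = []
    for realm in sorted(referenced):
        stanza = realms.get(realm)
        if stanza is None:
            problems.append(f"{realm}: referenced but has no [realms] stanza")
        elif "kdc" not in stanza:
            problems.append(f"{realm}: [realms] stanza lists no kdc")
    return problems


def realm_stripped(auth_param_line):
    """True when negotiate_kerberos_auth runs with -r: the @REALM suffix is
    removed, so 'user1' from FATHER.COM and 'user1' from KID1.FATHER.COM are
    logged and forwarded in X-Authenticated-User as the same bare name."""
    return "-r" in shlex.split(auth_param_line)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for problem in check_realms(conf):
        print("krb5.conf:", problem)
    if realm_stripped(SAMPLE_AUTH_PARAM):
        print("squid.conf: -r strips @REALM; same-named users from different realms collide")
```

Run against a real /etc/krb5.conf by reading the file into parse_krb5_conf instead of the constructed string. The identity-collision check matters for anything downstream that keys on the user name (peer proxies, log correlation, access rules): once -r is dropped, the logged name carries its realm and entries from different domains stay distinguishable.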