<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Dear all,</div>
<div> </div>
<div>I'm having a problem configuring my Squid 3.5.15 with Negotiate Kerberos authentication in my single-forest, multi-domain environment.</div>
<div> </div>
<div>My FATHER.COM is a forest with 2 children: KID1 and KID2.</div>
<div>Like this:</div>
<pre>FATHER.COM -> KID1.FATHER.COM
           -> KID2.FATHER.COM</pre>
<div> </div>
<div>With the current configuration, Squid Negotiate Kerberos auth works only with FATHER.COM, but not when my users belong to KID1 and KID2.</div>
<div>I read some discussions on the mailing list about forests, but I cannot find definitive advice and a procedure to authenticate child domain users.</div>
<div> </div>
<div>My krb5.conf:</div>
<div>
<pre>[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FATHER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = /usr/local/squid/etc/HTTP.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
 }
 KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
 }

[domain_realm]
 .father.com = FATHER.COM
 father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
 kid2.father.com = KID2.FATHER.COM

[capaths]
 KID1.FATHER.COM = {
  FATHER.COM = .
 }
 KID2.FATHER.COM = {
  FATHER.COM = .
 }</pre>
<div> </div>
<div>To join Kerberos auth with FATHER.COM I did:</div>
<pre># kinit user@FATHER.COM
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N</pre>
<div> </div>
<div>In the Squid config I have:</div>
<pre>auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com</pre>
<div> </div>
<div>Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).</div>
<div> </div>
<div>Now I'm trying to add KID1 and KID2 users to Kerberos auth.</div>
<div>As I said previously, I read some posts, but I cannot find the correct configuration to support my forest.</div>
<div>1) Some say to add KID1 and KID2 to HTTP.keytab. To do so I did:</div>
<pre>- kinit user@FATHER.COM
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N</pre>
<div>but this configuration gives me a keytab authentication error or a ticketing problem. So I tried:</div>
<pre>- kinit user@KID1.FATHER.COM</pre>
<div>but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.</div>
<div> </div>
<div>After many, many hours, I need some advice to complete my configuration.</div>
<div>Is there anyone who could help me?</div>
<div> </div>
<div>Many thanks in advance.</div>
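<div>An added example, not from the original post and not part of Squid or msktutil: a small Python reader for the MIT keytab file format that lists principal, realm, kvno and enctype for every entry (the same information klist -kte prints), so one can verify what msktutil actually wrote into /usr/local/squid/etc/HTTP.keytab and whether any entry for a child realm such as KID1.FATHER.COM is present before pointing Squid at it. The sample keytab bytes are constructed inside the script with dummy keys; the builder exists only to produce that sample.</div>

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def build_keytab(entries):
    """Write a v2 keytab in memory (only used here to construct sample input).
    entries: iterable of (principal, realm, kvno, enctype, key_bytes)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body            # entry length prefix
    return bytes(out)

def read_keytab(data):
    """Parse keytab bytes into dicts with principal (incl. realm), kvno, enctype."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                       # negative length marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode()); pos += 2 + n
        vno8 = struct.unpack_from(">IIB", data, pos)[2]; pos += 9   # skip name_type, timestamp
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen  # skip key bytes
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno32 or vno8, "enctype": enctype})
        pos = end
    return entries

def realms_in_keytab(data):
    return sorted({e["principal"].rsplit("@", 1)[1] for e in read_keytab(data)})

# Constructed sample resembling an HTTP.keytab from msktutil --enctypes 28 (rc4 + aes128 + aes256); dummy keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy1.father.com", "FATHER.COM", 3, 18, b"\x00" * 32),  # aes256-cts-hmac-sha1-96
    ("HTTP/proxy1.father.com", "FATHER.COM", 3, 17, b"\x00" * 16),  # aes128-cts-hmac-sha1-96
    ("HTTP/proxy1.father.com", "FATHER.COM", 3, 23, b"\x00" * 16),  # rc4-hmac
])
```

<div>Run read_keytab(open("/usr/local/squid/etc/HTTP.keytab", "rb").read()) on the real file (readable only by the Squid user) and compare the realms listed with the ones in krb5.conf.</div>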
</div></div></body></html>