<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hello Markus,</div>
<div> </div>
<div>First of all, thank you for your reply. Today I'm having a strange issue.</div>
<div>KID1 and KID2 started to authenticate with Kerberos correctly without any modification ...</div>
<div>This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:</div>
<div> </div>
<div>1)</div>
<div>In my Squid logs, I can see users authenticated correctly, but not the domain the users came from.</div>
<div>For example:</div>
<div>FATHER.COM\user1</div>
<div>KID1.FATHER.COM\user1</div>
<div>KID2.FATHER.COM\user1</div>
<div>are reported in my logs as "user1" and not as user1@kid1.father.com or KID1\user1 (for example).</div>
<div>I need to differentiate domains because I'm sending X-Authenticated-User to my proxy peers.</div>
<div>Is it possible with Kerberos?</div>
<div> </div>
<div>2)</div>
<div>I have another domain EXTERNALS.COM with a bidirectional trust with FATHER.COM, so I added it to my krb5.conf like KID1, but Kerberos auth fails.</div>
<div>Using your instructions, I captured port 88 during the handshake and I get:</div>
<div> </div>
<div>eRR-C-PRINCIPAL-UNKNOWN</div>
<div> </div>
<div>Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM.</div>
<div> </div>
<div>Best Regards.</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Saturday, March 19, 2016 at 12:28 AM<br/>
<b>From:</b> "Markus Moeller" <huaraz@moeller.plus.com><br/>
<b>To:</b> squid-users@lists.squid-cache.org<br/>
<b>Subject:</b> Re: [squid-users] NEGOTIATE Kerberos Auth</div>
<div name="quoted-content">
<div>
<div>
<div style="FONT-SIZE: 10.0pt;FONT-FAMILY: Arial;COLOR: rgb(0,0,0);">
<div>Hi,</div>
<div> </div>
<div> Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?</div>
<div> </div>
<div> Can you get a Wireshark capture on your client on port 88 ? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ?</div>
<div> </div>
<div>Regards</div>
<div>Markus</div>
<div> </div>
<div> </div>
<div style="BORDER-TOP-COLOR: rgb(0,0,0);BORDER-BOTTOM-COLOR: rgb(0,0,0);PADDING-LEFT: 5.0px;MARGIN-LEFT: 5.0px;BORDER-LEFT: rgb(0,0,0) 4.0px solid;BORDER-RIGHT-COLOR: rgb(0,0,0);">
<div style="FONT-SIZE: small;TEXT-DECORATION: none;FONT-FAMILY: Calibri;FONT-WEIGHT: normal;COLOR: rgb(0,0,0);FONT-STYLE: normal;DISPLAY: inline;">
<div>"akn ab" <drcimino@mail.com> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...</div>
</div>
</div>
<div style="BORDER-TOP-COLOR: rgb(0,0,0);BORDER-BOTTOM-COLOR: rgb(0,0,0);PADDING-LEFT: 5.0px;MARGIN-LEFT: 5.0px;BORDER-LEFT: rgb(0,0,0) 4.0px solid;BORDER-RIGHT-COLOR: rgb(0,0,0);">
<div style="FONT-SIZE: small;TEXT-DECORATION: none;FONT-FAMILY: Calibri;FONT-WEIGHT: normal;COLOR: rgb(0,0,0);FONT-STYLE: normal;DISPLAY: inline;">
<div style="FONT-SIZE: 12.0px;FONT-FAMILY: verdana;">
<div>Dear all,</div>
<div> </div>
<div>I'm having a problem configuring my Squid 3.5.15 with Negotiate Kerberos authentication in my single-forest, multi-domain environment.</div>
<div> </div>
<div>My FATHER.COM is a forest with 2 children: KID1 and KID2.</div>
<div>Like this: FATHER.COM -> KID1.FATHER.COM</div>
<div> -> KID2.FATHER.COM</div>
<div> </div>
<div>With the current configuration, Squid Negotiate Kerberos auth works only with FATHER.COM, but not when my users belong to KID1 and KID2.</div>
<div>I read some discussions on the mailing list about forests, but cannot find definitive advice and a procedure to authenticate child-domain users.</div>
<div> </div>
<div>My krb5.conf:</div>
<div>
<div>[logging]<br/>
default = FILE:/var/log/krb5libs.log<br/>
kdc = FILE:/var/log/krb5kdc.log<br/>
admin_server = FILE:/var/log/kadmind.log</div>
<div>[libdefaults]<br/>
default_realm = FATHER.COM<br/>
dns_lookup_realm = false<br/>
dns_lookup_kdc = false<br/>
ticket_lifetime = 24h<br/>
renew_lifetime = 7d<br/>
forwardable = true<br/>
default_keytab_name = /usr/local/squid/etc/HTTP.keytab<br/>
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<br/>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<br/>
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5</div>
<div>[realms]<br/>
FATHER.COM = {<br/>
kdc = dc1.father.com:88<br/>
kdc = dc2.father.com:88<br/>
default_domain = father.com<br/>
}<br/>
KID1.FATHER.COM = {<br/>
kdc = dc1.kid1.father.com:88<br/>
kdc = dc2.kid1.father.com:88<br/>
default_domain = kid1.father.com<br/>
}<br/>
KID2.FATHER.COM = {<br/>
kdc = dc1.kid2.father.com:88<br/>
kdc = dc2.kid2.father.com:88<br/>
default_domain = kid2.father.com<br/>
}</div>
<div>[domain_realm]<br/>
.father.com = FATHER.COM<br/>
father.com = FATHER.COM<br/>
.kid1.father.com = KID1.FATHER.COM<br/>
kid1.father.com = KID1.FATHER.COM<br/>
.kid2.father.com = KID2.FATHER.COM<br/>
kid2.father.com = KID2.FATHER.COM</div>
<div>[capaths]<br/>
KID1.FATHER.COM = {<br/>
FATHER.COM = .<br/>
}<br/>
KID2.FATHER.COM = {<br/>
FATHER.COM = .<br/>
}</div>
<div> </div>
<div>To set up Kerberos auth with FATHER.COM I did:</div>
<div># kinit user@FATHER.COM</div>
<div># msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N</div>
<div> </div>
<div>On squid config i have:</div>
<div>auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com</div>
<div> </div>
<div>Doing so, all my users belonging to FATHER.COM can negotiate Kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).</div>
<div> </div>
<div>Now I'm trying to add KID1 and KID2 users to Kerberos auth.</div>
<div>As I said previously, I read some posts but I cannot find the correct configuration to support my forest.</div>
<div>1) Someone said to add KID1 and KID2 to HTTP.keytab. To do so I did:</div>
<div>- kinit user@FATHER.COM</div>
<div>- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N</div>
<div>but this configuration gives me an authentication error for my keytab or a ticketing problem. So I tried:</div>
<div>- kinit user@KID1.FATHER.COM</div>
<div>but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.</div>
<div> </div>
<div>After many, many hours, I need some advice to complete my configuration.</div>
<div>Is there anyone that could help me?</div>
<div> </div>
<div>Many thanks in advance.</div>
</div>
</div>
<hr/>_______________________________________________<br/>
squid-users mailing list<br/>
squid-users@lists.squid-cache.org<br/>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
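<div>The thread turns on a multi-realm krb5.conf for the proxy (the acceptor side of negotiate_kerberos_auth). The script below is an added example, written for this page and not code from Squid or from anyone in the thread: it parses a krb5.conf of the shape posted above and lints the parts the acceptor depends on, namely that every realm named in [domain_realm] has a [realms] stanza with a kdc line, and that every non-default realm has an explicit [capaths] route to default_realm. Without such a route MIT Kerberos derives the path from the realm-name hierarchy, which is direct for a parent/child pair such as KID1.FATHER.COM and FATHER.COM but goes via COM for two sibling realms such as EXTERNALS.COM and FATHER.COM. The embedded sample config is constructed: it is the posted file trimmed, with EXTERNALS.COM added to [realms] and [domain_realm] but not [capaths], which is an assumption about what "added it like KID1" meant, and dc1.externals.com is an assumed host name.</div>

```python
"""Lint a multi-realm krb5.conf for the checks an acceptor (e.g. Squid's
negotiate_kerberos_auth) relies on. Added example for this thread; it is not
Squid's or MIT's code and only inspects the acceptor's own krb5.conf."""

# Constructed sample: the thread's krb5.conf trimmed, plus EXTERNALS.COM added
# "like KID1" (realms + domain_realm, no capaths). dc1.externals.com is assumed.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = FATHER.COM
dns_lookup_kdc = false
[realms]
FATHER.COM = {
    kdc = dc1.father.com:88
    kdc = dc2.father.com:88
}
KID1.FATHER.COM = {
    kdc = dc1.kid1.father.com:88
}
KID2.FATHER.COM = {
    kdc = dc1.kid2.father.com:88
}
EXTERNALS.COM = {
    kdc = dc1.externals.com:88
}
[domain_realm]
.father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
.externals.com = EXTERNALS.COM
[capaths]
KID1.FATHER.COM = {
    FATHER.COM = .
}
KID2.FATHER.COM = {
    FATHER.COM = .
}
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts; a tag repeated in one stanza (e.g. kdc) becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]  # new section
        elif line == '}':
            stack.pop()                                 # end of a { ... } block
        else:
            key, _, val = (s.strip() for s in line.partition('='))
            if val == '{':
                stack.append(stack[-1].setdefault(key, {}))
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = (old if isinstance(old, list) else [old]) + [val]
            else:
                stack[-1][key] = val
    return conf


def parent_child(a, b):
    """True when one realm name is a parent of the other (the hierarchical path is direct)."""
    return a.endswith('.' + b) or b.endswith('.' + a)


def lint_realms(conf):
    """Return a list of (severity, realm, message); an empty list means nothing to fix."""
    findings = []
    libdefaults = conf.get('libdefaults', {})
    default = libdefaults.get('default_realm')
    dns_kdc = libdefaults.get('dns_lookup_kdc', 'true').lower() == 'true'
    realms, capaths = conf.get('realms', {}), conf.get('capaths', {})
    if not default:
        return [('error', '[libdefaults]', 'default_realm is not set')]
    if default not in realms:
        findings.append(('error', default, 'default_realm has no [realms] stanza'))
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            findings.append(('error', realm, f'[domain_realm] maps {domain} here but no [realms] stanza exists'))
    for realm, stanza in realms.items():
        if not stanza.get('kdc') and not dns_kdc:
            findings.append(('error', realm, 'no kdc line and dns_lookup_kdc is false'))
        if realm == default or default in capaths.get(realm, {}):
            continue  # the service realm itself, or an explicit route exists
        if parent_child(realm, default):
            findings.append(('warn', realm, f'no [capaths] route to {default}; hierarchical fallback is direct for parent/child, so it works'))
        else:
            findings.append(('error', realm, f'no [capaths] route to {default}; fallback would go via COM, add "{realm} = {{ {default} = . }}"'))
    return findings


if __name__ == '__main__':
    for severity, realm, msg in lint_realms(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f'{severity:5} {realm}: {msg}')
```

<div>On the constructed sample the only finding is the missing EXTERNALS.COM route; appending <code>EXTERNALS.COM = { FATHER.COM = . }</code> to [capaths] clears it. The script says nothing about the KDC side: the KRB-ERROR a Windows client receives on port 88 is produced by a domain controller from its own trust and referral state, which this file does not describe, so a clean lint here does not rule out a KDC-side cause.</div>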
</div></div></body></html>