[squid-users] NEGOTIATE Kerberos Auth

Markus Moeller huaraz at moeller.plus.com
Fri Mar 18 23:28:59 UTC 2016


Hi,

    Is you client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ? 

     Can you get a wireshark capture on your client on port 88  ?  You should see some TGS –REQs in the capture and I assume also TGS-REPs  with error messages.  Can you share these error messages ? 

Regards
Markus


"akn ab" <drcimino at mail.com> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239 at 3capp-mailcom-lxa01...
Dear all,

i'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this:     FATHER.COM -> KID1.FATHER.COM
                                        -> KID2.FATHER.COM

With actual configurazion, squid negotiated kerberos auth works with only FATHER.COM but not when my users belongs to KID1 and KID2.
I readed some discussions on mailing list about forest, but cannot find a definitive advice and procedure to authenticate childern domains users.

My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join kerberous auth with FATHER.COM i did:
# kinit user at FATHER.COM
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config i have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/sq
uid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name. If i use an alias dns name, does not work).

Now i'm trying to add KID1 and KID2 users to krb auth.
As i sayed previously, i readed some posts but i cannot find correct configuration to support my forest.
1) Someone say to add to HTTP.keytab KID1 and KID2. To do so i did:
- kinit user at FATHER.COM
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration give my an error authentication of my keytab or ticketing problem. So i tryed:
- kinit user at KID1.FATHER.COM
but my user is an Enterprise Admin form FATHER.COM, so i cannot get the ticket.

After many, many and many hours, i need some advices to complete my configuration.
Is there anyone that could help me?

Many thanks in advance.

--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160318/c10a7164/attachment-0001.html>


More information about the squid-users mailing list