[squid-users] krb5.conf Example
Marko Cupać
marko.cupac at mimar.rs
Mon Nov 25 16:35:43 UTC 2024
On Thu, 21 Nov 2024 15:54:44 +0000
"Piana, Josh" <Josh.Piana at hexcel.com> wrote:
> Hey Squid Users,
>
> Wanted to reach out and see if there was an updated version of the
> /etc/krb5.conf example file anywhere.
Mine is as simple as:
```
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

[domain_realm]
    .example.org = EXAMPLE.ORG
```
My FreeBSD 14.1 successfully obtains kerberos tickets from WS2019 AD
with above config.
> As of right now, my krb5.conf file looks like this:
>
> includedir /etc/krb5.conf.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> spake_preauth_groups = edwards25519
> dns_canonicalize_hostname = true
> qualify_shortname = ""
> default_realm = AD.ARC-TECH.COM
> default_ccache_name = KEYRING:persistent:%{uid}
> udp_preference_limit = 0
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> This config file was done automatically when I joined the Linux Proxy
> Server to Windows AD using realmD. But I couldn't help but think
> there's a few things missing.
I would say you are missing at least commented records under
[domain_realm]. Can't say if there's something under [libdefaults]
which shouldn't be there (I never used most of the records you have
there).
> I've been going through our whole Kerberos setup to figure out why
> Squid isn't using it when directed to in the squid.conf file.
Have you tested pure kerberos without squid first? Are you successfully
getting tickets with kinit?
```
someuser@somesquid:~ $ kinit domainuser
domainuser@EXAMPLE.ORG's Password:
someuser@somesquid:~ $ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: domainuser@EXAMPLE.ORG

  Issued                Expires               Principal
Nov 25 17:25:47 2024  Nov 26 03:25:47 2024  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
```
Best regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
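The two replies above boil down to a pre-flight check of krb5.conf before looking at squid.conf: does the default realm have a way to find its KDCs, and does [domain_realm] actually map anything to it (the realmd-generated file only has commented records)? The script below is an added example, not code from either poster or from the Squid or Kerberos projects. It parses two constructed sample files modelled on the configs in the thread, reports how KDC discovery and host-to-realm mapping will work, and returns non-zero when the mapping is missing. It assumes MIT krb5's documented defaults (dns_lookup_kdc true, dns_lookup_realm false), handles only top-level keys in each section, and does not follow includedir.

```shell
#!/bin/sh
# Added example: lint a krb5.conf the way you would before trusting kinit/Squid.
# Sample files are constructed here from the two configs posted in the thread.
REALMD_CONF=$(mktemp) || exit 1
cat > "$REALMD_CONF" <<'EOF'
includedir /etc/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = true
    default_realm = AD.ARC-TECH.COM
    forwardable = true

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
EOF

MINIMAL_CONF=$(mktemp) || exit 1
cat > "$MINIMAL_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

[domain_realm]
    .example.org = EXAMPLE.ORG
EOF

# krb5_section FILE SECTION: print the live (uncommented, non-blank) lines of
# [SECTION]; prints nothing if the section is absent. includedir is ignored.
krb5_section() {
    sed -n "/^[[:space:]]*\[$2\]/,/^[[:space:]]*\[/p" "$1" \
        | sed '1d' \
        | grep -v '^[[:space:]]*\[' \
        | grep -v '^[[:space:]]*[#;]' \
        | grep -v '^[[:space:]]*$'
}

# krb5_get FILE SECTION KEY: value of top-level KEY in [SECTION]; empty if unset.
krb5_get() {
    krb5_section "$1" "$2" \
        | sed -n "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# krb5_conf_check FILE: report how KDCs and the host-to-realm mapping for the
# default realm will be found. Returns 0 when both are covered, 1 otherwise.
krb5_conf_check() {
    conf=$1
    rc=0
    realm=$(krb5_get "$conf" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"
        return 1
    fi
    esc=$(printf '%s\n' "$realm" | sed 's/\./\\./g')   # literal dots for grep
    echo "default_realm = $realm"

    # KDC discovery: an explicit REALM = { kdc = ... } block, or DNS SRV records.
    # dns_lookup_kdc defaults to true in MIT krb5; only an explicit false disables it.
    if krb5_section "$conf" realms | grep -q "^[[:space:]]*$esc[[:space:]]*=[[:space:]]*{"; then
        echo "ok:   [realms] has an explicit block for $realm"
    elif [ "$(krb5_get "$conf" libdefaults dns_lookup_kdc)" = false ]; then
        echo "FAIL: no [realms] block for $realm and dns_lookup_kdc = false"
        rc=1
    else
        echo "ok:   KDCs for $realm come from DNS (_kerberos._tcp.$realm SRV)"
    fi

    # Host-to-realm mapping: with only commented [domain_realm] records, mapping
    # a hostname to a realm falls back to DNS TXT lookups (dns_lookup_realm).
    if krb5_section "$conf" domain_realm | grep -q "=[[:space:]]*$esc[[:space:]]*$"; then
        echo "ok:   [domain_realm] maps at least one domain to $realm"
    else
        echo "WARN: no live [domain_realm] entry for $realm (dns_lookup_realm = $(krb5_get "$conf" libdefaults dns_lookup_realm))"
        rc=1
    fi
    return $rc
}

echo "--- realmd-generated config"
krb5_conf_check "$REALMD_CONF" || echo "=> fix krb5.conf before testing Squid"
echo "--- minimal config"
krb5_conf_check "$MINIMAL_CONF" && echo "=> now try kinit and klist"
```

Run it against the real /etc/krb5.conf by pointing krb5_conf_check at that path instead of the constructed samples; a WARN on [domain_realm] is exactly the gap pointed out in the reply, and should be fixed before suspecting squid.conf.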