[squid-users] krb5.conf Example

Piana, Josh Josh.Piana at hexcel.com
Wed Nov 27 14:45:40 UTC 2024 

Marko, 

Thank you for the response. 

I've found there's an issue with the Kerberos setup even besides Squid, so that's probably why Squid cannot utilize the auth_param negotiate parameters I put in place, there's an issue with the back end. 

Thank you for taking the time to respond, I'm working with RedHat support to figure out the Kerberos issues now. PITA. 

Thanks,
Josh

-----Original Message-----
From: Marko Cupać <marko.cupac at mimar.rs> 
Sent: Monday, November 25, 2024 11:36 AM
To: Piana, Josh <Josh.Piana at hexcel.com>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] krb5.conf Example

Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On Thu, 21 Nov 2024 15:54:44 +0000
"Piana, Josh" <Josh.Piana at hexcel.com> wrote:

> Hey  Squid Users,
>
> Wanted to reach out and see if there was an updated version of the 
> /etc/krb5.conf example file anywhere.

Mine is as simple as:

[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = true

[domain_realm]
  .example.org = EXAMPLE.ORG

My FreeBSD 14.1 successfully obtains kerberos tickets from WS2019 AD with above config.


> As of right now, my krb5.conf file looks like this:
>
> includedir /etc/krb5.conf.d/
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     dns_lookup_realm = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = true
>     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>     spake_preauth_groups = edwards25519
>     dns_canonicalize_hostname = true
>     qualify_shortname = ""
>     default_realm = AD.ARC-TECH.COM
>     default_ccache_name = KEYRING:persistent:%{uid}
>     udp_preference_limit = 0
>
> [realms]
> # EXAMPLE.COM = {
> #     kdc = kerberos.example.com
> #     admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> This config file was done automatically when I joined the Linux Proxy 
> Server to Windows AD using realmD. But I couldn't help but think 
> there's a few things missing.

I would say you are missing at least commented records under [domain_realm]. Can't say if there's something under [libdefaults] which shouldn't be there (I never used most of the records you have there).


> I've been going through our whole Kerberos setup to figure out why 
> Squid isn't using it when directed to in the squid.conf file.

Have you tested pure kerberos without squid first? Are you successfully getting tickets with kinit?

```
someuser at somesquid:~ $ kinit domainuser
domainuser at EXAMPLE.ORG's Password:

someuser at somesquid:~ $ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: domainuser at EXAMPLE.ORG

  Issued                Expires               Principal
Nov 25 17:25:47 2024  Nov 26 03:25:47 2024  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG ```

Best regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

More information about the squid-users mailing list