Rolf Loudon r...@ses.tas.gov.au 12/06/10 7:46 PM
Hello
I've done this, but against AD. As far as I can see the squid helpers
squid_kerb_auth and squid_kerb_ldap are not AD specific and implement pure
Kerberos authentication. The former comes with squid 2.7, but getting the
latest and compiling it provides a few extra features (like the -r switch,
which I like). You will need these helpers and you will need to create a
service principal.
http://squidkerbauth.sourceforge.net/ is where the files are.
Markus Moeller is the author of these helpers and is very helpful - and is
active on this list.
I found this helpful
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
regards
rolf.
Thanks Rolf,
I'd already downloaded the latest squidkerbauth 1.0.7 from sourceforge and
compiled it, mostly just to test with squid_kerb_auth_test since it wasn't
included in the binary package for CentOS I used. Squid was compiled with all
the required helpers though, I believe:
Squid Cache: Version 2.7.STABLE9
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll'
'--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-digest-auth-helpers=password' '--enable-useragent-log'
'--enable-referer-log' '--disable-dependency-tracking'
'--enable-cachemgr-hostname=localhost'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests'
'--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2'
'--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie'
I've actually loosely followed the link you provided, Klaubert's guide, in
setting this up. I also referenced the guide on the wiki here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
The one thread in the mailing list archives closest to what I'm trying to do
was this one: http://www.squid-cache.org/mail-archive/squid-users/201009/0405.html
I've added an HTTP service principal to the KDC on the Mac server but nothing
else. Hopefully I exported the keytab and copied it to the squid server
correctly, since I couldn't find any documentation specific to that. I'm sure
I've missed a step somewhere here or there that was implied, or I've hosed
something making changes along the way. I'm at a loss now as to what to look
for or change.
Best Regards,
Rob
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
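A check for the step Rob is unsure about (whether the exported keytab that squid_kerb_auth reads through KRB5_KTNAME actually carries the right service key). The script below is an example added to this thread, not code from squid, from the squid_kerb_auth helper, or from either poster: it parses an MIT-format (version 0x0502) keytab directly, lists every principal, key version number and enctype, and then reports the problems that typically break Negotiate authentication: the HTTP/<proxy FQDN>@REALM entry missing (wrong hostname or realm at export time), a kvno that no longer matches the KDC (re-exporting on the KDC bumps it, so the copy on the proxy goes stale), and a deprecated enctype. The realm EXAMPLE.EDU, the host proxy.example.edu and the key bytes are constructed sample data, and the expected kvno is something you read from the KDC (the output of `kvno HTTP/proxy.example.edu` on a client is the usual source); both are assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Inspect an MIT-format Kerberos keytab without klist.  Example code added to
this thread; it is not part of squid or of the squid_kerb_auth helper."""
import os
import stat
import struct

# Enctype numbers as assigned in RFC 3961 / 3962 / 6649 / 8009.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single DES and RC4 are deprecated (RFC 6649 / 8429)


def _octets(buf, off):
    """Read a counted octet string: uint16 big-endian length followed by bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab, header is %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:       # optional 32-bit kvno; when non-zero it wins over vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "keylen": len(key), "timestamp": timestamp})
    return entries


def check_keytab(entries, expected_principal, expected_kvno=None):
    """Return human-readable problems; an empty list means the keytab looks usable."""
    problems = []
    matches = [e for e in entries if e["principal"] == expected_principal]
    if not matches:
        found = ", ".join(sorted({e["principal"] for e in entries})) or "nothing"
        problems.append("no key for %s (found: %s)" % (expected_principal, found))
        return problems
    for e in matches:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s uses weak enctype %s" % (expected_principal, e["enctype_name"]))
        if expected_kvno is not None and e["kvno"] != expected_kvno:
            problems.append("kvno %d in keytab but KDC has %d: re-export the keytab"
                            % (e["kvno"], expected_kvno))
    return problems


def file_permission_problems(path):
    """The keytab is a long-term key: it must not be group/world readable."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is mode %o; it should be 0600 and owned by the squid user" % (path, mode & 0o777)]
    return []


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a 0x0502 keytab (sample input only)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xff)          # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: an AES key plus a leftover RC4 key for the proxy's HTTP principal.
SAMPLE_PRINCIPAL = "HTTP/proxy.example.edu@EXAMPLE.EDU"   # assumed host and realm
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 3, 18, b"\x11" * 32),
                              (SAMPLE_PRINCIPAL, 3, 23, b"\x22" * 16)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:                       # usage: keytab_check.py /etc/squid/HTTP.keytab HTTP/host@REALM [kvno]
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        expected, kvno = sys.argv[2], (int(sys.argv[3]) if len(sys.argv) > 3 else None)
        problems = file_permission_problems(sys.argv[1])
    else:
        data, expected, kvno, problems = SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, 3, []
    for e in parse_keytab(data):
        print("%-45s kvno=%d %s (%d-byte key)" % (e["principal"], e["kvno"], e["enctype_name"], e["keylen"]))
    for p in problems + check_keytab(parse_keytab(data), expected, kvno):
        print("PROBLEM:", p)
```

Run it against the copied keytab with the principal squid will present and the kvno the KDC reports; a principal with the short hostname or the wrong capitalisation of the realm shows up immediately as "no key for", which is the most common reason squid_kerb_auth_test fails after an otherwise correct export.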