[squid-users] Single Forest Multiple Domains kerberos setup (squid_kerb_ldap)
Dear Markus/All,

Please guide me on the matter discussed below:

Single Forest Multiple Domain setup

        A
       / \
      /   \
     B     C

Problem: Single Forest Multiple domains whereas Root A is empty with no users. Domain B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.

Guides and Helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
& squid_kerb_ldap readme file

>>> If you serve multiple Kerberos realms add a HTTP/f...@realm service
>>> principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME
>>> option with squid_kerb_auth.

I think this is the only change required in squid configuration to authenticate and authorize from multiple domains? Please confirm that am I to create SPN as below for this setup to work. (SPNs for both the domains)

Creation of keytab/SPN/Computer object for Domain A:

  msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.b.com -h squidlhr.b.com -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com --server dcofbdomain.b.com --verbose

Appending in the same keytab SPN/keys for Domain B:

  msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.c.com -h squidlhr.c.com -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com --server dcofcdomain.c.com --verbose

Please guide me on the changes that would be required in the krb5.conf file?

My working krb5.conf file as per the guidance of Markus (Kerberos working, authorization portion yet to implement):

  [libdefaults]
  default_realm = B.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_keytab_name = /etc/krb5.keytab
  ; for windows 2003 encryption type configuration.
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

  [realms]
  B.COM = {
    kdc = b.com
    admin_server = dc.b.com
  }

  [domain_realm]
  .linux.home = B.COM
  .b.com = B.COM
  b.com = B.COM

  [logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/kdc.log

regards,
Bilal
Re: [squid-users] Single Forest Multiple Domains kerberos setup (squid_kerb_ldap)
Hi Bilal,

GIGO . wrote:
> Problem: Single Forest Multiple domains whereas Root A is empty with no users. Domain B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.
>
> If you serve multiple Kerberos realms add a HTTP/f...@realm service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth.
>
> I think this is the only change required in squid configuration to authenticate and authorize from multiple domains?

I never tried this with non-hierarchical or non-Windows domains, but I would give it a go:

As there is at least a one-way trust from A to B/C, you don't need multiple service principals for the proxy. What you would do is create a single service principal in domain A. When users from domains B and C are accessing the proxy, they should be able to discover (or be told in krb5.conf) that the service principal is in domain A and will acquire a service ticket from that domain. The proxy will then be able to verify these tickets.

I would use "-s HTTP/f...@a.com". You don't need to set GSS_C_NO_NAME.

> Please confirm that am I to create SPN as below for this setup to work.

I don't have experience with msktutil. I created the SPN and keytab file for a computer account on the Windows DC:

  ktpass.exe -princ HTTP/f...@a -mapuser accountna...@a -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST +rndpass -out krb5.keytab

> Please guide me on the changes that would be required in the krb5.conf file?

If the domain structure is reflected in DNS (i.e. with SRV records) and the proxy is able to query the forest DNS you shouldn't need anything in the krb5.conf of the proxy. Try "dig _kerberos._tcp.b.com" on the proxy.

For simplicity I would add the default realm:

  [libdefaults]
  default_realm = A.COM

Eventually you will have to add a [capaths] section to define the trust relationship:

  [capaths]
  B.COM = {
    A.COM = .
  }
  C.COM = {
    A.COM = .
  }

This is only for the proxy and applies to a Windows2003 forest. The clients might need different settings.

Regards,
Fabian
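As an added example (not Bilal's or Fabian's code), a small Python check of the proxy's krb5.conf against the advice in the reply: default_realm set to the forest root, a [capaths] entry for each child realm pointing directly at the root, and the DES/RC4 enctypes from the posted config flagged as deprecated. The parser, the check function and both sample configs are constructed here; the AES enctypes in FIXED_CONF are an assumption that the DCs support them.

```python
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | nested dict}}; ';' and '#' start comments."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line: continue
        key, _, value = (s.strip() for s in line.partition("="))
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # a new section resets the brace stack
        elif line == "}":
            stack.pop()
        elif value == "{":
            stack.append(stack[-1].setdefault(key, {}))  # open a realm / capaths block
        else:
            stack[-1].setdefault(key, []).append(value)  # keys such as kdc may repeat
    return conf

def check_proxy_krb5(conf, root, children):
    findings, libdefaults = [], conf.get("libdefaults", {})
    if libdefaults.get("default_realm", [None])[0] != root:
        findings.append(f"default_realm should be {root}")
    for child in children:  # the reply's [capaths]: each child realm reaches the root directly
        if conf.get("capaths", {}).get(child, {}).get(root, [None])[0] != ".":
            findings.append(f"[capaths] lacks '{child} = {{ {root} = . }}'")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(libdefaults.get(key, [""])[0].split()) & DEPRECATED_ENCTYPES)
        if weak:
            findings.append(f"{key} allows deprecated enctypes: {' '.join(weak)}")
    return findings

# Constructed from the krb5.conf posted in the thread (realms/logging sections trimmed).
POSTED_CONF = """[libdefaults]
 default_realm = B.COM
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for windows 2003
"""
# Hypothetical proxy config following the reply; the AES enctypes assume the DCs support them.
FIXED_CONF = """[libdefaults]
 default_realm = A.COM
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[capaths]
 B.COM = {
  A.COM = .
 }
 C.COM = {
  A.COM = .
 }
"""
```

Running check_proxy_krb5 on POSTED_CONF with root "A.COM" and children ["B.COM", "C.COM"] reports the wrong default realm, both missing capaths entries and the deprecated enctypes; FIXED_CONF reports nothing.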