[squid-users] Single Forest Multiple Domains kerberos setup (squid_kerb_ldap)

2010-04-22 Thread GIGO .

Dear Markus/All,
 
Please guide me on the matter discussed below:

 
Single Forest Multiple Domain setup 
 
 
  A
 / \
/   \
B   C
 
Problem:
 
Single Forest Multiple domains whereas Root A is empty with no users. Domain B 
& C have no trust configured between each other. The internet users belong to 
Domain B & Domain C. We want to enable users from both domains to authenticate 
via Kerberos and be authorized through LDAP.
 
 
Guides and Helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
& squid_kerb_ldap readme file
 
>>>If you serve multiple Kerberos realms add a HTTP/f...@realm service 
>>>principal per realm to the 
>>>HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth..
 
 
I think this is the only change required in squid configuration to authenticate 
and authorize from multiple domains?
 
 
 
 
Please confirm whether I am to create the SPNs as below for this setup to work.
 
 
(SPNs for both the domains)
 
Creation of keytab/SPN/computer object for Domain A:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.b.com -h squidlhr.b.com \
  -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com \
  --server dcofbdomain.b.com --verbose
 
Appending in the same keytab SPN/keys for Domain B:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.c.com -h squidlhr.c.com \
  -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com \
  --server dcofcdomain.c.com --verbose
 
 
 
Please guide me on the changes that would be required in the krb5.conf file?
 

My working krb5.conf file as per the guidance of Markus (Kerberos working, 
authorization portion yet to implement):
 
[libdefaults]
  default_realm = B.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_keytab_name = /etc/krb5.keytab

  ; for windows 2003 encryption type configuration.
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
  B.COM = {
    kdc = b.com
    admin_server = dc.b.com
  }

[domain_realm]
  .linux.home = B.COM
  .b.com = B.COM
  b.com = B.COM

[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/kdc.log
 
 
 
regards,
 
Bilal
 
  

Re: [squid-users] Single Forest Multiple Domains kerberos setup (squid_kerb_ldap)

2010-04-23 Thread Fabian Hugelshofer

Hi Bilal,

GIGO . wrote:

> Problem:
>
> Single Forest Multiple domains whereas Root A is empty with no users. Domain B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and be authorized through LDAP.
>
> >>>If you serve multiple Kerberos realms add a HTTP/f...@realm service principal per realm to the
> >>>HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth..
>
> I think this is the only change required in squid configuration to authenticate and authorize from multiple domains?


I never tried this with non-hierarchical or non-Windows domains, but I 
would give it a go:


As there is at least a one-way trust from A to B/C, you don't need 
multiple service principals for the proxy. What you would do is create a 
single service principal in domain A.


When users from domains B and C are accessing the proxy, they should be 
able to discover (or be told in krb5.conf) that the service principal is 
in domain A and will acquire a service ticket from that domain. The 
proxy will then be able to verify these tickets.


I would use "-s HTTP/f...@a.com". You don't need to set GSS_C_NO_NAME.



> Please confirm whether I am to create the SPNs as below for this setup to work.


I don't have experience with msktutil. I created the SPN and keytab file 
for a computer account on the Windows DC:


ktpass.exe -princ HTTP/f...@a -mapuser accountna...@a -crypto rc4-hmac-nt \
  -ptype KRB5_NT_SRV_HST +rndpass -out krb5.keytab




> Please guide me on the changes that would be required in the krb5.conf file?


If the domain structure is reflected in DNS (i.e. with SRV records) and 
the proxy is able to query the forest DNS you shouldn't need anything in 
the krb5.conf of the proxy. Try "dig _kerberos._tcp.b.com" on the proxy. 
For simplicity I would add the default realm:


[libdefaults]
  default_realm = A.COM

Eventually you will have to add a [capaths] section to define the 
trust relationship:


[capaths]
B.COM = {
  A.COM = .
}
C.COM = {
  A.COM = .
}

This is only for the proxy and applies to a Windows2003 forest. The 
clients might need different settings.


Regards,

Fabian
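The reply above settles on two proxy-side settings: a default_realm pointing at the forest root and one [capaths] entry per user domain. The following is an added example (not code from the thread, from Squid or from MIT Kerberos) that parses the krb5.conf profile format, generates that [capaths] block for any number of child realms, and checks a proxy configuration for both settings. The function names, the realm names A.COM/B.COM/C.COM and both sample configurations are constructed for illustration; the parser keeps the last value of a repeated tag and resolves only single-hop [capaths] entries, which is all this thread needs. It also shows why the brace placement in the first message (`admin_server = dc.b.com  }`) is rejected: the profile format closes a subsection only with a line that begins with `}`, so a trailing brace is read as part of the value and the section header that follows lands inside an open block.

```python
"""Added example: parse krb5.conf, build [capaths] for a single-forest
multi-domain proxy, and check the proxy-side settings from the reply."""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {tag: value | {subsection...}}}.

    Rules implemented (MIT profile format): '[name]' opens a section, only at
    top level; 'tag = value' sets a value; 'tag = {' opens a subsection that
    is closed by a line starting with '}'; '#' and ';' start comments.
    A repeated tag keeps its last value, which is enough for this check.
    """
    conf = {}
    stack = []  # stack[0] is the current section, stack[-1] the innermost block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            if len(stack) > 1:
                raise ValueError("line %d: section header inside '{ }'" % lineno)
            if not line.endswith("]"):
                raise ValueError("line %d: malformed section header" % lineno)
            stack = [conf.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError("line %d: data before first section" % lineno)
        if line.startswith("}"):
            if len(stack) < 2:
                raise ValueError("line %d: '}' without open subsection" % lineno)
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError("line %d: expected 'tag = value'" % lineno)
        tag, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            sub = {}
            stack[-1][tag] = sub
            stack.append(sub)
        else:
            # A trailing '}' on a value line does not close the block: it is
            # kept as part of the value, so the subsection stays open.
            stack[-1][tag] = value
    if len(stack) > 1:
        raise ValueError("end of file inside an unterminated '{ }' block")
    return conf


def build_capaths(service_realm, client_realms):
    """Emit the [capaths] block from the reply: every client realm reaches the
    service realm directly ('.' = no intermediate realm)."""
    lines = ["[capaths]"]
    for realm in client_realms:
        lines += ["%s = {" % realm, "  %s = ." % service_realm, "}"]
    return "\n".join(lines) + "\n"


def trust_hops(conf, client_realm, service_realm):
    """Intermediate realms a client crosses to reach service_realm according
    to [capaths]: [] means direct, None means no path is configured."""
    entry = conf.get("capaths", {}).get(client_realm, {})
    hop = entry.get(service_realm)
    if hop is None:
        return None
    return [] if hop == "." else [hop]


def check_proxy_conf(text, service_realm, client_realms):
    """Return a list of problems with a proxy-side krb5.conf for this forest."""
    try:
        conf = parse_krb5_conf(text)
    except ValueError as exc:
        return ["parse error: %s" % exc]
    problems = []
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("default_realm") != service_realm:
        problems.append("default_realm is %r, expected %r"
                        % (libdefaults.get("default_realm"), service_realm))
    for realm in client_realms:
        if trust_hops(conf, realm, service_realm) is None:
            problems.append("no [capaths] entry from %s to %s"
                            % (realm, service_realm))
    return problems


# Constructed proxy krb5.conf following the reply: default realm A.COM plus
# a [capaths] entry per user domain.
PROXY_CONF = """
[libdefaults]
  default_realm = A.COM
  dns_lookup_kdc = true
""" + build_capaths("A.COM", ["B.COM", "C.COM"])

# Constructed copy of the brace placement from the first message; the '}'
# is read as part of the admin_server value, so [domain_realm] is rejected.
BROKEN_CONF = """
[realms]
 B.COM = {
  kdc = b.com
  admin_server = dc.b.com  }
[domain_realm]
 .b.com = B.COM
"""

if __name__ == "__main__":
    print(PROXY_CONF)
    print("proxy problems:", check_proxy_conf(PROXY_CONF, "A.COM", ["B.COM", "C.COM"]))
    print("broken config:", check_proxy_conf(BROKEN_CONF, "A.COM", ["B.COM"]))
```

Running the module prints the generated configuration, an empty problem list for it, and a single parse error for the broken sample. The checker only inspects the file; whether the realms are actually reachable still depends on the DNS SRV lookup and the trust that the reply describes.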