If you use squid_kerb_auth you can configure it to do Kerberos authentication for both domains. To do so, use squid_kerb_auth with the option -s GSS_C_NO_NAME and add a principal HTTP/<squid fqdn>@<WIN.DOM> to the keytab.

To do this, create a krb5_WIN.conf file like the one below and export KRB5_CONFIG=./krb5_WIN.conf

[libdefaults]
     default_realm = WIN.DOM
     dns_lookup_kdc = no
     dns_lookup_realm = no
     default_keytab_name = /etc/krb5.keytab
; for Windows 2003
     default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
     default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
     permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;

[realms]
     WIN.DOM = {
             kdc = kdc.win.dom
             admin_server = kdc.win.dom
     }

[domain_realm]
     .win.dom = WIN.DOM
     win.dom = WIN.DOM

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

then kinit u...@win.dom, where the user has rights to create a computer account in an OU of AD (e.g. OU=Unix). The user could be Administrator or just a user with limited rights in AD (e.g. just enough to create/modify the computer account object).

Now run:

msktutil -c -b "OU=Unix" -s HTTP/<squid fqdn> -h <fqdn> -k <existing squid keytab> --computer-name <squid-http> --upn HTTP/<squid fqdn> --server <domain controller> --verbose

or for Windows 2008 for AES support

msktutil -c -b "OU=Unix" -s HTTP/<squid fqdn> -h <fqdn> -k <existing squid keytab> --computer-name <squid-http> --upn HTTP/<squid fqdn> --server <domain controller> --verbose --enctypes 28

Regards
Markus

"L.S. Keijser" <l...@linux.nl> wrote in message news:1255670481.7645.15.ca...@localhost.localdomain...
Hi,

For a customer we have set up a redhat directory server (rhds) that
will hand out kerberos tickets which the user then uses to authenticate
themselves with squid. All works great, the users can go to internet sites
without having to enter a username/password.

But there's a second kerberos realm (windows, active directory) for
which the ticket obviously doesn't work (yet .. we're working on that).

We have configured a PAC so squid won't be used for intranet sites.
Instead the Microsoft ISA server is used. Only every time the user
browses the intranet, he's being prompted for a username/password by the
ISA server.

Now we already keep both usernames/passwords in sync between the RHDS
and the AD. The only problem is that Microsoft ISA server requires a
username in the form 'DOMAIN\username'.

Now my question(s): is it possible to configure squid in such a way that
it'll forward the username/password to the ISA server? If not, is
possible to have squid already fill in the username field and have it
prefix it like 'DOMAIN\username' ? Or is that a much better way to
accomplish this? Obviously the best way would be not to have the user
prompted for his credentials at all when browsing the intranet.

Thanks in advance,

Léon

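The setup Markus describes works only if the one keytab squid reads actually contains an HTTP/<squid fqdn> key for each realm, and the enctypes msktutil wrote match what the clients will use. The script below is an added example, not part of either message in this thread: it audits a `klist -k -e` listing for exactly that, and decodes the `--enctypes 28` mask from the msktutil command. The listing is a constructed sample embedded so the script runs offline; proxy.example.com, UNIX.DOM, WIN.DOM and the keytab path are placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): audit a Squid HTTP keytab for the
# two-realm setup discussed above, and decode the msktutil --enctypes mask.
# SAMPLE_KLIST is a constructed `klist -k -e` listing; proxy.example.com,
# UNIX.DOM, WIN.DOM and the keytab path are placeholders.

SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy.example.com@UNIX.DOM (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy.example.com@UNIX.DOM (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.com@WIN.DOM (arcfour-hmac)
   3 HTTP/proxy.example.com@WIN.DOM (des-cbc-crc)
   3 HTTP/proxy.example.com@WIN.DOM (des-cbc-md5)'

# keytab_principals LISTING -> distinct principal names (header lines skipped)
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if the keytab holds a key for it
keytab_has_principal() {
    keytab_principals "$1" | grep -F -x -q "$2"
}

# check_two_realm_keytab LISTING FQDN REALM... -> exit 0 only if HTTP/FQDN@REALM
# exists for every realm given. One keytab with both principals is what lets
# squid_kerb_auth -s GSS_C_NO_NAME accept tickets issued by either KDC.
check_two_realm_keytab() {
    _listing=$1; _fqdn=$2; shift 2
    _missing=0
    for _realm in "$@"; do
        if keytab_has_principal "$_listing" "HTTP/$_fqdn@$_realm"; then
            echo "ok:      HTTP/$_fqdn@$_realm"
        else
            echo "missing: HTTP/$_fqdn@$_realm" >&2
            _missing=$((_missing + 1))
        fi
    done
    [ "$_missing" -eq 0 ]
}

# count_weak_keys LISTING -> number of single-DES keys in the keytab
# (only needed for Windows 2003 era clients; drop them once RC4/AES works)
count_weak_keys() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 ~ /^.des-cbc-/ { n++ } END { print n + 0 }'
}

# decode_enctypes MASK -> enctype names for an msktutil --enctypes value, which
# is the AD msDS-SupportedEncryptionTypes bitmask (28 = 0x1c = RC4+AES128+AES256)
decode_enctypes() {
    _mask=$1; _out=""
    [ $((_mask & 1))  -ne 0 ] && _out="$_out des-cbc-crc"
    [ $((_mask & 2))  -ne 0 ] && _out="$_out des-cbc-md5"
    [ $((_mask & 4))  -ne 0 ] && _out="$_out rc4-hmac"
    [ $((_mask & 8))  -ne 0 ] && _out="$_out aes128-cts-hmac-sha1-96"
    [ $((_mask & 16)) -ne 0 ] && _out="$_out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${_out# }"
}

# audit_keytab LISTING FQDN REALM... -> 0 when every principal is present and no
# DES keys remain; 1 when a principal is missing; 2 when only DES keys are the problem
audit_keytab() {
    check_two_realm_keytab "$@" || return 1
    _weak=$(count_weak_keys "$1")
    if [ "$_weak" -gt 0 ]; then
        echo "warning: $_weak single-DES key(s) in keytab" >&2
        return 2
    fi
    return 0
}

# Stand-alone run against the constructed listing: both principals are present,
# but the WIN.DOM entry still carries DES keys, so the audit returns 2.
audit_keytab "$SAMPLE_KLIST" proxy.example.com UNIX.DOM WIN.DOM || echo "audit exit status: $?"
echo "msktutil --enctypes 28 means: $(decode_enctypes 28)"
```

To use it against a real proxy, replace SAMPLE_KLIST with `$(klist -k -e -t /etc/squid/HTTP.keytab)` and pass the realm names the clients actually hold tickets for; a missing principal is the usual reason a ticket from the second realm is rejected even though the helper runs with -s GSS_C_NO_NAME.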


