[squid-users] Re: Re: AD authentication with squid

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 22 Mar 2009 01:04:38 -0000

----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Cc: <squid-users_at_squid-cache.org>
Sent: Sunday, March 22, 2009 12:28 AM
Subject: Re: [squid-users] Re: AD authentication with squid

> Markus Moeller wrote:
>> In more detail the required steps for squid_kerb_auth (from
>> https://sourceforge.net/project/showfiles.php?group_id=196348 or from
>> latest
>> squid distribution) are:
>>
>> 1) Install kerberos client package
>> 2) Install msktutil package from
>> http://dag.wieers.com/rpm/packages/msktutil/
>> 3) Configure krb5.conf
>> 4) Configure squid by adding
>> auth_param negotiate program /usr/sbin/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> 5) Create keytab for HTTP/fqdn with msktutil.
>> a) kinit administrator_at_DOMAIN
>> b) msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/<fqdn> --server <domain controller> --verbose
>>
>> 6) Add the following to the squid startup script
>> KRB5_KTNAME=/etc/squid/HTTP.keytab
>> export KRB5_KTNAME
>>
>> 7) Done
>>
>> Markus
>>
>>
>
> Thank you. I was going to ask you for this soon.
> Added to the wiki:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Is there anything we can/should add to the krb5.conf section?
>

Regarding krb5.conf, it might be good to mention that rc4-hmac should be
listed as an encryption type. A minimal setup without DNS resolution of AD
servers would be:

[libdefaults]
       default_realm = WIN2003R2.HOME
       dns_lookup_kdc = no
       dns_lookup_realm = no
       default_keytab_name = /etc/krb5.keytab
       default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
       default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
       permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
       WIN2003R2.HOME = {
               kdc = w2k3r2.win2003r2.home
               admin_server = w2k3r2.win2003r2.home
       }

[domain_realm]
       .linux.home = WIN2003R2.HOME
       .win2003r2.home = WIN2003R2.HOME
       win2003r2.home = WIN2003R2.HOME

[logging]
   kdc = FILE:/var/log/kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log

In IE the proxy must be specified as an FQDN, not as an IP address.

> Amos
> --

Regards
Markus

> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.6
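As an added example (not code from this thread), a small Python checker that parses a krb5.conf of the shape shown above and reports the settings the squid_kerb_auth setup depends on: rc4-hmac among the permitted enctypes, a kdc entry for the default realm when dns_lookup_kdc is off, and a [domain_realm] mapping for the proxy's FQDN. The embedded config and the proxy name proxy.linux.home are constructed samples.

```python
import re

# Constructed sample, trimmed from the krb5.conf layout in the post above.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = WIN2003R2.HOME
    dns_lookup_kdc = no
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
    WIN2003R2.HOME = {
        kdc = w2k3r2.win2003r2.home   # comments are stripped by the parser
    }
[domain_realm]
    .linux.home = WIN2003R2.HOME
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] blocks of key = value lines, plus
    one level of nested `NAME = { ... }` groups as used in [realms]."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:                                   # new section, leave any group
            section, group = conf.setdefault(m.group(1), {}), None
            continue
        if line == '}':                         # end of a nested group
            group = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                        # start of a nested group
            group = section.setdefault(key, {})
        else:
            (group if group is not None else section)[key] = value
    return conf

def check_squid_kerberos(conf, proxy_fqdn):
    """Return a list of problems; an empty list means the config looks usable."""
    problems, lib = [], conf.get('libdefaults', {})
    realm = lib.get('default_realm')
    if not realm:
        return ['no default_realm in [libdefaults]']
    if 'rc4-hmac' not in lib.get('permitted_enctypes', '').split():
        problems.append('rc4-hmac missing from permitted_enctypes')
    if lib.get('dns_lookup_kdc', 'yes') == 'no' and \
            'kdc' not in conf.get('realms', {}).get(realm, {}):
        problems.append('dns_lookup_kdc = no but no kdc for %s in [realms]' % realm)
    mapping, domain = conf.get('domain_realm', {}), proxy_fqdn.partition('.')[2]
    if mapping.get('.' + domain) != realm and mapping.get(proxy_fqdn) != realm:
        problems.append('%s is not mapped to %s in [domain_realm]' % (proxy_fqdn, realm))
    return problems

def expected_keytab_principal(conf, proxy_fqdn):
    """The principal msktutil must put into /etc/squid/HTTP.keytab for this proxy."""
    return 'HTTP/%s@%s' % (proxy_fqdn, conf['libdefaults']['default_realm'])
```

Compare the returned principal with `klist -kt /etc/squid/HTTP.keytab` on the proxy; the helper cannot accept tickets for a name that is not in the keytab.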
>
Received on Sun Mar 22 2009 - 01:04:58 MDT