Re: [squid-users] Re: Re: kerberos (AD) authentication - squid_kerb_auth

From: Jeremy Monnet <jmonnet_at_gmail.com>
Date: Thu, 27 Aug 2009 12:40:28 +0200

On Thu, Aug 27, 2009 at 9:28 AM, Mrvka Andreas<mrv_at_tuv.at> wrote:
> Hi,
>
> On Thursday, 27 August 2009 08:40:53, Jeremy Monnet wrote:
>>
>> Would you have any clue to what the problem may be ? Should I try with
>> the MIT libs instead ?
>>
> I use MIT libs... FYI

Thanks for this piece of information, it helped very much (though the
problem may not have been the library in itself).

Now it works. Several pieces of information I think would need to be
added to the wiki, mostly regarding the Windows configuration in fact.
The squid/squid_kerb_auth/kerberos config was fine from the beginning I
think (except maybe for the rights to the keytab file, but that was my
mistake, and it is already written on the wiki).

First, generating the keytab file on Windows may be done with

  ktpass -out squidproxy.krb5.keytab -pass Password1
         -princ HTTP/squidproxy.ad.simia.fr@ad.simia.fr -mapuser host_squidproxy
         -ptype KRB5_NT_SRV_HST -crypto DES-CBC-MD5 +DesOnly

(I said in a previous message I already had problems with the
encryption stuff on a previous project ...). I think I read somewhere
that RC4-HMAC (in the klaubert tutorial [1]) could be used, but it
seems it can't ? Or maybe not with MIT libs, or maybe ... for some
other reasons.

Second, you have to log in to the Windows client *after* having
generated the keytab and transferred it to the Linux box.

And it seems that the lines from krb5.conf related to *enctypes* are
useless also.

I found useful information on a thread about Apache mod_auth_kerb [2],
using the error message from the MIT libraries, which was more useful
than the one from the Heimdal library.

Some other stuff may be useful, such as "you need the support tools on
Windows to have the ktpass command" or "you need the resource kit to
use the kerbtray command", but that is very Windows-ish stuff, though
it is very useful to have this in a single wiki page IMHO.

Thanks very much for all your help!

Jeremy
[1] http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
[2] http://osdir.com/ml/apache.mod-auth-kerb.general/2007-01/msg00057.html
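The keytab produced by the ktpass command in the message above is the part most likely to be wrong (principal, realm or enctype), and klist -kt only tells you what is there, not whether it is what squid_kerb_auth needs. As an added example that is not from this thread or from the Squid project, here is a small reader for the MIT keytab format that lists the entries and flags the single-DES enctype that command requests (MIT Kerberos disables DES by default, which is one reason a DES-only keytab fails with the MIT libs). The sample bytes are constructed in the code, with the realm written in uppercase as Kerberos expects.

```python
import struct

WEAK_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5: single DES, 56-bit keys
def _cstr(b): return struct.pack(">H", len(b)) + b  # keytab counted octet string

def build_entry(principal, realm, name_type, enctype, key, kvno, timestamp=0):
    """Encode one MIT keytab (version 0x0502) entry; principal is 'svc/host'."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal@REALM, name_type, kvno, enctype) for each entry."""
    assert data[:2] == b"\x05\x02", "not a version 2 MIT keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size <= 0:          # negative size = deleted slot of -size bytes
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", data, pos)[0]; pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype = struct.unpack_from(">H", data, pos)[0]
        entries.append(("/".join(comps) + "@" + realm, name_type, kvno, enctype))
        pos = end              # skip the key bytes and any trailing 32-bit kvno
    return entries

def check_keytab(data, expected_principal):
    """Problems worth fixing before pointing squid_kerb_auth at this keytab."""
    entries = parse_keytab(data)
    problems = []
    if not any(e[0] == expected_principal for e in entries):
        problems.append(f"missing principal {expected_principal}")
    for princ, _nt, _kvno, enctype in entries:
        if enctype in WEAK_DES:
            problems.append(f"{princ}: weak single-DES enctype {enctype}")
    return problems

# Constructed sample, not a real keytab: what the thread's ktpass command
# (-crypto DES-CBC-MD5 = enctype 3, -ptype KRB5_NT_SRV_HST = name type 3) yields.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "HTTP/squidproxy.ad.simia.fr", "AD.SIMIA.FR", 3, 3, b"\x01" * 8, 3)
```

Running check_keytab on a real file read in binary mode gives the same kind of list; an empty list means the expected principal is present with no DES-only keys.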
Received on Thu Aug 27 2009 - 10:40:40 MDT