[squid-users] Single Forest Multiple Domains kebreos setup (squid_kerb_ldap)

From: GIGO . <gigoz_at_msn.com>
Date: Thu, 22 Apr 2010 18:54:43 +0000

Dear Markus/All,
 
Please guide me on the matter discussed below:

 
Single Forest Multiple Domain setup
 
 
                          A
                         / \
                        / \
                        B C
 
Problem:
 
Single FOrest Multiple domains where as Root A is empty with no users. Domain B & C have no trust configured between each other. The internet users belong to Domain B & Domain C. We want to enable users from both domains to authenticate via Kerberos and authrorized through LDAP.
 
 
Guides and Helpers used:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://mailman.mit.edu/pipermail/kerberos/2009-March/014751.html
& squid_kerb_ldap readme file
 
>>>If you serve multiple Kerberos realms add a HTTP/fqdn_at_REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth......
 
 
i think this is the only change required in squid configuration to authenticate and authorize from multiple domains?
 
 
 
 
Please confirm that am i to create SPN as below for this setup to work.
 
 
(SPNs for both the domains)
 
Creation of keytab/SPN/Computerobject for Domain A:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.b.com -h squidlhr.b.com -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr.b.com --server dcofbdomain.b.com --verbose
 
Appending in the same keytab SPN/keys for Domain B:
 
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidlhr.c.com -h squidlhr.c.com -k /etc/squid/HTTP.keytab --computer-name whatever-http --upn HTTP/squidlhr.c.com --server dcofcdomain.c.com --verbose
 
 
 
PLease guide me on the changes that would be required in the krb5.conf file ?
 
--------------------------------------------------------------------------------------------
My working krb5.conf file as per the guidance of Markus ( kerberos working authorizaton portion yet to implement )
 
[libdefaults]
 default_realm = B.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab

; for windows 2003 encryption type configuration.
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 B.COM = {
  kdc = b.com
  admin_server = dc.b.com }
[domain_realm]
.linux.home = B.COM
.b.com = B.COM
b.com = B.COM
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log
-----------------------------------------------------------------------------------------------------
 
 
 
regards,
 
Bilal
 
                                                
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969
Received on Thu Apr 22 2010 - 18:54:51 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 23 2010 - 12:00:05 MDT