[squid-users] Re: squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

From: Markus Moeller <huaraz@moeller.plus.com>
Date: Mon, 26 Apr 2010 19:37:48 +0100

> "GIGO ." <gigoz@msn.com> wrote in message
> news:SNT134-w60089C12FB3E7D43747C18B9050@phx.gbl...
>
> Dear All,
>
> The problem under discussion is a continuity of SPN creation/Single Forest
> MultiDomain (Active Directory) topic.
>
> @ Markus
> Yes, my infrastructure is Active Directory based (root forest domain A
> with two child domains B (80 % users) & C (20 % users) in their own
> trees). Only the squid proxy is installed on CentOS and is not joined to any
> domain. Markus, you are right: I observed that the clients in the child
> domain are able to use the squid proxy without any changes required in the
> krb5.conf file (no need to define a [CAPATH] section). I got it that by
> design of the Active Directory forest, where parent domains and child
> domains have two-way transitive trusts, the Active Directory/DNS
> infrastructure is managing itself... and the clients in any domain are able
> to find which domain the service principal is in, to acquire a service
> ticket from that domain. Right??
>
>

Correct

>
>
> If the Unix server (proxy) does not belong to any domain, then the
> default_realm section does not matter and I can choose any of my domains
> as default_realm. As I think that the default_realm tag is compulsory to
> define, it couldn't be left blank. Similarly, if I am not going to use any other
> kerberised service, for example from my Squid proxy Unix server, then the
> .linux.home tag will be unimportant, otherwise it is a must. Right??
>
>

Correct

>
>
> // krb5.conf for Active Directory single forest multi domain, it's working
> correctly --------------------------------------------
> [libdefaults]
> default_realm = A.COM.PK
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_keytab_name = /etc/krb5.keytab
>
> ; for windows 2003 encryption type configuration.
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> [realms]
> A.COM.PK = {
> kdc = dc1.a.com.pk
> admin_server = dc1.a.com.pk
> }
> b.A.COM.PK = {
> kdc = childdc.b.a.com.pk
> admin_server = childdc.b.a.com.pk
> }
> [domain_realm]
> .linux.home = A.COM.PK
> .a.com.pk = A.COM.PK
> a.com.pk = A.COM.PK
> .b.a.com.pk = b.A.COM.PK
> b.a.com.pk = b.A.COM.PK
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/kdc.log
> ----------------
> Any suggestions/guidance required??
>
>

That looks OK

>
>
> My squid.conf portion related to Authentication/Authorization along with
> the questions.
>
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> # basic auth ACL controls to make use of it are.
> #acl auth proxy_auth REQUIRED
> #http_access deny !auth
> #http_access allow auth
>
>
> I think now above commented directives are not required as squid_kerb_ldap
> has taken the charge. Right???
>
>
>
> #external_acl_type squid_kerb1 ttl=3600 negative_ttl=3600 %LOGIN
> /usr/libexec/squid/squid_kerb_ldap -g
> GROUP1@A.COM.PK:GROUP2@A.COM.PK:GROUP3@A.COM.PK:G1@B.A.COM.PK:GROUP2@B.A.COM.PK:GROUP3@B.A.COM.PK
>
> external_acl_type g1_parent ttl=3600 negative_ttl=3600 %LOGIN
> /usr/libexec/squid/squid_kerb_ldap -g GROUP1@A.COM.PK
>
> external_acl_type g2_parent ttl=3600 negative_ttl=3600 %LOGIN
> /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.COM.PK
>
> external_acl_type g2_child ttl=3600 negative_ttl=3600 %LOGIN
> /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.B.COM.PK
>
>
>
> Although the commented single-liner was working properly for me and looks
> more appropriate to me, I had to split it into multiple
> lines.... nothing came into my mind about how to handle the ACLs based on user
> group membership. Please guide me if there is a better way to do that, as
> it feels that I am calling the helper multiple times instead of a single
> time now??
>
>
>
> (There are other expected groups from child domains and parent domains, so
> I am worried: won't it affect the performance?)
>
>
> acl ldap_group_check1 external g1_parent
> acl ldap_group_check2 external g2_parent
> acl ldap_group_check3 external g2_child
>
>
> ####Definition of YouTube.
> ## The videos come from several domains
> acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
>
> http_access deny ldap_group_check1 youtube_domains
> http_access allow ldap_group_check2
> http_access allow ldap_group_check1
> http_access allow ldap_group_check3
> http_access deny all
>
>
>
> As I think the squid.conf file is parsed from top to bottom, and if a related
> statement/acl is met then it will see no further, it means that putting the
> statements in an order where groups containing most of the users come first will
> improve performance. Can an if-else structure be used in squid.conf,
> and how? I am not sure??? Please guide...
>
>
>

I leave this to the experts to answer.

>
> Thanking you
>
> &
>
> regards,
>
>
> Bilal
>
>
>
>

Regards
Markus
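As an added illustration (not code from this thread, from Squid or from the poster), the following Python model walks an http_access list the way Squid does: there is no if-else, lines are tried top to bottom and the first line whose ACLs all match decides, ACLs on one line are ANDed left to right and the line is abandoned at the first ACL that fails, and an external ACL result is cached per helper and per %LOGIN for ttl seconds. The users, group memberships and request mix are constructed, as are the ACL and rule names beyond those in the quoted squid.conf.

```python
# Constructed model of Squid http_access evaluation (added example, not Squid code).
EXTERNAL = {"ldap_group_check1", "ldap_group_check2", "ldap_group_check3"}
VIDEO = (".youtube.com", ".googlevideo.com", ".ytimg.com")   # acl youtube_domains

def acl_matches(acl, user, dest, groups, state):
    """Evaluate one ACL, counting helper calls and honouring the ttl cache."""
    if acl == "all":
        return True
    if acl == "youtube_domains":                  # dstdomain: a cheap suffix match
        return dest.endswith(VIDEO)
    key = (acl, user)                             # cached per helper and %LOGIN
    if key not in state["cache"]:                 # cache miss: the helper is called
        state["helper_calls"] += 1
        state["cache"][key] = acl in groups[user]
    return state["cache"][key]

def http_access(rules, user, dest, groups, state):
    """Return 'allow' or 'deny' for one request; the first fully matching line wins."""
    for action, *acls in rules:
        if all(acl_matches(a, user, dest, groups, state) for a in acls):
            return action
    return "deny"                                 # nothing matched: Squid denies

def simulate(rules, requests, groups):
    """Run a request mix through a rule list; return (allowed, denied, helper_calls)."""
    state = {"cache": {}, "helper_calls": 0}
    verdicts = [http_access(rules, u, d, groups, state) for u, d in requests]
    return verdicts.count("allow"), verdicts.count("deny"), state["helper_calls"]

# Constructed population: check1/check2 are the parent-domain groups, check3 the
# child-domain group; most users sit in check2, mirroring the 80/20 split above.
GROUPS = {"alice": {"ldap_group_check2"}, "amy": {"ldap_group_check2"},
          "ann": {"ldap_group_check2"}, "bob": {"ldap_group_check1"},
          "carol": {"ldap_group_check3"}, "dave": set()}
REQUESTS = [("alice", "www.example.com"), ("amy", "www.example.com"),
            ("ann", "www.example.com"), ("bob", "www.example.com"),
            ("bob", "www.youtube.com"), ("carol", "www.example.com"),
            ("dave", "www.example.com")]
# The rule order as posted in the thread.
POSTED = [("deny", "ldap_group_check1", "youtube_domains"),
          ("allow", "ldap_group_check2"), ("allow", "ldap_group_check1"),
          ("allow", "ldap_group_check3"), ("deny", "all")]
# Same policy, but the cheap dstdomain test goes first on the deny line, so the
# group helper only runs when a request is actually for a video domain.
REORDERED = [("deny", "youtube_domains", "ldap_group_check1"),
             ("allow", "ldap_group_check2"), ("allow", "ldap_group_check1"),
             ("allow", "ldap_group_check3"), ("deny", "all")]
```

Both orderings give the same verdicts for every request; the reordered list simply reaches them with fewer helper invocations, and with real ttl caching the saving is per user rather than per request.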
Received on Mon Apr 26 2010 - 18:38:17 MDT
