RE: [squid-users] Squid-Cache-Error with NTLM: "got NTLMSSP command 3, expected 1"

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Fri, 25 Jun 2010 16:55:34 +0100

I am happily using Kerberos authentication for my AD domain users. In fact the driving force was fewer prompts for my Mac users - Safari and some other browsers don't support Kerberos, so I also have a fallback for NTLM auth, but they are much happier using Kerberos (in Firefox) and I don't take nearly so many calls... Plus there's one less auth request between my DCs and squid.

AFAIK winbind is used for your NTLM and Samba config but not for Kerberos authentication directly.

Process for AD domain is:
Get your time, network, samba, winbind and Kerberos settings configured and join squid server to the domain
Kinit a user
Create a dummy computer account, add the SPNs and export the keytab using msktutil
Klist -k /location-to-the-keytab-file, i.e. /etc/squid/HTTP.keytab. This will confirm you have exported the keys properly.
Ensure permissions on the keytab allow squid to use it
Update the init.d/squid startup to use the keytab
Update squid.conf to use the squid_kerb_auth helper

>> Are the kerberos-tickets persistent, or do I have to renew them periodically?
Host Kerberos tickets are by default 10 hours. They will renew automatically providing the user (for example) is valid and the SPNs are ok, and the KVNO doesn't change for the auth account/keytab.

>> What happens, if this account will locked out? Is then the squid-access denied?
Locked out account won't matter, you are authenticating your users against AD not the domain account you created.

>> Can someone help me with this? Are there some other examples which describe a promptless login (SSO) with plain Kerberos?
Squid wiki howto on Kerberos has the basics, although that example uses Samba to create and export the keytab. I have found this to cause problems as Samba periodically changes the computer account in AD and thus the KVNOs get out of sync, hence the dummy account.

Search this list for squid_kerb_auth, msktutil and Kerberos for more info and help.

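An added example, not from this thread: a small Python check for the "klist -k" step above, turning the KVNO point into something you can verify. It parses MIT klist -k output, confirms the HTTP/ SPN is present, and checks that every principal's newest key matches the AD account's msDS-KeyVersionNumber (which you read separately, e.g. with ldapsearch, and pass in). The sample output, proxy.example.com and EXAMPLE.COM are constructed.

```python
import re

# Constructed sample of `klist -k /etc/squid/HTTP.keytab` output (not real).
# The host/ entry is deliberately one KVNO behind to show drift detection.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy@EXAMPLE.COM
   2 host/proxy.example.com@EXAMPLE.COM
"""

# One keytab entry: leading KVNO, then principal (works with -e, which appends
# the enctype in parentheses after the principal).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def parse_klist(text):
    """Return [(kvno, principal), ...] from MIT `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_keytab(text, spn, ad_kvno):
    """Validate a keytab listing against the AD account's current KVNO.

    spn     - the service principal Squid needs, e.g. HTTP/fqdn@REALM
    ad_kvno - msDS-KeyVersionNumber of the (dummy) computer account in AD;
              all SPNs on that account share it, so every principal's newest
              keytab key must carry this number or GSSAPI auth will fail.
    Old KVNOs left in the keytab after a rekey are fine; only the newest counts.
    """
    latest = {}
    for kvno, principal in parse_klist(text):
        latest[principal] = max(kvno, latest.get(principal, 0))
    problems = []
    if spn not in latest:
        problems.append("missing SPN " + spn)
    for principal, kvno in sorted(latest.items()):
        if kvno != ad_kvno:
            problems.append("%s: newest keytab KVNO %d != AD KVNO %d"
                            % (principal, kvno, ad_kvno))
    return {"ok": not problems, "problems": problems}
```

Feed it the real `klist -k` output and the KVNO from AD; a non-empty "problems" list is the cue to re-export the keytab with msktutil before chasing browser-side settings.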
Received on Fri Jun 25 2010 - 15:55:44 MDT
