[squid-users] Re: squid_kerb_ldap with specific SPN

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 13 Aug 2010 20:18:44 +0100

"Mark deJong" <dejongm_at_gmail.com> wrote in message
news:AANLkTimPW4Vgdf536SUZ0inbX8nwax-o_BVLjjYtRc0Y_at_mail.gmail.com...
> Hello,
> I'm having some issue with squid_kerb_ldap in its handling of SPNs in
> the specified keytab file. I'm hoping I'm just missing something.
>
> I have a Windows Forest with multiple child domains, all trusting each
> other. I'd like to have one SPN authorize users for all of the child
> domains and not have to set up a user account in each domain tied with
> a dedicated SPN for that domain. From previous posts that seems to be
> the only solution when squid_kerberos_ldap looks for the user's realm
> and matches that realm with one in the keytab file.
>
> Is there not an argument like squid_kerb_auth has ( " -s <SPN>" )
> where I can specify exactly which SPN to use to bind to ldap? Is there
> another way? I read about setting [capaths] in krb5.conf but that
> doesn't seem to help much.
>

If you have trust between domains, squid_kerb_ldap tries to find the right
keytab entry. If you run squid_kerb_ldap with -d you should see something
like below. I have an OpenSuse kdc and a Windows kdc which trust each other,
and I have a keytab with only keys for SUSE.HOME. squid_kerb_ldap first
checks for a matching entry; if it doesn't find one, it tests whether there
is trust between the user domain and the keytab entries, which is then used
to authenticate squid to the user's domain for the group lookup.

2009/08/01 15:44:21| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
mm_at_WIN2003R2.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Got User: mm Domain: WIN2003R2.HOME
2009/08/01 15:44:21| squid_kerb_ldap: User domain loop: group_at_domain
SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Default domain loop: group_at_domain
SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Found group_at_domain SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Setup Kerberos credential cache
2009/08/01 15:44:21| squid_kerb_ldap: Get default keytab file name
2009/08/01 15:44:21| squid_kerb_ldap: Got default keytab file name
/etc/squid/squid.keytab
2009/08/01 15:44:21| squid_kerb_ldap: Get principal name from keytab
/etc/squid/squid.keytab
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_20587
2009/08/01 15:44:21| squid_kerb_ldap: Did not find a principal in keytab for
domain WIN2003R2.HOME.
2009/08/01 15:44:21| squid_kerb_ldap: Try to get principal of trusted
domain.
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has principal:
HTTP/opensuse11.suse.home_at_SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Found trusted principal name:
HTTP/opensuse11.suse.home_at_SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Got principal name
HTTP/opensuse11.suse.home_at_SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Stored credentials
2009/08/01 15:44:21| squid_kerb_ldap: Initialise ldap connection
2009/08/01 15:44:21| squid_kerb_ldap: Canonicalise ldap server name for
domain WIN2003R2.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Resolved SRV _ldap._tcp.WIN2003R2.HOME
record to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 1 of WIN2003R2.HOME
to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 2 of WIN2003R2.HOME
to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 3 of WIN2003R2.HOME
to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Sorted ldap server names for domain
WIN2003R2.HOME:
2009/08/01 15:44:21| squid_kerb_ldap: Host: w2k3r2.win2003r2.home Port: 389
Priority: 0 Weight: 0
2009/08/01 15:44:21| squid_kerb_ldap: Setting up connection to ldap server
w2k3r2.win2003r2.home:389

Does this help? Can you send me your -d output?

> Any help is much appreciated!!!
>
> Sincerely,
> M deJong
>

I tried to cover as many use cases as possible, as automated as possible. But
there might be some cases I do not cover ( yet ;-) ). Any feedback for
improvements is appreciated.

Regards
Markus
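The keytab selection order described in the reply above, as an added illustration in Python (not squid_kerb_ldap's own code): first a keytab entry whose realm equals the user's realm, otherwise an entry from a realm that trusts the user's realm. The keytab contents and the trust pair are constructed from the realms in the debug output, and only direct trust is modelled (transitive forest trust is an assumption left out).

```python
"""Model of the principal selection squid_kerb_ldap logs with -d.
Constructed sample data; this is not the helper's own code."""


def parse_principal(principal):
    """Split 'HTTP/host@REALM' into (service_and_host, REALM)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal without realm: %r" % principal)
    return name, realm


def select_principal(user_realm, keytab, trusts, log=None):
    """Return the keytab principal used for the group lookup in user_realm,
    or None when neither an exact nor a trusted-realm entry exists.

    keytab: list of principal strings as read from the keytab file
    trusts: set of (realm_a, realm_b) pairs, checked in both directions
    log:    optional list collecting messages in the style of the -d output
    """
    log = log if log is not None else []
    entries = [(p, parse_principal(p)[1]) for p in keytab]
    for principal, realm in entries:
        log.append("Keytab entry has realm name: %s" % realm)
    # 1. Exact match: the keytab holds a key for the user's own realm.
    for principal, realm in entries:
        if realm == user_realm:
            log.append("Got principal name %s" % principal)
            return principal
    log.append("Did not find a principal in keytab for domain %s." % user_realm)
    # 2. Fallback: a key from a realm that has a trust with the user's realm.
    log.append("Try to get principal of trusted domain.")
    for principal, realm in entries:
        if (realm, user_realm) in trusts or (user_realm, realm) in trusts:
            log.append("Found trusted principal name: %s" % principal)
            return principal
    return None


# Constructed sample mirroring the debug output quoted in the reply.
KEYTAB = ["HTTP/opensuse11.suse.home@SUSE.HOME"]
TRUSTS = {("SUSE.HOME", "WIN2003R2.HOME")}

if __name__ == "__main__":
    steps = []
    chosen = select_principal("WIN2003R2.HOME", KEYTAB, TRUSTS, steps)
    print("\n".join(steps))
    print("chosen:", chosen)
```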
Received on Fri Aug 13 2010 - 19:23:04 MDT