Re: [squid-users] Kerberos authentication with MIT KDC

From: Rob Asher <rasher_at_paragould.k12.ar.us>
Date: Wed, 08 Dec 2010 08:00:13 -0600

>>> Rolf Loudon <rolf_at_ses.tas.gov.au> 12/06/10 7:46 PM >>>
>Hello
>
>I've done this but against AD. As far as I can see the squid helpers squid_kerb_auth and squid_kerb_ldap are not AD specific and implement pure kerberos authentication. The former comes with squid 2.7 but getting the latest and compiling provides a few extra features (like the -r switch which I like). You will need these helpers and you will need to create a service principal.
>
>http://squidkerbauth.sourceforge.net/ is where the files are.
>
>Markus Moeller is the author of these helpers and is very helpful - and is active on this list.
>
>I found this helpful http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
>
>regards
>
>rolf.

Thanks Rolf,

I'd already downloaded the latest squidkerbauth 1.0.7 from sourceforge and compiled it. Mostly just to test with squid_kerb_auth_test since it wasn't included in the binary package for CentOS I used. Squid was compiled with all the required helpers though I believe:

Squid Cache: Version 2.7.STABLE9
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-digest-auth-helpers=password' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' '--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie'

I've actually loosely followed the link you provided to Klaubert's guide in setting this up. I also referenced the guide on the wiki here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos. The one thread in the mailing list archives closest to what I'm trying to do was this one: http://www.squid-cache.org/mail-archive/squid-users/201009/0405.html. I've added an HTTP service principal to the KDC on the mac server but nothing else. Hopefully I exported the keytab and copied it to the squid server correctly, since I couldn't find any documentation specific to that. I'm sure I've missed a step somewhere here or there that was implied, or I've hosed something making changes along the way. I'm at a loss now as to what to look for or change.

Best Regards,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
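As an added example (not code from this thread or from the squidkerbauth project), a small Python parser for the MIT keytab format (version 0x0502, the format kadmin's ktadd writes), so that on the squid server you can confirm the exported keytab really contains the HTTP/<fqdn>@REALM entry with the kvno you expect, the same information `klist -kt` shows. The sample keytab, principal names, realm and key bytes below are constructed for the example.

```python
import struct

def _counted(b):                          # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b
def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal, kvno, enctype, key):
    """Serialise one format-0x0502 entry; used here only to construct the sample keytab."""
    name, realm = principal.encode().split(b"@")
    comps = name.split(b"/")
    body = struct.pack(">H", len(comps)) + _counted(realm) + b"".join(map(_counted, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type=1 (principal), timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, length, key bytes
    body += struct.pack(">I", kvno)                       # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c)
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # past the fixed fields and the key material
        # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit field
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def find_service_keys(data, principal):   # (kvno, enctype) for the HTTP/<fqdn>@REALM squid needs
    return [(k, e) for p, k, e in parse_keytab(data) if p == principal]

# Constructed sample keytab: a deleted kvno-2 HTTP key followed by the live kvno-3 key.
_old = build_entry("HTTP/proxy.example.com@EXAMPLE.COM", 2, 18, b"\x00" * 32)
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", 4 - len(_old)) + _old[4:]
                 + build_entry("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32))
```

Point `find_service_keys` at the bytes of the keytab you copied over and the exact principal name squid's host resolves to; an empty result, or a kvno that differs from what the KDC reports for the principal, is the mismatch that makes the helper reject every ticket.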

Received on Wed Dec 08 2010 - 14:00:29 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 09 2010 - 12:00:02 MST