----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Cc: <squid-users_at_squid-cache.org>
Sent: Sunday, March 22, 2009 12:28 AM
Subject: Re: [squid-users] Re: AD authentication with squid
> Markus Moeller wrote:
>> In more detail the required steps for squid_kerb_auth (from
>> https://sourceforge.net/project/showfiles.php?group_id=196348 or from the
>> latest squid distribution) are:
>>
>> 1) Install kerberos client package
>> 2) Install msktutil package from
>>    http://dag.wieers.com/rpm/packages/msktutil/
>> 3) Configure krb5.conf
>> 4) Configure squid by adding
>>    auth_param negotiate program /usr/sbin/squid_kerb_auth
>>    auth_param negotiate children 10
>>    auth_param negotiate keep_alive on
>> 5) Create keytab for HTTP/fqdn with msktutil.
>>    a) kinit administrator@DOMAIN
>>    b) msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/<fqdn> --server <domain controller> --verbose
>>
>> 6) Add the following to the squid startup script
>>    KRB5_KTNAME=/etc/squid/HTTP.keytab
>>    export KRB5_KTNAME
>>
>> 7) Done
>>
>> Markus
>>
>>
>
> Thank you. I was going to ask you for this soon.
> Added to the wiki:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Is there anything we can/should add to the krb5.conf section?
>
Regarding krb5.conf it might be good to mention that rc4-hmac should be
listed as an encryption type. A minimal setup without DNS resolution of AD
servers would be:
[libdefaults]
    default_realm = WIN2003R2.HOME
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/krb5.keytab
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
    WIN2003R2.HOME = {
        kdc = w2k3r2.win2003r2.home
        admin_server = w2k3r2.win2003r2.home
    }
[domain_realm]
    .linux.home = WIN2003R2.HOME
    .win2003r2.home = WIN2003R2.HOME
    win2003r2.home = WIN2003R2.HOME
[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
In IE the proxy must be specified as an FQDN, not as an IP address.
> Amos
> --
Regards
Markus
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.6
>
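The points Markus makes about krb5.conf (rc4-hmac offered on every enctype list, the KDC named explicitly in [realms] once dns_lookup_kdc is off, [domain_realm] covering the proxy host, and KRB5_KTNAME from step 6 overriding default_keytab_name) can be checked offline before squid is restarted. The script below is an added example, not code from the squid project or from the thread: it parses the krb5.conf posted above with a small parser written for this purpose and reports findings. It also flags the single-DES enctypes in that configuration as legacy, a caveat the thread itself does not raise. The hostname proxy.linux.home is an assumed name for the squid box.

```python
import re

# krb5.conf as posted in the thread above; hostnames are Markus's lab values.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WIN2003R2.HOME
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/krb5.keytab
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
    WIN2003R2.HOME = {
        kdc = w2k3r2.win2003r2.home
        admin_server = w2k3r2.win2003r2.home
    }
[domain_realm]
    .linux.home = WIN2003R2.HOME
    .win2003r2.home = WIN2003R2.HOME
    win2003r2.home = WIN2003R2.HOME
[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # legacy single-DES types


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, 'key = value'
    lines, and one level of 'name = { ... }' blocks (as in [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError("setting outside any section: %r" % raw)
        if line == "}":  # end of a '{ ... }' block
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("unparsable line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a block such as 'REALM = {'
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section)[key] = value
    return conf


def realm_for_host(conf, host):
    """Apply [domain_realm]: exact hostname first, then the longest matching
    '.suffix' entry; None when nothing matches."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    best = None
    for pattern, realm in mapping.items():
        if pattern.startswith(".") and host.endswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    return best[1] if best else None


def effective_keytab(conf, env):
    """KRB5_KTNAME overrides default_keytab_name, which is why step 6 in the
    thread exports it from the squid startup script."""
    if env.get("KRB5_KTNAME"):
        return env["KRB5_KTNAME"]
    return conf.get("libdefaults", {}).get("default_keytab_name", "/etc/krb5.keytab")


def check_krb5_conf(conf, proxy_fqdn, env):
    """Return ERROR/WARN/INFO findings for a squid proxy named proxy_fqdn."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["ERROR: [libdefaults] has no default_realm"]
    for key in ENCTYPE_KEYS:
        enctypes = libdefaults.get(key, "").split()
        if "rc4-hmac" not in enctypes:  # the thread's point for a Windows 2003 AD
            findings.append("ERROR: %s does not list rc4-hmac" % key)
        legacy = sorted(set(enctypes) & SINGLE_DES)
        if legacy:
            findings.append("WARN: %s offers single-DES types: %s" % (key, " ".join(legacy)))
    # With KDC discovery via DNS disabled, [realms] must name the KDC itself.
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("no", "false", "0"):
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            findings.append("ERROR: dns_lookup_kdc is off but [realms] names no kdc for %s" % realm)
    if realm_for_host(conf, proxy_fqdn) != realm:
        findings.append("WARN: no [domain_realm] entry maps %s to %s" % (proxy_fqdn, realm))
    findings.append("INFO: squid_kerb_auth will open keytab %s" % effective_keytab(conf, env))
    return findings


if __name__ == "__main__":
    # proxy.linux.home is an assumed hostname; the env mirrors step 6 of the thread.
    env = {"KRB5_KTNAME": "/etc/squid/HTTP.keytab"}
    for line in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF), "proxy.linux.home", env):
        print(line)
```

Run against the posted configuration it reports no errors, three WARN lines for the DES types, and the keytab squid will actually open; dropping rc4-hmac from the enctype lists turns each of those lists into an ERROR, which is the failure the thread is steering people away from.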
Received on Sun Mar 22 2009 - 01:04:58 MDT