Re: [squid-users] Re: Re: AD authentiction with squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 22 Mar 2009 14:13:43 +1300

Markus Moeller wrote:
> ----- Original Message ----- From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
> Cc: <squid-users_at_squid-cache.org>
> Sent: Sunday, March 22, 2009 12:28 AM
> Subject: Re: [squid-users] Re: AD authentiction with squid
>
>
>> Markus Moeller wrote:
>>> In more detail the required steps for squid_kerb_auth (from
>>> https://sourceforge.net/project/showfiles.php?group_id=196348 or from
>>> latest squid distribution) are:
>>>
>>> 1) Install kerberos client package
>>> 2) Install msktutil package from
>>> http://dag.wieers.com/rpm/packages/msktutil/
>>> 3) Configure krb5.conf
>>> 4) Configure squid by adding
>>> auth_param negotiate program /usr/sbin/squid_kerb_auth
>>> auth_param negotiate children 10
>>> auth_param negotiate keep_alive on
>>> 5) Create keytab for HTTP/fqdn with msktutil.
>>> a) kinit administrator@DOMAIN
>>> b) msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/<fqdn> --server <domain controller> --verbose
>>>
>>> 6) Add the following to the squid startup script
>>> KRB5_KTNAME=/etc/squid/HTTP.keytab
>>> export KRB5_KTNAME
>>>
>>> 7) Done
>>>
>>> Markus
>>>
>>>
>>
>> Thank you. I was going to ask you for this soon.
>> Added to the wiki:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Is there anything we can/should add to the krb5.conf section?
>>
>
> Regarding krb5.conf it might be good to mention that rc4-hmac should be
> listed as encryption type. A minimal setup without DNS resolution of AD
> servers would be
>
<snip>

Done. Thank you.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Sun Mar 22 2009 - 01:12:59 MDT
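
A pre-flight check for steps 4 to 6 of the procedure quoted above, as an added example that is not part of the original messages or of the Squid distribution. The function names and the owner-only keytab permission policy are assumptions of this example; the three file paths are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the thread): checks for steps 4-6 of the procedure.
# Usage: sh check_kerb.sh <squid.conf> <keytab> <squid startup script>

# Step 4: each auth_param negotiate directive is present and not commented out.
check_squid_conf() {
    rc=0
    for d in program children keep_alive; do
        grep -Eq "^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+$d[[:space:]]+[^[:space:]]" "$1" ||
            { echo "missing: auth_param negotiate $d" >&2; rc=1; }
    done
    return $rc
}

# Step 5: the keytab exists, is non-empty, and has no group/other permission
# bits (assumed policy: it holds the HTTP/<fqdn> key, so owner-only access).
check_keytab() {
    [ -s "$1" ] || { echo "keytab missing or empty: $1" >&2; return 1; }
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "keytab accessible beyond owner ($perms): $1" >&2; return 1; }
}

# Step 6: the startup script sets KRB5_KTNAME to that keytab and exports it.
check_ktname() {
    val=$(sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}KRB5_KTNAME=//p' "$1" |
        tail -n 1 | tr -d "\"'")
    [ "$val" = "$2" ] ||
        { echo "KRB5_KTNAME is '$val', expected '$2'" >&2; return 1; }
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME' "$1" ||
        { echo "KRB5_KTNAME is set but never exported" >&2; return 1; }
}

# Run all three checks when called with the three paths.
if [ "$#" -eq 3 ]; then
    status=0
    check_squid_conf "$1" || status=1
    check_keytab "$2" || status=1
    check_ktname "$3" "$2" || status=1
    [ "$status" -eq 0 ] && echo "steps 4-6 look consistent"
    exit "$status"
fi
```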
