[squid-users] squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

From: GIGO . <gigoz_at_msn.com>
Date: Sun, 25 Apr 2010 18:42:10 +0000

Dear All,
 
The problem under discussion is a continuation of the SPN creation / Single Forest Multi-Domain (Active Directory) topic.

@ Markus
Yes, my infrastructure is Active Directory based (root forest directory A with two child domains, B (80 % of users) and C (20 % of users), in their own trees). Only the Squid proxy is installed, on CentOS, and it is not joined to any domain. Markus, you are right: I observed that the clients in the child domain are able to use the Squid proxy without any changes required in the krb5.conf file (no need to define a [CAPATH] section). I got it that, by design of the Active Directory forest, where parent domains and child domains have two-way transitive trusts, the Active Directory/DNS infrastructure is managing itself... and the clients in any domain are able to find which domain the service principal is in, to acquire a service ticket from that domain. Right??

If the Unix server (proxy) does not belong to any domain then the default_realm setting does not matter and I can choose any of my domains as default_realm. As I think the default_realm tag is compulsory to define, it couldn't be left blank. Similarly, if I am not going to use any other Kerberised service, for example from my Squid proxy Unix server, then the .linux.home tag will be unimportant; otherwise it is a must. Right??

// krb5.conf for Active Directory single forest multi-domain; it's working correctly
--------------------------------------------
[libdefaults]
 default_realm = A.COM.PK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_keytab_name = /etc/krb5.keytab

 ; for Windows 2003 encryption type configuration.
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 A.COM.PK = {
   kdc = dc1.a.com.pk
   admin_server = dc1.a.com.pk
 }
 b.A.COM.PK = {
   kdc = childdc.b.a.com.pk
   admin_server = childdc.b.a.com.pk
 }

[domain_realm]
 .linux.home = A.COM.PK
 .a.com.pk = A.COM.PK
 a.com.pk = A.COM.PK
 .b.a.com.pk = b.A.COM.PK
 b.a.com.pk = b.A.COM.PK

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/kdc.log
--------------------------------------------

Any suggestions/guidance required??
 
 
 
 
The portion of my squid.conf related to authentication/authorization, along with my questions.

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it:
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth

I think the commented directives above are now not required, as squid_kerb_ldap has taken charge. Right???
 
 
 
#external_acl_type squid_kerb1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g GROUP1@A.COM.PK:GROUP2@A.COM.PK:GROUP3@A.COM.PK:G1@B.A.COM.PK:GROUP2@B.A.COM.PK:GROUP3@B.A.COM.PK

external_acl_type g1_parent ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g GROUP1@A.COM.PK

external_acl_type g2_parent ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.COM.PK

external_acl_type g2_child ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.B.COM.PK

Although the commented single-liner was working properly for me and looks more appropriate to me, I had to split it into multiple lines, as nothing came to my mind on how to handle the ACLs based on user group membership. Please guide me if there is a better way to do that, as it feels that I am calling the helper multiple times instead of a single time now??

(There are other expected groups from the child domains and parent domains, so I am worried about whether it will affect performance.)

acl ldap_group_check1 external g1_parent
acl ldap_group_check2 external g2_parent
acl ldap_group_check3 external g2_child

#### Definition of YouTube.
## The videos come from several domains
acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com

http_access deny ldap_group_check1 youtube_domains
http_access allow ldap_group_check2
http_access allow ldap_group_check1
http_access allow ldap_group_check3
http_access deny all

As I think, the squid.conf file is parsed from top to bottom, and if a matching statement/ACL is met then it will look no further, so it means that putting the statements in an order where the groups containing most of the users come first will improve performance. Can an if-else structure be used in squid.conf, and how? I am not sure??? Please guide...

Thanking you & regards,

Bilal
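The realm-resolution question in the post (which realm a host name maps to, and why [domain_realm] carries both the dotted and the undotted form of each domain) can be checked offline. What follows is an added example, not code from the original post, from Squid or from MIT krb5: a small Python reader for a krb5.conf like the one above that resolves host names through [domain_realm] and lints the realm and enctype settings. SAMPLE_KRB5_CONF is a constructed copy of the relevant parts of the post's file, and the resolver's fallback to default_realm when nothing matches is an assumption made for illustration.

```python
"""Added illustration, not code from the original post, Squid or MIT krb5: read a
krb5.conf, resolve a host name to a realm via [domain_realm], and lint the realm
and enctype settings.  SAMPLE_KRB5_CONF is a constructed copy of the post's file."""

import re
from typing import Dict, List, Optional

SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = A.COM.PK
 dns_lookup_kdc = false
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 A.COM.PK = {
   kdc = dc1.a.com.pk
 }
 b.A.COM.PK = {
   kdc = childdc.b.a.com.pk
 }
[domain_realm]
 .linux.home = A.COM.PK
 .a.com.pk = A.COM.PK
 a.com.pk = A.COM.PK
 .b.a.com.pk = b.A.COM.PK
 b.a.com.pk = b.A.COM.PK
"""

Conf = Dict[str, Dict[str, object]]


def parse_krb5_conf(text: str) -> Conf:
    """'key = value' lines grouped by [section]; a realm stanza 'NAME = { ... }'
    is recorded by name and its inner lines are skipped."""
    sections: Conf = {}
    current: Optional[Dict[str, object]] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # both are krb5.conf comment markers
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
            continue
        if line == "}":
            depth -= 1
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            if depth == 0:
                current[key] = {}
            depth += 1
        elif depth == 0:
            current[key] = value
    return sections


def host_realm(conf: Conf, hostname: str) -> Optional[str]:
    """An entry without a leading dot matches that exact name only; an entry with
    a leading dot matches the hosts beneath it, longest suffix first.  That is why
    the post lists both 'a.com.pk' and '.a.com.pk'."""
    mapping = {str(k).lower(): str(v) for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    dot = host.find(".")
    while dot != -1:
        suffix = host[dot:]                        # ".b.a.com.pk", then ".a.com.pk", ...
        if suffix in mapping:
            return mapping[suffix]
        dot = host.find(".", dot + 1)
    # Assumption for this example: with no mapping and DNS lookups off, use
    # default_realm; a real library may instead ask the KDC for a referral.
    return conf.get("libdefaults", {}).get("default_realm")


WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}   # single DES, deprecated


def lint_krb5_conf(conf: Conf) -> List[str]:
    """Checks worth running before trusting the file: realm names are case-sensitive
    (AD realms are upper-case), a referenced realm needs a [realms] stanza when
    dns_lookup_kdc is off, and single-DES enctypes should not be permitted."""
    warnings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realms = set(conf.get("realms", {}))
    referenced = {str(v) for v in conf.get("domain_realm", {}).values()}
    referenced.add(str(libdefaults.get("default_realm", "")))
    kdc_from_dns = str(libdefaults.get("dns_lookup_kdc", "")).lower() != "false"
    for realm in sorted(r for r in referenced if r):
        if realm != realm.upper():
            warnings.append(f"realm '{realm}' is not upper-case; realm names are case-sensitive")
        if realm not in realms and not kdc_from_dns:
            warnings.append(f"realm '{realm}' has no [realms] stanza and dns_lookup_kdc is off")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(str(libdefaults.get(key, "")).split()))
        if weak:
            warnings.append(f"{key} permits single-DES enctypes {weak}")
    return warnings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("childdc.b.a.com.pk", "dc1.a.com.pk", "a.com.pk", "proxy.linux.home"):
        print(f"{host} -> {host_realm(conf, host)}")
    for warning in lint_krb5_conf(conf):
        print("WARNING:", warning)
```

Run as a script it prints the realm chosen for each sample host and the lint findings. On the post's file the lint flags the mixed-case child realm name, because Kerberos compares realm names case-sensitively, and the single-DES entries in the three enctype lists, which RFC 6649 deprecated; rc4-hmac is left alone here only because it was the Windows 2003 default the file is written for.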
 
 
 
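To make the ordering question concrete, here is an added example, not from the original post or from Squid: a Python model of Squid's http_access evaluation (lines top to bottom, first match wins; within a line, ACLs left to right, stopping at the first that fails) in which each external_acl_type caches its helper's answer per %LOGIN for ttl or negative_ttl seconds. The group membership table and user names are constructed and stand in for the LDAP lookups squid_kerb_ldap performs, and the realm spelling in the g2_child helper argument is an assumption.

```python
"""Added illustration, not code from the original post or from Squid: a model of
http_access evaluation with per-login caching of external ACL helper answers,
built around the post's five http_access lines."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stand-in for LDAP group membership, keyed by the helper's -g
# argument (group@REALM; the realm spelling here is an assumption).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "GROUP1@A.COM.PK": {"alice@A.COM.PK"},
    "GROUP2@A.COM.PK": {"bob@A.COM.PK"},
    "GROUP2@B.A.COM.PK": {"carol@B.A.COM.PK"},
}


@dataclass
class Request:
    login: str          # what %LOGIN expands to after Negotiate authentication
    dst_host: str


class ExternalAcl:
    """One external_acl_type: the helper answers OK/ERR for a %LOGIN and Squid
    keeps that answer for ttl (OK) or negative_ttl (ERR) seconds."""

    def __init__(self, name: str, group: str, ttl: int = 3600, negative_ttl: int = 3600):
        self.name, self.group = name, group
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.cache: Dict[str, Tuple[bool, float]] = {}   # login -> (answer, expiry)
        self.helper_calls = 0

    def match(self, req: Request, now: float) -> bool:
        cached = self.cache.get(req.login)
        if cached and cached[1] > now:
            return cached[0]
        self.helper_calls += 1                             # a round trip to squid_kerb_ldap
        ok = req.login in GROUP_MEMBERS.get(self.group, set())
        self.cache[req.login] = (ok, now + (self.ttl if ok else self.negative_ttl))
        return ok


class DstDomainAcl:
    """acl NAME dstdomain ...: '.example.com' matches the domain and every subdomain."""

    def __init__(self, name: str, domains: List[str]):
        self.name, self.domains = name, [d.lower() for d in domains]

    def match(self, req: Request, now: float) -> bool:
        host = req.dst_host.lower()
        return any(host == d or (d.startswith(".") and (host == d[1:] or host.endswith(d)))
                   for d in self.domains)


class AllAcl:
    """Squid's built-in 'all'."""
    name = "all"

    def match(self, req: Request, now: float) -> bool:
        return True


Rule = Tuple[str, List[Tuple[object, bool]]]          # (action, [(acl, negated)])


def http_access(rules: List[Rule], req: Request, now: float = 0.0) -> str:
    for action, terms in rules:
        for acl, negated in terms:
            if acl.match(req, now) == negated:         # this term fails: skip to next line
                break
        else:
            return action                              # every term matched: first match wins
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def build_policy() -> Tuple[List[Rule], List[ExternalAcl]]:
    """The post's http_access block, in the order it was written."""
    g1 = ExternalAcl("g1_parent", "GROUP1@A.COM.PK")
    g2 = ExternalAcl("g2_parent", "GROUP2@A.COM.PK")
    g2c = ExternalAcl("g2_child", "GROUP2@B.A.COM.PK")
    youtube = DstDomainAcl("youtube_domains", [".youtube.com", ".googlevideo.com", ".ytimg.com"])
    rules: List[Rule] = [
        ("deny", [(g1, False), (youtube, False)]),
        ("allow", [(g2, False)]),
        ("allow", [(g1, False)]),
        ("allow", [(g2c, False)]),
        ("deny", [(AllAcl(), False)]),
    ]
    return rules, [g1, g2, g2c]


def decide(rules: List[Rule], acls: List[ExternalAcl], req: Request, now: float = 0.0) -> Tuple[str, int]:
    """Return the decision and how many helper round trips this request cost."""
    before = sum(a.helper_calls for a in acls)
    return http_access(rules, req, now), sum(a.helper_calls for a in acls) - before


if __name__ == "__main__":
    rules, acls = build_policy()
    for req in (Request("alice@A.COM.PK", "www.youtube.com"),
                Request("alice@A.COM.PK", "www.example.com"),
                Request("carol@B.A.COM.PK", "www.example.com"),
                Request("carol@B.A.COM.PK", "www.example.com")):
        print(req.login, req.dst_host, decide(rules, acls, req))
```

decide() returns the decision together with the number of helper round trips it cost, which makes the effect of line order visible: a user whose group is tested only on the fourth line costs three helper calls on a cold cache, a user in the first group costs one or two, and any user costs none again until the ttl expires. The model has no if-else, and neither does squid.conf: a later line is reached only when every earlier line failed to match, and a line stops at its first non-matching ACL without consulting the ones to its right.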
Received on Sun Apr 25 2010 - 18:42:16 MDT
