If you use squid_kerb_auth you can configure it to do Kerberos
authentication for both domains. To do so use squid_kerb_auth with the
option -s GSS_C_NO_NAME and add a principal HTTP/<squid fqdn>@<WIN.DOM> to
the keytab.
To do this create a krb5_WIN.conf file like below and export
KRB5_CONFIG=./krb5_WIN.conf
[libdefaults]
default_realm = WIN.DOM
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/krb5.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;
[realms]
WIN.DOM = {
kdc = kdc.win.dom
admin_server = kdc.win.dom
}
[domain_realm]
.win.dom = WIN.DOM
win.dom = WIN.DOM
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
then kinit user@WIN.DOM where user has rights to create a computer account
in an OU of AD (e.g. OU=Unix). User could be Administrator or just a user
with limited rights in AD (e.g. just enough to create/modify the computer
account object)
Now run:
msktutil -c -b "OU=Unix" -s HTTP/<squid fqdn> -h <fqdn> -k <existing squid keytab> --computer-name <squid-http> --upn HTTP/<squid fqdn> --server <domain controller> --verbose
or for Windows 2008 for AES support
msktutil -c -b "OU=Unix" -s HTTP/<squid fqdn> -h <fqdn> -k <existing squid keytab> --computer-name <squid-http> --upn HTTP/<squid fqdn> --server <domain controller> --verbose --enctypes 28
Regards
Markus
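An added example (not part of Markus's reply, and not squid or msktutil code): a POSIX sh check of the keytab that squid_kerb_auth -s GSS_C_NO_NAME will serve both realms from. It runs over constructed klist -kte output, confirms HTTP/<squid fqdn> has a key in each realm, flags leftover DES keys, and decodes the --enctypes 28 bitmask. The host name proxy.example.test, the RHDS realm name UNIX.DOM and the timestamps are assumptions.

```shell
# Constructed sample of `klist -kte /etc/krb5.keytab` output (not from a real
# host). UNIX.DOM stands for the RHDS realm, WIN.DOM for Active Directory.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   3 10/16/2009 10:00:00 HTTP/proxy.example.test@UNIX.DOM (aes256-cts-hmac-sha1-96)
   3 10/16/2009 10:00:00 HTTP/proxy.example.test@UNIX.DOM (arcfour-hmac)
   2 10/16/2009 10:05:00 HTTP/proxy.example.test@WIN.DOM (arcfour-hmac)
   2 10/16/2009 10:05:00 HTTP/proxy.example.test@WIN.DOM (des-cbc-md5)
   2 10/16/2009 10:05:00 host/proxy.example.test@WIN.DOM (arcfour-hmac)'
# Decode an msktutil --enctypes bitmask (msDS-SupportedEncryptionTypes bits)
# into enctype names; 28 = RC4 + AES128 + AES256, no DES.
decode_enctypes() {
    mask=$1; out=""
    [ $((mask & 1)) -ne 0 ] && out="$out des-cbc-crc"
    [ $((mask & 2)) -ne 0 ] && out="$out des-cbc-md5"
    [ $((mask & 4)) -ne 0 ] && out="$out rc4-hmac"
    [ $((mask & 8)) -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${out# }"
}
# keytab_has_principal "<klist -kte output>" <service> <fqdn> <REALM>
# Exit status 0 when a key for service/fqdn@REALM is present.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2/$3@$4" '$4 == p { f=1 } END { exit !f }'
}
# des_enctypes "<klist -kte output>" <principal>: prints DES key types present
des_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$4 == p { gsub(/[()]/, "", $5); if ($5 ~ /^des-/) print $5 }'
}
# check_squid_keytab "<klist -kte output>" <fqdn> <REALM>...
# Exit status 0 when every realm has an HTTP/<fqdn> key and none of them is DES.
check_squid_keytab() {
    out=$1; fqdn=$2; shift 2; rc=0
    for realm in "$@"; do
        p="HTTP/$fqdn@$realm"
        if ! keytab_has_principal "$out" HTTP "$fqdn" "$realm"; then
            echo "MISSING: $p"; rc=1; continue
        fi
        weak=$(des_enctypes "$out" "$p")
        if [ -n "$weak" ]; then
            echo "WEAK: $p has DES keys:" $weak; rc=1
        else
            echo "OK: $p"
        fi
    done
    return $rc
}
```

Run it against real output with `check_squid_keytab "$(klist -kte /etc/krb5.keytab)" <squid fqdn> <RHDS realm> WIN.DOM` after the msktutil step; a MISSING line for WIN.DOM means the second-realm principal never made it into the keytab.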
"L.S. Keijser" <leon_at_linux.nl> wrote in message
news:1255670481.7645.15.camel_at_localhost.localdomain...
> Hi,
>
> For a customer we have set up a redhat directory server (rhds) that
> will hand out kerberos tickets which the user then uses to authenticate
> itself with squid. All works great, the users can go to internet sites
> without having to enter a username/password.
>
> But there's a second kerberos realm (windows, active directory) for
> which the ticket obviously doesn't work (yet .. we're working on that).
>
> We have configured a PAC so squid won't be used for intranet sites.
> Instead the Microsoft ISA server is used. Only every time the user
> browses the intranet, he's being prompted for a username/password by the
> ISA server.
>
> Now we already keep both usernames/passwords in sync between the RHDS
> and the AD. The only problem is that Microsoft ISA server requires a
> username in the form 'DOMAIN\username'.
>
> Now my question(s): is it possible to configure squid in such a way that
> it'll forward the username/password to the ISA server? If not, is it
> possible to have squid already fill in the username field and have it
> prefix it like 'DOMAIN\username' ? Or is that a much better way to
> accomplish this? Obviously the best way would be to not have the user
> be prompted for his credentials at all when browsing the intranet.
>
> Thanks in advance,
>
> Léon
>
>
Received on Fri Oct 16 2009 - 23:30:38 MDT