[squid-users] Re: squid_kerb_ldap/squid_kerb_auth in Single Forest Multidomains Active Directory.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 27 Apr 2010 07:07:29 +0100

"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:hr4mi5$3ei$1_at_dough.gmane.org...
>> "GIGO ." <gigoz_at_msn.com> wrote in message
>> news:SNT134-w60089C12FB3E7D43747C18B9050_at_phx.gbl...
>>
>> Dear All,
>>
>> The problem under discussion is a continuation of the SPN creation/Single
>> Forest MultiDomain (Active Directory) topic.
>>
>> @ Markus
>> Yes, my infrastructure is Active Directory based (Root Forest Directory A
>> with two child domains B (80 % users) & C (20 % users) in their own
>> trees). Only the squid proxy is installed on CentOS and not joined to any
>> domain. Markus, you are right: I observed that the clients in the child
>> domain are able to use the squid proxy without any changes required in the
>> krb5.conf file (no need to define a [CAPATH] section). I got it that by
>> design of the Active Directory forest, where parent domains and child
>> domains have two-way transitive trusts, the Active Directory/DNS
>> infrastructure is managing itself... and the clients in any domain are
>> able to find in which domain the service principal is, to acquire a
>> service ticket from that domain. Right??
>>
>>
>
> Correct
>
>>
>>
>> If the Unix server (proxy) does not belong to any domain then the
>> default_realm section does not matter and I can choose any of my domains
>> as default_realm. As I think that the default_realm tag is compulsory to
>> define, it couldn't be left blank. Similarly, if I am not to use any other
>> kerberised service, for example from my Squid proxy Unix server, then the
>> .linux.home tag will be unimportant; otherwise it is a must. Right??
>>
>>
>
> Correct

Keep in mind that squid_kerb_ldap is a kerberised client and will need the
krb5.conf settings.

>
>>
>>
>> // krb5.conf for Active Directory single forest multi domain; it's working
>> correctly --------------------------------------------
>> [libdefaults]
>> default_realm = A.COM.PK
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> default_keytab_name = /etc/krb5.keytab
>>
>> ; for windows 2003 encryption type configuration.
>> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>> [realms]
>> A.COM.PK = {
>> kdc = dc1.a.com.pk
>> admin_server = dc1.a.com.pk
>> }
>> b.A.COM.PK = {
>> kdc = childdc.b.a.com.pk
>> admin_server = childdc.b.a.com.pk
>> }
>> [domain_realm]
>> .linux.home = A.COM.PK
>> .a.com.pk = A.COM.PK
>> a.com.pk = A.COM.PK
>> .b.a.com.pk = b.A.COM.PK
>> b.a.com.pk = b.A.COM.PK
>> [logging]
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/kdc.log
>> ----------------\\
>> Any suggestions/guidance required??
>>
>>
>
> That looks OK
>
>>
>>
>> My squid.conf portion related to Authentication/Authorization along with
>> the questions.
>>
>> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> # basic auth ACL controls to make use of it are.
>> #acl auth proxy_auth REQUIRED
>> #http_access deny !auth
>> #http_access allow auth
>>
>>
>> I think now the above commented directives are not required, as
>> squid_kerb_ldap has taken charge. Right???
>>
>>
>>
>> #external_acl_type squid_kerb1 ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/libexec/squid/squid_kerb_ldap -g
>> GROUP1@A.COM.PK:GROUP2@A.COM.PK:GROUP3@A.COM.PK:G1@B.A.COM.PK:GROUP2@B.A.COM.PK:GROUP3@B.A.COM.PK
>>
>> external_acl_type g1_parent ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/libexec/squid/squid_kerb_ldap -g GROUP1@A.COM.PK
>>
>> external_acl_type g2_parent ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.COM.PK
>>
>> external_acl_type g2_child ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/libexec/squid/squid_kerb_ldap -g GROUP2@A.B.COM.PK
>>
>>
>>
>> Although the commented single-liner was working properly for me and looks
>> more appropriate to me, I had to split it into multiple
>> lines.... Nothing came into my mind how to handle the ACLs based on user
>> group membership. Please guide me if there is a better way to do that, as
>> it feels that I am calling the helper multiple times instead of a single
>> time now??
>>
>>
>>
>> (There are other expected groups from child domains and parent domains, so
>> I am worried: won't it affect the performance?)
>>
>>
>> acl ldap_group_check1 external g1_parent
>> acl ldap_group_check2 external g2_parent
>> acl ldap_group_check3 external g2_child
>>
>>
>> ####Definition of YouTube.
>> ## The videos come from several domains
>> acl youtube_domains dstdomain .youtube.com .googlevideo.com .ytimg.com
>>
>> http_access deny ldap_group_check1 youtube_domains
>> http_access allow ldap_group_check2
>> http_access allow ldap_group_check1
>> http_access allow ldap_group_check3
>> http_access deny all
>>
>>
>>
>> As I think the squid.conf file is parsed from top to bottom and, if a related
>> statement/acl is met, it will see no further, it means that putting
>> the statements in an order where groups containing most of the users come
>> first will improve performance. Can an if-else structure be used in squid.conf,
>> and how? I am not sure??? Please guide...
>>
>>
>>
>
> I leave this to the experts to answer.
>
>>
>> Thanking you
>>
>> &
>>
>> regards,
>>
>>
>> Bilal
>>
>>
>>
>>
>
> Regards
> Markus
>
>
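How Squid walks the http_access lines quoted above, as a constructed model added here (not code from the mail or from Squid). The users and group memberships are made up, and each external_acl_type is treated as a separate helper with its own result cache, so the lookup count shows how many helper round trips a request costs before the ttl cache warms up:

```python
# Constructed model of Squid's http_access evaluation for the quoted rules
# (added example; not from the mail or from Squid). Sample users/groups are
# made up; each external_acl_type gets its own cache, as ttl=3600 implies.
EXTERNAL_TYPES = {                      # external_acl_type -> group it tests
    "g1_parent": "GROUP1@A.COM.PK",
    "g2_parent": "GROUP2@A.COM.PK",
    "g2_child": "GROUP2@A.B.COM.PK",
}
ACLS = {                                # acl name -> (type, argument)
    "ldap_group_check1": ("external", "g1_parent"),
    "ldap_group_check2": ("external", "g2_parent"),
    "ldap_group_check3": ("external", "g2_child"),
    "youtube_domains": ("dstdomain", (".youtube.com", ".googlevideo.com", ".ytimg.com")),
    "all": ("all", None),
}
HTTP_ACCESS = [                         # the quoted rules, in file order
    ("deny", ["ldap_group_check1", "youtube_domains"]),
    ("allow", ["ldap_group_check2"]),
    ("allow", ["ldap_group_check1"]),
    ("allow", ["ldap_group_check3"]),
    ("deny", ["all"]),
]
DIRECTORY = {                           # constructed sample memberships
    "alice@A.COM.PK": {"GROUP1@A.COM.PK"},
    "bob@B.A.COM.PK": {"GROUP2@A.B.COM.PK"},
    "carol@A.COM.PK": set(),
}

def evaluate(user, host, cache=None):
    """Return (verdict, helper_lookups). Lines are tried top to bottom, every
    ACL on a line must match, the first matching line decides, and a request
    matching no line gets the opposite of the last line's action."""
    cache = {} if cache is None else cache          # (ext_type, user) -> bool
    lookups = 0
    def acl_matches(name):
        nonlocal lookups
        kind, arg = ACLS[name]
        if kind == "all":
            return True
        if kind == "dstdomain":                     # .x.com matches x.com and *.x.com
            return any(host == d[1:] or host.endswith(d) for d in arg)
        key = (arg, user)
        if key not in cache:                        # miss: one round trip to that helper
            lookups += 1
            cache[key] = EXTERNAL_TYPES[arg] in DIRECTORY.get(user, set())
        return cache[key]
    for action, names in HTTP_ACCESS:               # stop at the first non-matching ACL
        if all(acl_matches(n) for n in names):
            return action, lookups
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), lookups
```

A child-domain user who only matches the fourth line costs three helper lookups on a cold cache; reusing the same cache dict for a second request from that user costs none, which is the effect the ttl settings have in Squid.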
Received on Tue Apr 27 2010 - 06:07:57 MDT