Hi Scott,

You mean authentication and authorisation?

I think you can. I would expect you to see, instead of user@DOMAIN, a host/<fqdn>@DOMAIN, and if you add the computer account to the AD group it should authorise.

I am very curious to see it :-)

Markus


"Scott Finlon" wrote in message news:d01cdf61.36eeb%scott.fin...@scranton.edu...

Hi Markus,
Thanks for your input. I ended up completely removing everything and
recreating my key tab and it works great now.

One more question for you or the list: Is it possible to do machine based
AD auth to squid?
We have a use case here where we would want to allow a machine access to a
resource but not necessarily specifically allow the users who are logged
in to it.
Thanks again,
-Scott

Scott Finlon, CISSP GCIA GCIH
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.fin...@scranton.edu
phone : 570-941-6168
-----------------------------------

On 8/21/14, 3:20 PM, "Markus Moeller" <hua...@moeller.plus.com> wrote:

Hi Scott,

So from what I see in your first log you have a user MYUSER with a
domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
keytab but does not find any entry for MYDOMAIN in the keytab. Then
squid_kerb_ldap tries to find an entry in the keytab of a domain which
trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
MYDOMAIN and SUBDOMAIN.DOMAIN.COM.

The second log looks better, but the password stored in the keytab for
SQUIDPROXY-K$ is incorrect (Preauthentication failed).


Markus

"Scott Finlon" wrote in message news:d01b8481.36d86%scott.fin...@scranton.edu...

Hi All,


I have squid_kerb_auth working and authenticating via my key tab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
gives a Preauthentication failed error and doesn't even make it in to AD,
full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the key tab file, but it works
appropriately with kerb auth just not kerb ldap. Any ideas?
I am going to try and make a key tab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott
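The two failure modes discussed in this thread (a keytab that has no entry for the user's realm and no trusting realm to fall back to, and a base DN of dc=MYDOMAIN being derived from a bare NetBIOS name instead of the full DNS domain), together with Markus's point that a machine principal arrives as host/<fqdn>@REALM and is authorised through its computer account, are modelled below. This is an added example written for this page; it is not squid_kerb_ldap's own code, and the keytab listing, trust table, group membership and the `account_name` rule (AD computer accounts named HOSTNAME$) are constructed assumptions for illustration.

```python
"""Model of the realm / base-DN / group-membership logic a Kerberos-to-LDAP
group check helper needs. Added example, not the real squid_kerb_ldap source.
All sample data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str    # "scott" or "host/ws01.subdomain.domain.com"
    realm: str   # "SUBDOMAIN.DOMAIN.COM"

    def is_machine(self) -> bool:
        # Machine (computer) principals carry the host/ service prefix.
        return self.name.startswith("host/")


def parse_principal(text: str) -> Principal:
    """Split 'name@REALM'; the realm is case-normalised to upper case."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    return Principal(name, realm.upper())


def realm_to_base_dn(realm: str) -> str:
    """DNS-style realm -> LDAP base DN.
    'MYDOMAIN.DOMAIN.COM' -> 'dc=MYDOMAIN,dc=DOMAIN,dc=COM'.
    A bare NetBIOS name ('MYDOMAIN') yields only 'dc=MYDOMAIN', which is the
    base that produced the referral error reported in the thread."""
    return ",".join(f"dc={label}" for label in realm.split("."))


# Constructed keytab listing (principal strings as `klist -k` would show them).
SAMPLE_KEYTAB = [
    "HTTP/proxy.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM",
    "SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM",
]
# Constructed trust table: realm -> realms that trust it.
# MYDOMAIN deliberately has no entry, matching the "no trust" case.
SAMPLE_TRUSTS = {"PARTNER.EXAMPLE": ["SUBDOMAIN.DOMAIN.COM"]}


def select_keytab_realm(user_realm, keytab_principals, trusts):
    """Return the realm whose keytab credentials can be used to query the
    user's group: the user's own realm if the keytab has one, otherwise a
    realm that trusts it, otherwise None (the failure Markus describes)."""
    keytab_realms = {parse_principal(p).realm for p in keytab_principals}
    if user_realm in keytab_realms:
        return user_realm
    for trusting in trusts.get(user_realm, []):
        if trusting in keytab_realms:
            return trusting
    return None


def account_name(principal: Principal) -> str:
    """Name to match against AD group membership. Assumption: a machine
    principal host/<fqdn> maps to the computer account HOSTNAME$."""
    if principal.is_machine():
        fqdn = principal.name[len("host/"):]
        return fqdn.split(".")[0].upper() + "$"
    return principal.name


# Constructed membership of the proxy_allow group: one user, one computer.
SAMPLE_GROUP = {"scott", "WS01$"}


def is_authorised(principal_text: str, group_members) -> bool:
    """True when the authenticated principal (user or machine) is in the group."""
    return account_name(parse_principal(principal_text)) in group_members


if __name__ == "__main__":
    for realm in ("MYDOMAIN", "SUBDOMAIN.DOMAIN.COM", "PARTNER.EXAMPLE"):
        print(realm, "->", realm_to_base_dn(realm),
              "keytab realm:", select_keytab_realm(realm, SAMPLE_KEYTAB, SAMPLE_TRUSTS))
    for p in ("scott@SUBDOMAIN.DOMAIN.COM",
              "host/ws01.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM",
              "alice@SUBDOMAIN.DOMAIN.COM"):
        print(p, "authorised:", is_authorised(p, SAMPLE_GROUP))
```

Running the block prints, for each realm, the base DN it would derive and which keytab realm (if any) could serve the lookup, then the group decision for a user, a machine and an unknown user. The useful diagnostic habit it encodes: when a group check fails, first compare the realm of the principal squid received with the realms present in the keytab, then check that the base DN was built from the full DNS domain rather than the NetBIOS name.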