"Mark deJong" <dejo...@gmail.com> wrote in message news:aanlktimpw4vgdf536suz0inbx8nwax-o_bvljjytr...@mail.gmail.com...
Hello,
I'm having some issues with squid_kerb_ldap in its handling of SPNs in
the specified keytab file. I'm hoping I'm just missing something.

I have a Windows Forest with multiple child domains, all trusting each
other. I'd like to have one SPN authorize users for all of the child
domains and not have to set up a user account in each domain tied to
a dedicated SPN for that domain. From previous posts that seems to be
the only solution when squid_kerberos_ldap looks for the user's realm
and matches that realm with one in the keytab file.

Is there not an argument like the one squid_kerb_auth has ("-s <SPN>")
where I can specify exactly which SPN to use to bind to LDAP? Is there
another way? I read about setting [capaths] in krb5.conf but that
doesn't seem to help much.


If you have trust between domains squid_kerb_ldap tries to find the right keytab entry. If you run squid_kerb_ldap with -d you should see something like below. I have an OpenSuse kdc and a Windows kdc which trust each other, and I have a keytab with only keys for SUSE.HOME. squid_kerb_ldap first checks for a matching entry; if it doesn't find one, it tests whether there is trust between the user domain and the keytab entries, which is then used to authenticate squid to the user's domain for the group lookup.

2009/08/01 15:44:21| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== m...@win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Got User: mm Domain: WIN2003R2.HOME
2009/08/01 15:44:21| squid_kerb_ldap: User domain loop: gr...@domain SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Default domain loop: gr...@domain SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Found gr...@domain SQUID_ALLOW@
2009/08/01 15:44:21| squid_kerb_ldap: Setup Kerberos credential cache
2009/08/01 15:44:21| squid_kerb_ldap: Get default keytab file name
2009/08/01 15:44:21| squid_kerb_ldap: Got default keytab file name /etc/squid/squid.keytab
2009/08/01 15:44:21| squid_kerb_ldap: Get principal name from keytab /etc/squid/squid.keytab
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has realm name: SUSE.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_20587
2009/08/01 15:44:21| squid_kerb_ldap: Did not find a principal in keytab for domain WIN2003R2.HOME.
2009/08/01 15:44:21| squid_kerb_ldap: Try to get principal of trusted domain.
2009/08/01 15:44:21| squid_kerb_ldap: Keytab entry has principal: HTTP/opensuse11.suse.h...@suse.home
2009/08/01 15:44:21| squid_kerb_ldap: Found trusted principal name: HTTP/opensuse11.suse.h...@suse.home
2009/08/01 15:44:21| squid_kerb_ldap: Got principal name HTTP/opensuse11.suse.h...@suse.home
2009/08/01 15:44:21| squid_kerb_ldap: Stored credentials
2009/08/01 15:44:21| squid_kerb_ldap: Initialise ldap connection
2009/08/01 15:44:21| squid_kerb_ldap: Canonicalise ldap server name for domain WIN2003R2.HOME
2009/08/01 15:44:21| squid_kerb_ldap: Resolved SRV _ldap._tcp.WIN2003R2.HOME record to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 1 of WIN2003R2.HOME to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 2 of WIN2003R2.HOME to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Resolved address 3 of WIN2003R2.HOME to w2k3r2.win2003r2.home
2009/08/01 15:44:21| squid_kerb_ldap: Sorted ldap server names for domain WIN2003R2.HOME:
2009/08/01 15:44:21| squid_kerb_ldap: Host: w2k3r2.win2003r2.home Port: 389 Priority: 0 Weight: 0
2009/08/01 15:44:21| squid_kerb_ldap: Setting up connection to ldap server w2k3r2.win2003r2.home:389


Does this help? Can you send me your -d output?

Any help is much appreciated!!!

Sincerely,
M deJong


I tried to cover as many use cases as possible, as automated as possible. But there might be some cases I do not cover (yet ;-)). Any feedback for improvements is appreciated.

Regards
Markus
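As an added illustration (not code from squid_kerb_ldap or from either poster), a small Python model of the selection order Markus describes above, with a helper that reads -d output to show which path was taken. The keytab principal names and the trust map are constructed, and the trust map only stands in for the real cross-realm check.

```python
import re

def realm_of(principal: str) -> str:
    """Realm part of user@REALM or service/host@REALM, upper-cased."""
    return principal.rsplit("@", 1)[-1].upper()

def select_principal(user_domain, keytab_principals, trusts):
    """Keytab principal squid_kerb_ldap would bind with, and how it was found:
    own-realm entry first ("direct"), then an entry whose realm trusts the
    user's realm ("trusted"), else (None, "none") and no group lookup."""
    user_domain = user_domain.upper()
    for p in keytab_principals:
        if realm_of(p) == user_domain:
            return p, "direct"
    for p in keytab_principals:
        # 'trusts' is a constructed map standing in for the real cross-realm test
        if user_domain in trusts.get(realm_of(p), ()):
            return p, "trusted"
    return None, "none"

LOG_RE = re.compile(r"squid_kerb_ldap: (.*)$")

def lookup_path_from_log(lines):
    """Read -d output and report which principal was used and how it was found."""
    principal, path = None, "none"
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Try to get principal of trusted domain"):
            path = "trusted"
        elif msg.startswith("Got principal name "):
            principal = msg[len("Got principal name "):]
            if path == "none":
                path = "direct"
    return principal, path

# Constructed sample data: keytab holds only SUSE.HOME keys; SUSE.HOME trusts WIN2003R2.HOME.
KEYTAB = ["HTTP/proxy.suse.home@SUSE.HOME", "host/proxy.suse.home@SUSE.HOME"]
TRUSTS = {"SUSE.HOME": {"WIN2003R2.HOME"}}
SAMPLE_LOG = [
    "2009/08/01 15:44:21| squid_kerb_ldap: Got User: mm Domain: WIN2003R2.HOME",
    "2009/08/01 15:44:21| squid_kerb_ldap: Did not find a principal in keytab for domain WIN2003R2.HOME.",
    "2009/08/01 15:44:21| squid_kerb_ldap: Try to get principal of trusted domain.",
    "2009/08/01 15:44:21| squid_kerb_ldap: Got principal name HTTP/proxy.suse.home@SUSE.HOME",
]
```

Running lookup_path_from_log over your own -d output tells you at a glance whether the bind used a same-realm key or fell back to a trusted-realm one.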
