>>> Rolf Loudon <[email protected]> 12/06/10 7:46 PM >>> 
>Hello
>
>I've done this but against AD.  As far as I can see the squid helpers 
>squid_kerb_auth and squidkerb_ldap are not AD specific and implement pure 
>kerberos authentication.  The former comes with squid 2.7 but getting the 
>latest and compiling provides a few extra features (like the -r switch, which 
>I like).  You will need these helpers and you will need to create a service 
>principal. 
>
>http://squidkerbauth.sourceforge.net/  is where the files are.
>
>Markus Moeller is the author of these helpers and is very helpful - and is 
>active on this list.
>
>I found this helpful 
>http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
>
>regards
>
>rolf.



Thanks Rolf,

I'd already downloaded the latest squidkerbauth 1.0.7 from sourceforge and 
compiled it.  Mostly just to test with squid_kerb_auth_test since it wasn't 
included in the binary package for CentOS I used.  Squid was compiled with all 
the required helpers though I believe:

Squid Cache: Version 2.7.STABLE9
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' 
'--enable-snmp' '--enable-removal-policies=heap,lru' 
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' 
'--with-openssl=/usr/kerberos' '--enable-delay-pools' 
'--enable-linux-netfilter' '--with-pthreads' 
'--enable-ntlm-auth-helpers=SMB,fakeauth' 
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-digest-auth-helpers=password' '--enable-useragent-log' 
'--enable-referer-log' '--disable-dependency-tracking' 
'--enable-cachemgr-hostname=localhost' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
 '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' 
'--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' 
'--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie'

I've actually loosely followed the link you provided for Klaubert's guide 
setting this up.  Also referenced the guide on the wiki here: 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos  The one 
thread in the mailing list archives closest to what I'm trying to do was 
this one: http://www.squid-cache.org/mail-archive/squid-users/201009/0405.html 
I've added an HTTP service principal to the KDC on the Mac server but nothing 
else.  Hopefully I exported the keytab and copied it to the squid server 
correctly since I couldn't find any documentation specific for that.  I'm sure 
I've missed a step somewhere here or there that was implied or I've hosed 
something making changes along the way.  I'm at a loss now as to what to look 
for or change.  

Best Regards,
Rob





----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
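Rolf's reply says the helpers need a service principal, and Rob is unsure whether the keytab he exported and copied over is right. The script below is an added example for this thread (not code from Squid, squidkerbauth, or either poster): it parses the MIT keytab file format (version 0x0502, the format MIT, Heimdal and Apple's Kerberos write), lists the principals it contains, and reports the two things that most often break a Negotiate helper: no entry for HTTP/<proxy-fqdn>@REALM, or a key version number (kvno) that no longer matches the KDC. The host proxy.example.com, the realm EXAMPLE.COM, the kvno values and the key bytes are all constructed sample data.

```python
"""Sanity-check a Kerberos keytab before pointing squid_kerb_auth at it.
Parses the 0x0502 keytab format; the sample keytab at the bottom is built
here from made-up keys for a hypothetical proxy host and realm."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(data, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab (first bytes must be 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        # name_type (present in v2), 32-bit timestamp, 8-bit vno
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip over the key bytes themselves
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(data, expected_principal, kdc_kvno=None):
    """Return a list of problems; an empty list means the keytab looks usable for that SPN."""
    entries = parse_keytab(data)
    hits = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not hits:
        problems.append("no entry for %s; keytab holds: %s"
                        % (expected_principal, sorted({e["principal"] for e in entries})))
        return problems
    newest = max(e["kvno"] for e in hits)
    if kdc_kvno is not None and newest != kdc_kvno:
        problems.append("newest kvno in keytab is %d but KDC has %d; re-export the keytab"
                        % (newest, kdc_kvno))
    for e in hits:
        if e["enctype"] in (1, 3):        # single DES is disabled by default in current KDCs
            problems.append("%s entry uses weak enctype %s"
                            % (e["principal"], ENCTYPE_NAMES[e["enctype"]]))
    return problems


# --- constructed sample data: hypothetical host and realm, made-up key bytes ---

def _cstr(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a 0x0502 keytab from (principal, kvno, enctype, key) tuples (sample data only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.example.com@EXAMPLE.COM", 2, 23, b"\x11" * 16),  # older key, still kept
    ("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32),  # current key
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/proxy.example.com@EXAMPLE.COM", kdc_kvno=3))
```

To use it on a real file, read the keytab squid_kerb_auth is given (the path squid runs the helper with) into `data` and call `check_keytab(data, "HTTP/<fqdn clients use for the proxy>@<REALM>", kdc_kvno=<kvno reported by the KDC>)`; the principal name must match the proxy's forward DNS name exactly, since that is the name browsers request a ticket for.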


