Squid-kerberos: Difference between revisions
Line 19:
=/etc/default/squid3=
*systemctl edit squid
− Environment="KRB5_KTNAME=/etc/
+ Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
= /etc/squid/squid.conf =
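Review bot: the completed Environment= line has no [Service] header above it in the drop-in that systemctl edit squid opens; systemd ignores an assignment outside a section, so the override should read [Service] followed by Environment="KRB5_KTNAME=/etc/squid/krb5.keytab". The value must also stay identical to the keytab msktutil writes (-k /etc/squid/krb5.keytab) and to whatever -k negotiate_kerberos_auth is given in squid.conf, because the helper's -k option sets KRB5_KTNAME itself and takes precedence over this line.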
Revision as of 7 October 2024, 13:54
Join as an AD client
First join the machine to the domain as a client: https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
msktutil
- apt-get install msktutil
- What does msktutil do? It creates the computer account in AD and a local keytab for it.
- kinit administrator
- msktutil -c -b "CN=Computers" -s HTTP/lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/lab34.linuggs.de --server win2022.lab34.linuggs.de -N
- chown proxy:proxy /etc/squid/krb5.keytab
Kerberos Ticket update
- msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/lab34.linuggs.de -k /etc/squid/krb5.keytab -N
Crontab
- echo "0 4 * * * /usr/sbin/msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab -
(crontab - reads the new table from stdin and replaces root's existing crontab; the full path is given because cron's default PATH may not include /usr/sbin)
/etc/default/squid3
- systemctl edit squid (the Environment= line must sit under a [Service] header in the drop-in, otherwise systemd ignores it)
[Service]
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
/etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d -i -s GSS_C_NO_NAME # same keytab as KRB5_KTNAME above; -k overrides the environment variable
auth_param negotiate children 10
auth_param negotiate keep_alive off
acl auth proxy_auth REQUIRED
http_access allow auth
include /etc/squid/conf.d/*.conf
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Note that localnet is defined but never used in an http_access rule, so any client that can reach port 3128 and holds a valid ticket is accepted; add http_access deny !localnet before http_access allow auth if the proxy is reachable from outside the LAN.
restart
systemctl restart squid (the unit is called squid, as in systemctl edit squid above; older releases shipped it as squid3)
Client machine
Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address: the browser asks the KDC for a service ticket for HTTP/<proxy FQDN>, and only that name matches the service principal stored in the keytab.
debugging
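As an added example (not the wiki's own code), a small POSIX sh check set for the pitfalls in this setup: the -k keytab in squid.conf must match KRB5_KTNAME in the systemd drop-in, and the keytab must be owned by proxy and contain the HTTP/<fqdn> principal. File paths are arguments, the sample files written by write_samples are constructed for offline use, and check_keytab assumes GNU stat and MIT klist on the proxy.

```shell
#!/bin/sh
# Added example, not from the wiki page: checks that the keytab paths used on
# this page agree and that the keytab itself is usable by Squid.
# Assumes the squid.conf and systemd drop-in formats shown above; file paths are
# arguments so the functions can also be run against constructed sample files.

# Keytab passed to negotiate_kerberos_auth with -k (empty if no -k is given,
# in which case the helper falls back to KRB5_KTNAME from the unit).
squid_helper_keytab() {
    sed -n 's/^auth_param negotiate program .*-k[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# KRB5_KTNAME from the systemd drop-in written by "systemctl edit squid".
unit_keytab() {
    sed -n 's/^Environment="KRB5_KTNAME=\([^"]*\)".*/\1/p' "$1"
}

# 0 when squid.conf and the drop-in name the same keytab; -k wins over the
# environment variable, so a mismatch means the drop-in value is never used.
keytabs_agree() {
    helper=$(squid_helper_keytab "$1")
    unit=$(unit_keytab "$2")
    [ -n "$unit" ] || return 1
    if [ -z "$helper" ] || [ "$helper" = "$unit" ]; then return 0; fi
    echo "mismatch: squid.conf uses $helper, unit sets $unit" >&2
    return 1
}

# Live checks on the proxy: keytab exists, is owned by proxy and not readable
# by others, and holds the HTTP/<fqdn> principal the browser will ask for.
check_keytab() {
    kt=$1; fqdn=$2
    [ -f "$kt" ] || { echo "missing keytab $kt" >&2; return 1; }
    stat -c '%U %a' "$kt" | grep -q '^proxy [0-7][0-7]0$' \
        || echo "warn: $kt should be owned by proxy and not world-readable" >&2
    klist -k "$kt" | grep -q "HTTP/$fqdn@" \
        || { echo "no HTTP/$fqdn principal in $kt" >&2; return 1; }
}

# Constructed sample files (good and bad squid.conf, drop-in) for offline use.
write_samples() {
    printf 'auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d -i -s GSS_C_NO_NAME\n' > "$1/good.conf"
    printf 'auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME\n' > "$1/bad.conf"
    printf '[Service]\nEnvironment="KRB5_KTNAME=/etc/squid/krb5.keytab"\n' > "$1/override.conf"
}
```

On the proxy itself, run keytabs_agree /etc/squid/squid.conf /etc/systemd/system/squid.service.d/override.conf followed by check_keytab /etc/squid/krb5.keytab lab34.linuggs.de.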
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp