Squid-kerberos: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (8 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 8: | Zeile 8: | ||
=create computeraccount and a local keytab= | =create computeraccount and a local keytab= | ||
*kinit administrator | *kinit administrator | ||
| − | *msktutil -c -b "CN=Computers" -s HTTP/lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/lab34.linuggs.de --server win2022.lab34.linuggs.de -N | + | *msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N |
*chown proxy:proxy /etc/squid/krb5.keytab | *chown proxy:proxy /etc/squid/krb5.keytab | ||
=Kerberos Ticket update= | =Kerberos Ticket update= | ||
| − | *msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/lab34.linuggs.de -k /etc/squid/krb5.keytab -N | + | *msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N |
=Crontab= | =Crontab= | ||
| − | *echo "0 4 * * * msktutil --auto-update | + | *echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab |
=/etc/default/squid3= | =/etc/default/squid3= | ||
| Zeile 22: | Zeile 22: | ||
= /etc/squid/squid.conf = | = /etc/squid/squid.conf = | ||
| − | + | acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) | |
| − | acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) | + | acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) |
| − | acl localnet src 10.0.0.0/8 | + | acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) |
| − | acl localnet src 100.64.0.0/10 | + | acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines |
| − | acl localnet src 169.254.0.0/16 | + | acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) |
| − | acl localnet src 172.16.0.0/12 | + | acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) |
| − | acl localnet src 192.168.0.0/16 | + | acl localnet src fc00::/7 # RFC 4193 local private network range |
| − | acl localnet src fc00::/7 | + | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines |
| − | acl localnet src fe80::/10 | + | acl SSL_ports port 443 |
| − | acl SSL_ports port 443 | + | acl Safe_ports port 80 # http |
| − | acl Safe_ports port 80 | + | acl Safe_ports port 21 # ftp |
| − | acl Safe_ports port 21 | + | acl Safe_ports port 443 # https |
| − | acl Safe_ports port 443 | + | acl Safe_ports port 70 # gopher |
| − | acl Safe_ports port 70 | + | acl Safe_ports port 210 # wais |
| − | acl Safe_ports port 210 | + | acl Safe_ports port 1025-65535 # unregistered ports |
| − | acl Safe_ports port 1025-65535 # unregistered ports | + | acl Safe_ports port 280 # http-mgmt |
| − | acl Safe_ports port 280 | + | acl Safe_ports port 488 # gss-http |
| − | acl Safe_ports port 488 | + | acl Safe_ports port 591 # filemaker |
| − | acl Safe_ports port 591 | + | acl Safe_ports port 777 # multiling http |
| − | acl Safe_ports port 777 | + | '''auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d''' |
| − | + | '''auth_param negotiate children 1000''' | |
| − | + | '''auth_param negotiate keep_alive on''' | |
| − | + | '''acl auth proxy_auth REQUIRED''' | |
| − | + | '''http_access deny !auth''' | |
| − | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth | + | '''http_access allow auth''' |
| − | auth_param negotiate children | + | http_access deny !Safe_ports |
| − | auth_param negotiate keep_alive | + | http_access deny CONNECT !SSL_ports |
| − | acl auth proxy_auth REQUIRED | + | http_access allow localhost manager |
| − | http_access allow auth | + | http_access deny manager |
| − | include /etc/squid/conf.d/*.conf | + | include /etc/squid/conf.d/*.conf |
| − | http_access allow localhost | + | http_access allow localhost |
| − | http_access deny all | + | http_access deny all |
| − | http_port 3128 | + | http_port 3128 |
| − | coredump_dir /var/spool/squid | + | coredump_dir /var/spool/squid |
| − | refresh_pattern ^ftp: | + | refresh_pattern ^ftp: 1440 20% 10080 |
| − | refresh_pattern ^gopher: 1440 0% 1440 | + | refresh_pattern ^gopher: 1440 0% 1440 |
| − | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
| − | refresh_pattern . | + | refresh_pattern . 0 20% 4320 |
| − | |||
=restart= | =restart= | ||
| − | + | *systemctl restart squid | |
| − | = | + | =Auf dem Client= |
| − | + | Bitte beim Client den Namen in die Proxy Konfiguration eintragen. | |
=debugging= | =debugging= | ||
Aktuelle Version vom 7. Oktober 2024, 14:09 Uhr
als ads client aufnehmen
zuerst als client aufnehemen https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
msktutils
- apt-get install msktutil
- Was mach mskutil
create computeraccount and a local keytab
- kinit administrator
- msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
- chown proxy:proxy /etc/squid/krb5.keytab
Kerberos Ticket update
- msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N
Crontab
- echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab
/etc/default/squid3
- systemctl edit squid
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
/etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d auth_param negotiate children 1000 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access deny !auth http_access allow auth http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager include /etc/squid/conf.d/*.conf http_access allow localhost http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
restart
- systemctl restart squid
Auf dem Client
Bitte beim Client den Namen in die Proxy Konfiguration eintragen.
debugging
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp