Squid-kerberos: Unterschied zwischen den Versionen

 
(26 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=als ads client aufnehmen=
 +
zuerst als client aufnehemen
 +
https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
 
=msktutils=
 
=msktutils=
 
*apt-get install msktutil
 
*apt-get install msktutil
 +
*[[Was mach mskutil]]
  
 
=create computeraccount and a local keytab=
 
=create computeraccount and a local keytab=
 
*kinit administrator
 
*kinit administrator
PROXY="lang.linuggs.lan"
+
*msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
DN="douglas.linuggs.lan"
+
*chown proxy:proxy /etc/squid/krb5.keytab
*msktutil -c -b "CN=Computers" -s HTTP/$PROXY -k /etc/squid/PROXY.keytab --computer-name PROXYSRV-HTTP --upn HTTP/$PROXY --server $DN -N
+
 
  chown proxy.proxy /etc/squid3/PROXY.keytab
+
=Kerberos Ticket update=
 +
*msktutil --auto-update  --computer-name proxy --server win2022.lab34.linuggs.de -s  HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N
 +
 
 +
=Crontab=
 +
*echo "0 4 *  *  * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N"  | crontab
  
 
=/etc/default/squid3=
 
=/etc/default/squid3=
  KRB5_KTNAME=/etc/squid3/PROXY.keytab
+
*systemctl edit squid
export KRB5_KTNAME
+
  Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
=on the top of /etc/squid/squid.conf add =
+
 
  auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -i -s GSS_C_NO_NAME
+
= /etc/squid/squid.conf =
  auth_param negotiate children 10
+
  acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
  auth_param negotiate keep_alive on
+
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
  acl auth proxy_auth REQUIRED
+
acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
  http_access allow all auth
+
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
 +
acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
 +
acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
 +
acl localnet src fc00::/7              # RFC 4193 local private network range
 +
acl localnet src fe80::/10            # RFC 4291 link-local (directly plugged) machines
 +
acl SSL_ports port 443
 +
acl Safe_ports port 80        # http
 +
acl Safe_ports port 21        # ftp
 +
acl Safe_ports port 443                # https
 +
acl Safe_ports port 70        # gopher
 +
acl Safe_ports port 210                # wais
 +
acl Safe_ports port 1025-65535 # unregistered ports
 +
acl Safe_ports port 280                # http-mgmt
 +
acl Safe_ports port 488                # gss-http
 +
acl Safe_ports port 591                # filemaker
 +
acl Safe_ports port 777                # multiling http
 +
'''auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d'''
 +
  '''auth_param negotiate children 1000'''
 +
  '''auth_param negotiate keep_alive on'''
 +
  '''acl auth proxy_auth REQUIRED'''
 +
'''http_access deny !auth'''
 +
'''http_access allow auth'''
 +
http_access deny !Safe_ports
 +
http_access deny CONNECT !SSL_ports
 +
http_access allow localhost manager
 +
http_access deny manager
 +
include /etc/squid/conf.d/*.conf
 +
  http_access allow localhost
 +
http_access deny all
 +
http_port 3128
 +
coredump_dir /var/spool/squid
 +
refresh_pattern ^ftp:          1440    20%    10080
 +
refresh_pattern ^gopher:      1440    0%      1440
 +
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
 +
refresh_pattern .              0      20%    4320
 +
 
 
=restart=
 
=restart=
service squid3 start
+
*systemctl restart squid
=client Machine=
+
 
  Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address.
+
=Auf dem Client=
 +
  Bitte beim Client den Namen in die Proxy Konfiguration eintragen.
  
 
=debugging=
 
=debugging=
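Review bot: In the new squid.conf block the bold `http_access deny !auth` / `http_access allow auth` lines precede `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; http_access is first-match, so an authenticated client is admitted before the port and CONNECT restrictions are evaluated and those rules never apply to anyone who logs in. Move the two deny lines and the manager rules above the auth rules, and consider `http_access allow localnet auth` — `localnet` is defined in the same block but never referenced by any http_access rule. The crontab step `echo "0 4 * * * msktutil ..." | crontab` replaces the invoking user's whole crontab instead of appending; `(crontab -l 2>/dev/null; echo "0 4 * * * msktutil ...") | crontab -` keeps existing entries. The keytab step sets the owner but not the mode; confirm /etc/squid/krb5.keytab is not group- or world-readable.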

Aktuelle Version vom 7. Oktober 2024, 14:09 Uhr

als ads client aufnehmen

zuerst als client aufnehmen https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf

msktutils

create computeraccount and a local keytab

  • kinit administrator
  • msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
  • chown proxy:proxy /etc/squid/krb5.keytab

Kerberos Ticket update

  • msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N

Crontab

  • echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab

/etc/default/squid3

  • systemctl edit squid
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"

/etc/squid/squid.conf

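# Source ACLs (Squid's default set). They are referenced by the http_access
# rules below; in the earlier version they were declared but never used.
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
acl localnet src fc00::/7              # RFC 4193 local private network range
acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80         # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70         # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
# Kerberos/Negotiate helper. -k names the service keytab the helper reads;
# -d enables helper debug output (remove it once logins work).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d
auth_param negotiate children 1000
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
# http_access is evaluated first-match. The port, CONNECT and manager
# restrictions must come before the authentication rules: placed after
# "allow auth" they were never reached for an authenticated client.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*.conf
# "deny !auth" issues the 407 challenge; authenticated clients are then
# admitted only from the localnet ranges above. Drop "localnet" here if the
# proxy is meant to serve clients outside those ranges.
http_access deny !auth
http_access allow localnet auth
# Only reached by authenticated localhost requests, since "deny !auth" is above.
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:          1440    20%     10080
refresh_pattern ^gopher:       1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
refresh_pattern .              0       20%     4320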

restart

  • systemctl restart squid

Auf dem Client

Bitte beim Client den Namen in die Proxy Konfiguration eintragen.

debugging

sources