Squid-kerberos: Unterschied zwischen den Versionen

 
(25 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=als ads client aufnehmen=
 +
zuerst als client aufnehemen
 +
https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
 
=msktutils=
 
=msktutils=
 
*apt-get install msktutil
 
*apt-get install msktutil
 +
*[[Was mach mskutil]]
  
 
=create computeraccount and a local keytab=
 
=create computeraccount and a local keytab=
 
*kinit administrator
 
*kinit administrator
PROXY="lang.linuggs.lan"
+
*msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
DN="douglas.linuggs.lan"
+
*chown proxy:proxy /etc/squid/krb5.keytab
*msktutil -c -b "CN=Computers" -s HTTP/$PROXY -k /etc/squid/PROXY.keytab --computer-name PROXYSRV-HTTP --upn HTTP/$PROXY --server $DN -N
 
chown proxy.proxy /etc/squid3/PROXY.keytab
 
  
=/etc/default/squid3=
+
=Kerberos Ticket update=
  KRB5_KTNAME=/etc/squid3/PROXY.keytab
+
*msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N
  export KRB5_KTNAME
 
= /etc/squid/squid.conf =
 
<pre>
 
coredump_dir /var/spool/squid3
 
refresh_pattern ^ftp:          1440    20%    10080
 
refresh_pattern ^gopher:        1440    0%      1440
 
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
 
refresh_pattern (Release|Packages(.gz)*)$      0      20%    2880
 
refresh_pattern .               0      20%    4320
 
access_log /var/log/squid/access.log squid
 
  
dns_v4_first on
+
=Crontab=
 +
*echo "0 4  *  *  * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N"  | crontab
  
# iptables command ...
+
=/etc/default/squid3=
#iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 80 --to 192.168.240.100:3128
+
*systemctl edit squid
http_port 3128
+
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
http_port 3129 transparent
 
#####
 
  
 +
= /etc/squid/squid.conf =
 +
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
 +
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
 +
acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
 +
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
 +
acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
 +
acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
 +
acl localnet src fc00::/7              # RFC 4193 local private network range
 +
acl localnet src fe80::/10            # RFC 4291 link-local (directly plugged) machines
 +
acl SSL_ports port 443
 +
acl Safe_ports port 80        # http
 +
acl Safe_ports port 21        # ftp
 +
acl Safe_ports port 443                # https
 +
acl Safe_ports port 70        # gopher
 +
acl Safe_ports port 210                # wais
 +
acl Safe_ports port 1025-65535 # unregistered ports
 +
acl Safe_ports port 280                # http-mgmt
 +
acl Safe_ports port 488                # gss-http
 +
acl Safe_ports port 591                # filemaker
 +
acl Safe_ports port 777                # multiling http
 +
'''auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d'''
 +
'''auth_param negotiate children 1000'''
 +
'''auth_param negotiate keep_alive on'''
 +
'''acl auth proxy_auth REQUIRED'''
 +
'''http_access deny !auth'''
 +
'''http_access allow auth'''
 +
http_access deny !Safe_ports
 +
http_access deny CONNECT !SSL_ports
 +
http_access allow localhost manager
 +
http_access deny manager
 +
include /etc/squid/conf.d/*.conf
 +
http_access allow localhost
 +
http_access deny all
 +
http_port 3128
 +
coredump_dir /var/spool/squid
 +
refresh_pattern ^ftp:          1440    20%    10080
 +
refresh_pattern ^gopher:      1440    0%      1440
 +
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
 +
refresh_pattern .              0      20%    4320
  
#cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
+
=restart=
 
+
*systemctl restart squid
 
 
#auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=xinux,dc=de" -f "uid=%s" -h 127.0.0.1
 
#auth_param basic children 50
 
#auth_param basic realm Web-Proxy
 
#auth_param basic credentialsttl 1 minute
 
#auth_param basic casesensitive off
 
  
 
+
=Auf dem Client=
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth  -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME
+
  Bitte beim Client den Namen in die Proxy Konfiguration eintragen.
auth_param negotiate children 10
 
auth_param negotiate keep_alive off
 
 
 
 
 
####
 
acl auth proxy_auth REQUIRED
 
acl xinux src 192.168.240.0/20
 
acl thomas src 192.168.244.0/24
 
acl localhost src 127.0.0.1/32
 
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
 
acl SSL_ports port 443
 
acl Safe_ports port 80          # http
 
acl Safe_ports port 21          # ftp
 
acl Safe_ports port 443        # https
 
acl Safe_ports port 70          # gopher
 
acl Safe_ports port 210        # wais
 
acl Safe_ports port 1025-65535  # unregistered ports
 
acl Safe_ports port 280        # http-mgmt
 
acl Safe_ports port 488        # gss-http
 
acl Safe_ports port 591        # filemaker
 
acl Safe_ports port 777        # multiling http
 
acl boese_seiten url_regex  "/etc/squid3/boese_seiten"
 
acl CONNECT method CONNECT
 
 
 
 
 
##http_access allow xinux_users
 
#http_access allow xinux !boese_seiten
 
#http_access allow manager localhost
 
 
 
http_access allow all auth
 
http_access deny manager
 
http_access deny !Safe_ports
 
http_access deny CONNECT !SSL_ports
 
http_access allow localhost
 
http_access deny all
 
#never_direct allow all
 
</pre>
 
 
 
=restart=
 
service squid3 start
 
=client Machine=
 
  Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address.
 
  
 
=debugging=
 
=debugging=
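Review bot: In the new squid.conf block, `http_access allow auth` (the bold line right after `http_access deny !auth`) is evaluated before `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`; Squid stops at the first matching http_access line, so any authenticated user bypasses both port restrictions and can CONNECT to arbitrary TCP ports through the proxy (the old config had the same ordering, so the revision does not fix it). Move the two deny lines and the manager rules above `http_access deny !auth` so they apply regardless of authentication. The helper line `negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d` keeps debug output on, which is very verbose in cache.log and should be dropped once authentication works. The crontab step `echo "0 4 * * * msktutil ..." | crontab` replaces root's entire crontab instead of appending; use `(crontab -l 2>/dev/null; echo "0 4 * * * msktutil ...") | crontab -`. After `chown proxy:proxy /etc/squid/krb5.keytab` also `chmod 600` the keytab, since it holds the HTTP/ service key and must not be readable by other local users.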

Aktuelle Version vom 7. Oktober 2024, 14:09 Uhr

als ads client aufnehmen

zuerst den Proxy-Host als AD-Client aufnehmen: https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf

msktutils

create computeraccount and a local keytab

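  • kinit administrator   # ticket for an account that may create computer objects below CN=Computers
  • msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
  • chown proxy:proxy /etc/squid/krb5.keytab
  • chmod 600 /etc/squid/krb5.keytab   # the keytab holds the HTTP/ service key; only the user squid runs as may read it
  • kdestroy   # drop the administrator ticket once the account and keytab exist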

Kerberos Ticket update

  • msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N   # NOTE(review): presumably renews the computer-account password and keytab when due (see msktutil(1)); same command as the cron job below

Crontab

  • echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab

systemd-Drop-in (ersetzt /etc/default/squid3)

  • systemctl edit squid
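# drop-in written by "systemctl edit squid": systemd accepts settings only below a
# section header, so Environment= has to sit under [Service] or it is ignored
[Service]
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"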

/etc/squid/squid.conf

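# /etc/squid/squid.conf -- forward proxy with Kerberos (Negotiate) authentication.
# http_access is evaluated top-down and Squid stops at the first matching line,
# so the unconditional denies (unsafe ports, CONNECT to non-TLS ports, cache
# manager) must come before the blanket "allow auth"; otherwise any authenticated
# user could CONNECT to arbitrary TCP ports through the proxy.
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
acl localnet src fc00::/7              # RFC 4193 local private network range
acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
# note: localnet is defined but not referenced by any http_access line below
acl SSL_ports port 443
acl Safe_ports port 80         # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70         # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
# Kerberos helper; -k names the keytab created with msktutil (keep it readable by
# the squid user only). -d turns on verbose debug output in cache.log -- remove it
# once authentication works.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d
auth_param negotiate children 1000
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
# unconditional denies first: apply to everyone, authenticated or not
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# cache manager only from the proxy host itself
http_access allow localhost manager
http_access deny manager
# everything else requires a valid Kerberos ticket
http_access deny !auth
http_access allow auth
include /etc/squid/conf.d/*.conf
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:          1440    20%     10080
refresh_pattern ^gopher:       1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
refresh_pattern .              0       20%     4320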

restart

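  • squid -k parse && systemctl restart squid   # validate squid.conf first; a restart with a broken config takes the proxy down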

Auf dem Client

Bitte beim Client den vollständigen Hostnamen des Proxys (hier proxy.lab34.linuggs.de, Port 3128) in die Proxy-Konfiguration eintragen – nicht die IP-Adresse, da der Kerberos-Dienstname HTTP/proxy.lab34.linuggs.de zum eingetragenen Namen passen muss.

debugging

sources