Squid-kerberos: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (46 dazwischenliegende Versionen von 5 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| + | =als ads client aufnehmen= | ||
| + | zuerst als client aufnehemen | ||
| + | https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf | ||
| + | =msktutils= | ||
| + | *apt-get install msktutil | ||
| + | *[[Was mach mskutil]] | ||
| + | |||
| + | =create computeraccount and a local keytab= | ||
| + | *kinit administrator | ||
| + | *msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N | ||
| + | *chown proxy:proxy /etc/squid/krb5.keytab | ||
| + | |||
| + | =Kerberos Ticket update= | ||
| + | *msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N | ||
| + | |||
| + | =Crontab= | ||
| + | *echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab | ||
| + | |||
| + | =/etc/default/squid3= | ||
| + | *systemctl edit squid | ||
| + | Environment="KRB5_KTNAME=/etc/squid/krb5.keytab" | ||
| + | |||
| + | = /etc/squid/squid.conf = | ||
| + | acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) | ||
| + | acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) | ||
| + | acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines | ||
| + | acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src fc00::/7 # RFC 4193 local private network range | ||
| + | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines | ||
| + | acl SSL_ports port 443 | ||
| + | acl Safe_ports port 80 # http | ||
| + | acl Safe_ports port 21 # ftp | ||
| + | acl Safe_ports port 443 # https | ||
| + | acl Safe_ports port 70 # gopher | ||
| + | acl Safe_ports port 210 # wais | ||
| + | acl Safe_ports port 1025-65535 # unregistered ports | ||
| + | acl Safe_ports port 280 # http-mgmt | ||
| + | acl Safe_ports port 488 # gss-http | ||
| + | acl Safe_ports port 591 # filemaker | ||
| + | acl Safe_ports port 777 # multiling http | ||
| + | '''auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d''' | ||
| + | '''auth_param negotiate children 1000''' | ||
| + | '''auth_param negotiate keep_alive on''' | ||
| + | '''acl auth proxy_auth REQUIRED''' | ||
| + | '''http_access deny !auth''' | ||
| + | '''http_access allow auth''' | ||
| + | http_access deny !Safe_ports | ||
| + | http_access deny CONNECT !SSL_ports | ||
| + | http_access allow localhost manager | ||
| + | http_access deny manager | ||
| + | include /etc/squid/conf.d/*.conf | ||
| + | http_access allow localhost | ||
| + | http_access deny all | ||
| + | http_port 3128 | ||
| + | coredump_dir /var/spool/squid | ||
| + | refresh_pattern ^ftp: 1440 20% 10080 | ||
| + | refresh_pattern ^gopher: 1440 0% 1440 | ||
| + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
| + | refresh_pattern . 0 20% 4320 | ||
| + | |||
| + | =restart= | ||
| + | *systemctl restart squid | ||
| + | |||
| + | =Auf dem Client= | ||
| + | Bitte beim Client den Namen in die Proxy Konfiguration eintragen. | ||
| + | |||
| + | =debugging= | ||
| + | |||
| + | *http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html | ||
| + | =sources= | ||
*http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html | *http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html | ||
*http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory | *http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory | ||
| + | *http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise | ||
| + | *http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html | ||
| + | *http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp | ||
Aktuelle Version vom 7. Oktober 2024, 14:09 Uhr
als ads client aufnehmen
zuerst als client aufnehemen https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf
msktutils
- apt-get install msktutil
- Was mach mskutil
create computeraccount and a local keytab
- kinit administrator
- msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
- chown proxy:proxy /etc/squid/krb5.keytab
Kerberos Ticket update
- msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N
Crontab
- echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab
/etc/default/squid3
- systemctl edit squid
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
/etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d auth_param negotiate children 1000 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access deny !auth http_access allow auth http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager include /etc/squid/conf.d/*.conf http_access allow localhost http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
restart
- systemctl restart squid
Auf dem Client
Bitte beim Client den Namen in die Proxy Konfiguration eintragen.
debugging
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp