LAB Linux in heterogenen Netzen Squid KERBEROS: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 76: | Zeile 76: | ||
</pre> | </pre> | ||
| − | == | + | =msktutils= |
| − | + | *apt-get install msktutil | |
| − | * | + | *[[Was mach mskutil]] |
| − | |||
| − | === | + | =create computeraccount and a local keytab= |
| − | + | *kinit administrator | |
| − | + | *msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N | |
| − | + | *chown proxy:proxy /etc/squid/krb5.keytab | |
| − | * | ||
| − | + | =Kerberos Ticket update= | |
| − | + | *msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N | |
| − | |||
| − | |||
| − | + | =Crontab= | |
| + | *echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab | ||
| − | + | =/etc/default/squid3= | |
| − | + | *systemctl edit squid | |
| − | + | Environment="KRB5_KTNAME=/etc/squid/krb5.keytab" | |
| − | + | = /etc/squid/squid.conf = | |
| + | acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) | ||
| + | acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) | ||
| + | acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines | ||
| + | acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) | ||
| + | acl localnet src fc00::/7 # RFC 4193 local private network range | ||
| + | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines | ||
| + | acl SSL_ports port 443 | ||
| + | acl Safe_ports port 80 # http | ||
| + | acl Safe_ports port 21 # ftp | ||
| + | acl Safe_ports port 443 # https | ||
| + | acl Safe_ports port 70 # gopher | ||
| + | acl Safe_ports port 210 # wais | ||
| + | acl Safe_ports port 1025-65535 # unregistered ports | ||
| + | acl Safe_ports port 280 # http-mgmt | ||
| + | acl Safe_ports port 488 # gss-http | ||
| + | acl Safe_ports port 591 # filemaker | ||
| + | acl Safe_ports port 777 # multiling http | ||
| + | '''auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d''' | ||
| + | '''auth_param negotiate children 1000''' | ||
| + | '''auth_param negotiate keep_alive on''' | ||
| + | '''acl auth proxy_auth REQUIRED''' | ||
| + | '''http_access deny !auth''' | ||
| + | '''http_access allow auth''' | ||
| + | http_access deny !Safe_ports | ||
| + | http_access deny CONNECT !SSL_ports | ||
| + | http_access allow localhost manager | ||
| + | http_access deny manager | ||
| + | include /etc/squid/conf.d/*.conf | ||
| + | http_access allow localhost | ||
| + | http_access deny all | ||
| + | http_port 3128 | ||
| + | coredump_dir /var/spool/squid | ||
| + | refresh_pattern ^ftp: 1440 20% 10080 | ||
| + | refresh_pattern ^gopher: 1440 0% 1440 | ||
| + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
| + | refresh_pattern . 0 20% 4320 | ||
| − | == | + | =restart= |
| − | + | *systemctl restart squid | |
| − | * | ||
| − | = | + | =Auf dem Client= |
| − | + | Bitte beim Client den Namen in die Proxy Konfiguration eintragen. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Version vom 7. Oktober 2024, 14:45 Uhr
Ziel
- Wir wollen Proxy Server aufsetzen
- Dieser soll in der AD registriert sein
- Die Anbindung soll auch über Kerberos erfolgen
- Nur an der Domain angemeldete Benutzer sollen Squid nutzen dürfen-
Aus dem Debian Template einen Klon erstellen
- Name: proxy
- Netz: dmz
- HOSTS: proxy.lab34.linuggs.de
- IPv4: 172.26.55.15/24
- GWv4: 172.26.55.1
- NSv4: 172.26.54.2
- DOM: proxy.linuggs.de
- HOSTS: mail.lab34.linuggs.de
- IPv6: 2a02:24d8:71:3037::15/64
- GWv6: 2a02:24d8:71:3037::1
- NSv6: 2a02:24d8:71:3036::2
- DOM: lab34.linuggs.de
Auf dem DC
- A-Record und AAAA-Record anlegen
- PTR erzeugen lassen
Integration des Proxy-Servers in die Active Directory-Domäne mit Samba und Realm
Installation der erforderlichen Pakete
Installieren Sie die erforderlichen Pakete auf dem Proxy-Server:
- sudo apt update
- sudo apt install sssd realmd adcli packagekit krb5-user squid
Konfiguration von Samba
Bearbeiten Sie die Samba-Konfigurationsdatei /etc/samba/smb.conf:
- sudo nano /etc/samba/smb.conf
Fügen Sie die folgenden Zeilen hinzu oder passen Sie die Datei entsprechend an:
[global] workgroup = LAB34 realm = LAB34.LINUGGS.DE security = ADS kerberos method = secrets and keytab log file = /var/log/samba/%m.log max log size = 50
Beitritt zur Active Directory-Domäne
Verwenden Sie den realm-Befehl, um den Proxy-Server der AD-Domäne beizutreten:
- sudo realm join --user=Administrator LAB34.LINUGGS.DE
SSSD konfigurieren
Füge folgendes noch zur Konfiguration ändern
- vi /etc/sssd/sssd.conf
use_fully_qualified_names = False enumerate = true
Kerberos-Konfiguration
Überprüfen Sie die Kerberos-Konfigurationsdatei /etc/krb5.conf:
- sudo nano /etc/krb5.conf
Stellen Sie sicher, dass die Datei wie folgt aussieht:
[libdefaults]
default_realm = LAB34.LINUGGS.DE
dns_lookup_realm = true
dns_lookup_kdc = true
LAB34.LINUGGS.DE = {
kdc = win2022.lab34.linuggs.de
admin_server = win2022.lab34.linuggs.de
}
[domain_realm]
.lab34.linuggs.de = LAB34.LINUGGS.DE
lab34.linuggs.de = LAB34.LINUGGS.DE
msktutils
- apt-get install msktutil
- Was mach mskutil
create computeraccount and a local keytab
- kinit administrator
- msktutil -c -b "CN=Computers" -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab --computer-name proxy --upn HTTP/proxy.lab34.linuggs.de --server win2022.lab34.linuggs.de -N
- chown proxy:proxy /etc/squid/krb5.keytab
Kerberos Ticket update
- msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N
Crontab
- echo "0 4 * * * msktutil --auto-update --computer-name proxy --server win2022.lab34.linuggs.de -s HTTP/proxy.lab34.linuggs.de -k /etc/squid/krb5.keytab -N" | crontab
/etc/default/squid3
- systemctl edit squid
Environment="KRB5_KTNAME=/etc/squid/krb5.keytab"
/etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5.keytab -d auth_param negotiate children 1000 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access deny !auth http_access allow auth http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager include /etc/squid/conf.d/*.conf http_access allow localhost http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
restart
- systemctl restart squid
Auf dem Client
Bitte beim Client den Namen in die Proxy Konfiguration eintragen.