Ставим squid
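# Install Squid plus the Kerberos/GSSAPI packages its Negotiate helper needs.
# The original listing split the command over two lines without a
# continuation, which a shell would run as two separate commands.
yum install \
  cyrus-sasl-gssapi krb5-workstation krb5-devel squid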
Создаем в DNS прямую и обратную записи для хоста squid.my.dom
Cоздаем в AD
пользователя: usersquid, и группы wg_internet wg_internet_full ...
Cоздаем
кейтаб для этого пользователя:
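REM Create the service keytab for the proxy SPN and map it onto usersquid.
REM NOTE: ktpass with -pass sets a new password on the account and bumps
REM its key version (kvno); re-run it after any password change, otherwise
REM the keytab no longer matches the keys the KDC uses.
REM "-pass *" prompts for the password instead of leaving it in the command
REM line, cmd history and any console log (the original used "-pass password").
REM rc4-hmac-nt is the legacy enctype (key derived from the NT hash). Prefer
REM -crypto AES256-SHA1 once the usersquid account has "This account supports
REM Kerberos AES 256 bit encryption" enabled in AD; without that flag the KDC
REM typically issues RC4 tickets that an AES-only keytab cannot decrypt.
c:\windows\system32\ktpass -princ HTTP/squid.my.dom@MY.DOM -mapuser ^
  usersquid@MY.DOM -crypto rc4-hmac-nt -pass * -ptype KRB5_NT_PRINCIPAL ^
  -out c:\squid.my.dom.keytab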
Вызывать нужно именно c:\windows\system32\ktpass, а не просто ktpass, иначе команда завершается ошибкой (по-видимому, особенность 64-битной версии Windows — точная причина не выяснена).
Если кейтаб создан с параметром -crypto aes256-sha1, авторизация Negotiate не заработала: в логе squid — ошибка gss_accept_sec_context() (см. ниже), то есть ключ из кейтаба не совпадает с ключом, которым KDC зашифровал сервисный билет. Скорее всего, дело не в krb5.conf: у учётной записи usersquid в AD должен быть включён флаг «This account supports Kerberos AES 256 bit encryption» (атрибут msDS-SupportedEncryptionTypes), иначе контроллер домена выдаёт билеты под RC4, которые AES-кейтаб расшифровать не может. После включения флага кейтаб нужно пересоздать (ktpass меняет пароль и kvno). Оставаться на rc4-hmac-nt стоит только временно: ключ RC4 выводится из NT-хэша пароля, это слабый вариант.
2012/06/27 10:57:34| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2012/06/27 10:57:34| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
Копируем c:\squid.my.dom.keytab в каталог /etc/squid. Кейтаб — секрет, равноценный паролю usersquid, поэтому сразу ограничиваем к нему доступ: chown squid:squid /etc/squid/squid.my.dom.keytab && chmod 0400 /etc/squid/squid.my.dom.keytab (владелец — пользователь, от имени которого работает squid; на CentOS/RHEL это squid).
Добавляем в /etc/rc.d/init.d/squid:
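# Point the Kerberos library (and therefore squid_kerb_auth, which it loads)
# at the service keytab. These two lines go into /etc/rc.d/init.d/squid so the
# variable is in the daemon's environment; the original listing had the
# export line duplicated. The keytab itself must be readable only by the
# user squid runs as (owner squid, mode 0400).
KRB5_KTNAME=/etc/squid/squid.my.dom.keytab
export KRB5_KTNAME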
Правим krb5.conf
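# /etc/krb5.conf for the Squid proxy host (client of the MY.DOM AD realm).
# Changes against the original listing: the single-line dump is expanded,
# and the DES enctypes (des-cbc-crc, des-cbc-md5) are dropped from the three
# enctype lists. DES is broken and deprecated for Kerberos (RFC 6649); current
# MIT krb5 ignores it anyway unless allow_weak_crypto = true, and a 2008 R2
# DC does not issue DES keys by default. If something still needs DES, add
# it back together with allow_weak_crypto = true, knowingly.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOM
 # KDC/realm are pinned below instead of discovered via DNS SRV records.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_timesync = 1
 ticket_lifetime = 24h
 forwardable = true
 proxiable = true
 # aes256 first; rc4-hmac kept only because the keytab above was created with
 # rc4-hmac-nt — remove it once the service account and keytab are on AES.
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
 MY.DOM = {
  kdc = ad-ds-2008r2.my.dom
  admin_server = ad-ds-2008r2.my.dom
  # Same DC by address, as a fallback if name resolution fails.
  kdc = 192.168.1.9
  admin_server = 192.168.1.9
  default_domain = my.dom
 }

[domain_realm]
 .my.dom = MY.DOM
 my.dom = MY.DOM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

# Kerberos 4 settings are obsolete; kept as in the original, they are inert
# on a v5-only client.
[login]
 krb4_convert = true
 krb4_get_tickets = false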
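#
# /etc/squid/squid.conf — Negotiate (Kerberos) + LDAP-group authorization
# against AD. Expanded from the single-line dump in the original listing;
# only one directive changed (http_access deny to_localhost is now enabled,
# see below), the rest is the original configuration with reviewer comments.
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
##acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
##acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
##acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
##acl localnet src fc00::/7       # RFC 4193 local private network range
##acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# --- Negotiate (Kerberos) authentication ------------------------------------
# The helper takes its service key from the keytab named by KRB5_KTNAME,
# which is exported in the init script. Keep the "-d" (debug) variant
# commented out in production: its verbose output goes to cache.log.
#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

#######################
# Basic (username/password prompt) fallback for clients that cannot do
# Negotiate.
# SECURITY NOTES:
#  * Basic auth carries the user's password base64-encoded — effectively in
#    the clear — on every request to the proxy. Acceptable only on a trusted
#    internal network.
#  * The helper then binds to AD over plain LDAP (no TLS) with that password,
#    so it also crosses the wire to the DC in the clear. If this build of
#    squid_ldap_auth supports it, add "-Z" (StartTLS) or use an LDAPS
#    endpoint instead of "-h host".
#  * /etc/squid/authpw holds the usersquid bind password in plaintext: it must
#    be owned by the user squid runs as and be mode 0400.
#
auth_param basic program /usr/lib64/squid/squid_ldap_auth -v3 -R -D usersquid@my.dom -W /etc/squid/authpw -b "cn=users,dc=my,dc=dom" -f "sAMAccountName=%s" -h ad-ds-2008r2.my.dom
auth_param basic children 10
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 2 hours

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Protect services bound to 127.0.0.1 on the proxy host from being reached
# through the proxy (web apps that assume "localhost" means a local user).
# This was commented out in the original listing; enabled here as Squid's
# own template recommends.
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl AUTH proxy_auth REQUIRED
# mynet is only referenced by a commented-out rule below.
acl mynet src 192.168.1.0/24 192.168.32.0/20
acl client_wsus src 192.168.1.128/32 192.168.1.16/32
acl server_wsus dstdomain wsus.prov.ru

# User -> AD group membership check. The group name is supplied by the
# "external ldap_group <group>" acls below; "-K" strips the @REALM suffix
# from the Negotiate login before the sAMAccountName lookup. Same plaintext
# LDAP bind and authpw file-permission caveats as the basic helper above.
external_acl_type ldap_group ttl=1200 %LOGIN /usr/lib64/squid/squid_ldap_group -v3 -R -D usersquid@my.dom -W /etc/squid/authpw -b "dc=my,dc=dom" -f "(&(samaccountname=%v)(memberof=cn=%a,cn=users,dc=my,dc=dom))" -K -h ad-ds-2008r2.my.dom

# Hosts that are not required to authenticate
acl Auth_Not_Required src "/etc/squid/acl/auth_not_required.txt"
# Domains accessible to all PC's
##acl Open_Domains dstdomain "/etc/squid/acl/open_domains.txt"
# Hosts & domains that are denied to restricted users
##acl Banned_Hosts dst "/etc/squid/acl/banned_hosts.txt"
acl Banned_Domains dstdomain "/etc/squid/acl/banned_domains.txt"
acl Banned_URLs url_regex "/etc/squid/acl/banned_urls.txt"
acl Good_URLs url_regex "/etc/squid/acl/good_urls.txt"
acl Banned_Extensions url_regex "/etc/squid/acl/banned_extensions.txt"
acl price_URLs url_regex "/etc/squid/acl/price_URLs.txt"

# Full access
acl Access_Full external ldap_group wg_internet_full
# Restricted access
acl Access_Restricted external ldap_group wg_internet
# Restricted access Price URLs only
acl Access_Restricted_Price external ldap_group wg_internet_price

#######################
# Domains free to all users without needing to authenticate.
##http_access allow Open_Domains

# Hosts allowed through without authentication (usually automation hosts
# performing automated downloads and without a Novell client).
# This is trust by source IP alone: anything that obtains one of these
# addresses (DHCP reuse, spoofing on the same segment) gets unauthenticated
# access, and because this rule comes first these hosts also bypass the
# Banned_* rules below. Keep the list short and use static/reserved addresses.
http_access allow Auth_Not_Required

# Allow LAN WSUS clients to reach the provider's WSUS server without auth.
http_access allow client_wsus server_wsus

##http_access allow domainusers mynet

# Rule order matters: the full-access group is allowed BEFORE the ban rules,
# so it is not subject to them; the restricted groups are matched only after
# the bans have been applied.
http_access allow AUTH Access_Full
http_access deny Banned_Domains
http_access deny Banned_URLs !Good_URLs
http_access deny Banned_Extensions
http_access allow AUTH Access_Restricted
http_access allow AUTH Access_Restricted_Price price_URLs

####################################
# Test rule: allow any authenticated user (leave disabled in production).
#http_access allow AUTH

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
##http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320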