Squid-kerberos


als ads client aufnehmen

zuerst als Client aufnehmen: https://xinux.net/index.php/Ubuntu-ads-client#.2Fetc.2Fkrb5.conf

msktutils

  • apt-get install msktutil

create computer account and a local keytab

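  # Obtain an admin ticket; msktutil authenticates with it to create the
  # computer object in AD.
  kinit administrator
  # FQDN of the proxy host: clients will request a ticket for HTTP/<this name>,
  # so it must be the name they are configured to use as proxy.
  PROXY="lang.linuggs.lan"
  # Domain controller msktutil talks to.
  DN="douglas.linuggs.lan"
  # Create computer account PROXYSRV-HTTP with SPN/UPN HTTP/$PROXY and write
  # its keys to the local keytab.
  msktutil -c -b "CN=Computers" -s "HTTP/$PROXY" -k /etc/squid/PROXY.keytab \
    --computer-name PROXYSRV-HTTP --upn "HTTP/$PROXY" --server "$DN" -N
  # The keytab holds the service's long-term key: hand it to the squid user
  # and make sure nobody else can read it.
  # NOTE(review): msktutil above writes /etc/squid/PROXY.keytab, but the
  # chown/chmod target /etc/squid3/PROXY.keytab — both must name the same file.
  chown proxy:proxy /etc/squid3/PROXY.keytab
  chmod 0600 /etc/squid3/PROXY.keytab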

Kerberos Ticket update

  • msktutil --auto-update --computer-name PROXYSRV-HTTP --server $DN -s HTTP/$PROXY -k /etc/squid/PROXY.keytab -N

Crontab

  • echo "0 4 * * * msktutil --auto-update --computer-name PROXYSRV-HTTP --server $DN -s HTTP/$PROXY -k /etc/squid/PROXY.keytab -N" | crontab

/etc/default/squid3

# Keytab the Kerberos library should use for the squid process.
# NOTE(review): squid.conf passes -k /etc/squid/PROXY.keytab to the negotiate
# helper while this points at /etc/squid3/ — confirm which file is really used.
export KRB5_KTNAME=/etc/squid3/PROXY.keytab

/etc/squid/squid.conf

# squid.conf for a Kerberos (Negotiate) authenticating proxy.
# NOTE(review): the paths below mix the squid and squid3 trees
# (/var/spool/squid3, /var/log/squid, /etc/squid/PROXY.keytab,
# /etc/squid3/boese_seiten); pick one layout and use it consistently.
coredump_dir /var/spool/squid3
# Cache freshness rules: <pattern> <min minutes> <percent> <max minutes>.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
access_log /var/log/squid/access.log squid

# Prefer IPv4 answers when a name resolves to both.
dns_v4_first on

# iptables command ...
# NOTE(review): this DNAT sends port-80 traffic to 3128, but the intercept
# ("transparent") listener configured below is 3129 — the redirect target
# should presumably be the intercept port, not the explicit-proxy port.
#iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 80 --to 192.168.240.100:3128
# Explicit proxy port; this is the one clients must be configured to use.
http_port 3128
# "transparent" is the pre-3.1 spelling of "intercept". Squid cannot
# proxy-authenticate intercepted connections (no 407 challenge is possible),
# so the proxy_auth rule below cannot match such clients; presumably they
# fall through to "deny all" — confirm this is the intended behaviour.
http_port 3129 transparent
#####


#cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange


# Legacy basic/LDAP authentication, disabled in favour of Negotiate below.
#auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=xinux,dc=de" -f "uid=%s" -h 127.0.0.1
#auth_param basic children 50
#auth_param basic realm Web-Proxy
#auth_param basic credentialsttl 1 minute
#auth_param basic casesensitive off


# Negotiate/Kerberos helper:
#   -k  keytab holding the HTTP/<proxy fqdn> key created with msktutil
#   -s GSS_C_NO_NAME  accept any service principal present in the keytab
#   -d  debug output to cache.log (noisy; drop it once the setup works)
#   -i  log informational messages
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth  -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off


####
# Matches any client that has successfully authenticated (and triggers the
# 407 challenge for clients that have not).
acl auth proxy_auth REQUIRED
# Source networks. Neither xinux nor thomas is referenced by an active
# http_access rule below (only by the commented-out one).
acl xinux src 192.168.240.0/20
acl thomas src 192.168.244.0/24
acl localhost src 127.0.0.1/32
# Defined but never used here; Squid's stock config pairs it with
# "http_access deny to_localhost" to stop clients reaching the proxy's loopback.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
# URL blacklist. Only the commented-out rule below references it, so it is
# currently not enforced at all.
acl boese_seiten url_regex  "/etc/squid3/boese_seiten"
acl CONNECT method CONNECT


##http_access allow xinux_users
#http_access allow xinux !boese_seiten
#http_access allow manager localhost

# http_access is evaluated first-match. Because the allow for authenticated
# users comes first, the deny rules for manager, !Safe_ports and
# CONNECT !SSL_ports below are never reached for an authenticated client:
# any authenticated user may CONNECT to any port and reach the cache manager.
# Squid's stock ordering puts the denies first:
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
#   http_access deny manager
#   http_access allow localhost
#   http_access allow auth
#   http_access deny all
# ("all" in "allow all auth" is redundant — "allow auth" means the same.)
http_access allow all auth
# "manager" is not defined in this snippet; Squid 3.2+ predefines it, older
# versions need an explicit "acl manager ..." line.
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
#never_direct allow all

restart

service squid3 start

client Machine

Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address: the client requests a Kerberos service ticket for HTTP/&lt;the name it was given&gt;, and that name must match the HTTP/$PROXY principal created with msktutil and stored in the keytab.

debugging

sources