Squid-kerberos: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
David (Diskussion | Beiträge) |
David (Diskussion | Beiträge) |
||
| Zeile 12: | Zeile 12: | ||
KRB5_KTNAME=/etc/squid3/PROXY.keytab | KRB5_KTNAME=/etc/squid3/PROXY.keytab | ||
export KRB5_KTNAME | export KRB5_KTNAME | ||
| − | =on the top of /etc/ | + | =on the top of /etc/squid/squid.conf add = |
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -i -s GSS_C_NO_NAME | auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -i -s GSS_C_NO_NAME | ||
auth_param negotiate children 10 | auth_param negotiate children 10 | ||
Version vom 16. Dezember 2016, 08:15 Uhr
msktutils
- apt-get install msktutil
create computeraccount and a local keytab
- kinit administrator
PROXY="lang.linuggs.lan" DN="douglas.linuggs.lan"
- msktutil -c -b "CN=Computers" -s HTTP/$PROXY -k /etc/squid/PROXY.keytab --computer-name PROXYSRV-HTTP --upn HTTP/$PROXY --server $DN -N
chown proxy.proxy /etc/squid3/PROXY.keytab
/etc/default/squid3
KRB5_KTNAME=/etc/squid3/PROXY.keytab export KRB5_KTNAME
on the top of /etc/squid/squid.conf add
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -i -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access allow all auth
restart
service squid3 start
client Machine
Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address.
debugging
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp