User Tools
аутентификация_доступа_к_squid
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
аутентификация_доступа_к_squid [2015/06/02 15:36] val [Настройка сервиса SQUID на использование GSSAPI] |
аутентификация_доступа_к_squid [2022/10/19 13:25] val [Создаем ключи сервиса и копируем иx на сервер] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== Kerberos GSSAPI аутентификация ===== | ===== Kerberos GSSAPI аутентификация ===== | ||
| - | [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos]] | + | * [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos|Configuring a Squid Server to authenticate from Kerberos]] |
| - | + | * [[http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory|Configuring a Squid Server to authenticate off Active Directory]] | |
| - | [[http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/]] | + | * [[http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/|Squid kerberos authentication and ldap authorization in Active Directory]] |
| ==== Создаем ключи сервиса и копируем иx на сервер ==== | ==== Создаем ключи сервиса и копируем иx на сервер ==== | ||
| Line 15: | Line 15: | ||
| Login: gatehttp | Login: gatehttp | ||
| Password: Pa$$w0rd | Password: Pa$$w0rd | ||
| + | |||
| + | !!! не работает, найти решение!!! | ||
| + | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true | ||
| + | |||
| + | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true -UserPrincipalName gatehttp@corp15.un -DisplayName gatehttp | ||
| + | - так сработало. Обязательно и DisplayName и UserPrincipalName указать | ||
| </code> | </code> | ||
| Пароль не меняется и не устаревает | Пароль не меняется и не устаревает | ||
| Line 24: | Line 30: | ||
| Название сервиса HTTP обязательно заглавными буквами | Название сервиса HTTP обязательно заглавными буквами | ||
| <code> | <code> | ||
| + | C:\>setspn -L gatehttp | ||
| + | |||
| C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | ||
| + | |||
| + | C:\>setspn -L gatehttp | ||
| + | |||
| + | C:\>setspn -Q HTTP/gate.corpX.un | ||
| </code> | </code> | ||
| Line 44: | Line 56: | ||
| </code> | </code> | ||
| - | === Если в роли KDC выступает MIT (Ubuntu) === | + | === Если в роли KDC выступает MIT (Debian/Ubuntu) === |
| <code> | <code> | ||
| root@server:~# kadmin.local | root@server:~# kadmin.local | ||
| Line 54: | Line 66: | ||
| kadmin.local: exit | kadmin.local: exit | ||
| + | </code> | ||
| + | |||
| + | === Если в роли KDC выступает Samba4 === | ||
| + | |||
| + | * [[https://wiki.samba.org/index.php/Generating_Keytabs|wiki.samba.org Generating Keytabs]] | ||
| + | * [[http://www.delayer.org/2015/06/squid-samba4-ad-kerberos-auth.html|Squid + Samba4 AD Kerberos Authentication]] | ||
| + | |||
| + | <code> | ||
| + | server# samba-tool user create gatehttp 'Pa$$w0rd' | ||
| + | |||
| + | server# samba-tool user setexpiry gatehttp --noexpiry | ||
| + | |||
| + | server# samba-tool spn add HTTP/gate.corpX.un gatehttp | ||
| + | |||
| + | server# samba-tool spn list gatehttp | ||
| + | |||
| + | server# samba-tool domain exportkeytab gatehttp.keytab --principal=HTTP/gate.corpX.un | ||
| </code> | </code> | ||
| Line 71: | Line 100: | ||
| </code> | </code> | ||
| - | === Ubuntu === | + | === Debian/Ubuntu === |
| <code> | <code> | ||
| root@gate:~# ktutil | root@gate:~# ktutil | ||
| Line 82: | Line 111: | ||
| </code> | </code> | ||
| - | === FreeBSD, Ubuntu === | + | === Debian/Ubuntu/FreeBSD === |
| <code> | <code> | ||
| gate# chmod +r /etc/krb5.keytab | gate# chmod +r /etc/krb5.keytab | ||
| Line 90: | Line 119: | ||
| <code> | <code> | ||
| - | gate# cat squid.conf | + | gate# cat /etc/squid/conf.d/my.conf |
| </code><code> | </code><code> | ||
| - | ... | + | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d |
| - | # OPTIONS FOR AUTHENTICATION | + | |
| - | ... | + | |
| - | #For Ubuntu12.04 | + | |
| - | #auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d | + | |
| - | #For Ubuntu14.04 | + | |
| - | #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d | + | |
| - | #For FreeBSD8 | ||
| - | #auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d | ||
| - | #For FreeBSD10 | ||
| - | auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d | ||
| - | ... | ||
| - | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | ||
| - | ... | ||
| acl inetuser proxy_auth REQUIRED | acl inetuser proxy_auth REQUIRED | ||
| + | |||
| http_access allow inetuser | http_access allow inetuser | ||
| - | # http_access allow localnet | ||
| </code> | </code> | ||
| Line 159: | Line 175: | ||
| <code> | <code> | ||
| - | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd | + | auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd |
| ... | ... | ||
| </code><code> | </code><code> | ||
| # mkdir /usr/etc/ | # mkdir /usr/etc/ | ||
| - | # apt-get install apache2-utils | + | # apt install apache2-utils |
| - | # touch /usr/etc/passwd | + | # touch /etc/squid/passwd |
| - | # htpasswd /usr/etc/passwd user1 | + | # htpasswd /etc/squid/passwd user1 |
| </code> | </code> | ||
| Line 178: | Line 194: | ||
| ==== pam_unix (по умолчанию) ==== | ==== pam_unix (по умолчанию) ==== | ||
| <code> | <code> | ||
| - | # chmod u+s /usr/lib/squid3/pam_auth | + | # chmod u+s /usr/lib/squid/basic_pam_auth |
| - | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | auth_param basic program /usr/lib/squid3/pam_auth | + | auth_param basic program /usr/lib/squid/basic_pam_auth |
| ... | ... | ||
| + | </code> | ||
| + | |||
| + | Возможно, не обязательно | ||
| + | |||
| + | <code> | ||
| + | # cat /etc/pam.d/squid | ||
| + | </code><code> | ||
| + | auth sufficient pam_unix.so | ||
| </code> | </code> | ||
| ==== pam_radius ==== | ==== pam_radius ==== | ||
аутентификация_доступа_к_squid.txt · Last modified: 2023/03/18 18:57 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
