User Tools
аутентификация_доступа_к_squid
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
аутентификация_доступа_к_squid [2017/06/08 12:22] val [NCSA basic аутентификация] |
аутентификация_доступа_к_squid [2022/10/19 13:38] val [Создаем ключи сервиса и копируем иx на сервер] |
||
|---|---|---|---|
| Line 15: | Line 15: | ||
| Login: gatehttp | Login: gatehttp | ||
| Password: Pa$$w0rd | Password: Pa$$w0rd | ||
| + | |||
| + | ИЛИ | ||
| + | |||
| + | Обязательно и DisplayName и UserPrincipalName указать | ||
| + | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true -UserPrincipalName gatehttp@corpX.un -DisplayName gatehttp -PasswordNeverExpires $true | ||
| </code> | </code> | ||
| Пароль не меняется и не устаревает | Пароль не меняется и не устаревает | ||
| Line 24: | Line 29: | ||
| Название сервиса HTTP обязательно заглавными буквами | Название сервиса HTTP обязательно заглавными буквами | ||
| <code> | <code> | ||
| + | C:\>setspn -L gatehttp | ||
| + | |||
| C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | ||
| + | |||
| + | C:\>setspn -L gatehttp | ||
| + | |||
| + | C:\>setspn -Q HTTP/gate.corpX.un | ||
| </code> | </code> | ||
| Line 44: | Line 55: | ||
| </code> | </code> | ||
| - | === Если в роли KDC выступает MIT (Ubuntu) === | + | === Если в роли KDC выступает MIT (Debian/Ubuntu) === |
| <code> | <code> | ||
| root@server:~# kadmin.local | root@server:~# kadmin.local | ||
| Line 54: | Line 65: | ||
| kadmin.local: exit | kadmin.local: exit | ||
| + | </code> | ||
| + | |||
| + | === Если в роли KDC выступает Samba4 === | ||
| + | |||
| + | * [[https://wiki.samba.org/index.php/Generating_Keytabs|wiki.samba.org Generating Keytabs]] | ||
| + | * [[http://www.delayer.org/2015/06/squid-samba4-ad-kerberos-auth.html|Squid + Samba4 AD Kerberos Authentication]] | ||
| + | |||
| + | <code> | ||
| + | server# samba-tool user create gatehttp 'Pa$$w0rd' | ||
| + | |||
| + | server# samba-tool user setexpiry gatehttp --noexpiry | ||
| + | |||
| + | server# samba-tool spn add HTTP/gate.corpX.un gatehttp | ||
| + | |||
| + | server# samba-tool spn list gatehttp | ||
| + | |||
| + | server# samba-tool domain exportkeytab gatehttp.keytab --principal=HTTP/gate.corpX.un | ||
| </code> | </code> | ||
| Line 71: | Line 99: | ||
| </code> | </code> | ||
| - | === Ubuntu === | + | === Debian/Ubuntu === |
| <code> | <code> | ||
| root@gate:~# ktutil | root@gate:~# ktutil | ||
| Line 82: | Line 110: | ||
| </code> | </code> | ||
| - | === FreeBSD, Ubuntu === | + | === Debian/Ubuntu/FreeBSD === |
| <code> | <code> | ||
| gate# chmod +r /etc/krb5.keytab | gate# chmod +r /etc/krb5.keytab | ||
| Line 90: | Line 118: | ||
| <code> | <code> | ||
| - | gate# cat squid.conf | + | gate# cat /etc/squid/conf.d/my.conf |
| </code><code> | </code><code> | ||
| - | ... | + | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d |
| - | # OPTIONS FOR AUTHENTICATION | + | |
| - | ... | + | |
| - | ###For Ubuntu 12.04 | + | |
| - | #auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d | + | |
| - | ###For Ubuntu 14.04, 16.04 | + | |
| - | #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d | + | |
| - | ###For FreeBSD8 | ||
| - | #auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d | ||
| - | ###For FreeBSD10 | ||
| - | auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d | ||
| - | ... | ||
| - | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | ||
| - | ... | ||
| acl inetuser proxy_auth REQUIRED | acl inetuser proxy_auth REQUIRED | ||
| + | |||
| http_access allow inetuser | http_access allow inetuser | ||
| - | # http_access allow localnet | ||
| </code> | </code> | ||
| Line 159: | Line 174: | ||
| <code> | <code> | ||
| - | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd | + | auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd |
| ... | ... | ||
| </code><code> | </code><code> | ||
| Line 178: | Line 193: | ||
| ==== pam_unix (по умолчанию) ==== | ==== pam_unix (по умолчанию) ==== | ||
| <code> | <code> | ||
| - | # chmod u+s /usr/lib/squid3/pam_auth | + | # chmod u+s /usr/lib/squid/basic_pam_auth |
| - | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | auth_param basic program /usr/lib/squid3/pam_auth | + | auth_param basic program /usr/lib/squid/basic_pam_auth |
| ... | ... | ||
| + | </code> | ||
| + | |||
| + | Возможно, не обязательно | ||
| + | |||
| + | <code> | ||
| + | # cat /etc/pam.d/squid | ||
| + | </code><code> | ||
| + | auth sufficient pam_unix.so | ||
| </code> | </code> | ||
| ==== pam_radius ==== | ==== pam_radius ==== | ||
аутентификация_доступа_к_squid.txt · Last modified: 2023/03/18 18:57 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
