This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
аутентификация_доступа_к_squid [2017/06/08 12:25] val [NCSA basic аутентификация] |
аутентификация_доступа_к_squid [2022/10/19 13:25] val [Создаем ключи сервиса и копируем иx на сервер] |
||
---|---|---|---|
Line 15: | Line 15: | ||
Login: gatehttp | Login: gatehttp | ||
Password: Pa$$w0rd | Password: Pa$$w0rd | ||
+ | |||
+ | !!! не работает, найти решение!!! | ||
+ | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true | ||
+ | |||
+ | New-ADUser -Name "gatehttp" -SamAccountName "gatehttp" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true -UserPrincipalName gatehttp@corp15.un -DisplayName gatehttp - так сработало. Обязательно и DisplayName и UserPrincipalName указать | ||
</code> | </code> | ||
Пароль не меняется и не устаревает | Пароль не меняется и не устаревает | ||
Line 24: | Line 29: | ||
Название сервиса HTTP обязательно заглавными буквами | Название сервиса HTTP обязательно заглавными буквами | ||
<code> | <code> | ||
+ | C:\>setspn -L gatehttp | ||
+ | |||
C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | C:\>ktpass -princ HTTP/gate.corpX.un@CORPX.UN -mapuser gatehttp -pass 'Pa$$w0rd' -out gatehttp.keytab | ||
+ | |||
+ | C:\>setspn -L gatehttp | ||
+ | |||
+ | C:\>setspn -Q HTTP/gate.corpX.un | ||
</code> | </code> | ||
Line 44: | Line 55: | ||
</code> | </code> | ||
- | === Если в роли KDC выступает MIT (Ubuntu) === | + | === Если в роли KDC выступает MIT (Debian/Ubuntu) === |
<code> | <code> | ||
root@server:~# kadmin.local | root@server:~# kadmin.local | ||
Line 54: | Line 65: | ||
kadmin.local: exit | kadmin.local: exit | ||
+ | </code> | ||
+ | |||
+ | === Если в роли KDC выступает Samba4 === | ||
+ | |||
+ | * [[https://wiki.samba.org/index.php/Generating_Keytabs|wiki.samba.org Generating Keytabs]] | ||
+ | * [[http://www.delayer.org/2015/06/squid-samba4-ad-kerberos-auth.html|Squid + Samba4 AD Kerberos Authentication]] | ||
+ | |||
+ | <code> | ||
+ | server# samba-tool user create gatehttp 'Pa$$w0rd' | ||
+ | |||
+ | server# samba-tool user setexpiry gatehttp --noexpiry | ||
+ | |||
+ | server# samba-tool spn add HTTP/gate.corpX.un gatehttp | ||
+ | |||
+ | server# samba-tool spn list gatehttp | ||
+ | |||
+ | server# samba-tool domain exportkeytab gatehttp.keytab --principal=HTTP/gate.corpX.un | ||
</code> | </code> | ||
Line 71: | Line 99: | ||
</code> | </code> | ||
- | === Ubuntu === | + | === Debian/Ubuntu === |
<code> | <code> | ||
root@gate:~# ktutil | root@gate:~# ktutil | ||
Line 82: | Line 110: | ||
</code> | </code> | ||
- | === FreeBSD, Ubuntu === | + | === Debian/Ubuntu/FreeBSD === |
<code> | <code> | ||
gate# chmod +r /etc/krb5.keytab | gate# chmod +r /etc/krb5.keytab | ||
Line 90: | Line 118: | ||
<code> | <code> | ||
- | gate# cat squid.conf | + | gate# cat /etc/squid/conf.d/my.conf |
</code><code> | </code><code> | ||
- | ... | + | auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d |
- | # OPTIONS FOR AUTHENTICATION | + | |
- | ... | + | |
- | ###For Ubuntu 12.04 | + | |
- | #auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d | + | |
- | ###For Ubuntu 14.04, 16.04 | + | |
- | #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d | + | |
- | ###For FreeBSD8 | ||
- | #auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d | ||
- | ###For FreeBSD10 | ||
- | auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d | ||
- | ... | ||
- | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | ||
- | ... | ||
acl inetuser proxy_auth REQUIRED | acl inetuser proxy_auth REQUIRED | ||
+ | |||
http_access allow inetuser | http_access allow inetuser | ||
- | # http_access allow localnet | ||
</code> | </code> | ||
Line 159: | Line 174: | ||
<code> | <code> | ||
- | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
</code><code> | </code><code> | ||
... | ... | ||
- | auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid/passwd | + | auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd |
... | ... | ||
</code><code> | </code><code> | ||
Line 178: | Line 193: | ||
==== pam_unix (по умолчанию) ==== | ==== pam_unix (по умолчанию) ==== | ||
<code> | <code> | ||
- | # chmod u+s /usr/lib/squid3/pam_auth | + | # chmod u+s /usr/lib/squid/basic_pam_auth |
- | # cat /etc/squid3/squid.conf | + | # cat /etc/squid/squid.conf |
</code><code> | </code><code> | ||
... | ... | ||
- | auth_param basic program /usr/lib/squid3/pam_auth | + | auth_param basic program /usr/lib/squid/basic_pam_auth |
... | ... | ||
+ | </code> | ||
+ | |||
+ | Возможно, не обязательно | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/pam.d/squid | ||
+ | </code><code> | ||
+ | auth sufficient pam_unix.so | ||
</code> | </code> | ||
==== pam_radius ==== | ==== pam_radius ==== |