
[经验分享] Squid 3.5/WindowsAD Group



发表于 2018-12-26 08:34:35
  Version:
  OS: SUSE Linux Enterprise Server 12 SP2  (x86_64)
  Samba: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
  Winbind: Version 4.4.2-29.4-3709-SUSE-SLE_12-x86_64
  Squid:
  Squid Cache: Version 3.5.21
  Service Name: squid
  configure options:  '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-strict-error-checking' '--sysconfdir=/etc/squid' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--sharedstatedir=/var/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-dl' '--enable-disk-io' '--enable-storeio' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-esi' '--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-ssl-crtd' '--with-openssl' '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter' '--with-large-files' '--enable-underscores' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group' '--enable-stacktraces' '--enable-x-accelerator-vary' '--with-default-user=squid' '--disable-ident-lookups' '--enable-follow-x-forwarded-for' '--disable-arch-native' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
  

  configuration:

  1. Samba (smb.conf):
  [global]
  workgroup = XXXX
  passdb backend = tdbsam
  printing = cups
  printcap name = cups
  printcap cache time = 750
  cups options = raw
  map to guest = Bad User
  include = /etc/samba/dhcp.conf
  logon path = \\%L\profiles\.msprofile
  logon home = \\%L\%U\.9xprofile
  logon drive = P:
  usershare allow guests = No
  add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
  domain logons = No
  domain master = No
  netbios name = Proxy-xxx
  security = ADS
  wins support = No
  realm = XXX.com
  template homedir = /home/%D/%U
  winbind refresh tickets = yes
  idmap config * : backend = tdb
  idmap config * : range = 1000000-1999999
  idmap config ASIA : backend = rid
  idmap config ASIA : range = 500-10000000
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  

  2. /etc/krb5.conf
  [libdefaults]
  default_realm = XXX.com
  clockskew = 300
  [realms]

  ASIA.MURATA.COM = {
  kdc = x1.XXX.COM
  default_domain = xxx.com
  admin_server = x1.XXX.COM
  }
  

  [logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON
  [domain_realm]
  .asia.murata.com = ASIA.MURATA.COM
  [appdefaults]
  pam = {
  ticket_lifetime = 1d
  renew_lifetime = 1d
  forwardable = true
  proxiable = false
  minimum_uid = 1
  clockskew = 300
  external = sshd
  use_shmem = sshd
  }
  

  3. Squid
  #---------START OF PAN CHINA PROXY CONFIG---------
  cache_mgr xxx(mgr@xxx.com
  #---AUTHENTICATION---

  auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 300
  #auth_param ntlm keep_alive on
  auth_param ntlm max_challenge_reuses 0
  auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 300
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
  auth_param basic casesensitive off
  #authenticate_ttl 1 hour
  external_acl_type wbinfo_check %LOGIN /usr/sbin/ext_wbinfo_group_acl

  acl allowed_group external wbinfo_check XXX-InternetUsers
  http_access allow allowed_group allowedsites
  

  #---SETTING & OPTIMIZATION---
  http_port 8888
  icp_port 3130
  hosts_file /etc/hosts
  #dns_nameservers 114.114.115.115 114.114.114.114 8.8.4.4 8.8.8.8
  half_closed_clients off
  maximum_object_size 4 MB
  ipcache_size 10240
  ignore_expect_100 on
  #never_direct allow all
  #forwarded_for delete
  #via off
  cache_swap_low 90
  cache_swap_high 95
  memory_pools off
  

  4. Test results
  kinit user
  klist
net ads join -U admin  (join the domain)
wbinfo -t  (confirm that the domain join succeeded)
  wbinfo --group-info XXX\\domain\ users  (if this returns an error, enable IPv6 and check the idmap settings in smb.conf)
wbinfo -a XXX\\testuser%'password'  (test a domain user and password; note that a password given on the command line is recorded in the shell history, so use a test account and clear it afterwards)
  5. /usr/sbin/ext_wbinfo_group_acl
  authenticates members of a Windows AD group.
  

  Squid parameter explanation:
  1. max_user_ip (a single user seen from 2 IP addresses will be denied by the settings below)
  2. proxy_auth REQUIRED (AD users do not need to enter a password; all other users are prompted for a username and password.)
  3. authenticate_ip_ttl (how long Squid remembers the association between a user and an IP address)
  acl FOO max_user_ip 2
acl BAR proxy_auth REQUIRED
http_access deny FOO
http_access allow BAR
  2.



