Squid kerberos authtication

hyadijxp

【准备】

1. yum install cyrus-sasl-gssapi.i386 # 记得先装上这个

2. rpm -ivh msktutil-0.3.16.4-1.el5.rf.i386.rpm  #还有这个

3. 为防止configure出问题，都装上

krb5-auth-dialog.i386                    0.7-1                  installed      
krb5-devel.i386                          1.6.1-25.el5           installed      
krb5-libs.i386                           1.6.1-25.el5           installed      
krb5-server.i386                         1.6.1-25.el5           installed      
krb5-workstation.i386                    1.6.1-25.el5           installed      
pam_krb5.i386                            2.2.14-1               installed



【把Linux samba加入域并】

配置kbr5.conf smb.conf 加入域



【Kerberos 配置 】  这个国内有用资料实在太少

kinit administrator #检查一下

net ads keytab create -U administrator@800BEST.NET  #创建keytab 文件
net ads keytab add HTTP -U administrator@800BEST.NET #像keytab文件添加记录

klist -ke #看看keytab文件
kdb5_util create -s # 初始化库
kadmin.local -q "addprinc administrator/admin" #addprinc 并设置密码

启用kerberos验证

启动服务试试
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

配置成功后，应该直接可以用ldap或者AD账户登录域了 这下正好解决了single sign-on方案。



【编译安装】

4. ./configure --prefix=/Data/software/squid --enable-auth="basic,ntlm, negotiate" --enable-negotiate-auth-helpers="squid_kerb_auth"  #basci, ntlm, kerberos 都支持

5. make

6. make install







下面这段从squid网站上摘下来，看看似乎明白一点

#####


ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this access by adding the security user Squid runs as to the winbindd_priv group.
   gpasswd -a proxy winbindd_priv

• 
  Remove the cache_effective_group setting in squid.conf, if present. This setting causes squid to ignore the auxiliary winbindd_priv group membership.
  the default user Squid is bundled as nobodythough some distribution packages are built with squidor proxyor other similar low-access user.
  

#############

因为这个，squid建议我们在做ntlm验证时候这样加如下configure 选项

--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"

不过我看2.7和以后版本没有必要。




我老老实实

groupadd winbindd_priv

gpasswd -a squid winbindd_priv # squid 是以squid用户来运行的




发现验证时候还是出错，还是土办法，立即OK了



chgrp squid /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged




squid.cong 基本都是默认配置

[squid@proxy ~]$ cat /Data/software/squid/etc/squid.conf
#Kerberos authentication
auth_param negotiate program /Data/software/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.800best.net@800BEST.NET
auth_param negotiate children 15
auth_param negotiate keep_alive on
#ntlm_auth
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 20
#auth_param ntlm use_ntlm_negotiate on
#basic_auth
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

cachemgr_passwd 800best all
acl all src all
acl auth proxy_auth REQUIRED

#DeniedURLs and IPs
acl DeniedURLs dstdomain -i .tianya.cn .qq.com
acl DeniedIPs dst "/Data/software/squid/etc/deniedIPs.list"

acl manager proto cache_object
acl webserver src 172.18.9.146/32
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager webserver
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow auth
http_access deny DeniedURLs
http_access deny  DeniedIPs
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /Data/software/squid/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /Data/software/squid/var/cache



添加
KRB5_KTNAME=/etc/krb5.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

export SQUID_HOME=/Data/software/squid


到squid用户的 .bash_profile



squid -z

squid -Nd4c # 好像没有什么错了



echo 'su - squid -c "squid -s"' > /etc/rc.local



看了一下日志，有如下错误，可能与squid自带的kerberos验证模块有关

2009/08/19 17:54:18| squid_kerb_auth: parseNegTokenInit failed with rc=101
2009/08/19 17:54:18| squid_kerb_auth: received type 1 NTLM token
2009/08/19 17:54:18| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 5
9).


由于有其他更重要的项目，暂时通过

squid + basic,ntlm 验证 + sarg + wpad 来解决代理服务器方案，至于个别windows7或vista客户端，在squid.conf  添加IP acl 策略作为临时解决方案。